
I have configured an AWS Cognito UserPool to use an Azure AD Enterprise Application as a SAML federated identity provider as per the blog post here: https://medium.com/the-apps-team/how-to-add-azure-ad-as-aws-cognito-federated-identity-provider-60a29139e693

I have a web app which redirects to the hosted Cognito login page, which in turn redirects to the hosted Azure AD login page. I can then log in successfully, and a code is returned to my web app which I can exchange for a token.

The problem occurs if my web app redirects to the Cognito page for a second time without first invalidating the Cognito token with a call to GlobalSignOut, and the user selects 'Sign in as a different user'. They are presented with an Azure error screen with the error "AADSTS700517: The element 'SessionIndex' in XML namespace 'urn:oasis:names:tc:SAML:2.0:protocol' cannot be empty".

If I call GlobalSignOut before redirecting to the Cognito page for a second time, the problem doesn't occur.

The error code AADSTS700517 does not return any results on a Google search, and none of the results from a Bing search contain the actual error code.

Has anyone else encountered this error, or do you know where I can find the docs for the error code?

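The Azure error quoted in the question complains that a `SessionIndex` element in the SAML 2.0 protocol namespace is present but empty. Before attributing this to one side or the other, it helps to capture the SAML `LogoutRequest` (or whatever message the service provider sends on the second visit) from the browser and inspect it. The following is an added example, not code from the question, from AWS or from Microsoft: it checks a generic SAML 2.0 `LogoutRequest` for the exact condition the error describes. The two request documents are constructed samples; the issuer, NameID and SessionIndex values in them are made up, and nothing here asserts what Cognito actually emits.

```python
"""Check a captured SAML 2.0 LogoutRequest for a missing or empty SessionIndex.

Added example for diagnosing a 'SessionIndex cannot be empty' style error.
Sample documents below are constructed for illustration only.
"""
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"   # namespace named in the error
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"


def check_logout_request(xml_text: str) -> list:
    """Return a list of problems found in the LogoutRequest.

    An empty list means the request carries a non-empty NameID and a
    non-empty SessionIndex, i.e. it would not trip an 'empty SessionIndex'
    check at the identity provider.
    """
    problems = []
    try:
        root = ET.fromstring(xml_text)  # stdlib parser; does not fetch external entities
    except ET.ParseError as exc:
        return [f"not well-formed XML: {exc}"]

    if root.tag != f"{{{SAMLP}}}LogoutRequest":
        return [f"root element is {root.tag}, expected a samlp:LogoutRequest"]

    name_id = root.find(f"{{{SAML}}}NameID")
    if name_id is None or not (name_id.text or "").strip():
        problems.append("missing or empty saml:NameID")

    # SessionIndex is optional in the SAML 2.0 spec (zero or more), but an
    # element that is present with no text is what the quoted error rejects.
    session_indexes = root.findall(f"{{{SAMLP}}}SessionIndex")
    if not session_indexes:
        problems.append("no samlp:SessionIndex element (optional per spec)")
    for idx in session_indexes:
        if not (idx.text or "").strip():
            problems.append("samlp:SessionIndex element is present but empty")
    return problems


# Constructed sample: a well-formed logout request with a session index.
GOOD_REQUEST = f"""<samlp:LogoutRequest xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}"
    ID="_constructed-id-1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
  <saml:Issuer>urn:example:service-provider</saml:Issuer>
  <saml:NameID>user@example.com</saml:NameID>
  <samlp:SessionIndex>_constructed-session-index</samlp:SessionIndex>
</samlp:LogoutRequest>"""

# Constructed sample: same request, but the SessionIndex element is empty,
# the shape the quoted Azure error message describes.
EMPTY_INDEX_REQUEST = f"""<samlp:LogoutRequest xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}"
    ID="_constructed-id-2" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
  <saml:Issuer>urn:example:service-provider</saml:Issuer>
  <saml:NameID>user@example.com</saml:NameID>
  <samlp:SessionIndex></samlp:SessionIndex>
</samlp:LogoutRequest>"""


if __name__ == "__main__":
    for label, doc in (("good", GOOD_REQUEST), ("empty index", EMPTY_INDEX_REQUEST)):
        print(label, "->", check_logout_request(doc) or "no problems")
```

To use it on a real capture, base64-decode (and, for the HTTP-Redirect binding, inflate) the `SAMLRequest` parameter from the browser's network log and pass the resulting XML to `check_logout_request`. If the captured message shows an empty `SessionIndex`, the fault is on the sending side; if it is populated, the error originates elsewhere in the flow.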