
Properly handle SAML IdP initiated login with existing session containing expired access token #59629

@azasypkin

Description


Currently we handle a SAML session with an expired token for the case when the user goes directly to Kibana, but if the IdP initiates login, Kibana fails miserably and requires an explicit logout.

During IdP initiated login we check whether the user has an existing session to know if they're going to authenticate as the same user or not. If the user is different, we warn them with the Overwritten Session page. But it seems we missed the case with an expired token.

I believe we just need to add that additional isAccessTokenExpiredError check to SAMLAuthenticationProvider.login and not try to refresh it, since the access token has, well, expired and we already have a new login attempt.

TEMPORARY WORKAROUND: since an expired-token failure forces Kibana to clear the cookie, just refreshing the browser page or making a second login attempt will allow users to log in.
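The decision the issue describes, as an added example rather than Kibana's own code: a small TypeScript model of the IdP-initiated login path with an existing session. The session shape, the `TokenStore` lookup standing in for token introspection, the `AccessTokenExpiredError` class, and the function names `idpInitiatedLoginBeforeFix` / `idpInitiatedLoginAfterFix` are all constructed for this example. The "before" variant lets the expired-token error escape as a failure; the "after" variant recognises it explicitly and proceeds with the new login without a refresh attempt.

```typescript
// Added example, not Kibana's code. Everything here is a constructed model of the
// flow the issue describes: existing session + IdP-initiated SAML login.

class AccessTokenExpiredError extends Error {
  constructor() {
    super('access token expired');
    this.name = 'AccessTokenExpiredError';
  }
}

// Stand-in for the real isAccessTokenExpiredError check (hypothetical implementation).
function isAccessTokenExpiredError(err: unknown): err is AccessTokenExpiredError {
  return err instanceof AccessTokenExpiredError;
}

interface SessionState {
  accessToken: string;
}

// Constructed stand-in for token introspection: access token -> owner + expiry flag.
type TokenStore = Record<string, { username: string; expired: boolean }>;

function resolveUser(store: TokenStore, session: SessionState): string {
  const entry = store[session.accessToken];
  if (entry === undefined) {
    throw new Error('unknown access token');
  }
  if (entry.expired) {
    throw new AccessTokenExpiredError();
  }
  return entry.username;
}

type LoginOutcome =
  | { kind: 'login'; username: string; reason: 'no-session' | 'same-user' | 'expired-token' }
  | { kind: 'overwritten-session'; previous: string; incoming: string }
  | { kind: 'failed'; error: string };

// Behaviour the issue reports: an expired token in the existing session becomes a
// hard failure, which is what forces the explicit logout.
function idpInitiatedLoginBeforeFix(
  store: TokenStore,
  session: SessionState | null,
  samlUsername: string
): LoginOutcome {
  if (session !== null) {
    let previous: string;
    try {
      previous = resolveUser(store, session);
    } catch (err) {
      return { kind: 'failed', error: (err as Error).message };
    }
    if (previous !== samlUsername) {
      return { kind: 'overwritten-session', previous, incoming: samlUsername };
    }
    return { kind: 'login', username: samlUsername, reason: 'same-user' };
  }
  return { kind: 'login', username: samlUsername, reason: 'no-session' };
}

// Proposed behaviour: treat an expired token as "no usable session" and proceed
// with the new SAML login. No refresh is attempted, because a fresh login is
// already in progress.
function idpInitiatedLoginAfterFix(
  store: TokenStore,
  session: SessionState | null,
  samlUsername: string
): LoginOutcome {
  if (session !== null) {
    let previous: string;
    try {
      previous = resolveUser(store, session);
    } catch (err) {
      if (isAccessTokenExpiredError(err)) {
        return { kind: 'login', username: samlUsername, reason: 'expired-token' };
      }
      return { kind: 'failed', error: (err as Error).message };
    }
    if (previous !== samlUsername) {
      return { kind: 'overwritten-session', previous, incoming: samlUsername };
    }
    return { kind: 'login', username: samlUsername, reason: 'same-user' };
  }
  return { kind: 'login', username: samlUsername, reason: 'no-session' };
}

// Constructed sample data for a quick comparison of the two variants.
const sampleStore: TokenStore = {
  'tok-alice-valid': { username: 'alice', expired: false },
  'tok-alice-expired': { username: 'alice', expired: true },
};

console.log(idpInitiatedLoginBeforeFix(sampleStore, { accessToken: 'tok-alice-expired' }, 'alice'));
console.log(idpInitiatedLoginAfterFix(sampleStore, { accessToken: 'tok-alice-expired' }, 'alice'));
```

The only difference between the two functions is the `isAccessTokenExpiredError` branch in the catch block; every other outcome (no session, same user, different user triggering the Overwritten Session page) is unchanged, which is the scope of the fix the issue proposes.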

Metadata

Labels

Feature:Security/Authentication, Team:Security, bug
