kapd

Reputation: 659

User getting frequently logged out using Sustainsys SAML and ASP.NET Session Cookies

I am facing a weird issue with one of our clients where users are getting logged out a few seconds (after placing 10-15 requests) after login. We are using the following:

  1. Sustainsys.Saml2.Owin 2.3.0 library to use SAML SSO. We tried upgrading package to 2.9.0 but to no avail.
  2. Sticky Sessions are enabled at the load balancer. Even if we keep just one web server, the user still gets logged out a few seconds after login.
  3. After a successful SAML response, we issue an ASP.NET Authentication Cookie (session based).

I compared the successful and unauthorized requests in the browser and they look exactly the same. They both have all the necessary cookies present - Authentication Cookie, Session Cookie.

I am guessing the issue is somewhere on the Load Balancer or Web Server side. The trace on the Web Server shows just one difference between the requests: the request that succeeds has the Session Id present, and the request that returns unauthorized is missing the Session Id.

I have 2 questions

  1. How is the ASP.NET Authentication Cookie (which is session based) supposed to behave in case the Session ID is missing?
  2. Even though both the Authentication Cookie and the Session Cookie are being sent from the browser, what can I check on the Load Balancer or Web Server side to see why the Session Id is getting lost in the unauthorized request? And why does it work fine for a few seconds and only fail after some requests?

Please note that if I switch to Forms/LDAP authentication instead of SAML, it seems to work fine, so the issue seems related to Sustainsys SAML.

Upvotes: 0

Views: 308

Answers (1)

kapd

Reputation: 659

The issue was occurring because SessionNotOnOrAfter in the SAML response was set to 2 minutes. That was causing the session to end, and the user was getting logged out.

Upvotes: 0
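A small diagnostic for the cause described in the answer, added here as an example (it is not code from the question, the answerer, or the Sustainsys library): it parses the AuthnStatement's SessionNotOnOrAfter from a SAML Response and compares the IdP-imposed session lifetime with the application's cookie timeout. The SAML Response below is constructed for the example, with a 2-minute SessionNotOnOrAfter like the one the answer describes.

```python
from datetime import datetime, timezone
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Constructed sample (not a real IdP capture): the IdP caps the SP session
# at 2 minutes after issue via SessionNotOnOrAfter on the AuthnStatement.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_resp1" Version="2.0"
    IssueInstant="2020-01-01T10:00:00Z">
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2020-01-01T10:00:00Z">
    <saml:Issuer>https://idp.example.com</saml:Issuer>
    <saml:Conditions NotBefore="2020-01-01T09:59:00Z" NotOnOrAfter="2020-01-01T10:05:00Z"/>
    <saml:AuthnStatement AuthnInstant="2020-01-01T10:00:00Z"
        SessionIndex="_s1" SessionNotOnOrAfter="2020-01-01T10:02:00Z"/>
  </saml:Assertion>
</samlp:Response>"""


def parse_saml_time(value):
    """SAML dateTime values are UTC with a trailing Z."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def session_lifetime_seconds(response_xml):
    """Seconds the IdP allows the SP session to live, measured from the
    assertion's IssueInstant. None when SessionNotOnOrAfter is absent,
    i.e. the IdP imposes no session limit and the cookie timeout governs."""
    assertion = ET.fromstring(response_xml).find("saml:Assertion", NS)
    issued = parse_saml_time(assertion.get("IssueInstant"))
    authn = assertion.find("saml:AuthnStatement", NS)
    snoa = authn.get("SessionNotOnOrAfter") if authn is not None else None
    if snoa is None:
        return None
    return int((parse_saml_time(snoa) - issued).total_seconds())


def check_against_cookie(response_xml, cookie_timeout_seconds):
    """Flag the mismatch from the thread: a cookie timeout longer than the
    IdP session limit means users are logged out long before the cookie expires."""
    lifetime = session_lifetime_seconds(response_xml)
    if lifetime is None:
        return "no SessionNotOnOrAfter: cookie timeout governs"
    if lifetime < cookie_timeout_seconds:
        return f"IdP session ends after {lifetime}s, before the {cookie_timeout_seconds}s cookie timeout"
    return "cookie timeout is within the IdP session limit"


if __name__ == "__main__":
    print(check_against_cookie(SAMPLE_RESPONSE, 30 * 60))
```

Run it against a SAML Response captured with the browser's SAML tracer (base64-decoded) to see whether the IdP, rather than the load balancer or session state, is what ends the session.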
