providers/saml: remove SESSION_KEY_POST from session after using it

Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org> #1873
2021-12-06 12:47:25 +01:00 · 2021-12-06 12:47:25 +01:00 · 873aa4bb22
parent c1ea78c422
commit 873aa4bb22
1 changed files with 1 additions and 1 deletions
--- a/authentik/providers/saml/views/sso.py
+++ b/authentik/providers/saml/views/sso.py
@ -125,7 +125,7 @@ class SAMLSSOBindingPOSTView(SAMLSSOView):
        # This happens when using POST bindings but the user isn't logged in
        # (user gets redirected and POST body is 'lost')
        if SESSION_KEY_POST in self.request.session:
-            payload = self.request.session[SESSION_KEY_POST]
+            payload = self.request.session.pop(SESSION_KEY_POST)
        if REQUEST_KEY_SAML_REQUEST not in payload:
            LOGGER.info("check_saml_request: SAML payload missing")
            return bad_request_message(self.request, "The SAML request payload is missing.")