Updated session handling in SAML-P and WS-Fed authentication flows to align with industry best practices and existing OAuth2/OIDC behavior. Following successful login via SAML-P or WS-Fed, the session ID will now be rotated and a new session cookie issued. Implementations that read or store session IDs across these flows should review and update their code to handle the new session ID.
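The effect of this rotation on code that keys its own data by session ID, as an added example that is not part of the original changelog or the product's own code. `SessionStore`, `AuditCorrelator` and every name in them are hypothetical, and the in-memory store is an assumption standing in for the real session backend.

```python
import secrets


class SessionStore:
    """Constructed in-memory session store (assumption, not a vendor implementation)."""

    def __init__(self):
        self._sessions = {}

    def create(self):
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {"user": None}
        return sid

    def get(self, sid):
        return self._sessions.get(sid)

    def complete_login(self, old_sid, user):
        """Rotate the session ID after a successful SAML-P / WS-Fed login."""
        data = self._sessions.pop(old_sid, None)  # the pre-login ID stops resolving
        if data is None:
            raise KeyError("unknown or expired session")
        new_sid = secrets.token_urlsafe(32)
        data["user"] = user
        self._sessions[new_sid] = data
        return new_sid  # would reach the browser as a new session cookie


class AuditCorrelator:
    """Hypothetical integration that stores its own records per session ID."""

    def __init__(self):
        self._by_sid = {}

    def record(self, sid, event):
        self._by_sid.setdefault(sid, []).append(event)

    def on_rotation(self, old_sid, new_sid):
        # Re-key records so pre-login and post-login events stay linked.
        self._by_sid.setdefault(new_sid, []).extend(self._by_sid.pop(old_sid, []))

    def events(self, sid):
        return list(self._by_sid.get(sid, []))


def demo():
    store, audit = SessionStore(), AuditCorrelator()
    pre = store.create()
    audit.record(pre, "saml_request_sent")
    post = store.complete_login(pre, "alice@example.test")  # constructed user
    audit.on_rotation(pre, post)
    audit.record(post, "login_success")
    return pre, post, store, audit
```

An integration that skips the `on_rotation` step keeps looking up the pre-login ID, which no longer resolves once login completes.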
Fetched April 11, 2026