catalyst / moodle-auth_saml2

SAML done 100% in Moodle, fast, simple, secure
https://moodle.org/plugins/auth_saml2

SAML2 exception: ACSPARAMS when switching tenants in MWP #800

Open daniel-hefley opened 4 months ago

daniel-hefley commented 4 months ago

Platform: [Moodle Workplace 4.1.2+ (Build: 20230417)] SAML2: 2023100300

Error: 
Debug info: #0 [dirroot]/auth/saml2/sp/saml2-acs.php(37): SimpleSAML\Module\saml\Controller\ServiceProvider->assertionConsumerService()
#1 {main}
Error code: exception

Stack trace:
line 40 of /auth/saml2/sp/saml2-acs.php: saml2_exception thrown

Single IdP (Okta), 2 tenants. Tenant availability: This IdP is available to all tenants (including future ones).

To replicate:

  1. Log into Okta and access dashboard.
  2. Select app to access MWP leaving tab open.
  3. Directed to MWP (opens in new tab).
  4. Change tenant in MWP.
  5. Log out of MWP and close tab.
  6. Return to Okta dashboard and select app again.
  7. Directed to MWP (in new tab) but get above error.

Also seeing the below error in the simplesamlphp.log file. Not sure if it is related but including it here just in case.

Feb 14 12:59:36 31.94.32.37 SimpleSAMLphp WARNING [65f6e256a7] Unsuccessful logout. Status was: SimpleSAML\Module\saml\Error: AuthnFailed in /var/www/moodle_workplace/auth/saml2/.extlib/simplesamlphp/modules/saml/lib/Message.php:503
Stack trace:
#0 /var/www/moodle_workplace/auth/saml2/.extlib/simplesamlphp/modules/saml/www/sp/saml2-logout.php(72): SimpleSAML\Module\saml\Message::getResponseError()
#1 /var/www/moodle_workplace/auth/saml2/sp/saml2-logout.php(59): require('...')
#2 {main}

Okta configuration: (screenshots 1 to 5, not reproduced here)

SAML2 configuration in MWP: (screenshot saml2_config, not reproduced here)
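For anyone triaging this kind of report: SimpleSAMLphp raises ACSPARAMS when its Assertion Consumer Service endpoint is reached without any SAML message it can bind to (no SAMLResponse/SAMLRequest in the POST form or query string, no SAMLart), i.e. the browser arrived at saml2-acs.php but Okta's Response was not attached. The script below is an added example, not code from auth_saml2, SimpleSAMLphp or the reporter. It models that binding detection, decodes an HTTP-POST SAMLResponse, and reports whether the Response's Destination matches the ACS URL of the tenant that received it and whether the flow was IdP-initiated (no InResponseTo), which is the first thing to compare across the two tenants in the repro above. The tenant hostnames, the ACS path layout and the sample Response are constructed assumptions.

```python
"""Classify a request that reached a SAML SP's Assertion Consumer Service.

Added example (not project code). Models the binding detection that
SimpleSAMLphp performs before it raises ACSPARAMS, then inspects the
Destination of an HTTP-POST Response against the expected tenant ACS URL.
"""
import base64
from urllib.parse import parse_qs, quote, urlparse
import xml.etree.ElementTree as ET

SAMLP_NS = "urn:oasis:names:tc:SAML:2.0:protocol"


def detect_binding(method, query, form):
    """Model of the binding detection run at the ACS (assumption: mirrors the
    SAMLRequest/SAMLResponse/SAMLart checks SimpleSAMLphp makes).
    Returns the binding name, or None when the request carries no SAML
    message at all, which is the condition that ends in ACSPARAMS."""
    if method == "GET":
        if "SAMLRequest" in query or "SAMLResponse" in query:
            return "HTTP-Redirect"
        if "SAMLart" in query:
            return "HTTP-Artifact"
    elif method == "POST":
        if "SAMLRequest" in form or "SAMLResponse" in form:
            return "HTTP-POST"
        if "SAMLart" in form:
            return "HTTP-Artifact"
    return None


def decode_post_response(b64):
    """HTTP-POST binding: SAMLResponse is plain base64 of the XML (no deflate)."""
    root = ET.fromstring(base64.b64decode(b64))
    if root.tag != f"{{{SAMLP_NS}}}Response":
        raise ValueError(f"unexpected root element {root.tag}")
    return root


def check_acs_request(method, url, body="", expected_acs=None):
    """Return a small report for one request to the ACS: the binding found,
    the ACSPARAMS condition if none was found, the Response's Destination,
    whether it equals the ACS URL this tenant expects, and whether the
    Response was IdP-initiated (no InResponseTo attribute)."""
    parsed = urlparse(url)
    query = parse_qs(parsed.query)
    form = parse_qs(body) if method == "POST" else {}
    report = {"binding": detect_binding(method, query, form), "error": None,
              "destination": None, "destination_ok": None, "idp_initiated": None}
    if report["binding"] is None:
        report["error"] = "ACSPARAMS"  # ACS hit with no SAML message attached
        return report
    if report["binding"] == "HTTP-POST" and "SAMLResponse" in form:
        root = decode_post_response(form["SAMLResponse"][0])
        target = expected_acs or f"{parsed.scheme}://{parsed.netloc}{parsed.path}"
        report["destination"] = root.get("Destination")
        report["destination_ok"] = (report["destination"] == target)
        report["idp_initiated"] = root.get("InResponseTo") is None
    return report


# Constructed sample data (assumed hostnames and ACS path layout, not taken
# from the issue). One tenant per hostname, each with its own ACS URL.
TENANT_A_ACS = "https://tenant-a.example.test/auth/saml2/sp/saml2-acs.php/tenant-a.example.test"
TENANT_B_ACS = "https://tenant-b.example.test/auth/saml2/sp/saml2-acs.php/tenant-b.example.test"

# Minimal IdP-initiated Response (no InResponseTo), unsigned and stripped down
# to the attributes this check reads; Destination names tenant A's ACS.
SAMPLE_RESPONSE_XML = (
    f'<samlp:Response xmlns:samlp="{SAMLP_NS}" ID="_c0ffee" Version="2.0" '
    f'IssueInstant="2024-02-14T12:59:36Z" Destination="{TENANT_A_ACS}">'
    '<samlp:Status><samlp:StatusCode '
    'Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>'
    '</samlp:Response>'
)
# Form-encode the base64 so '+', '/' and '=' survive parse_qs.
SAMPLE_POST_BODY = "SAMLResponse=" + quote(
    base64.b64encode(SAMPLE_RESPONSE_XML.encode()).decode(), safe="")


if __name__ == "__main__":
    cases = [
        ("IdP-initiated POST to tenant A", "POST", TENANT_A_ACS, SAMPLE_POST_BODY, TENANT_A_ACS),
        ("same Response landing on tenant B", "POST", TENANT_B_ACS, SAMPLE_POST_BODY, TENANT_B_ACS),
        ("bare GET to the ACS (ACSPARAMS)", "GET", TENANT_A_ACS, "", TENANT_A_ACS),
    ]
    for label, method, url, body, expected in cases:
        print(f"{label}: {check_acs_request(method, url, body, expected)}")
```

To use it against a real failure, capture the request the browser sends to saml2-acs.php on the failing click (browser dev tools or a proxy) and feed its method, URL and form body to check_acs_request with the ACS URL of the tenant that was selected: an empty binding confirms the ACSPARAMS condition, while a Destination mismatch points at the Response being delivered to a different tenant's ACS than the one it was issued for.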

danmarsden commented 4 months ago

Hi @daniel-hefley - thanks for the report. We don't have many of our own clients using Okta and our SAML plugin. If you work out what's going wrong, feel free to submit a PR, or reach out privately if you would like commercial-level support to investigate it further.

thanks!