samly
Mismatched or missing 'RelayState' in IdP responses to SP initiated requests
Hey there - working through troubleshooting this error:
access_denied {{:badmatch, []}, [{:xmerl_dsig, :verify, 2, [file: '/app/deps/esaml/src/xmerl_dsig.erl', line: 200]}, {:esaml_sp, :"-validate_assertion/3-fun-3-", 3, [file: '/app/deps/esaml/src/esaml_sp.erl', line: 282]}, {:esaml_util, :threaduntil, 2, [file: '/app/deps/esaml/src/esaml_util.erl', line: 92]}, {Samly.Helper, :decode_idp_auth_resp, 3, [file: 'lib/samly/helper.ex', line: 72]}, {Samly.SPHandler, :consume_signin_response, 1, [file: 'lib/samly/sp_handler.ex', line: 37]}, {Samly.SPRouter, :"-dispatch/2-fun-0-", 4, [file: 'lib/plug/router.ex', line: 246]}, {:telemetry, :span, 3, [file: '/app/deps/telemetry/src/telemetry.erl', line: 321]}, {Samly.SPRouter, :dispatch, 2, [file: 'lib/plug/router.ex', line: 242]}]}
Anyone have any insight into this? I'm going to /sso/auth/signin/my_identity_provider and it redirects to the IdP, where they get redirected back and I get the following error?
I see "Mismatched or missing 'RelayState' in IdP responses to SP initiated requests will fail (with HTTP '403 access_denied')" and am not sure why that would be.
Samly puts RelayState in the session cookie. Phoenix by default sets the SameSite attribute of the session cookie to Lax. This prevents the cookie from being sent alongside the POST request if this request is initiated outside the session cookie domain.
Verify that the session cookie is correctly sent in the POST request and that it contains the RelayState.
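An added example, not from this thread or the samly project, showing the Phoenix endpoint session configuration the answer refers to: the generated default with SameSite=Lax beside the setting that lets the session cookie travel with the IdP's cross-site POST to the ACS endpoint (module name, cookie key and signing salt are placeholders):

```elixir
# lib/my_app_web/endpoint.ex (hypothetical application; MyAppWeb, the cookie
# key and the signing salt are assumptions, not values from the thread)
defmodule MyAppWeb.Endpoint do
  use Phoenix.Endpoint, otp_app: :my_app

  # Phoenix's generated default: SameSite=Lax. The browser does not attach a
  # Lax cookie to a POST that originates on another site, and the IdP's
  # auto-submitted form POSTing the SAML response to Samly's ACS route is
  # exactly such a request. The session (and the RelayState Samly stored in
  # it) is therefore absent, and the SP-initiated check fails with 403.
  #
  # @session_options [
  #   store: :cookie,
  #   key: "_my_app_key",
  #   signing_salt: "REPLACE_WITH_SIGNING_SALT",
  #   same_site: "Lax"
  # ]

  # Setting that lets the session cookie accompany the cross-site POST.
  # Browsers only honour SameSite=None on cookies that are also marked
  # Secure, so the application must be served over HTTPS. Plug.Session
  # forwards :same_site and :secure to Plug.Conn.put_resp_cookie/4.
  @session_options [
    store: :cookie,
    key: "_my_app_key",
    signing_salt: "REPLACE_WITH_SIGNING_SALT",
    same_site: "None",
    secure: true
  ]

  # Relaxing SameSite removes one layer of CSRF defence for every route that
  # reads this cookie, so keep :protect_from_forgery in the router's browser
  # pipeline for the application's own form-handling routes.
  plug Plug.Session, @session_options

  # Remaining endpoint plugs (static, parsers, router, ...) unchanged.
end
```

To confirm the cause before changing anything, watch the POST to the ACS route in the browser's network tools: with Lax the request carries no session cookie at all, with None/Secure it carries the cookie that holds the RelayState.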
Thanks much, that resolved it.
Months later, this saved us a lot of headache :-)