
SAML IDP - message.State is null or empty

tw, last edited by 28 Feb 2023, 23:11

    We are setting up Google as a SAML v2 IdP-initiated identity provider. The setup is working fine, and the SAML exchange is working and authenticated into FusionAuth.

    Our API gateway (dotnet) is integrated with our FusionAuth via OIDC, and when it redirects, it contains the code but is missing the state parameter (which I understand happens in a SAML IdP workflow, after reading the comments on GitHub).

    The redirect back to our gateway for example is:

    /signin-oidc?code=j6rOnUBViLU1kR5UA2eKK_UTzc-cO2auei53TJU9X8g&locale=en_US&userState=Authenticated
    

    Our gateway throws the error:

    OpenIdConnectAuthenticationHandler: message.State is null or empty.
    

    We have tried to disable state validation (not ideal), but that does not work.

    // OpenIdConnectOptions: tell the protocol validator not to require or validate state
    options.ProtocolValidator.RequireState = false;
    options.ProtocolValidator.RequireStateValidation = false;
    

    You can see that Auth0 provides a hacky workflow in their documentation.

    Just wondering how I can get this to work? Any ideas?

    dan @tw, last edited by 18 Mar 2023, 18:48

      @tw Hmmm. Did you ever get this working?

      A few thoughts:

      • what version of FusionAuth are you running?
      • have you turned on the debug switch and checked the event log? If so, can you share?
      • This issue may be of interest: https://github.com/FusionAuth/fusionauth-issues/issues/1077

      --
      FusionAuth - Auth for devs, built by devs.
      https://fusionauth.io

      tw @dan, last edited by 22 Mar 2023, 21:18

        @dan I figured out a workaround based off the Auth0 documentation.

        I have added a new route in our API gateway as the callback URL in FusionAuth. This is the RelayState (or redirect_uri with the ACS) that we are providing for our IdP providers.

        The route for example is now:

        /signin-saml-oidc?code=j6rOnUBViLU1kR5UA2eKK_UTzc-cO2auei53TJU9X8g&locale=en_US&userState=Authenticated
        

        From there we just issue a ChallengeAsync, which redirects back to FusionAuth and then back to signin-oidc with the code and state parameters.

        // in the controller action behind /signin-saml-oidc: start a fresh OIDC challenge
        await this.HttpContext.ChallengeAsync();
        

        Obviously this isn't ideal and adds another redirect to the flow, but it works, as the user is authenticated in FusionAuth and our gateway triggered the challenge (so it generates the state).

        FusionAuth Version: 1.44.0

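The workaround tw describes, written out as an added C# example that is not code from the thread or from FusionAuth: an ASP.NET Core gateway using the standard OpenIdConnect handler plus the extra /signin-saml-oidc route that re-challenges instead of trusting the state-less code. The authority URL, client id, secret key name and landing page are placeholder assumptions.

```csharp
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.AspNetCore.Authentication.OpenIdConnect;

var builder = WebApplication.CreateBuilder(args);
builder.Services.AddAuthorization();
builder.Services
    .AddAuthentication(o =>
    {
        o.DefaultScheme = CookieAuthenticationDefaults.AuthenticationScheme;
        o.DefaultChallengeScheme = OpenIdConnectDefaults.AuthenticationScheme;
    })
    .AddCookie()
    .AddOpenIdConnect(o =>
    {
        // Placeholder values: substitute your own FusionAuth host and application settings.
        o.Authority = "https://fusionauth.example.com";
        o.ClientId = "<fusionauth-application-id>";
        o.ClientSecret = builder.Configuration["FusionAuth:ClientSecret"];
        o.ResponseType = "code";
        o.CallbackPath = "/signin-oidc"; // the handler's own callback; state is checked here
        o.SaveTokens = true;
        // State validation stays at its defaults: the thread shows RequireState=false does not
        // fix the error, and it would also drop the CSRF binding between request and callback.
    });

var app = builder.Build();
app.UseAuthentication();
app.UseAuthorization();

// Register this path (not /signin-oidc) in FusionAuth as the redirect after the SAML login.
// FusionAuth arrives with ?code=...&userState=Authenticated but no state, so the OIDC handler
// would reject it. That code is deliberately never exchanged. Instead we start a fresh
// authorization request: the handler generates its own state and nonce, and because the user
// already has a FusionAuth session from the SAML exchange, FusionAuth redirects straight back
// to /signin-oidc with a new code and the matching state.
app.MapGet("/signin-saml-oidc", async (HttpContext ctx) =>
{
    if (ctx.User.Identity?.IsAuthenticated == true)
    {
        ctx.Response.Redirect("/"); // gateway session already exists; nothing to do
        return;
    }
    await ctx.ChallengeAsync(OpenIdConnectDefaults.AuthenticationScheme,
        new AuthenticationProperties { RedirectUri = "/" }); // landing page after /signin-oidc
});

app.MapGet("/", (HttpContext ctx) => $"Signed in as {ctx.User.Identity?.Name}").RequireAuthorization();
app.Run();
```

The only cost is the extra round trip to FusionAuth; in return the gateway's own state and nonce checks remain active for every sign-in, SAML-initiated or not.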