FusionAuth

Posts made by tw

  • RE: SAML IDP - message.State is null or empty

    @dan figured out a workaround based off the Auth0 documentation.

    I have added a new route in our API gateway as the callback URL in FusionAuth. This is the RelayState (or redirect_uri with the acs) that we are providing for our IdP providers.

    The route for example is now:

    /signin-saml-oidc?code=j6rOnUBViLU1kR5UA2eKK_UTzc-cO2auei53TJU9X8g&locale=en_US&userState=Authenticated
    

    Which we just issue a ChallengeAsync which then redirects back to FusionAuth and then redirects back to signin-oidc with the code and state parameter.

    await this.HttpContext.ChallengeAsync();
    

    Obviously this isn't ideal & adds another redirect in the flow, but it works as the user is authenticated in FusionAuth & our gateway has triggered the challenge (so generating the state).

    FusionAuth Version: 1.44.0

    posted in Q&A
    tw
    22 Mar 2023, 21:18
  • SAML IDP - message.State is null or empty

    We are setting up Google as a SAML v2 IdP-initiated identity provider, the setup is working fine, and the SAML exchange is working & authenticated into FusionAuth.

    Our API gateway (dotnet) is integrated into our FusionAuth via OIDC & when it redirects, it contains the code but is missing the state parameter (which I understand happens in a SAML IdP workflow, after reading the comments on GitHub).

    The redirect back to our gateway for example is:

    /signin-oidc?code=j6rOnUBViLU1kR5UA2eKK_UTzc-cO2auei53TJU9X8g&locale=en_US&userState=Authenticated
    

    Our gateway throws the error:

    OpenIdConnectAuthenticationHandler: message.State is null or empty.
    

    We have tried to disable state validation (not ideal), but that does not work.

    options.ProtocolValidator.RequireState = false;
    options.ProtocolValidator.RequireStateValidation = false;
    

    You can see that Auth0 provides a hacky workflow in their documentation

    Just wondering how I can get this to work? Any ideas?

    posted in Q&A
    tw
    28 Feb 2023, 23:11
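
The workaround from the 22 Mar 2023 reply, as an added example (not the poster's or FusionAuth's code): the gateway ignores the unsolicited `code` delivered to `/signin-saml-oidc` and starts a fresh OIDC challenge, so the `state` checked at `/signin-oidc` is one the gateway itself issued. The configuration keys (`Oidc:Authority`, `Oidc:ClientId`, `Oidc:ClientSecret`) and the `/` landing path are assumptions.

```csharp
// Added example: ASP.NET Core gateway using minimal hosting (implicit usings enabled).
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.AspNetCore.Authentication.OpenIdConnect;

var builder = WebApplication.CreateBuilder(args);

builder.Services
    .AddAuthentication(options =>
    {
        options.DefaultScheme = CookieAuthenticationDefaults.AuthenticationScheme;
        options.DefaultChallengeScheme = OpenIdConnectDefaults.AuthenticationScheme;
    })
    .AddCookie()
    .AddOpenIdConnect(options =>
    {
        // Assumed configuration keys; values come from the gateway's own settings.
        options.Authority = builder.Configuration["Oidc:Authority"];
        options.ClientId = builder.Configuration["Oidc:ClientId"];
        options.ClientSecret = builder.Configuration["Oidc:ClientSecret"];
        options.ResponseType = "code";
        options.CallbackPath = "/signin-oidc";
        // ProtocolValidator.RequireState and RequireStateValidation are left at
        // their defaults (true): the callback only accepts a response that
        // carries the state generated by the challenge below.
    });

var app = builder.Build();
app.UseAuthentication();

// FusionAuth redirects the browser here after the IdP-initiated SAML login.
app.MapGet("/signin-saml-oidc", async (HttpContext context) =>
{
    // The code, locale and userState query values are deliberately not read:
    // the code was not requested by this gateway, so it is never redeemed.
    // The user already has a FusionAuth session, so this challenge comes back
    // to /signin-oidc with a new code and the gateway-issued state.
    await context.ChallengeAsync(
        OpenIdConnectDefaults.AuthenticationScheme,
        // Fixed local landing path (assumption); not taken from the request.
        new AuthenticationProperties { RedirectUri = "/" });
});

app.Run();
```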