SAML IDP - message.State is null or empty
-
We are setting up Google as a SAML v2 IdP-initiated identity provider. The setup is working fine, and the SAML exchange is working & authenticated into FusionAuth.
Our API gateway (dotnet) is integrated into our FusionAuth via OIDC & when it redirects, it contains the code but is missing the state parameter (which I understand happens in a SAML IdP workflow, after reading the comments on GitHub).
The redirect back to our gateway for example is:
/signin-oidc?code=j6rOnUBViLU1kR5UA2eKK_UTzc-cO2auei53TJU9X8g&locale=en_US&userState=Authenticated
Our gateway throws the error:
OpenIdConnectAuthenticationHandler: message.State is null or empty.
We have tried to disable state validation (not ideal), but that does not work.
options.ProtocolValidator.RequireState = false;
options.ProtocolValidator.RequireStateValidation = false;
You can see that Auth0 provides a hacky workflow in their documentation. Just wondering how I can get this to work? Any ideas?
-
@tw Hmmm. Did you ever get this working?
A few thoughts:
- what version of FusionAuth are you running?
- have you turned on the debug switch and checked the event log? If so, can you share?
- This issue may be of interest: https://github.com/FusionAuth/fusionauth-issues/issues/1077
-
@dan figured out a workaround based off the Auth0 documentation.
I have added a new route in our API gateway as the callback URL in FusionAuth. This is the RelayState (or redirect_uri with the ACS) that we are providing for our IdP providers.
The route for example is now:
/signin-saml-oidc?code=j6rOnUBViLU1kR5UA2eKK_UTzc-cO2auei53TJU9X8g&locale=en_US&userState=Authenticated
In that route we just issue a ChallengeAsync, which redirects back to FusionAuth, which then redirects back to signin-oidc with the code and state parameters.
await this.HttpContext.ChallengeAsync();
Obviously this isn't ideal & adds another redirect in the flow, but it works as the user is authenticated in FusionAuth & our gateway triggered the challenge (so generating the state).
FusionAuth Version: 1.44.0
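The workaround above, written out as an added ASP.NET Core minimal-API gateway (example code, not the poster's or FusionAuth's own): state validation stays enabled, and the extra callback route re-enters the OIDC flow so the handler issues its own state. The route names, the FusionAuth configuration keys and the post-login landing page are assumptions.

```csharp
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.AspNetCore.Authentication.OpenIdConnect;

var builder = WebApplication.CreateBuilder(args);

builder.Services.AddAuthorization();
builder.Services
    .AddAuthentication(options =>
    {
        options.DefaultScheme = CookieAuthenticationDefaults.AuthenticationScheme;
        options.DefaultChallengeScheme = OpenIdConnectDefaults.AuthenticationScheme;
    })
    .AddCookie()
    .AddOpenIdConnect(options =>
    {
        // Assumed configuration keys; fill them with your FusionAuth application's values.
        options.Authority = builder.Configuration["FusionAuth:Authority"];
        options.ClientId = builder.Configuration["FusionAuth:ClientId"];
        options.ClientSecret = builder.Configuration["FusionAuth:ClientSecret"];
        options.ResponseType = "code";
        options.CallbackPath = "/signin-oidc"; // regular OIDC callback; state is validated here

        // Keep state validation on: state binds the callback to a request this gateway
        // started, which is what protects the login against CSRF. The thread also shows
        // that turning these off does not make the IdP-initiated redirect work anyway.
        options.ProtocolValidator.RequireState = true;
        options.ProtocolValidator.RequireStateValidation = true;
    });

var app = builder.Build();
app.UseAuthentication();
app.UseAuthorization();

// Register this path in FusionAuth as the redirect URL for the IdP-initiated SAML login.
// The code FusionAuth appends to it is deliberately ignored: no state was issued for it,
// so the OIDC handler cannot validate it. A fresh challenge starts a normal code flow.
app.MapGet("/signin-saml-oidc", async (HttpContext ctx) =>
{
    // The user already holds a FusionAuth session, so this round trip completes without
    // prompting and lands on /signin-oidc with both the code and a freshly generated state.
    var props = new AuthenticationProperties { RedirectUri = "/" };
    await ctx.ChallengeAsync(OpenIdConnectDefaults.AuthenticationScheme, props);
});

app.MapGet("/", (HttpContext ctx) => $"Signed in as {ctx.User.Identity?.Name}")
   .RequireAuthorization();

app.Run();
```

The cost is the extra redirect the poster mentions; the benefit is that the state check, and with it the CSRF protection on the login callback, never has to be switched off.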