Csrf_detected in SP initiated login

Hi there, I ran into this csrf_detected issue even though I have two almost identical SAML connections (using Auth0 as SP, Okta as SAML IDP), one is working fine, the other is hitting this csrf_detected failure after the browser complained too many redirections (https://xxx.auth0.com/authorize?xxx). And yes, the failing one is calling ‘/auth/auth0/callback?code=xxx&state=yyyy’ with invalid ‘state’ token. The behavior is similar to IDP initiated login though it’s a SP initiated login.

Both SAML connections are talking to Okta as IDP. Both Auth0’s log and Okta’s system log show successful logins, though browser complained too many redirections and application log shows Started GET “/auth/failure?message=csrf_detected&strategy=auth0”

What would be a likely cause and what direction should I look?

Thanks in advance.

If you haven’t done so already you should capture and HTTP trace (browser network tools) for a login attempt to each connection. You should capture each attempt in a new Incognito session so that you start with the same clean slate for both.

Upon capturing the traces, reviewing them step by step while comparing URL domains being visited, cookies being set and/or sent to each request may give you a hint of what’s going on.

In addition, given you say you have a too many redirections issue as well which may be masking or making it more difficult to review the original problem I would check if your system has any logic that automatically starts a new login request upon failing to process an authentication response. Ideally, an application should not automatically start a new login request when an error occurred processing a previous authentication response as the issue may be specific to the application itself and as such initiating a new login is mostly asking for a redirect loop.

thanks! got some HTTP traces, so I will be analyzing them.