Set our SAML Assertion Consumer Service URL as the “Application Callback URL”
Usage > Identity Provider Metadata > Download
Convert xml metadata to php config for SimpleSAMLphp
We end up getting a response that’s got no InResponseTo in the XML here:
This results in the response being processed as “unsolicited” (which I believe should only happen when the IdP initiated the auth - i.e. not this case).
Trying to handle the unsolicited response we end up with SimpleSAMLphp effectively redirecting to the RelayState parameter as a path roughly here:
This results in a 404 - aside from the 404 the auth actually works correctly. As far as I can tell the RelayState is optional but is meant to be a URL so I wouldn’t mind understanding what’s going wrong here, but I think at this stage it’s more important to get the responses being “solicited” as that’s the more common case and I don’t think we can redirect back to a sensible place in the app without that.
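To make the InResponseTo distinction concrete, here is an added example (not SimpleSAMLphp code and not from this thread) of the check an SP performs before accepting a Response: a Response with no InResponseTo is unsolicited, one that names a request the SP never issued (or already consumed) is rejected, and RelayState is only followed when it is an https URL on an allowlisted host. The XML, request id `_req-1234` and host `app.example.com` are constructed for the example.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

SAMLP_NS = "urn:oasis:names:tc:SAML:2.0:protocol"

# Constructed: hosts this SP is willing to send the browser to after login.
ALLOWED_RELAY_HOSTS = {"app.example.com"}


def classify_response(xml_text, outstanding_request_ids):
    """Return 'solicited', 'unsolicited' or 'rejected' for a samlp:Response.

    outstanding_request_ids is the set of AuthnRequest IDs this SP issued and
    has not yet seen a Response for; a matching id is consumed so the same
    Response cannot be accepted twice. (Production code should parse with a
    hardened XML parser such as defusedxml; the stdlib parser is used here
    only to keep the example self-contained.)
    """
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}Response" % SAMLP_NS:
        return "rejected"                       # not a SAML 2.0 Response at all
    in_response_to = root.get("InResponseTo")
    if in_response_to is None:
        return "unsolicited"                    # IdP-initiated: nothing to bind to
    if in_response_to not in outstanding_request_ids:
        return "rejected"                       # unknown, replayed or forged request id
    outstanding_request_ids.discard(in_response_to)  # one-time use
    return "solicited"


def safe_relay_state(relay_state):
    """Return RelayState as a redirect target, or None if it must not be followed."""
    if not relay_state:
        return None
    parsed = urlparse(relay_state)
    if parsed.scheme != "https" or parsed.netloc not in ALLOWED_RELAY_HOSTS:
        return None                             # bare path or foreign host: refuse
    return relay_state


# Constructed minimal Responses (signature/assertion omitted for brevity).
RESP_SOLICITED = ('<samlp:Response xmlns:samlp="%s" ID="_r1" '
                  'InResponseTo="_req-1234"/>' % SAMLP_NS)
RESP_NO_IRT = '<samlp:Response xmlns:samlp="%s" ID="_r2"/>' % SAMLP_NS
RESP_UNKNOWN = ('<samlp:Response xmlns:samlp="%s" ID="_r3" '
                'InResponseTo="_req-9999"/>' % SAMLP_NS)

if __name__ == "__main__":
    print(classify_response(RESP_SOLICITED, {"_req-1234"}))   # solicited
    print(classify_response(RESP_NO_IRT, {"_req-1234"}))      # unsolicited
    print(safe_relay_state("/dashboard"))                     # None
```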
Hey there @neerolyte, I’d love to help you track this down. When you get a free minute can you DM me your tenant name please so we can continue to investigate what may be occurring? Thanks in advance!
I’ve PM’d you @James.Morrison, thanks but I’ll also share here that I’ve since set up an independent install of SimpleSAMLphp as a SP and it works fine (even with the unsolicited SAMLResponse) - so it’s something weird about how we’re embedding the code in our app.
I’ll keep trying to track down where the process differs between the embedded and standalone version for now.