How to get rid of Warning message: Could not load state specified by InResponseTo


Clay Li

Sep 24, 2020, 1:32:43 PM
to SimpleSAMLphp
We use simplesamlphp for authentication in our app. Both the web app and simplesaml reside on the same web server and use the same domain. The integration works: a) the user gets redirected to an external IdP; b) the user is logged in after being authenticated. However, a warning message is shown in the simplesaml log:
1. The trackId changed: before the call to IdP: 10ddb6280a; after call to IdP: 98419cf8e3
2. The warning may be caused by the change of trackId (sessions)
3. Looks like the session was recreated after auth-redirect from IdP
4. The user is logged into web app successfully.
5. The issue has been discussed previously (see https://groups.google.com/g/simplesamlphp/c/S0CYpHsVfGQ/m/IkhMWJv-AAAJ)

Sep 24 12:03:06 simplesamlphp DEBUG [10ddb6280a] Sending SAML 2 AuthnRequest to 'https://idp.ssocircle.com'
Sep 24 12:03:06 simplesamlphp DEBUG [10ddb6280a] Redirect to 734 byte URL: https://idp.ssocircle.com:443/...
Sep 24 12:03:55 simplesamlphp DEBUG [98419cf8e3] Loading state: '_9b12792c34617c9f447cb025c75916c705cdc401d3'
Sep 24 12:03:55 simplesamlphp WARNING [98419cf8e3] Could not load state specified by InResponseTo: NOSTATE Processing response as unsolicited.
Sep 24 12:03:55 simplesamlphp DEBUG [98419cf8e3] Received SAML2 Response from 'https://idp.ssocircle.com'.
Sep 24 12:03:55 simplesamlphp DEBUG [98419cf8e3] Has 1 candidate keys for validation.
Sep 24 12:03:55 simplesamlphp DEBUG [98419cf8e3] Validation with key #0 failed without exception.
Sep 24 12:03:55 simplesamlphp DEBUG [98419cf8e3] Has 1 candidate keys for validation.
Sep 24 12:03:55 simplesamlphp DEBUG [98419cf8e3] Validation with key #0 succeeded.
Sep 24 12:03:55 simplesamlphp DEBUG [98419cf8e3] Filter config for https://idp.ssocircle.com->http://192.168.0.14/simplesaml/module.php/saml/sp/metadata.php/default-sp: array (  0 =>   SimpleSAML\Module\core\Auth\Process\LanguageAdaptor::__set_state(array(     'langattr' => 'preferredLanguage',     'priority' => 90,  )),)
Sep 24 12:03:55 simplesamlphp DEBUG [98419cf8e3] Session: doLogin("default-sp")
Sep 24 12:03:55 simplesamlphp DEBUG [98419cf8e3] Session: Valid session found with 'default-sp'.
Sep 24 12:03:55 simplesamlphp DEBUG [98419cf8e3] Session: Valid session found with 'default-sp'.
Sep 24 12:03:55 simplesamlphp DEBUG [98419cf8e3] Session: Valid session found with 'default-sp'.
Sep 24 12:03:55 simplesamlphp DEBUG [98419cf8e3] Session: Valid session found with 'default-sp'.

Does anyone have insights on getting rid of the warning message?

Clay Li

Sep 24, 2020, 3:42:15 PM
to SimpleSAMLphp
The warning message above happens with the Chrome browser. Running the login from Firefox, the warning does not show. However, a prompt is shown by the IdP when the login is authenticated: "the authentication request will be sent via an unsecured http request, do you want to continue?"

Answering "Yes", the login is successful and there is no warning message. Answering "No", the IdP will not redirect the auth-request back.
This is expected since my local web server is not using https.

The odd thing is that the warning message is gone. It seems to have to do with Chrome.

Clay Li

Sep 24, 2020, 3:46:53 PM
to SimpleSAMLphp
Using the Microsoft Edge browser, there is no prompt dialog (the warning about not using https), and the login flow is successful according to the simplesaml log. The warning message does not show.

So, it seems to have to do with how Chrome handles the php-session of simplesamlphp.

Clay Li

Sep 24, 2020, 3:51:12 PM
to SimpleSAMLphp
Running from Safari, I got the prompt dialog (as in Firefox above), and the login flow is successful, without the warning message seen in Chrome.

It is interesting how Chrome is causing the issue, while other browsers do not.

Clay Li

Sep 24, 2020, 5:52:24 PM
to SimpleSAMLphp
The same behavior above has been confirmed with HTTPS.
Since it works with other browsers (Firefox, Safari and Edge), the culprit seems to be Chrome. Any ideas what else to look at?

pat...@cirrusidentity.com

Sep 24, 2020, 7:04:26 PM
to SimpleSAMLphp
Is your SSP session cookie (default name is SimpleSAMLSessionID) getting sent when the IdP does the POST redirect back to your web app?

pat...@cirrusidentity.com

Sep 24, 2020, 7:11:33 PM
to SimpleSAMLphp
I think you are encountering Chrome Same-Site behavior. See https://www.chromium.org/updates/same-site/faq
You can address one part of the Same-Site option by viewing some of the PR comments in https://github.com/simplesamlphp/simplesamlphp/pull/1153#issuecomment-566381258
Your second issue is that Chrome doesn't send cross site cookies to non-secure sites. See https://www.chromium.org/updates/same-site/faq which also describes how to adjust your Chrome options if you need to send to a non-secure site.

- Patrick
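The Chrome behaviour Patrick describes, written out as an added illustrative model (this is not SimpleSAMLphp code and not Patrick's; the Cookie and Request classes, the "Lax-by-default" rule and the 120-second "Lax + POST" grace period are assumptions about Chrome 80+ taken from the Chromium SameSite FAQ linked above, and the cookie name SimpleSAMLSessionID is the default Patrick mentions). The IdP returning the SAMLResponse is a top-level cross-site POST to the SP, so the function shows which cookie settings let the session cookie ride along, and therefore whether the stored AuthnRequest state for InResponseTo can be found:

```python
"""Model of Chrome's SameSite cookie rules applied to the SAML HTTP-POST binding."""
from dataclasses import dataclass
from typing import Optional

# Chrome's temporary "Lax + POST" exception (assumption from the Chromium FAQ): a cookie
# carrying no SameSite attribute is still sent on a top-level cross-site POST if it is
# less than 2 minutes old.
LAX_POST_GRACE_SECONDS = 120


@dataclass
class Cookie:
    name: str
    samesite: Optional[str] = None  # "Strict", "Lax", "None", or None when the attribute is absent
    secure: bool = False            # Secure attribute set on the cookie
    age_seconds: float = 0.0        # seconds since the cookie was set


@dataclass
class Request:
    scheme: str             # "http" or "https" of the request target (the SP)
    method: str             # "GET" or "POST"
    cross_site: bool        # initiator (the IdP) is a different site than the target (the SP)
    top_level: bool = True  # a navigation, as opposed to a subresource or XHR request


def cookie_attached(cookie: Cookie, req: Request) -> bool:
    """Return True if a Chrome 80+ style SameSite policy would attach `cookie` to `req`."""
    if not req.cross_site:
        return True  # SameSite never restricts same-site requests

    policy = cookie.samesite.lower() if cookie.samesite else None
    if policy is None:
        # Lax-by-default, softened by the Lax + POST grace period for fresh cookies.
        if req.top_level and req.method == "POST" and cookie.age_seconds < LAX_POST_GRACE_SECONDS:
            return True
        policy = "lax"
    if policy == "strict":
        return False
    if policy == "lax":
        return req.top_level and req.method == "GET"
    if policy == "none":
        # SameSite=None is only honoured together with Secure, and a Secure cookie
        # is never sent to a plain-http origin, so a non-https SP gets nothing.
        return cookie.secure and req.scheme == "https"
    raise ValueError(f"unknown SameSite value {cookie.samesite!r}")


def acs_outcome(cookie: Cookie, sp_scheme: str) -> str:
    """What the SP's assertion consumer service sees when the IdP POSTs the SAMLResponse back."""
    req = Request(scheme=sp_scheme, method="POST", cross_site=True, top_level=True)
    if cookie_attached(cookie, req):
        return "state loaded: InResponseTo matched to the stored AuthnRequest"
    return "NOSTATE: no session cookie, response processed as unsolicited"


if __name__ == "__main__":
    # Constructed scenarios mirroring the thread: no SameSite attribute over http (the original
    # log), SameSite=None with and without Secure over https, and SameSite=None over http.
    scenarios = [
        ("default cookie, 5 min old, http SP", Cookie("SimpleSAMLSessionID", age_seconds=300), "http"),
        ("default cookie, 1 min old, http SP", Cookie("SimpleSAMLSessionID", age_seconds=60), "http"),
        ("SameSite=None + Secure, https SP", Cookie("SimpleSAMLSessionID", "None", True), "https"),
        ("SameSite=None without Secure, https SP", Cookie("SimpleSAMLSessionID", "None", False), "https"),
        ("SameSite=None + Secure, http SP", Cookie("SimpleSAMLSessionID", "None", True), "http"),
    ]
    for label, cookie, scheme in scenarios:
        print(f"{label:42} -> {acs_outcome(cookie, scheme)}")
```

The second scenario is why the warning can come and go between runs: a session cookie younger than two minutes still rides on the POST, an older one does not. The last three show that `SameSite=None` only helps when the cookie is also `Secure` and the SP itself is served over https.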

Clay Li

Sep 25, 2020, 6:59:43 PM
to SimpleSAMLphp
No, when the IdP redirects back to the SP, "SimpleSAML" was not included in the request header.

Clay Li

Sep 25, 2020, 7:27:01 PM
to SimpleSAMLphp
Thanks Patrick for the pointers. Unfortunately, I tried to set the samesite to "None" in config.php, but got a loop of errors and the login is blocked.

<     'session.cookie.samesite' => 'None',
---
>     'session.cookie.samesite' => null,
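Review bot: setting 'session.cookie.samesite' => 'None' on its own is not enough, because browsers only accept a SameSite=None cookie that also carries the Secure attribute; the change should be paired with 'session.cookie.secure' => true in the same config.php so the session cookie is actually stored by Chrome on the https test site described below. If the cookie is rejected at set time, every request starts a fresh session, which is consistent with the looping "Invalid AuthToken cookie" messages that follow.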

In the looping messages, a new cookie is created each time. The test was for a site with https and baseurlpath configured, simplesamlphp-1.18.4.
Sep 25 19:18:15 [d5663c3faf] Invalid AuthToken cookie.
Sep 25 19:18:15 [f6ce11fba5] Invalid AuthToken cookie.
Sep 25 19:18:16 [e30b36aff1] Invalid AuthToken cookie.
Sep 25 19:18:16 [0a4aa291c2] Invalid AuthToken cookie.

Clay Li

Sep 25, 2020, 7:29:44 PM
to SimpleSAMLphp
The test was with Chrome 85, PHP version 7.2.24.