SAML IDP Initiated Login

This was a Firefox thing for me.

I dug a little deeper, and it turned out to be a really odd interaction with Container tabs in Firefox. I was opening https://sonar.example.com/sessions/init/saml?return_to=%2F in a non-Container tab, but my SAML IdP domain was set to always open in my Work Container. As a result it lost the OAUTHSTATE cookie set by /sessions/init/saml after it went to load the IdP.

The flow is like this:

  1. (no Container) visit https://sonar.example.com/sessions/init/saml?return_to=%2F
  2. (no Container) load response (including OAUTHSTATE cookie) and redirect to IdP URL with SAMLRequest
  3. (Work Container) IdP URL is set to always open in the Work Container so browser loads it here
  4. (Work Container) load response and redirect to https://sonar.example.com/oauth2/callback/saml (with no OAUTHSTATE cookie)
  5. (Work Container) redirect to OAUTHSTATE cookie missing error page

The fix is to set the sonar.example.com domain and the IdP domain to open in the same Container (in my case, Work). It also works if neither Sonar nor the IdP domain is set to use Container tabs. I tried with distinct Container tabs and it doesn’t work.
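The five-step flow above, as an added example that is not code from this post or from SonarQube: a small Python model of the SP-side state check, where each Firefox Container is modelled as its own cookie jar (a dict). The IdP URL https://idp.example.com/sso, the placeholder SAMLRequest/SAMLResponse strings, the hashed-state scheme and the exact error text are assumptions for illustration; the real SonarQube implementation is not reproduced here.

```python
import hashlib
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed model of the SP-side OAUTHSTATE check; not SonarQube's own code.
COOKIE_NAME = "OAUTHSTATE"
IDP_SSO = "https://idp.example.com/sso"  # assumed IdP single sign-on URL
ACS_URL = "https://sonar.example.com/oauth2/callback/saml"


class StateCookieMissing(Exception):
    """Raised when the callback arrives with no OAUTHSTATE cookie (step 5 in the post)."""


class StateMismatch(Exception):
    """Raised when the cookie exists but does not match the RelayState sent back by the IdP."""


def sp_init_saml(cookie_jar: dict, return_to: str = "/") -> str:
    """Steps 1-2: generate a random state, store its hash in the OAUTHSTATE cookie of
    the cookie jar the request came from, and redirect to the IdP with RelayState=state."""
    state = secrets.token_urlsafe(32)
    cookie_jar[COOKIE_NAME] = hashlib.sha256(state.encode()).hexdigest()  # assumed hashed-state scheme
    params = {"SAMLRequest": "<AuthnRequest placeholder>", "RelayState": state}
    return IDP_SSO + "?" + urlencode(params)


def idp_respond(idp_redirect_url: str) -> dict:
    """Steps 3-4: the IdP authenticates the user and posts a SAMLResponse to the ACS,
    echoing RelayState unchanged. Which Container loads this page decides which jar the
    browser will attach to the callback."""
    query = parse_qs(urlparse(idp_redirect_url).query)
    return {"SAMLResponse": "<Response placeholder>", "RelayState": query["RelayState"][0]}


def sp_callback(cookie_jar: dict, form: dict) -> str:
    """Steps 4-5: verify RelayState against the cookie in the jar the callback arrived with."""
    stored = cookie_jar.get(COOKIE_NAME)
    if stored is None:
        raise StateCookieMissing(f"Cookie '{COOKIE_NAME}' is missing")  # assumed error text
    presented = hashlib.sha256(form["RelayState"].encode()).hexdigest()
    if not secrets.compare_digest(stored, presented):
        raise StateMismatch("RelayState does not match OAUTHSTATE cookie")
    del cookie_jar[COOKIE_NAME]  # state is single-use
    return "authenticated"


def run_flow(init_jar: dict, callback_jar: dict) -> str:
    """Drive the whole flow: init_jar is the jar of the tab that opened /sessions/init/saml,
    callback_jar is the jar of the tab that loads the IdP and follows its redirect to the ACS."""
    redirect = sp_init_saml(init_jar)
    form = idp_respond(redirect)
    try:
        return sp_callback(callback_jar, form)
    except StateCookieMissing as exc:
        return f"error: {exc}"


if __name__ == "__main__":
    same_container = {}
    print(run_flow(same_container, same_container))
    no_container, work_container = {}, {}  # two Containers = two separate cookie jars
    print(run_flow(no_container, work_container))
```

Running it shows the two outcomes described in the post: with one jar for both steps the callback succeeds, with the IdP forced into a different Container the callback jar never saw the cookie and the SP reports it missing. A jar that holds a cookie from an earlier, unrelated login attempt fails with a mismatch instead, which is the CSRF case the state check exists for.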