Description
Describe the bug
SAML-tracer-export-2025-06-18T02_29_31.504Z.json
Based on the analysis of the attached SAML-tracer file, the login attempt failed because the Identity Provider (IdP), `obfy0n.logto.app`, did not return the `RelayState` parameter to the Service Provider (SP), `auth.services.adobe.com`, after the user successfully authenticated.

Here is a step-by-step breakdown of the authentication flow and the point of failure:

- Initiation (SP-initiated flow): The process begins with the user attempting to log in to Adobe (the Service Provider). Adobe's system identifies that the user's domain (`linshi.licsso.com`) is configured for federated login (SAML).
- SAML Request: Adobe (SP) constructs a SAML authentication request and redirects the user's browser to the Logto Identity Provider (IdP). This can be seen in request `22660`, which contains a `SAMLRequest` payload. This request also includes a `RelayState` parameter, which is a value the SP uses to maintain the session state and prevent cross-site request forgery (CSRF) attacks.
- Authentication at IdP: The user is redirected to the Logto IdP (`obfy0n.logto.app`) and successfully authenticates with their credentials (`ming@linshi.licsso.com`). The successful authentication is confirmed by a series of successful API calls to the IdP, culminating in a redirect to generate the SAML response.
- SAML Response: The Logto IdP generates a `SAMLResponse` indicating a successful login (`<samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>`). This response is then sent back to Adobe's Assertion Consumer Service (ACS) URL via the user's browser in request `22687`.
- Point of failure: The crucial failure occurs at this final step. While the IdP sent a successful `SAMLResponse`, it omitted the `RelayState` parameter in its response to Adobe. The POST request to Adobe's ACS URL only contains the `SAMLResponse` data, but not the `RelayState` that Adobe originally sent.
- Error at Service Provider: Because the `RelayState` is missing, Adobe's service cannot verify the integrity of the login session. As a security measure, it aborts the login process and redirects the user to an error page: `https://auth.services.adobe.com/en_US/index.html#/error/state_not_provided`.

In conclusion, the SAML login failed not because of incorrect credentials or a problem with the SAML assertion itself, but due to a misconfiguration or implementation issue on the Identity Provider's side, which failed to return the required `RelayState` parameter to the Service Provider.
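To make the SP-side check concrete, here is an added example (not Logto's or Adobe's code) that models what an Assertion Consumer Service does with the fields of the POST described above. The `ServiceProvider` class, the minimal `SAMLResponse` document, the `simulate` helper and the `error/...` result strings are all constructed for this illustration; it only checks the `RelayState` bookkeeping and the `samlp:StatusCode`, and deliberately leaves out signature and assertion validation, which a real ACS performs as well.

```python
import base64
import secrets
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs, urlencode

SAMLP_NS = "urn:oasis:names:tc:SAML:2.0:protocol"
STATUS_SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"


class ServiceProvider:
    """Hypothetical SP: tracks the RelayState it issued with each AuthnRequest."""

    def __init__(self):
        self._pending = set()

    def start_login(self):
        # RelayState is issued with the SAMLRequest; the IdP must echo it back
        # unchanged so the SP can tie the response to a login it actually started.
        relay_state = secrets.token_urlsafe(16)
        self._pending.add(relay_state)
        return relay_state

    def consume(self, acs_form_body):
        """Process the application/x-www-form-urlencoded body POSTed to the ACS URL."""
        fields = parse_qs(acs_form_body)  # empty values are dropped, i.e. treated as absent
        if "SAMLResponse" not in fields:
            return "error/no_response"
        relay_state = fields.get("RelayState", [None])[0]
        if relay_state is None:
            # Mirrors the behaviour in the report: no RelayState, login aborted.
            return "error/state_not_provided"
        if relay_state not in self._pending:
            return "error/state_unknown"
        self._pending.discard(relay_state)  # one-time use, blocks replay
        xml_bytes = base64.b64decode(fields["SAMLResponse"][0])
        root = ET.fromstring(xml_bytes)
        status = root.find(f".//{{{SAMLP_NS}}}StatusCode")
        if status is None or status.get("Value") != STATUS_SUCCESS:
            return "error/status_not_success"
        return "ok"


def make_saml_response(success=True):
    """Constructed minimal samlp:Response carrying only a StatusCode."""
    value = STATUS_SUCCESS if success else "urn:oasis:names:tc:SAML:2.0:status:Requester"
    xml = (
        f'<samlp:Response xmlns:samlp="{SAMLP_NS}" ID="_constructed" Version="2.0">'
        f'<samlp:Status><samlp:StatusCode Value="{value}"/></samlp:Status>'
        f"</samlp:Response>"
    )
    return base64.b64encode(xml.encode()).decode()


def simulate(idp_echoes_relay_state, success=True):
    """Run one SP-initiated login and return the SP's verdict."""
    sp = ServiceProvider()
    relay_state = sp.start_login()  # goes out with the SAMLRequest
    form = {"SAMLResponse": make_saml_response(success)}
    if idp_echoes_relay_state:
        form["RelayState"] = relay_state  # correct IdP behaviour
    return sp.consume(urlencode(form))  # what the browser POSTs to the ACS


if __name__ == "__main__":
    print("IdP echoes RelayState:", simulate(True))    # ok
    print("IdP drops RelayState: ", simulate(False))   # error/state_not_provided
```

Running the script shows the two outcomes side by side: the same successful `SAMLResponse` is accepted when `RelayState` is echoed and rejected with `state_not_provided` when it is dropped, which is exactly the failure visible in request `22687` of the trace.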
Expected behavior
Logto's response should contain `RelayState`.
How to reproduce?
Configure Logto as the SAML IdP for Adobe.
Environment
Logto Cloud
Screenshots
No response