
Received AuthN response without a SATOSA session cookie

Open gabrc52 opened this issue 10 months ago • 11 comments

Some of my users are getting this error and are unable to login. I'm using SATOSA as a SAML to OpenID Connect proxy.

Feb 23 23:18:44 petrock gunicorn[1243483]: [2025-02-23 23:18:44,495] [DEBUG] [satosa.proxy_server.unpack_post] unpack_post:: {'SAMLResponse': '[skipped for brevity of pasting the logs]', 'RelayState': 'u8RVcK4I8QK8aXGK'}
Feb 23 23:18:44 petrock gunicorn[1243483]: [2025-02-23 23:18:44,497] [DEBUG] [satosa.proxy_server.unpack_request] read request data: {'SAMLResponse': '[skipped]', 'RelayState': 'u8RVcK4I8QK8aXGK'}, 'query_params': {}, 'http_headers': {'HTTP_HOST': 'localhost:9999', 'HTTP_CONNECTION': 'close', 'HTTP_USER_AGENT': 'Mozilla/5.0 (X11; Linux x86_64; rv:134.0) Gecko/20100101 Firefox/134.0', 'HTTP_ACCEPT': 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8', 'HTTP_ACCEPT_LANGUAGE': 'en-US,en;q=0.5', 'HTTP_ACCEPT_ENCODING': 'gzip, deflate, br, zstd', 'HTTP_REFERER': 'https://okta.mit.edu/', 'HTTP_ORIGIN': 'https://okta.mit.edu', 'HTTP_COOKIE': ' _ga=GA1.2.1928801700.1729147367; _ga_R8TSBG6RMB=GS1.2.1732681261.9.0.1732681261.0.0.0; _hp2_props.3001039959=%7B%22Base.appName%22%3A%22Canvas%22%7D; _hp2_id.3001039959=%7B%22userId%22%3A%221983360643078916%22%2C%22pageviewId%22%3A%223955185603060480%22%2C%22sessionId%22%3A%228931659374261705%22%2C%22identity%22%3A%22uu-2-5a0e735754e31e6ed65568a25e701585be775f569195ef1217259a52be65da93-aBnMizi0Az3KJzfw5YssKxIjtQMk0eN5LLbvPCDn%22%2C%22trackerVersion%22%3A%224.0%22%2C%22identityField%22%3Anull%2C%22isIdentified%22%3A1%7D; _ga_RWD7VEM8GR=GS1.2.1729806969.1.0.1729806969.0.0.0; _ga_TFJ43DV753=GS1.1.1731718030.1.1.1731718941.0.0.0', 'HTTP_UPGRADE_INSECURE_REQUESTS': '1', 'HTTP_SEC_FETCH_DEST': 'document', 'HTTP_SEC_FETCH_MODE': 'navigate', 'HTTP_SEC_FETCH_SITE': 'same-site', 'HTTP_PRIORITY': 'u=0, i', 'REMOTE_ADDR': '127.0.0.1', 'REMOTE_PORT': '55038'}, 'server_headers': {'SERVER_SOFTWARE': 'gunicorn/21.2.0', 'SERVER_PROTOCOL': 'HTTP/1.0', 'SERVER_NAME': '0.0.0.0', 'SERVER_PORT': '9999'}}
Feb 23 23:18:44 petrock gunicorn[1243483]: [2025-02-23 23:18:44,503] [DEBUG] [satosa.base._load_state] [urn:uuid:87a5b3ab-7b36-45b8-a4d5-8e4f86a0d10d] Loaded state {'SESSION_ID': 'urn:uuid:87a5b3ab-7b36-45b8-a4d5-8e4f86a0d10d'} from cookie  _ga=GA1.2.1928801700.1729147367; _ga_R8TSBG6RMB=GS1.2.1732681261.9.0.1732681261.0.0.0; _hp2_props.3001039959=%7B%22Base.appName%22%3A%22Canvas%22%7D; _hp2_id.3001039959=%7B%22userId%22%3A%221983360643078916%22%2C%22pageviewId%22%3A%223955185603060480%22%2C%22sessionId%22%3A%228931659374261705%22%2C%22identity%22%3A%22uu-2-5a0e735754e31e6ed65568a25e701585be775f569195ef1217259a52be65da93-aBnMizi0Az3KJzfw5YssKxIjtQMk0eN5LLbvPCDn%22%2C%22trackerVersion%22%3A%224.0%22%2C%22identityField%22%3Anull%2C%22isIdentified%22%3A1%7D; _ga_RWD7VEM8GR=GS1.2.1729806969.1.0.1729806969.0.0.0; _ga_TFJ43DV753=GS1.1.1731718030.1.1.1731718941.0.0.0
Feb 23 23:18:44 petrock gunicorn[1243483]: [2025-02-23 23:18:44,504] [DEBUG] [satosa.routing.endpoint_routing] [urn:uuid:87a5b3ab-7b36-45b8-a4d5-8e4f86a0d10d] Routing path: touchstone/acs/post
Feb 23 23:18:44 petrock gunicorn[1243483]: [2025-02-23 23:18:44,505] [DEBUG] [satosa.routing._find_registered_endpoint_for_module] [urn:uuid:87a5b3ab-7b36-45b8-a4d5-8e4f86a0d10d] Found registered endpoint: module name:'touchstone', endpoint: touchstone/acs/post
Feb 23 23:18:44 petrock gunicorn[1243483]: [2025-02-23 23:18:44,506] [INFO] [satosa.backends.saml2.authn_response] [urn:uuid:87a5b3ab-7b36-45b8-a4d5-8e4f86a0d10d] {'message': 'Authentication failed', 'error': 'Received AuthN response without a SATOSA session cookie'}
Feb 23 23:18:44 petrock gunicorn[1243483]: [2025-02-23 23:18:44,507] [ERROR] [satosa.base.run] [urn:uuid:87a5b3ab-7b36-45b8-a4d5-8e4f86a0d10d] {'message': 'Missing SATOSA State', 'error': "{'message': 'Authentication failed', 'error': 'Received AuthN response without a SATOSA session cookie'}", 'error_id': 'urn:uuid:d5331036-2abb-496c-85c8-17b34568f09f'}
Feb 23 23:18:44 petrock gunicorn[1243483]: [2025-02-23 23:18:44,508] [ERROR] [satosa.proxy_server.__call__] {'message': 'Authentication failed', 'error': 'Received AuthN response without a SATOSA session cookie'}
Feb 23 23:18:44 petrock gunicorn[1243483]: Traceback (most recent call last):
Feb 23 23:18:44 petrock gunicorn[1243483]:   File "/home/oidc/.local/lib/python3.10/site-packages/satosa/proxy_server.py", line 160, in __call__
Feb 23 23:18:44 petrock gunicorn[1243483]:     resp = self.run(context)
Feb 23 23:18:44 petrock gunicorn[1243483]:   File "/home/oidc/.local/lib/python3.10/site-packages/satosa/base.py", line 268, in run
Feb 23 23:18:44 petrock gunicorn[1243483]:     resp = self._run_bound_endpoint(context, spec)
Feb 23 23:18:44 petrock gunicorn[1243483]:   File "/home/oidc/.local/lib/python3.10/site-packages/satosa/base.py", line 193, in _run_bound_endpoint
Feb 23 23:18:44 petrock gunicorn[1243483]:     return spec(context)
Feb 23 23:18:44 petrock gunicorn[1243483]:   File "/home/oidc/.local/lib/python3.10/site-packages/satosa/backends/saml2.py", line 419, in authn_response
Feb 23 23:18:44 petrock gunicorn[1243483]:     raise SATOSAMissingStateError(msg)
Feb 23 23:18:44 petrock gunicorn[1243483]: satosa.exception.SATOSAMissingStateError: {'message': 'Authentication failed', 'error': 'Received AuthN response without a SATOSA session cookie'}
Feb 24 00:02:09 petrock gunicorn[1243483]: [2025-02-24 00:02:09,300] [DEBUG] [satosa.proxy_server.unpack_request] read request data: {}
Feb 24 00:02:09 petrock gunicorn[1243483]: [2025-02-24 00:02:09,302] [DEBUG] [satosa.proxy_server.__call__] {'message': 'Proxy server received request', 'request_method': 'GET', 'request_uri': None, 'content_length': 0, 'request_data': {}, 'query_params': {}, 'http_headers': {'HTTP_HOST': 'localhost:9999', 'HTTP_CONNECTION': 'close', 'HTTP_ACCEPT': 'application/json', 'HTTP_USER_AGENT': 'openid-client/5.7.0 (https://github.com/panva/node-openid-client)', 'HTTP_ACCEPT_ENCODING': 'identity', 'REMOTE_ADDR': '127.0.0.1', 'REMOTE_PORT': '43170', 'HTTP_COOKIE': ''}, 'server_headers': {'SERVER_SOFTWARE': 'gunicorn/21.2.0', 'SERVER_PROTOCOL': 'HTTP/1.0', 'SERVER_NAME': '0.0.0.0', 'SERVER_PORT': '9999'}}
Feb 24 00:02:09 petrock gunicorn[1243483]: [2025-02-24 00:02:09,303] [DEBUG] [satosa.base._load_state] [urn:uuid:a5dfb666-d16b-4211-a207-e12fa0316c13] Loaded state {'SESSION_ID': 'urn:uuid:a5dfb666-d16b-4211-a207-e12fa0316c13'} from cookie
Feb 24 00:02:09 petrock gunicorn[1243483]: [2025-02-24 00:02:09,304] [DEBUG] [satosa.routing.endpoint_routing] [urn:uuid:a5dfb666-d16b-4211-a207-e12fa0316c13] Routing path: .well-known/openid-configuration
Feb 24 00:02:09 petrock gunicorn[1243483]: [2025-02-24 00:02:09,305] [DEBUG] [satosa.routing.endpoint_routing] [urn:uuid:a5dfb666-d16b-4211-a207-e12fa0316c13] Unknown backend .well-known
Feb 24 00:02:09 petrock gunicorn[1243483]: [2025-02-24 00:02:09,306] [DEBUG] [satosa.routing._find_registered_endpoint_for_module] [urn:uuid:a5dfb666-d16b-4211-a207-e12fa0316c13] Found registered endpoint: module name:'oidc', endpoint: .well-known/openid-configuration
Feb 24 00:02:09 petrock gunicorn[1243483]: [2025-02-24 00:02:09,378] [DEBUG] [satosa.state.state_to_cookie] [urn:uuid:a5dfb666-d16b-4211-a207-e12fa0316c13] Saved state in cookie SATOSA_STATE with properties [('expires', ''), ('path', '/'), ('comment', ''), ('domain', ''), ('max-age', ''), ('secure', True), ('httponly', ''), ('version', ''), ('samesite', 'None')]
Feb 24 00:02:09 petrock gunicorn[1243483]: [2025-02-24 00:02:09,645] [DEBUG] [satosa.proxy_server.unpack_request] read request data: {'client_id': 'IJBCPLseBy1l', 'scope': 'openid email profile', 'response_type': 'code', 'redirect_uri': 'https://opengrades.mit.edu/api/auth/callback/mit-oidc', 'state': 'KcJLZUZiovnvbkJKCs6j_7ueNmmUi_d7-EqrYxwKYMs'}
Feb 24 00:02:09 petrock gunicorn[1243483]: [2025-02-24 00:02:09,646] [DEBUG] [satosa.proxy_server.__call__] {'message': 'Proxy server received request', 'request_method': 'GET', 'request_uri': None, 'content_length': 0, 'request_data': {'client_id': 'IJBCPLseBy1l', 'scope': 'openid email profile', 'response_type': 'code', 'redirect_uri': 'https://opengrades.mit.edu/api/auth/callback/mit-oidc', 'state': 'KcJLZUZiovnvbkJKCs6j_7ueNmmUi_d7-EqrYxwKYMs'}, 'query_params': {'client_id': 'IJBCPLseBy1l', 'scope': 'openid email profile', 'response_type': 'code', 'redirect_uri': 'https://opengrades.mit.edu/api/auth/callback/mit-oidc', 'state': 'KcJLZUZiovnvbkJKCs6j_7ueNmmUi_d7-EqrYxwKYMs'}, 'http_headers': {'HTTP_HOST': 'localhost:9999', 'HTTP_CONNECTION': 'close', 'HTTP_CACHE_CONTROL': 'max-age=0', 'HTTP_UPGRADE_INSECURE_REQUESTS': '1', 'HTTP_USER_AGENT': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/133.0.0.0 Safari/537.36 Edg/133.0.0.0', 'HTTP_ACCEPT': 'text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7', 'HTTP_SEC_FETCH_SITE': 'same-site', 'HTTP_SEC_FETCH_MODE': 'navigate', 'HTTP_SEC_FETCH_USER': '?1', 'HTTP_SEC_FETCH_DEST': 'document', 'HTTP_SEC_CH_UA': '"Not(A:Brand";v="99", "Microsoft Edge";v="133", "Chromium";v="133"', 'HTTP_SEC_CH_UA_MOBILE': '?0', 'HTTP_SEC_CH_UA_PLATFORM': '"Windows"', 'HTTP_REFERER': 'https://opengrades.mit.edu/', 'HTTP_ACCEPT_ENCODING': 'gzip, deflate, br, zstd', 'HTTP_ACCEPT_LANGUAGE': 'en-US,en;q=0.9,ko;q=0.8', 'HTTP_COOKIE': ' fpestid=WrDpXvn9yQkuXxAbGztRNc1XRWTfJlhA-mpzNX2l93MkPPBcEa1H_G8QCigarHTuqf_Fuw; _ga_GZC1B4EWQD=GS1.1.1721329303.1.1.1721329772.0.0.0; _ga_RSB5VZ24H4=GS1.2.1722031705.1.0.1722031705.0.0.0; _ga_9NP94J247X=GS1.1.1722353311.3.1.1722353967.0.0.0; _ga_R8E68YJSPK=GS1.1.1722354565.3.0.1722354591.0.0.0; _ga_DLLWT5K0XX=GS1.1.1722354444.6.1.1722354870.0.0.0; 
_ga_MZ0RMBZGSY=GS1.2.1724082817.1.0.1724082823.0.0.0; _ga_RWD7VEM8GR=GS1.2.1724082828.2.0.1724082828.0.0.0; _ga_03E2REYYWV=GS1.1.1724960329.2.0.1724960337.0.0.0; _ga_PW4Z02MCFS=GS1.1.1724960329.2.0.1724960337.0.0.0; _ga_B3YDHBHK16=GS1.1.1726105912.1.0.1726105943.0.0.0; _ga_9N690GFS8K=GS1.1.1726105912.1.0.1726105943.0.0.0; _cs_c=0; _cs_id=2b4daaed-527b-a1ca-89d2-225e8bef52fb.1726439128.1.1726439128.1726439128.1.1760603128328.1; _uetvid=69113f1073b111ef86400ba1f6006edb|1ond8lv|1726439128502|1|1|bat.bing.com/p/insights/c/d; _ga_6MBWVKL298=GS1.1.1726439128.1.0.1726439140.48.0.0; _ga_6QXGK7CKTT=GS1.1.1726444352.2.0.1726444355.57.0.0; __gsas=ID=d5e2704178dfab1a:T=1726585216:RT=1726585216:S=ALNI_MaLa1lCH7nn7oKL8I7-G5FhVTv7uw; _ga_YNG7LYHMFL=GS1.1.1726585199.1.1.1726586789.0.0.0; _ga_V6GE2CH3Y2=GS1.2.1726606665.1.1.1726606972.0.0.0; _ga_R25YX21CMW=GS1.2.1726890618.1.0.1726890618.0.0.0; _hjSessionUser_3696576=eyJpZCI6IjM1YTZjNWNhLWU1OTktNTYyMC05NDEzLTdmYmZkMDFiNDVlMSIsImNyZWF0ZWQiOjE3Mjk5NjUzNDkwMzMsImV4aXN0aW5nIjp0cnVlfQ==; _ga_YYT4ZZQG9P=GS1.1.1730071382.3.1.1730071600.0.0.0; _ga_VTJH3BHFP8=GS1.1.1730251411.1.0.1730251784.60.0.0; _ga_XTFKGPQK2R=GS1.1.1730251411.1.0.1730251784.60.0.0; _ga_NWDK3DX66P=GS1.1.1730321136.1.1.1730321609.60.0.0; _ce.s=v~89470efbbbf75afc71e2e4989fe205604023cfb8~lcw~1730321609468~vir~new~lva~1730321137317~vpv~0~v11.cs~81572~v11.s~eb02c970-96ff-11ef-bcf0-f767b485e741~v11.sla~1730321609472~v11.send~1730321609468~lcw~1730321609472; _ga_KZ09YHE6JS=GS1.1.1731016122.1.1.1731016149.0.0.0; __hstc=205621196.6b51054191d310e30841f10dc96d320a.1731192811819.1731192811819.1731192811819.1; hubspotutk=6b51054191d310e30841f10dc96d320a; _ga_QHQ7FX68QG=GS1.1.1731192811.1.0.1731192839.0.0.0; _ga_EW2QNH134R=GS1.1.1731613993.1.1.1731615063.0.0.0; _ga_85CR1KWHDW=GS1.2.1733354959.1.1.1733355115.0.0.0; _ga_7F0QY2CKEC=GS1.1.1733354959.1.1.1733355133.0.0.0; _ga_TB1HXSVPRG=GS1.1.1733354959.1.1.1733355133.0.0.0; _ga_EGEP5GKBT8=GS1.1.1733597091.1.0.1733597095.0.0.0; 
_ga_8LXP0KTQX1=GS1.1.1733938588.1.1.1733938643.0.0.0; _hp2_props.3001039959=%7B%22Base.appName%22%3A%22Canvas%22%7D; _hp2_id.3001039959=%7B%22userId%22%3A%228380098618431080%22%2C%22pageviewId%22%3A%228263404083042979%22%2C%22sessionId%22%3A%226190933744679632%22%2C%22identity%22%3A%22uu-2-2eb6e98b50646c7507132b2723e82dfc233c73df18214ed911653cc54338b536-aBnMizi0Az3KJzfw5YssKxIjtQMk0eN5LLbvPCDn%22%2C%22trackerVersion%22%3A%224.0%22%2C%22identityField%22%3Anull%2C%22isIdentified%22%3A1%7D; _ga_Z4CT6X6KZ9=GS1.1.1738806238.1.0.1738806242.0.0.0; _ga_5BGKP7GP4G=GS1.2.1739409946.1.0.1739409946.0.0.0; _ga_342NG5FVLH=GS1.1.1739409946.1.1.1739410082.0.0.0; _hjSessionUser_3031228=eyJpZCI6IjBkMDZmNDBiLTU1YzQtNTc0YS1iYmNjLWI0MTFlNjNmMWUxOSIsImNyZWF0ZWQiOjE3Mzk0MDk5NDEwNTMsImV4aXN0aW5nIjp0cnVlfQ==; _ga_VYPEJGRDJF=GS1.1.1739409940.1.1.1739410105.0.0.0; _ga_YYFR1GWPHW=GS1.1.1739413109.1.0.1739413120.0.0.0; _ga_S5BH0KM7VB=GS1.2.1739905947.27.1.1739906072.0.0.0; _ga_0302HMZBJ8=GS1.1.1739921970.18.1.1739923555.0.0.0; _gcl_au=1.1.518602444.1739926326; _fbp=fb.1.1739926326150.532557184730761016; _ga_X3TNE87YPK=GS1.1.1739926325.1.1.1739926687.60.0.0; _ga_23PLH19HNX=GS1.1.1740008783.1.1.1740008943.0.0.0; _ga_R8TSBG6RMB=GS1.2.1740245189.69.0.1740245189.0.0.0; _ga_R6KRQHZJBT=GS1.1.1740272404.3.0.1740272404.0.0.0; _ga_5EVDWQ3TEC=GS1.1.1740273655.6.1.1740273691.0.0.0; fs_uid=#o-1V47MT-na1#26db6986-e5cc-49ec-8da7-fb30a42abda9:d15e9750-214d-41ec-9fb4-b34653504fc1:1740273689050::10#745ba53b#/1762218956; _ga=GA1.2.671589718.1739926326; _gid=GA1.2.1492661393.1740355120; _ga_HMGCPE01DS=GS1.2.1740355120.7.0.1740355120.0.0.0', 'REMOTE_ADDR': '127.0.0.1', 'REMOTE_PORT': '43180'}, 'server_headers': {'SERVER_SOFTWARE': 'gunicorn/21.2.0', 'SERVER_PROTOCOL': 'HTTP/1.0', 'SERVER_NAME': '0.0.0.0', 'SERVER_PORT': '9999'}}
Feb 24 00:02:09 petrock gunicorn[1243483]: [2025-02-24 00:02:09,652] [DEBUG] [satosa.base._load_state] [urn:uuid:5f92e601-ff14-4fdf-8cc3-af8de3784eb4] Loaded state {'SESSION_ID': 'urn:uuid:5f92e601-ff14-4fdf-8cc3-af8de3784eb4'} from cookie  fpestid=WrDpXvn9yQkuXxAbGztRNc1XRWTfJlhA-mpzNX2l93MkPPBcEa1H_G8QCigarHTuqf_Fuw; _ga_GZC1B4EWQD=GS1.1.1721329303.1.1.1721329772.0.0.0; _ga_RSB5VZ24H4=GS1.2.1722031705.1.0.1722031705.0.0.0; _ga_9NP94J247X=GS1.1.1722353311.3.1.1722353967.0.0.0; _ga_R8E68YJSPK=GS1.1.1722354565.3.0.1722354591.0.0.0; _ga_DLLWT5K0XX=GS1.1.1722354444.6.1.1722354870.0.0.0; _ga_MZ0RMBZGSY=GS1.2.1724082817.1.0.1724082823.0.0.0; _ga_RWD7VEM8GR=GS1.2.1724082828.2.0.1724082828.0.0.0; _ga_03E2REYYWV=GS1.1.1724960329.2.0.1724960337.0.0.0; _ga_PW4Z02MCFS=GS1.1.1724960329.2.0.1724960337.0.0.0; _ga_B3YDHBHK16=GS1.1.1726105912.1.0.1726105943.0.0.0; _ga_9N690GFS8K=GS1.1.1726105912.1.0.1726105943.0.0.0; _cs_c=0; _cs_id=2b4daaed-527b-a1ca-89d2-225e8bef52fb.1726439128.1.1726439128.1726439128.1.1760603128328.1; _uetvid=69113f1073b111ef86400ba1f6006edb|1ond8lv|1726439128502|1|1|bat.bing.com/p/insights/c/d; _ga_6MBWVKL298=GS1.1.1726439128.1.0.1726439140.48.0.0; _ga_6QXGK7CKTT=GS1.1.1726444352.2.0.1726444355.57.0.0; __gsas=ID=d5e2704178dfab1a:T=1726585216:RT=1726585216:S=ALNI_MaLa1lCH7nn7oKL8I7-G5FhVTv7uw; _ga_YNG7LYHMFL=GS1.1.1726585199.1.1.1726586789.0.0.0; _ga_V6GE2CH3Y2=GS1.2.1726606665.1.1.1726606972.0.0.0; _ga_R25YX21CMW=GS1.2.1726890618.1.0.1726890618.0.0.0; _hjSessionUser_3696576=eyJpZCI6IjM1YTZjNWNhLWU1OTktNTYyMC05NDEzLTdmYmZkMDFiNDVlMSIsImNyZWF0ZWQiOjE3Mjk5NjUzNDkwMzMsImV4aXN0aW5nIjp0cnVlfQ==; _ga_YYT4ZZQG9P=GS1.1.1730071382.3.1.1730071600.0.0.0; _ga_VTJH3BHFP8=GS1.1.1730251411.1.0.1730251784.60.0.0; _ga_XTFKGPQK2R=GS1.1.1730251411.1.0.1730251784.60.0.0; _ga_NWDK3DX66P=GS1.1.1730321136.1.1.1730321609.60.0.0; 
_ce.s=v~89470efbbbf75afc71e2e4989fe205604023cfb8~lcw~1730321609468~vir~new~lva~1730321137317~vpv~0~v11.cs~81572~v11.s~eb02c970-96ff-11ef-bcf0-f767b485e741~v11.sla~1730321609472~v11.send~1730321609468~lcw~1730321609472; _ga_KZ09YHE6JS=GS1.1.1731016122.1.1.1731016149.0.0.0; __hstc=205621196.6b51054191d310e30841f10dc96d320a.1731192811819.1731192811819.1731192811819.1; hubspotutk=6b51054191d310e30841f10dc96d320a; _ga_QHQ7FX68QG=GS1.1.1731192811.1.0.1731192839.0.0.0; _ga_EW2QNH134R=GS1.1.1731613993.1.1.1731615063.0.0.0; _ga_85CR1KWHDW=GS1.2.1733354959.1.1.1733355115.0.0.0; _ga_7F0QY2CKEC=GS1.1.1733354959.1.1.1733355133.0.0.0; _ga_TB1HXSVPRG=GS1.1.1733354959.1.1.1733355133.0.0.0; _ga_EGEP5GKBT8=GS1.1.1733597091.1.0.1733597095.0.0.0; _ga_8LXP0KTQX1=GS1.1.1733938588.1.1.1733938643.0.0.0; _hp2_props.3001039959=%7B%22Base.appName%22%3A%22Canvas%22%7D; _hp2_id.3001039959=%7B%22userId%22%3A%228380098618431080%22%2C%22pageviewId%22%3A%228263404083042979%22%2C%22sessionId%22%3A%226190933744679632%22%2C%22identity%22%3A%22uu-2-2eb6e98b50646c7507132b2723e82dfc233c73df18214ed911653cc54338b536-aBnMizi0Az3KJzfw5YssKxIjtQMk0eN5LLbvPCDn%22%2C%22trackerVersion%22%3A%224.0%22%2C%22identityField%22%3Anull%2C%22isIdentified%22%3A1%7D; _ga_Z4CT6X6KZ9=GS1.1.1738806238.1.0.1738806242.0.0.0; _ga_5BGKP7GP4G=GS1.2.1739409946.1.0.1739409946.0.0.0; _ga_342NG5FVLH=GS1.1.1739409946.1.1.1739410082.0.0.0; _hjSessionUser_3031228=eyJpZCI6IjBkMDZmNDBiLTU1YzQtNTc0YS1iYmNjLWI0MTFlNjNmMWUxOSIsImNyZWF0ZWQiOjE3Mzk0MDk5NDEwNTMsImV4aXN0aW5nIjp0cnVlfQ==; _ga_VYPEJGRDJF=GS1.1.1739409940.1.1.1739410105.0.0.0; _ga_YYFR1GWPHW=GS1.1.1739413109.1.0.1739413120.0.0.0; _ga_S5BH0KM7VB=GS1.2.1739905947.27.1.1739906072.0.0.0; _ga_0302HMZBJ8=GS1.1.1739921970.18.1.1739923555.0.0.0; _gcl_au=1.1.518602444.1739926326; _fbp=fb.1.1739926326150.532557184730761016; _ga_X3TNE87YPK=GS1.1.1739926325.1.1.1739926687.60.0.0; _ga_23PLH19HNX=GS1.1.1740008783.1.1.1740008943.0.0.0; _ga_R8TSBG6RMB=GS1.2.1740245189.69.0.1740245189.0.0.0; 
_ga_R6KRQHZJBT=GS1.1.1740272404.3.0.1740272404.0.0.0; _ga_5EVDWQ3TEC=GS1.1.1740273655.6.1.1740273691.0.0.0; fs_uid=#o-1V47MT-na1#26db6986-e5cc-49ec-8da7-fb30a42abda9:d15e9750-214d-41ec-9fb4-b34653504fc1:1740273689050::10#745ba53b#/1762218956; _ga=GA1.2.671589718.1739926326; _gid=GA1.2.1492661393.1740355120; _ga_HMGCPE01DS=GS1.2.1740355120.7.0.1740355120.0.0.0
Feb 24 00:02:09 petrock gunicorn[1243483]: [2025-02-24 00:02:09,652] [DEBUG] [satosa.routing.endpoint_routing] [urn:uuid:5f92e601-ff14-4fdf-8cc3-af8de3784eb4] Routing path: touchstone/oidc/authorization
Feb 24 00:02:09 petrock gunicorn[1243483]: [2025-02-24 00:02:09,653] [DEBUG] [satosa.routing._find_registered_endpoint_for_module] [urn:uuid:5f92e601-ff14-4fdf-8cc3-af8de3784eb4] Found registered endpoint: module name:'oidc', endpoint: touchstone/oidc/authorization
Feb 24 00:02:09 petrock gunicorn[1243483]: [2025-02-24 00:02:09,654] [DEBUG] [satosa.frontends.openid_connect._handle_authn_request] [urn:uuid:5f92e601-ff14-4fdf-8cc3-af8de3784eb4] Authn req from client: client_id=IJBCPLseBy1l&scope=openid+email+profile&response_type=code&redirect_uri=https%3A%2F%2Fopengrades.mit.edu%2Fapi%2Fauth%2Fcallback%2Fmit-oidc&state=KcJLZUZiovnvbkJKCs6j_7ueNmmUi_d7-EqrYxwKYMs
Feb 24 00:02:09 petrock gunicorn[1243483]: [2025-02-24 00:02:09,660] [DEBUG] [pyop.provider.parse_authentication_request] parsed authentication_request: {'client_id': 'IJBCPLseBy1l', 'scope': 'openid email profile', 'response_type': 'code', 'redirect_uri': 'https://opengrades.mit.edu/api/auth/callback/mit-oidc', 'state': 'KcJLZUZiovnvbkJKCs6j_7ueNmmUi_d7-EqrYxwKYMs'}
Feb 24 00:02:09 petrock gunicorn[1243483]: [2025-02-24 00:02:09,664] [INFO] [satosa.base._auth_req_callback_func] [urn:uuid:5f92e601-ff14-4fdf-8cc3-af8de3784eb4] Requesting provider: IJBCPLseBy1l
Feb 24 00:02:09 petrock gunicorn[1243483]: [2025-02-24 00:02:09,665] [DEBUG] [satosa.routing.backend_routing] [urn:uuid:5f92e601-ff14-4fdf-8cc3-af8de3784eb4] Routing to backend: touchstone
Feb 24 00:02:09 petrock gunicorn[1243483]: [2025-02-24 00:02:09,665] [INFO] [satosa.backends.saml2.get_idp_entity_id] [urn:uuid:5f92e601-ff14-4fdf-8cc3-af8de3784eb4] {'message': 'Selected IdP', 'only_one': 'http://www.okta.com/exkfuqmlzchKIVXFZ697', 'target_entity_id': None, 'force_authn': None, 'memorized_idp': None, 'entity_id': 'http://www.okta.com/exkfuqmlzchKIVXFZ697'}
Feb 24 00:02:09 petrock gunicorn[1243483]: [2025-02-24 00:02:09,666] [DEBUG] [satosa.backends.saml2._prefer_matching_host] [urn:uuid:5f92e601-ff14-4fdf-8cc3-af8de3784eb4] Can't find an ACS URL to this hostname (localhost:9999), selecting the first one
Feb 24 00:02:09 petrock gunicorn[1243483]: [2025-02-24 00:02:09,668] [DEBUG] [saml2.mdstore.service] service(http://www.okta.com/exkfuqmlzchKIVXFZ697, idpsso_descriptor, single_sign_on_service, urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect)
Feb 24 00:02:09 petrock gunicorn[1243483]: [2025-02-24 00:02:09,668] [DEBUG] [saml2.mdstore.service] service => [{'__class__': 'urn:oasis:names:tc:SAML:2.0:metadata&SingleSignOnService', 'binding': 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect', 'location': 'https://okta.mit.edu/app/mitprod_petrocksipb_1/exkfuqmlzchKIVXFZ697/sso/saml'}]

gabrc52 avatar Feb 24 '25 02:02 gabrc52

By the symptoms, it looks like your deployment might be missing the workaround to mark cookies as SameSite=None - and the browser is refusing to send the cookie on the redirect back because the origin (the SAML IdP issuing the redirect) is different from the base URL of your SATOSA instance.

This was added in 7f5f0a1f - can you please make sure your proxy_conf.yaml has the cookies_samesite_compat setting added in this commit?

Thank you for your quick response. We do have this:

cookies_samesite_compat:
  - ["SATOSA_STATE", "SATOSA_STATE_LEGACY"]

However, I just realized that our instance was running at an old commit a6262597d4d982063acdebd542af79ccd4f829fa, so I have updated it now.

We are using a reverse proxy (nginx). Would this affect anything?

gabrc52 avatar Feb 24 '25 02:02 gabrc52

Reverse proxy should be fine. And 7f5f0a1 was added in 2020, so the code you were running already had this.

Can you check whether the cookie set by your SATOSA instance in HTTP response headers when issuing the SAML AuthnRequest is marked as samesite=none - and is returned by the browser when sending in the SAML response?

Either regular browser developer tools or the SAML Tracer plugin (Firefox and Chrome) can help with that.

Can you reproduce the issue, or is it happening only to some of your users? Consistently, or only sometimes?

It seems to be only some users, probably consistently but not sure. SAML Tracer does show the SameSite=none set by SATOSA.

Image

This is the export from SAML-tracer: https://envs.sh/twc.json

gabrc52 avatar Feb 24 '25 03:02 gabrc52

Sorry, looks like everything is correct in your setup. So you may need to look for a user where this happens reproducibly - and ask them for SAML Tracer capture.

One last shot: can you try with a SAML IdP outside the mit.edu domain? For some rules around cookies, browsers compare sites by their registered domain (one level below the public suffix list) - and all of your sites are under mit.edu, which may be causing cookies to be passed even where they would be rejected if the origin and target sites were in different registered domains.
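Vlad's two comments above (the SameSite=None workaround for the cross-site redirect, and the registered-domain comparison) can be checked against a small model of the browser's cookie decision. This is an added illustration, not SATOSA's code or anything posted in this thread: PUBLIC_SUFFIXES is a constructed stand-in for the public suffix list, the Lax-by-default rules approximate current Chromium behaviour rather than any one browser exactly, and idp.example.org is a made-up IdP host used only to show the cross-site case.

```python
from dataclasses import dataclass
from typing import Dict, Optional

# Constructed stand-in for the public suffix list; the real list is far larger.
PUBLIC_SUFFIXES = {"edu", "com", "org", "co.uk"}


def registrable_domain(host: str) -> str:
    """Return the registrable domain (public suffix plus one label).

    okta.mit.edu -> mit.edu and petrock.mit.edu -> mit.edu, so the two are
    'same-site' for SameSite purposes even though they are different origins.
    """
    labels = host.lower().split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            # A bare public suffix has no registrable domain; return it as-is.
            return host if i == 0 else ".".join(labels[i - 1:])
    return host  # unknown suffix (e.g. localhost): the host itself is the site


def same_site(initiator_host: str, target_host: str) -> bool:
    return registrable_domain(initiator_host) == registrable_domain(target_host)


@dataclass
class Cookie:
    name: str
    secure: bool = False
    samesite: Optional[str] = None   # "Strict", "Lax", "None", or absent


@dataclass
class Request:
    initiator_host: str          # site that issued the navigation (the IdP)
    target_host: str             # site receiving it (the SATOSA ACS endpoint)
    method: str = "GET"
    https: bool = True
    top_level_navigation: bool = True


def cookie_is_sent(cookie: Cookie, req: Request) -> bool:
    """Lax-by-default model: would the browser attach `cookie` to `req`?"""
    if cookie.secure and not req.https:
        return False
    mode = (cookie.samesite or "Lax").capitalize()
    if mode == "None":
        # SameSite=None is only accepted together with Secure; a cookie set
        # without Secure is discarded at set time, so it is never sent.
        return cookie.secure
    if same_site(req.initiator_host, req.target_host):
        return True
    if mode == "Strict":
        return False
    # Lax: cross-site cookies travel only on top-level GET navigations,
    # never on the cross-site POST used by the SAML HTTP-POST binding.
    return req.top_level_navigation and req.method == "GET"


def saml_post_outcomes(idp_host: str, sp_host: str) -> Dict[str, bool]:
    """Does the state cookie reach the ACS on the SAML HTTP-POST response?"""
    post_back = Request(idp_host, sp_host, method="POST")
    return {
        "secure_only": cookie_is_sent(Cookie("SATOSA_STATE", secure=True), post_back),
        "samesite_none": cookie_is_sent(
            Cookie("SATOSA_STATE", secure=True, samesite="None"), post_back),
    }


if __name__ == "__main__":
    # Same registered domain, as in this thread: both variants get through.
    print("okta.mit.edu -> petrock.mit.edu:",
          saml_post_outcomes("okta.mit.edu", "petrock.mit.edu"))
    # Made-up external IdP: only the SameSite=None cookie survives the POST.
    print("idp.example.org -> petrock.mit.edu:",
          saml_post_outcomes("idp.example.org", "petrock.mit.edu"))
```

Running it shows why trying an IdP outside mit.edu separates the cases: under one registered domain the model lets the cookie through with or without SameSite=None, whereas a cross-site POST delivers only a cookie marked SameSite=None; Secure.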

Thanks a lot! This is the tracer from someone who can reproduce this reliably:

SAML-tracer-export-2025-02-24T05_05_16.100Z.json

If you have a suggestion of a public IdP I can use, we could try that.

gabrc52 avatar Feb 24 '25 05:02 gabrc52

Interesting!

Here, the SATOSA_STATE cookie is only marked Secure, not samesite=none. And the browser then refuses to send it on the way back.

I find several parts surprising.

  • Why would the behaviour of SATOSA be different? Looking at the comments in 7f5f0a1, the behaviour of cookies-samesite-compat might be browser dependent. But the User-Agent header in both traces is the same...
  • Given the user still authenticated through okta.mit.edu (so under the same registered domain), I would expect the cookie to get through even without samesite=none. But browsers keep changing how they interpret this (and the spec is not explicit enough), so we can't exactly call out non-compliance here.

I'd recommend looking into the code inside cookies-samesite-compat to see how it determines when to mark the cookie samesite=none.

Hope this helps.

Cheers, Vlad
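Vlad's pointer to the cookies-samesite-compat code refers to the usual "double cookie" workaround: send the state cookie with SameSite=None; Secure for current browsers, plus a legacy twin carrying no SameSite attribute at all for older user agents that misread SameSite=None as Strict, and accept either one on the way back. The following is an added illustration of that pattern with the standard library, not SATOSA's implementation; COMPAT_PAIRS mirrors the SATOSA_STATE / SATOSA_STATE_LEGACY pair from the proxy_conf.yaml fragment earlier in the thread, and the function names and the sample cookie value are this example's own.

```python
from http.cookies import SimpleCookie
from typing import List, Optional

# Mirrors the cookies_samesite_compat pair shown above; constructed for this example.
COMPAT_PAIRS = {"SATOSA_STATE": "SATOSA_STATE_LEGACY"}


def build_set_cookie_headers(name: str, value: str, path: str = "/") -> List[str]:
    """Return Set-Cookie header values for the cross-site cookie and its legacy twin.

    The primary cookie carries SameSite=None; Secure so that the cross-site POST
    of the SAML HTTP-POST binding still delivers it.  The twin omits SameSite
    entirely: a user agent that does not understand SameSite=None would treat
    the primary cookie as Strict and drop it, but still sends the twin.
    """
    headers: List[str] = []

    primary = SimpleCookie()
    primary[name] = value
    primary[name]["path"] = path
    primary[name]["secure"] = True
    primary[name]["httponly"] = True
    primary[name]["samesite"] = "None"
    headers.append(primary[name].OutputString())

    legacy_name = COMPAT_PAIRS.get(name)
    if legacy_name:
        legacy = SimpleCookie()
        legacy[legacy_name] = value
        legacy[legacy_name]["path"] = path
        legacy[legacy_name]["secure"] = True
        legacy[legacy_name]["httponly"] = True
        # deliberately no "samesite" attribute on the legacy twin
        headers.append(legacy[legacy_name].OutputString())
    return headers


def read_state_cookie(cookie_header: str, name: str) -> Optional[str]:
    """Prefer the primary cookie; fall back to the legacy twin if only that arrived."""
    jar = SimpleCookie()
    jar.load(cookie_header)
    for candidate in (name, COMPAT_PAIRS.get(name)):
        if candidate and candidate in jar:
            return jar[candidate].value
    return None


if __name__ == "__main__":
    # Constructed sample value; a real SATOSA_STATE value is an encrypted blob.
    sample = "urn:uuid:00000000-0000-0000-0000-000000000000"
    for header in build_set_cookie_headers("SATOSA_STATE", sample):
        print("Set-Cookie:", header)
    # Browser that dropped the SameSite=None cookie but kept the legacy twin:
    print(read_state_cookie(f"SATOSA_STATE_LEGACY={sample}; _ga=GA1.2.1", "SATOSA_STATE"))
```

Capturing the two Set-Cookie headers this way against the SAML Tracer export is a quick check: if the AuthnRequest response carries the primary cookie without "SameSite=None", the attribute was never emitted, which is a different problem from the browser refusing to return it.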

Hi Vlad, thanks a lot for your continued support.

In src/satosa/state.py and function state_to_cookie I have added print statements:

print(f"{samesite=} {name=} {path=} {state=} {type(samesite)=} {samesite=} {secure=} {httponly=} {max_age=}")
print(f"samesite", cookie[name]["samesite"], type(cookie[name]["samesite"]))
print(f"secure", cookie[name]["secure"], type(cookie[name]["secure"]))

Output from the user who can reproduce the error (so samesite is set to None as expected):

samesite=None name='SATOSA_STATE' path='/' state={'SESSION_ID': 'urn:uuid:2cca7a81-c8b1-4790-a8a8-7de842599ca3', 'oidc': {'oidc_request': 'response_type=code&client_id=DFtkQwWabPFO&redirect_uri=https%3A%2F%2Fhkn-tutoring2.mit.edu%2Foauth%2Fcallback&scope=openid+openid+email+profile&state=xSELXF0ewN5n4fPNt5dszZUk'}, 'SATOSA_BASE': {'requester': 'DFtkQwWabPFO'}, 'ROUTER': 'oidc', 'touchstone': {'relay_state': '9YYA2czswquzZvpD'}} type(samesite)=<class 'NoneType'> samesite=None secure=None httponly=None max_age=None
samesite None <class 'str'>
secure True <class 'bool'>

The logs again:

[2025-02-25 01:46:32,090] [DEBUG] [saml2.httpbase.send] GET to https://okta.mit.edu/app/exkfuqmlzchKIVXFZ697/sso/saml/metadata
[2025-02-25 01:46:32,100] [DEBUG] [urllib3.connectionpool._new_conn] Starting new HTTPS connection (1): okta.mit.edu:443
[2025-02-25 01:46:32,944] [DEBUG] [urllib3.connectionpool._make_request] https://okta.mit.edu:443 "GET /app/exkfuqmlzchKIVXFZ697/sso/saml/metadata HTTP/1.1" 200 2289
[2025-02-25 01:46:32,952] [DEBUG] [saml2.httpbase.send] Response status: 200
[2025-02-25 01:46:32,969] [DEBUG] [saml2.assertion.__init__] policy restrictions: None
[2025-02-25 01:46:34,578] [INFO] [satosa.plugin_loader.load_backends] Setup backends: ['touchstone']
[2025-02-25 01:46:34,579] [INFO] [satosa.base.__init__] Loading frontend modules...
[2025-02-25 01:46:36,892] [INFO] [satosa.plugin_loader.load_frontends] Setup frontends: ['oidc']
[2025-02-25 01:46:36,893] [INFO] [satosa.base.__init__] Loading micro services...
[2025-02-25 01:46:36,893] [INFO] [satosa.plugin_loader.load_request_microservices] Loaded request micro services: []
[2025-02-25 01:46:36,894] [INFO] [satosa.plugin_loader.load_response_microservices] Loaded response micro services:[]
[2025-02-25 01:46:36,895] [DEBUG] [satosa.backends.saml2.register_endpoints] Exposing backend entity endpoint = https://petrock.mit.edu/touchstone/proxy_saml2_backend.xml
[2025-02-25 01:46:36,896] [DEBUG] [satosa.routing.__init__] Loaded backends with endpoints: [<satosa.backends.saml2.SAMLBackend object at 0xffffa1114820>]
[2025-02-25 01:46:36,896] [DEBUG] [satosa.routing.__init__] Loaded frontends with endpoints: [<satosa.frontends.openid_connect.OpenIDConnectFrontend object at 0xffff9fbf3910>]
[2025-02-25 01:46:36,897] [DEBUG] [satosa.routing.__init__] Loaded micro services with endpoints: []
[2025-02-25 01:47:04,065] [DEBUG] [satosa.proxy_server.unpack_request] read request data: {}
[2025-02-25 01:47:04,066] [DEBUG] [satosa.proxy_server.__call__] {'message': 'Proxy server received request', 'request_method': 'GET', 'request_uri': None, 'content_length': 0, 'request_data': {}, 'query_params': {}, 'http_headers': {'HTTP_HOST': 'localhost:9999', 'HTTP_CONNECTION': 'close', 'HTTP_ACCEPT': 'application/json', 'HTTP_USER_AGENT': 'openid-client/5.7.0 (https://github.com/panva/node-openid-client)', 'HTTP_ACCEPT_ENCODING': 'identity', 'REMOTE_ADDR': '127.0.0.1', 'REMOTE_PORT': '60358', 'HTTP_COOKIE': ''}, 'server_headers': {'SERVER_SOFTWARE': 'gunicorn/21.2.0', 'SERVER_PROTOCOL': 'HTTP/1.0', 'SERVER_NAME': '0.0.0.0', 'SERVER_PORT': '9999'}}
[2025-02-25 01:47:04,067] [DEBUG] [satosa.base._load_state] [urn:uuid:3fc0cbc7-d4b3-4a59-9d4d-28ecbf8624c5] Loaded state {'SESSION_ID': 'urn:uuid:3fc0cbc7-d4b3-4a59-9d4d-28ecbf8624c5'} from cookie
[2025-02-25 01:47:04,067] [DEBUG] [satosa.routing.endpoint_routing] [urn:uuid:3fc0cbc7-d4b3-4a59-9d4d-28ecbf8624c5] Routing path: .well-known/openid-configuration
[2025-02-25 01:47:04,068] [DEBUG] [satosa.routing.endpoint_routing] [urn:uuid:3fc0cbc7-d4b3-4a59-9d4d-28ecbf8624c5] Unknown backend .well-known
[2025-02-25 01:47:04,069] [DEBUG] [satosa.routing._find_registered_endpoint_for_module] [urn:uuid:3fc0cbc7-d4b3-4a59-9d4d-28ecbf8624c5] Found registered endpoint: module name:'oidc', endpoint: .well-known/openid-configuration
[2025-02-25 01:47:04,102] [DEBUG] [satosa.state.state_to_cookie] [urn:uuid:3fc0cbc7-d4b3-4a59-9d4d-28ecbf8624c5] Saved state in cookie SATOSA_STATE with properties [('expires', ''), ('path', '/'), ('comment', ''), ('domain', ''), ('max-age', ''), ('secure', True), ('httponly', ''), ('version', ''), ('samesite', 'None')]
[2025-02-25 01:47:04,162] [DEBUG] [satosa.proxy_server.unpack_request] read request data: {'client_id': 'IJBCPLseBy1l', 'scope': 'openid email profile', 'response_type': 'code', 'redirect_uri': 'https://opengrades.mit.edu/api/auth/callback/mit-oidc', 'state': 'j-8QM6YmvpqdwxcGD9_1OeItdINgGflxkFll3O7oWVE'}
[2025-02-25 01:47:04,163] [DEBUG] [satosa.proxy_server.__call__] {'message': 'Proxy server received request', 'request_method': 'GET', 'request_uri': None, 'content_length': 0, 'request_data': {'client_id': 'IJBCPLseBy1l', 'scope': 'openid email profile', 'response_type': 'code', 'redirect_uri': 'https://opengrades.mit.edu/api/auth/callback/mit-oidc', 'state': 'j-8QM6YmvpqdwxcGD9_1OeItdINgGflxkFll3O7oWVE'}, 'query_params': {'client_id': 'IJBCPLseBy1l', 'scope': 'openid email profile', 'response_type': 'code', 'redirect_uri': 'https://opengrades.mit.edu/api/auth/callback/mit-oidc', 'state': 'j-8QM6YmvpqdwxcGD9_1OeItdINgGflxkFll3O7oWVE'}, 'http_headers': {'HTTP_HOST': 'localhost:9999', 'HTTP_CONNECTION': 'close', 'HTTP_SEC_CH_UA': '"Not(A:Brand";v="99", "Google Chrome";v="133", "Chromium";v="133"', 'HTTP_SEC_CH_UA_MOBILE': '?0', 'HTTP_SEC_CH_UA_PLATFORM': '"Windows"', 'HTTP_UPGRADE_INSECURE_REQUESTS': '1', 'HTTP_USER_AGENT': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/133.0.0.0 Safari/537.36', 'HTTP_ACCEPT': 'text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7', 'HTTP_SEC_FETCH_SITE': 'same-site', 'HTTP_SEC_FETCH_MODE': 'navigate', 'HTTP_SEC_FETCH_USER': '?1', 'HTTP_SEC_FETCH_DEST': 'document', 'HTTP_REFERER': 'https://opengrades.mit.edu/', 'HTTP_ACCEPT_ENCODING': 'gzip, deflate, br, zstd', 'HTTP_ACCEPT_LANGUAGE': 'en-US,en;q=0.9', 'HTTP_COOKIE': '', 'REMOTE_ADDR': '127.0.0.1', 'REMOTE_PORT': '60372'}, 'server_headers': {'SERVER_SOFTWARE': 'gunicorn/21.2.0', 'SERVER_PROTOCOL': 'HTTP/1.0', 'SERVER_NAME': '0.0.0.0', 'SERVER_PORT': '9999'}}
[2025-02-25 01:47:04,163] [DEBUG] [satosa.base._load_state] [urn:uuid:8086d622-a055-42ca-8fe0-88d72995f8cf] Loaded state {'SESSION_ID': 'urn:uuid:8086d622-a055-42ca-8fe0-88d72995f8cf'} from cookie
[2025-02-25 01:47:04,164] [DEBUG] [satosa.routing.endpoint_routing] [urn:uuid:8086d622-a055-42ca-8fe0-88d72995f8cf] Routing path: touchstone/oidc/authorization
[2025-02-25 01:47:04,166] [DEBUG] [satosa.routing._find_registered_endpoint_for_module] [urn:uuid:8086d622-a055-42ca-8fe0-88d72995f8cf] Found registered endpoint: module name:'oidc', endpoint: touchstone/oidc/authorization
[2025-02-25 01:47:04,167] [DEBUG] [satosa.frontends.openid_connect._handle_authn_request] [urn:uuid:8086d622-a055-42ca-8fe0-88d72995f8cf] Authn req from client: client_id=IJBCPLseBy1l&scope=openid+email+profile&response_type=code&redirect_uri=https%3A%2F%2Fopengrades.mit.edu%2Fapi%2Fauth%2Fcallback%2Fmit-oidc&state=j-8QM6YmvpqdwxcGD9_1OeItdINgGflxkFll3O7oWVE
[2025-02-25 01:47:04,180] [DEBUG] [pyop.provider.parse_authentication_request] parsed authentication_request: {'client_id': 'IJBCPLseBy1l', 'scope': 'openid email profile', 'response_type': 'code', 'redirect_uri': 'https://opengrades.mit.edu/api/auth/callback/mit-oidc', 'state': 'j-8QM6YmvpqdwxcGD9_1OeItdINgGflxkFll3O7oWVE'}
[2025-02-25 01:47:04,184] [INFO] [satosa.base._auth_req_callback_func] [urn:uuid:8086d622-a055-42ca-8fe0-88d72995f8cf] Requesting provider: IJBCPLseBy1l
[2025-02-25 01:47:04,185] [DEBUG] [satosa.routing.backend_routing] [urn:uuid:8086d622-a055-42ca-8fe0-88d72995f8cf] Routing to backend: touchstone
[2025-02-25 01:47:04,186] [INFO] [satosa.backends.saml2.get_idp_entity_id] [urn:uuid:8086d622-a055-42ca-8fe0-88d72995f8cf] {'message': 'Selected IdP', 'only_one': 'http://www.okta.com/exkfuqmlzchKIVXFZ697', 'target_entity_id': None, 'force_authn': None, 'memorized_idp': None, 'entity_id': 'http://www.okta.com/exkfuqmlzchKIVXFZ697'}
[2025-02-25 01:47:04,187] [DEBUG] [satosa.backends.saml2._prefer_matching_host] [urn:uuid:8086d622-a055-42ca-8fe0-88d72995f8cf] Can't find an ACS URL to this hostname (localhost:9999), selecting the first one
[2025-02-25 01:47:04,188] [DEBUG] [saml2.mdstore.service] service(http://www.okta.com/exkfuqmlzchKIVXFZ697, idpsso_descriptor, single_sign_on_service, urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect)
[2025-02-25 01:47:04,189] [DEBUG] [saml2.mdstore.service] service => [{'__class__': 'urn:oasis:names:tc:SAML:2.0:metadata&SingleSignOnService', 'binding': 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect', 'location': 'https://okta.mit.edu/app/mitprod_petrocksipb_1/exkfuqmlzchKIVXFZ697/sso/saml'}]
[2025-02-25 01:47:04,191] [DEBUG] [saml2.mdstore.service] service(http://www.okta.com/exkfuqmlzchKIVXFZ697, idpsso_descriptor, single_sign_on_service, urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST)
[2025-02-25 01:47:04,191] [DEBUG] [saml2.mdstore.service] service => [{'__class__': 'urn:oasis:names:tc:SAML:2.0:metadata&SingleSignOnService', 'binding': 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST', 'location': 'https://okta.mit.edu/app/mitprod_petrocksipb_1/exkfuqmlzchKIVXFZ697/sso/saml'}]
[2025-02-25 01:47:04,192] [DEBUG] [saml2.client.prepare_for_negotiated_authenticate] destination to provider: https://okta.mit.edu/app/mitprod_petrocksipb_1/exkfuqmlzchKIVXFZ697/sso/saml
[2025-02-25 01:47:04,195] [DEBUG] [saml2.entity.sign] REQUEST: <ns0:AuthnRequest xmlns:ns0="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:ns1="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:ns2="http://www.w3.org/2000/09/xmldsig#" ID="id-1oFjYIjLqibMPW3D2" Version="2.0" IssueInstant="2025-02-25T01:47:04Z" Destination="https://okta.mit.edu/app/mitprod_petrocksipb_1/exkfuqmlzchKIVXFZ697/sso/saml" ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" AssertionConsumerServiceURL="https://petrock.mit.edu/touchstone/acs/post" ProviderName="Petrock"><ns1:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">https://petrock.mit.edu/touchstone/proxy_saml2_backend.xml</ns1:Issuer><ns2:Signature Id="Signature1"><ns2:SignedInfo><ns2:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" /><ns2:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" /><ns2:Reference URI="#id-1oFjYIjLqibMPW3D2"><ns2:Transforms><ns2:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" /><ns2:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" /></ns2:Transforms><ns2:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" /><ns2:DigestValue /></ns2:Reference></ns2:SignedInfo><ns2:SignatureValue 
/><ns2:KeyInfo><ns2:X509Data><ns2:X509Certificate>MIID/zCCAmegAwIBAgIUOM3G+QLt/Yhq//T0eHYlSVIgnKMwDQYJKoZIhvcNAQELBQAwGjEYMBYGA1UEAxMPcGV0cm9jay5taXQuZWR1MB4XDTIzMTEyMTAzMjQwMVoXDTMzMTExODAzMjQwMVowGjEYMBYGA1UEAxMPcGV0cm9jay5taXQuZWR1MIIBojANBgkqhkiG9w0BAQEFAAOCAY8AMIIBigKCAYEAu3AQLeM9t1TwdEM8WgndngH6Is+cd0sDyTNi35HkxdL4XsTqMfIDS5Li+JABblNo9xS2vTA05IBmA33BVfi8v4SZ0ZAHQTi+R74JkUIwxX7tzR531mEfRcPuyxPtlpsKwWTgRrrqeO/1DStcicFsu/KSLlXZJvr+SYhSXxtMXuLS/bjv5gxVI+CkfyoZereEEKDTcQymZpZv4IQqza6WghsZ+wI35cDuRpYXgqOG6+OsWRq3jj4UUH7EA0DhH9JQWOrHclnnHCnabiVd7rHertavSMT9lNp1qFWZduw/GVbTIvuxGf/a5iyaLnDEy4HpSNtYFiM0gwfKHi0TQ0+dglrxtsdf/MX6/tW5uv5l5rk+ouzM8wDkFvkpGMaYUXM/J301y0/yaCwlohZa6sAN/xXz2DZe59Ysm51j/G+ipojFP682KUjqyEmU0Q4VjqoQWnajq/6mAShVJdgFlOfIPeGYm5/BS9YRyo4218qEt+w84dUKoF71IZ7zE2WptogHAgMBAAGjPTA7MBoGA1UdEQQTMBGCD3BldHJvY2subWl0LmVkdTAdBgNVHQ4EFgQUcG1QQt8CL18uadpr1QN5COnFoIgwDQYJKoZIhvcNAQELBQADggGBAEURLVatZro3xx35AXDbwtd2rDUgEuuef/ftMyYWMcIiEntEe+jrvY0EbZmbP/q8zrBpJx6E6oJxSM5uhHMzK87eO8dO2DJpbM42vGJFtpA5H/VhghPJ9PzQcqBgEe9Kzc2a/yXTrvVDHBbzi8FdBD48mLOWc1szKtENFaS7ZMRCa8BkpUYl2kCQVuzfB5gKXO+kjPjxDBP8MCwQGYgwCu+8e4VI8Id8YBuDm9tno+a80ytJhaVUVB8JjsfPi/1+EtgtdOGYl5tfwDa+iPr7LfwPtKbHMN2rasI0Ey0J+if6iUbWsbzYPkir+lCXHmW+ErfaDaVFKJjf1w/3kurEsyyHkqgdmhwMB9Mu9SC37lyPuZg+bwXBmQUqzZFFk1yEQzrb0FJAVU65JQrF7JPudPWnf7rlZXWQhXb/l75E6gILDJefkbmW1f9O4X68Mpi3lVzqfhgWYY5LW3YBAZtQGMBApad+faS/5S1s8OctfOZXfQGJW60Ucc2KejortFRTbg==</ns2:X509Certificate></ns2:X509Data></ns2:KeyInfo></ns2:Signature></ns0:AuthnRequest>
[2025-02-25 01:47:04,224] [DEBUG] [saml2.sigver._run_xmlsec] xmlsec command: /usr/bin/xmlsec1 --sign --privkey-pem /home/oidc/keys/saml/sp-signing-key.pem --id-attr:ID urn:oasis:names:tc:SAML:2.0:protocol:AuthnRequest --node-id id-1oFjYIjLqibMPW3D2 --output /tmp/tmp7lijx5c3.xml /tmp/tmp_m3jsu0m.xml
[2025-02-25 01:47:04,305] [DEBUG] [saml2.entity._message] REQUEST: <?xml version="1.0"?>
<ns0:AuthnRequest xmlns:ns0="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:ns1="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:ns2="http://www.w3.org/2000/09/xmldsig#" ID="id-1oFjYIjLqibMPW3D2" Version="2.0" IssueInstant="2025-02-25T01:47:04Z" Destination="https://okta.mit.edu/app/mitprod_petrocksipb_1/exkfuqmlzchKIVXFZ697/sso/saml" ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" AssertionConsumerServiceURL="https://petrock.mit.edu/touchstone/acs/post" ProviderName="Petrock"><ns1:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">https://petrock.mit.edu/touchstone/proxy_saml2_backend.xml</ns1:Issuer><ns2:Signature Id="Signature1"><ns2:SignedInfo><ns2:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/><ns2:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/><ns2:Reference URI="#id-1oFjYIjLqibMPW3D2"><ns2:Transforms><ns2:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/><ns2:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/></ns2:Transforms><ns2:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/><ns2:DigestValue>2d6gNfXeri9b3EeskuOtVzrYcLA=</ns2:DigestValue></ns2:Reference></ns2:SignedInfo><ns2:SignatureValue>ZzUL3c5JHowmZBPnBkgEEoqtbQ95W33D7ziyfoe3oplJd8oVvjE7QbiOBtLMx/5i
UN5tdcg8YeIzOZdokTp+oOK3nz09FqkVfwmnLqiwcMCxazUCqv/KI9VbwRdLkgd3
EwTJBksvxfuPNx4aMiI4HRqoznOzzJEf/ZT9xyKRbYYOASSIxXjowAeC0wAYA9qO
zAu3ZlhpSy61yf4iDpZbow5VorzDvxusawn65OqbYYpsUWYtdqfnmfpRqv/wEE1D
gmz7dSXm+Zq6IFpCKLF6AtCVcx8XhKkSWwJrXe6Ia4FWmcKKLcAX7XL7uFY9VDo/
8lOlbkNK/kA3MLUWn5BplDU8/Lv2Y7T4W8Z8ciB6tJ9ss8DT/fep4obD6V+N2Fuk
vI8JW/T3arsbeNYZV+5sHvEasayLVewv0yarlXWSs78ge15zrR4vUcexJv/oR08n
ZNoZ1qtgJDi1urryYu4WpCo2vB4nsuOSDJ+Cpnt6SSbSdiZp5N/3qBQY7U4cV6an</ns2:SignatureValue><ns2:KeyInfo><ns2:X509Data><ns2:X509Certificate>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</ns2:X509Certificate></ns2:X509Data></ns2:KeyInfo></ns2:Signature></ns0:AuthnRequest>
[2025-02-25 01:47:04,306] [DEBUG] [saml2.client.prepare_for_negotiated_authenticate] AuthNReq: <?xml version="1.0"?>
<ns0:AuthnRequest xmlns:ns0="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:ns1="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:ns2="http://www.w3.org/2000/09/xmldsig#" ID="id-1oFjYIjLqibMPW3D2" Version="2.0" IssueInstant="2025-02-25T01:47:04Z" Destination="https://okta.mit.edu/app/mitprod_petrocksipb_1/exkfuqmlzchKIVXFZ697/sso/saml" ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" AssertionConsumerServiceURL="https://petrock.mit.edu/touchstone/acs/post" ProviderName="Petrock"><ns1:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">https://petrock.mit.edu/touchstone/proxy_saml2_backend.xml</ns1:Issuer><ns2:Signature Id="Signature1"><ns2:SignedInfo><ns2:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/><ns2:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/><ns2:Reference URI="#id-1oFjYIjLqibMPW3D2"><ns2:Transforms><ns2:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/><ns2:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/></ns2:Transforms><ns2:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/><ns2:DigestValue>2d6gNfXeri9b3EeskuOtVzrYcLA=</ns2:DigestValue></ns2:Reference></ns2:SignedInfo><ns2:SignatureValue>ZzUL3c5JHowmZBPnBkgEEoqtbQ95W33D7ziyfoe3oplJd8oVvjE7QbiOBtLMx/5i
UN5tdcg8YeIzOZdokTp+oOK3nz09FqkVfwmnLqiwcMCxazUCqv/KI9VbwRdLkgd3
EwTJBksvxfuPNx4aMiI4HRqoznOzzJEf/ZT9xyKRbYYOASSIxXjowAeC0wAYA9qO
zAu3ZlhpSy61yf4iDpZbow5VorzDvxusawn65OqbYYpsUWYtdqfnmfpRqv/wEE1D
gmz7dSXm+Zq6IFpCKLF6AtCVcx8XhKkSWwJrXe6Ia4FWmcKKLcAX7XL7uFY9VDo/
8lOlbkNK/kA3MLUWn5BplDU8/Lv2Y7T4W8Z8ciB6tJ9ss8DT/fep4obD6V+N2Fuk
vI8JW/T3arsbeNYZV+5sHvEasayLVewv0yarlXWSs78ge15zrR4vUcexJv/oR08n
ZNoZ1qtgJDi1urryYu4WpCo2vB4nsuOSDJ+Cpnt6SSbSdiZp5N/3qBQY7U4cV6an</ns2:SignatureValue><ns2:KeyInfo><ns2:X509Data><ns2:X509Certificate>MIID/zCCAmegAwIBAgIUOM3G+QLt/Yhq//T0eHYlSVIgnKMwDQYJKoZIhvcNAQELBQAwGjEYMBYGA1UEAxMPcGV0cm9jay5taXQuZWR1MB4XDTIzMTEyMTAzMjQwMVoXDTMzMTExODAzMjQwMVowGjEYMBYGA1UEAxMPcGV0cm9jay5taXQuZWR1MIIBojANBgkqhkiG9w0BAQEFAAOCAY8AMIIBigKCAYEAu3AQLeM9t1TwdEM8WgndngH6Is+cd0sDyTNi35HkxdL4XsTqMfIDS5Li+JABblNo9xS2vTA05IBmA33BVfi8v4SZ0ZAHQTi+R74JkUIwxX7tzR531mEfRcPuyxPtlpsKwWTgRrrqeO/1DStcicFsu/KSLlXZJvr+SYhSXxtMXuLS/bjv5gxVI+CkfyoZereEEKDTcQymZpZv4IQqza6WghsZ+wI35cDuRpYXgqOG6+OsWRq3jj4UUH7EA0DhH9JQWOrHclnnHCnabiVd7rHertavSMT9lNp1qFWZduw/GVbTIvuxGf/a5iyaLnDEy4HpSNtYFiM0gwfKHi0TQ0+dglrxtsdf/MX6/tW5uv5l5rk+ouzM8wDkFvkpGMaYUXM/J301y0/yaCwlohZa6sAN/xXz2DZe59Ysm51j/G+ipojFP682KUjqyEmU0Q4VjqoQWnajq/6mAShVJdgFlOfIPeGYm5/BS9YRyo4218qEt+w84dUKoF71IZ7zE2WptogHAgMBAAGjPTA7MBoGA1UdEQQTMBGCD3BldHJvY2subWl0LmVkdTAdBgNVHQ4EFgQUcG1QQt8CL18uadpr1QN5COnFoIgwDQYJKoZIhvcNAQELBQADggGBAEURLVatZro3xx35AXDbwtd2rDUgEuuef/ftMyYWMcIiEntEe+jrvY0EbZmbP/q8zrBpJx6E6oJxSM5uhHMzK87eO8dO2DJpbM42vGJFtpA5H/VhghPJ9PzQcqBgEe9Kzc2a/yXTrvVDHBbzi8FdBD48mLOWc1szKtENFaS7ZMRCa8BkpUYl2kCQVuzfB5gKXO+kjPjxDBP8MCwQGYgwCu+8e4VI8Id8YBuDm9tno+a80ytJhaVUVB8JjsfPi/1+EtgtdOGYl5tfwDa+iPr7LfwPtKbHMN2rasI0Ey0J+if6iUbWsbzYPkir+lCXHmW+ErfaDaVFKJjf1w/3kurEsyyHkqgdmhwMB9Mu9SC37lyPuZg+bwXBmQUqzZFFk1yEQzrb0FJAVU65JQrF7JPudPWnf7rlZXWQhXb/l75E6gILDJefkbmW1f9O4X68Mpi3lVzqfhgWYY5LW3YBAZtQGMBApad+faS/5S1s8OctfOZXfQGJW60Ucc2KejortFRTbg==</ns2:X509Certificate></ns2:X509Data></ns2:KeyInfo></ns2:Signature></ns0:AuthnRequest>
[2025-02-25 01:47:04,306] [DEBUG] [saml2.entity.apply_binding] HTTP REDIRECT
[2025-02-25 01:47:04,402] [DEBUG] [satosa.state.state_to_cookie] [urn:uuid:8086d622-a055-42ca-8fe0-88d72995f8cf] Saved state in cookie SATOSA_STATE with properties [('expires', ''), ('path', '/'), ('comment', ''), ('domain', ''), ('max-age', ''), ('secure', True), ('httponly', ''), ('version', ''), ('samesite', 'None')]
[2025-02-25 01:47:05,220] [DEBUG] [satosa.base._load_state] [urn:uuid:2730a961-b965-4c94-9bd3-700c27fe1101] Loaded state {'SESSION_ID': 'urn:uuid:2730a961-b965-4c94-9bd3-700c27fe1101'} from cookie
[2025-02-25 01:47:05,221] [DEBUG] [satosa.routing.endpoint_routing] [urn:uuid:2730a961-b965-4c94-9bd3-700c27fe1101] Routing path: touchstone/acs/post
[2025-02-25 01:47:05,223] [DEBUG] [satosa.routing._find_registered_endpoint_for_module] [urn:uuid:2730a961-b965-4c94-9bd3-700c27fe1101] Found registered endpoint: module name:'touchstone', endpoint: touchstone/acs/post
[2025-02-25 01:47:05,224] [INFO] [satosa.backends.saml2.authn_response] [urn:uuid:2730a961-b965-4c94-9bd3-700c27fe1101] {'message': 'Authentication failed', 'error': 'Received AuthN response without a SATOSA session cookie'}
[2025-02-25 01:47:05,225] [ERROR] [satosa.base.run] [urn:uuid:2730a961-b965-4c94-9bd3-700c27fe1101] {'message': 'Missing SATOSA State', 'error': "{'message': 'Authentication failed', 'error': 'Received AuthN response without a SATOSA session cookie'}", 'error_id': 'urn:uuid:8cc81f61-9c0f-4420-8ef8-667ef6c9a9f9'}
[2025-02-25 01:47:05,226] [ERROR] [satosa.proxy_server.__call__] {'message': 'Authentication failed', 'error': 'Received AuthN response without a SATOSA session cookie'}
Traceback (most recent call last):
  File "/home/oidc/.local/lib/python3.10/site-packages/satosa/proxy_server.py", line 160, in __call__
    resp = self.run(context)
  File "/home/oidc/.local/lib/python3.10/site-packages/satosa/base.py", line 268, in run
    resp = self._run_bound_endpoint(context, spec)
  File "/home/oidc/.local/lib/python3.10/site-packages/satosa/base.py", line 193, in _run_bound_endpoint
    return spec(context)
  File "/home/oidc/.local/lib/python3.10/site-packages/satosa/backends/saml2.py", line 419, in authn_response
    raise SATOSAMissingStateError(msg)

I have not looked at the cookies-samesite-compat code yet.

gabrc52, Feb 25 '25 02:02

Maintainer of OpenGrades here:

I know of the issue from three different users. For the last user, I tried to sign in myself on their device and got the same error, which leads me to think this is a browser issue. All users report that this works fine when using Incognito or another browser. When using the primary Chrome profile, users are facing this issue, but opening a new profile (even a Guest profile) avoids the issue. I'm not sure if there's some obscure flag or device problem that leads to this; I'm a little stumped.

suufi, Feb 25 '25 02:02

Hi @gabrc52, looking at it again, I don't think the issue would be in cookies-samesite-compat. This code is just to create a copy of the state cookie without the samesite attribute to deal with browsers that might ignore the primary cookie because they do not understand / support the samesite cookie attribute. I don't think that's the culprit here.

I've looked into how `state_to_cookie` is called from `src/satosa/base.py`. The parameter `samesite` is driven by `self.config.get("COOKIE_SAMESITE")` - and defaults to Python value `None`.

Thanks for the debug output - that confirms `samesite` indeed has the Python value `None`.

And this line in `state_to_cookie` should make sure `cookie[name]["samesite"]` is set to String value `"None"`:

    cookie[name]["samesite"] = samesite if samesite is not None else "None"

It is a bit of a mouthful to read out with `None` and `"None"` next to each other - but it reads "if a value is not provided, use string value "None"".

And that is indeed happening - your third debug line shows `None <class 'str'>`.

So it should be setting the cookie with `samesite=None` - except that as per the SAML Tracer capture, it does not.

Running out of ideas here...

See this comment: https://github.com/IdentityPython/SATOSA/issues/468#issuecomment-2704662146

An ugly workaround is to use a proxy to strip out all cookies except for the SATOSA session cookie before Python sees the request.

ceko, Mar 14 '25 18:03
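A small model of the cookie rules the thread is reasoning about, added here as an example and not code from SATOSA: it builds the SATOSA_STATE Set-Cookie header the way the quoted `state_to_cookie` line does (Python `None` becoming the string `"None"`), parses the header back, and decides whether a browser would return that cookie on the IdP's cross-site POST to the ACS endpoint, which is the step that fails in the log above. The SameSite/Secure rules and Chrome's Lax+POST grace window are general browser behaviour stated here as assumptions, not something the thread establishes; the cookie value is constructed.

```python
from http.cookies import SimpleCookie

STATE_COOKIE = "SATOSA_STATE"  # cookie name seen in the debug log above


def state_to_cookie(name, value, samesite=None, secure=True):
    """Build the state cookie the way the line quoted in the thread does:
    a Python None for samesite becomes the string "None", so the cookie
    is eligible to be sent on cross-site requests (the IdP's ACS POST)."""
    cookie = SimpleCookie()
    cookie[name] = value
    cookie[name]["path"] = "/"
    cookie[name]["secure"] = secure
    cookie[name]["samesite"] = samesite if samesite is not None else "None"
    return cookie[name].OutputString()  # the Set-Cookie header value


def parse_set_cookie(header):
    """Split a Set-Cookie value into (name, value, {attr_lower: value});
    bare flags such as Secure become True."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if val else True
    return name, value, attrs


def cookie_is_returned(attrs, *, https, cross_site, method, lax_post_grace=False):
    """Model (assumption, not from the thread) of the SameSite/Secure rules a
    modern browser applies to a top-level navigation. Returns (sent, reason).
    lax_post_grace models Chrome's "Lax+POST" allowance for cookies without a
    SameSite attribute that were set less than two minutes earlier."""
    secure = attrs.get("secure", False) is True
    samesite = str(attrs.get("samesite", "")).lower()
    if samesite == "none" and not secure:
        return False, "SameSite=None without Secure is rejected at set time"
    if secure and not https:
        return False, "Secure cookie is not sent over plain http"
    if not cross_site:
        return True, "same-site request"
    if samesite == "strict":
        return False, "SameSite=Strict is never sent cross-site"
    if samesite == "lax" or (samesite == "" and not lax_post_grace):
        if method.upper() == "GET":
            return True, "Lax allows cross-site top-level GET"
        return False, "Lax (or Lax-by-default) blocks cross-site POST"
    return True, "SameSite=None (or Lax+POST grace) allows cross-site POST"


def acs_post_receives_state(set_cookie_header, https=True):
    """Will the state cookie come back on the IdP's cross-site POST to the
    ACS endpoint? False here reproduces the 'without a SATOSA session
    cookie' failure in the log above."""
    _, _, attrs = parse_set_cookie(set_cookie_header)
    return cookie_is_returned(attrs, https=https, cross_site=True, method="POST")


if __name__ == "__main__":
    header = state_to_cookie(STATE_COOKIE, "opaque-state-value")  # constructed
    print(header)
    print(acs_post_receives_state(header))
    print(acs_post_receives_state(state_to_cookie(STATE_COOKIE, "x", samesite="Lax")))
```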