Application with SAML Connection Redirects to Incorrect URL After Successful Login
This article explains why a user is redirected to an incorrect URL, such as a localhost address, instead of the expected callback URL after a successful login through a SAML connection. This occurs during a Service Provider (SP)-initiated flow using a Security Assertion Markup Language (SAML) connection where the Identity Provider (IdP) Initiated setting is enabled.
The system defaults to an IdP-initiated flow when the RelayState parameter and the InResponseTo attribute are both missing from the SAML response. When this occurs, the parameters from the original SP-initiated authorize request (including redirect_uri) are ignored: the system cannot match the login request with the SAML response, so it processes the response as a separate, IdP-initiated login transaction.
If the IdP-initiated flow were disabled for the connection, the following error would occur instead:
"invalid_request": "IdP-Initiated login is not enabled for connection '<CONNECTION_NAME>'."
To resolve this issue, the SAML IdP must be configured to return the RelayState parameter and an InResponseTo attribute that matches the ID of the original authentication request in the SAML response. This ensures the SP-initiated flow is used and the user is redirected to the correct URL specified in the authorize request.
To troubleshoot and confirm the cause, perform the following steps:
- Examine the SAML connection configuration to see if IdP Initiated Flow is enabled.
- Check the default application's callback URLs if no redirect_uri is specified in the query string. Note: The system defaults to using the first allowed callback URL. If this URL matches the incorrect URL the user sees, the flow is likely being treated as IdP-initiated.
- Capture a .HAR file and decode the SAML response from the IdP using a SAML decoding tool, such as https://www.samltool.io/, to inspect the response and confirm that the RelayState parameter is missing.
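The following script is an added example, not code from the article or from Auth0. It automates the third troubleshooting step and models the behaviour the article describes: it pulls the POST to the Assertion Consumer Service (ACS) URL out of a HAR capture, base64-decodes the SAMLResponse form field, and reports whether RelayState and InResponseTo are present and whether InResponseTo matches an outstanding authentication request. The ACS path, callback URLs, request IDs and the minimal unsigned SAML Response are all constructed for the demo; treating an InResponseTo value that matches no outstanding request as rejected is an assumption about a careful SP, not something the article states.

```python
import base64
import json
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs, urlencode

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"

# Hypothetical SP values, constructed for this example only.
ACS_PATH = "/login/callback"
SP_DEFAULT_CALLBACK = "http://localhost:3000/callback"  # first allowed callback URL


def find_acs_post(har, acs_path=ACS_PATH):
    """Return the urlencoded body of the first HAR entry POSTed to the ACS URL.

    This is the request that carries the SAMLResponse (and, when the IdP
    sends it, the RelayState) form field. Returns None if no such entry exists.
    """
    for entry in har["log"]["entries"]:
        req = entry["request"]
        if req["method"] == "POST" and acs_path in req["url"]:
            return req.get("postData", {}).get("text", "")
    return None


def classify_saml_post(post_body, pending_request_ids, requested_redirect_uri=None):
    """Decide how an SP would treat the posted SAML response.

    pending_request_ids: IDs of AuthnRequests the SP issued and is still
    waiting on. requested_redirect_uri: the redirect_uri from the original
    authorize request, honoured only if the response can be correlated.
    """
    fields = parse_qs(post_body)
    relay_state = fields.get("RelayState", [None])[0]
    saml_b64 = fields.get("SAMLResponse", [None])[0]
    if saml_b64 is None:
        raise ValueError("POST body has no SAMLResponse field")

    root = ET.fromstring(base64.b64decode(saml_b64))
    if root.tag != f"{{{SAMLP}}}Response":
        raise ValueError(f"unexpected root element {root.tag}")
    in_response_to = root.get("InResponseTo")

    if in_response_to in pending_request_ids:
        flow, redirect_to = "sp_initiated", requested_redirect_uri
        reason = "InResponseTo matches an outstanding AuthnRequest"
    elif in_response_to is not None:
        # Assumption: an unknown or stale request ID should not be accepted.
        flow, redirect_to = "rejected", None
        reason = f"InResponseTo={in_response_to!r} matches no outstanding AuthnRequest"
    else:
        missing = ["InResponseTo"] + (["RelayState"] if relay_state is None else [])
        flow, redirect_to = "idp_initiated", SP_DEFAULT_CALLBACK
        reason = ("missing " + " and ".join(missing)
                  + "; response cannot be correlated, falling back to first allowed callback URL")
    return {"flow": flow, "redirect_to": redirect_to, "reason": reason,
            "relay_state": relay_state, "in_response_to": in_response_to}


def build_response_xml(in_response_to=None):
    """Construct a minimal, unsigned SAML Response for the demo (not a real IdP artefact)."""
    ET.register_namespace("samlp", SAMLP)
    ET.register_namespace("saml", SAML)
    resp = ET.Element(f"{{{SAMLP}}}Response", ID="_resp-constructed-1", Version="2.0",
                      IssueInstant="2024-01-01T00:00:00Z",
                      Destination="https://sp.example.invalid" + ACS_PATH)
    if in_response_to:
        resp.set("InResponseTo", in_response_to)
    ET.SubElement(resp, f"{{{SAML}}}Issuer").text = "https://idp.example.invalid"
    status = ET.SubElement(resp, f"{{{SAMLP}}}Status")
    ET.SubElement(status, f"{{{SAMLP}}}StatusCode",
                  Value="urn:oasis:names:tc:SAML:2.0:status:Success")
    return ET.tostring(resp, encoding="unicode")


def build_har(response_xml, relay_state=None):
    """Construct a two-entry HAR capture: the redirect to the IdP, then the POST back to the ACS."""
    form = {"SAMLResponse": base64.b64encode(response_xml.encode()).decode()}
    if relay_state is not None:
        form["RelayState"] = relay_state
    return {"log": {"entries": [
        {"request": {"method": "GET", "url": "https://idp.example.invalid/sso"}},
        {"request": {"method": "POST", "url": "https://sp.example.invalid" + ACS_PATH,
                     "postData": {"mimeType": "application/x-www-form-urlencoded",
                                  "text": urlencode(form)}}},
    ]}}


if __name__ == "__main__":
    pending = {"_req-constructed-42"}
    wanted = "https://sp.example.invalid/app"
    good = build_har(build_response_xml("_req-constructed-42"), relay_state=wanted)
    bad = build_har(build_response_xml())  # IdP dropped both RelayState and InResponseTo
    for label, har in (("IdP echoed RelayState and InResponseTo", good), ("IdP omitted both", bad)):
        print(label)
        print(json.dumps(classify_saml_post(find_acs_post(har), pending, wanted), indent=2))
```

Run against a real capture, load the HAR with json.load and pass the AuthnRequest ID from the SAMLRequest the browser sent to the IdP as the pending set; a result of idp_initiated with redirect_to equal to the first allowed callback URL reproduces the symptom in the article.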