SAML "Failed to determine the state of the SSO redirect"

Hello,

Failed to determine the state of the SSO redirect error usually occurs while signing into Amazon Managed Grafana workspace using a SAML IdP. Kindly note, when a user try to login and the authentication is successful at SAML IdP side, the SAML IdP will send a SAML Assertion file to AMG, and AMG will parse the incoming SAML assertion from SAML IdP to use the attributes within the "AttributeStatement" tags for identifying the user access level.

Thus, the above error usually occurs due to :-

1. Single sign on URL in your IdP is not setup correctly i.e. ACS / Redirect URL is not correct.
2. SAML Assertion Response received from IdP do not contain the required attributes
3. SAML Assertion Response not following UTF-8
4. SAML IdP's certificate expired

As you already mentioned that the setup was working fine previously but started throwing the errors recently. It could be possible due to SAML IdP's certificate expired. However, it is also possible that the SAML IdP application might have been modified.

Thus, please verify your SAML IdP setup according to SAML Setup documentation, and also ensure the certificate is not expired.

If the suggestions above do not help resolve the issue, we might need to troubleshoot based on your configurations. Could you please create a support case, so we may discuss details on your resource configurations?

Please do not post any sensitive information over re:Post since this is a public platform.

As always, feel free to reach back with any further questions or concerns in the meantime!