I have a Laravel application that uses Socialite to handle the authentication between AWS Cognito + Entra (formerly known as Azure Active Directory).
We have local > staging > preprod > prod environments.
On all environments, our SAML login flow works fine, but on production, after authenticating successfully with the IDP, upon redirect, we get an invalid_client error.
However, if I go through the SAML flow again after being authenticated in the same browser session, I get redirected and authenticated into the client application correctly.
I only get this invalid_client error on production, and it happens 50% of the time. Half of the time it redirects to the client application immediately and completes a successful SAML login flow; the other half of the time it gets the invalid_client error. If I keep hitting the redirect endpoint, though, it eventually works. (What on earth?)
[Screenshot: Sign-in logs from Entra SAML application]
[Screenshot: Debugging interrupted status in Entra]
It says I can de-activate the 'Keep Me Signed-In' option, but this will not work for other companies that use our platform.
Has anyone ever run into something like this?
I validated that our client credentials are correct (otherwise we would not be able to successfully authenticate with the IDP and get redirected to the client application).
I tried to disable the KMSI option; however, the sandbox env I'm in doesn't have this option, and it will not work for other companies.
I tried to implement a retry (7 times, every 3 seconds) on the BE to keep retrying until we do not get an Exception and eventually redirect to the dashboard with the token, but that didn't resolve the issue.
I am expecting to get redirected to the dashboard with the correct auth token we get back from Socialite after a successful flow between Cognito < = > IDP. On every attempt after successful IDP authentication, the code & state for the stateless Socialite user are returned, but we still get an invalid_client error.