After configuring a PAM cluster to authenticate against a remote IdP according to the manuals, it is not possible to establish a login session with a valid user: once the user is authenticated at the IdP and returns to PAM, a screen is shown with the message
State Information Lost
and no authentication is possible.
Putting PAM as an SP in debug in Diagnostics and reproducing the error, one sees that, as a first step, PAM saves the state (for instance _c1234aeef45673223) and sends it with the assertion request. The assertion request returns and PAM retrieves the state (in the example _c1234aeef45673223), but it subsequently fails with error NoState.
CA PAM several releases (3.4.X/4.0.X/4.1.X)
To understand why this is happening, it is necessary to follow the process:
* The browser (jxbrowser, which comes with the PAM Client) saves in the state the different parameters needed to identify the transaction and its response, for instance the name of the node that the assertion is being launched from.
* An assertion request is created and sent to the IdP, including the detail of the state information identifier (e.g. _c1234aeef45673223)
* The IdP authenticates the user and sends the information back, in the form of an assertion, to the Assertion Consumer Service in PAM, using the one that corresponds to the IP/name of the originating node. The assertion also includes the state information identifier (_c1234aeef45673223).
* Once PAM receives the response, it picks up the parameters in the assertion, loads the State Information it saved previously, and compares the two to make sure all is consistent. If it is consistent, PAM proceeds to validate the contents of the assertion with the certificates it has saved, which were included with the IdP metadata.
If any of the parameters coming with the assertion does not match what was saved as State Information, this error will occur.
A typical situation in which this may happen is when the machine from which we are doing SSO is identified by name in the metadata but we are using its IP to communicate instead of its name.
In the context of a cluster, the documentation says to use the IP of each node to configure SAML.
However, if the nodes resolve to names, not to IP addresses, such a mismatch may happen and the State Information Lost error will pop up.
In this case, specify for each node its FQDN (e.g. node1.example.com) instead of its IP in its SAML configuration, and make sure the IdP knows of the Assertion Consumer Service in PAM both by name and by IP.
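A pre-flight check for the name/IP mismatch described above, as an added example that is not part of the original article or of PAM itself: it reads the hosts in the AssertionConsumerService entries of a node's SP metadata and compares them with the host in the URL used to reach that node. The sample metadata, the ACS path and the address 192.0.2.10 are constructed placeholders; only the standard SAML 2.0 metadata schema is assumed.

```python
import ipaddress
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

MD_NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata"}

# Constructed sample: SP metadata for one cluster node as registered at the IdP.
# The entityID and ACS path are placeholders, not PAM's real values.
SAMPLE_SP_METADATA = """\
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
                     entityID="https://node1.example.com/sp-placeholder">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AssertionConsumerService index="0"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://node1.example.com/acs-placeholder"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
"""

def host_kind(host):
    """Classify a host string as 'ip' or 'name'."""
    try:
        ipaddress.ip_address(host)
        return "ip"
    except ValueError:
        return "name"

def acs_hosts(metadata_xml):
    """Return the hosts of every AssertionConsumerService Location."""
    root = ET.fromstring(metadata_xml)
    hosts = (urlsplit(e.get("Location", "")).hostname
             for e in root.iterfind(".//md:AssertionConsumerService", MD_NS))
    return {h for h in hosts if h}

def check_access_url(metadata_xml, access_url):
    """Compare the host used to reach the node with the hosts in its ACS entries."""
    used = urlsplit(access_url).hostname
    registered = acs_hosts(metadata_xml)
    if not registered:
        return "no ACS entries in metadata"
    if used in registered:
        return "ok"
    kinds = {host_kind(h) for h in registered}
    if host_kind(used) not in kinds:
        # The case from the article: metadata by name, access by IP (or the reverse).
        return "mismatch: accessed by %s, metadata lists only %s" % (
            host_kind(used), "/".join(sorted(kinds)))
    return "mismatch: host %s not in metadata" % used
```

Run it against each node's metadata with the URL users actually type; anything other than "ok" is a candidate for the State Information Lost error.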