PAM was configured as the Relying Party, also referred to as Service Provider (SP), and a SAML service was configured as the IdP. The user connected to PAM and clicked the Single Sign On button. The authentication failed with "STATE Information lost".
Privileged Access Manager, all versions
This problem is observed when the address specified for the Fully Qualified Host Name on the Configuration > Security > SAML > SP Configuration page does not match the address with which the user connected to PAM. In this case the user connected to PAM with the IP address, but the FQDN was configured on the SP Configuration page.
This was resolved by connecting to PAM with the FQDN configured on the PAM SP Configuration page. The user then clicked the Single Sign On button, provided the SAML credentials, and was authenticated to PAM. Subsequent logins to PAM would not require the SAML credentials to be re-entered for as long as those credentials did not time out.
In general, whatever is configured as the Fully Qualified Domain Name on the SAML SP Configuration page is the address PAM users must use to access PAM for SAML authentication to work. Note that this field is not replicated across the cluster and can differ between cluster nodes; e.g. it can be a site VIP.
Also, in a cluster environment the PAM server certificate should list all individual node hostnames (and their IPs, if those are not expected to change) as well as all VIP FQDNs and IPs in the Subject Alternative Name (SAN) list. This ensures that any valid FQDN or IP used to access the cluster or one of its nodes will not cause a certificate error.
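The two checks above (the access address must equal the FQDN configured on the SP Configuration page, and every address users may type must be covered by the certificate SAN list) can be run as a pre-flight check before enabling SSO. The script below is an added example, not part of this article or of PAM; all hostnames, IPs and SAN entries in it are constructed placeholders, and the SP FQDN is checked per node because the field is not replicated across the cluster.

```python
"""Pre-flight check for PAM SAML SSO access addresses (constructed example)."""
import ipaddress

def san_covers(san_entries, address):
    """True if a DNS or IP SAN entry matches `address` (wildcards cover one label only)."""
    try:
        ip = ipaddress.ip_address(address)
    except ValueError:
        ip = None
    for kind, value in san_entries:
        if kind == "IP" and ip is not None and ipaddress.ip_address(value) == ip:
            return True
        if kind == "DNS" and ip is None:
            host, pat = address.lower(), value.lower()
            if host == pat:
                return True
            if pat.startswith("*.") and "." in host and host.split(".", 1)[1] == pat[2:]:
                return True
    return False

def check_access(sp_fqdn, san_entries, addresses):
    """Report, per address a user might type, the SAML and TLS problems to expect."""
    findings = {}
    for addr in addresses:
        problems = []
        if addr.lower() != sp_fqdn.lower():
            # Mismatch with the SP Configuration FQDN: SSO fails with "STATE Information lost"
            problems.append("saml-fqdn-mismatch")
        if not san_covers(san_entries, addr):
            # Address is not in the certificate SAN list: browser certificate error
            problems.append("cert-san-missing")
        findings[addr] = problems
    return findings

# Constructed data for one cluster node; none of these values come from the article.
SP_FQDN = "pam.example.test"                      # site VIP name configured on this node
SAN_ENTRIES = [("DNS", "pam.example.test"), ("IP", "192.0.2.10"),
               ("DNS", "pam-node1.example.test"), ("DNS", "pam-node2.example.test"),
               ("IP", "192.0.2.11")]
ADDRESSES = ["pam.example.test", "192.0.2.10", "pam-node1.example.test", "192.0.2.12"]

if __name__ == "__main__":
    for addr, problems in check_access(SP_FQDN, SAN_ENTRIES, ADDRESSES).items():
        print(f"{addr:28s} {'OK' if not problems else ', '.join(problems)}")
```

Only the address that exactly matches the configured SP FQDN passes both checks; node hostnames and VIP IPs are fine for TLS but still trigger the SAML state failure, which is the behaviour described above.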