CSRFTokenVerifier::InvalidCSRFToken when initiating SAML login on Discourse 2026.6
Hi,
I’m trying to configure SAML authentication with ADFS on a fresh Discourse installation.
Environment
- Discourse version: 2026.6 (Rails 8.0.5)
- discourse-saml plugin
- Plugin commit:
7d0fe944bf33588e6813bffaef5eb8f34e37d039
- HTTPS enabled
- Reverse proxy / Load Balancer in front of Discourse
- force_https = true
SAML configuration
Metadata endpoint works correctly:
https://<hostname>/auth/saml/metadata
Metadata contains:
- EntityID
- ACS URL
- SLO URL
ADFS team successfully imported the metadata.
Problem
When clicking Login with SAML, Discourse never redirects to ADFS.
Instead it immediately returns:
Sorry, the authorization timed out, or you have switched browsers.
Rails log
Started GET "/session/csrf"
Completed 200 OK
Started POST "/auth/saml"
(saml) Authentication failure!
CSRFTokenVerifier::InvalidCSRFToken
Started GET "/auth/failure?message=csrf_detected&strategy=saml"
Things already verified
- HTTPS works
- Discourse.base_url = https://hostname
- force_https = true
- Session cookie (_forum_session) exists
- authenticity_token is included in POST /auth/saml
- discourse-saml plugin is latest main branch
- Metadata endpoint works
- ADFS metadata has been recreated from SP metadata
Browser request
POST /auth/saml contains:
- _forum_session cookie
- authenticity_token
However the request immediately fails with:
CSRFTokenVerifier::InvalidCSRFToken
It never reaches ADFS.
Additional information
Browser DevTools shows:
x-csrf-token: undefined
Could this be a Rails 8 / OmniAuth CSRF issue, or is there another configuration required for discourse-saml on recent Discourse versions?
Any suggestions would be appreciated.
Discourse.base_url
https://testvknowyeni.vakifbank.intra
SiteSetting.force_https
true
SiteSetting.same_site_cookies
Lax