CSRFTokenVerifier::InvalidCSRFToken when initiating SAML login on Discourse 2026.6

CSRFTokenVerifier::InvalidCSRFToken when initiating SAML login on Discourse 2026.6
Hi,

I’m trying to configure SAML authentication with ADFS on a fresh Discourse installation.

Environment

  • Discourse version: 2026.6 (Rails 8.0.5)
  • discourse-saml plugin
  • Plugin commit:
7d0fe944bf33588e6813bffaef5eb8f34e37d039
  • HTTPS enabled
  • Reverse proxy / Load Balancer in front of Discourse
  • force_https = true

SAML configuration

Metadata endpoint works correctly:

https://<hostname>/auth/saml/metadata

Metadata contains:

  • EntityID
  • ACS URL
  • SLO URL

ADFS team successfully imported the metadata.

Problem

When clicking Login with SAML, Discourse never redirects to ADFS.

Instead it immediately returns:

Sorry, the authorization timed out, or you have switched browsers.

Rails log

Started GET "/session/csrf"
Completed 200 OK

Started POST "/auth/saml"

(saml) Authentication failure!
CSRFTokenVerifier::InvalidCSRFToken

Started GET "/auth/failure?message=csrf_detected&strategy=saml"

Things already verified

  • HTTPS works
  • Discourse.base_url = https://hostname
  • force_https = true
  • Session cookie (_forum_session) exists
  • authenticity_token is included in POST /auth/saml
  • discourse-saml plugin is latest main branch
  • Metadata endpoint works
  • ADFS metadata has been recreated from SP metadata

Browser request

POST /auth/saml contains:

  • _forum_session cookie
  • authenticity_token

However the request immediately fails with:

CSRFTokenVerifier::InvalidCSRFToken

It never reaches ADFS.

Additional information

Browser DevTools shows:

x-csrf-token: undefined

Could this be a Rails 8 / OmniAuth CSRF issue, or is there another configuration required for discourse-saml on recent Discourse versions?

Any suggestions would be appreciated.


Discourse.base_url

https://testvknowyeni.vakifbank.intra

SiteSetting.force_https

true

SiteSetting.same_site_cookies

Lax