and the Verbose SSO log has “Nonce has already expired”, I don’t see any other error messages.
It doesn’t work on both prod and dev environments, so I don’t think that it is related to the server configuration, and nothing was changed in the SSO code either.
I need some direction on where to dig in further. Did something change in SSO, or were any new configuration options added between 2.5.1 and 2.6.2?
Thanks for the details via PM @rysher. In case it helps anyone else, the problem here was that the DiscourseConnect flow is being initiated by a server-side request from the identity provider. This isn’t how the protocol is designed to be used, although before the recent security commit, it was technically possible.
The solution is to make sure that the users are directed to /session/sso in their own browser, before being redirected to the identity provider.
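The flow described in the reply above, seen from the identity provider's side, as an added example that is not part of the original posts or of Discourse's code: the provider starts a login by redirecting the user's browser to `/session/sso`, then verifies the signed payload that the same browser brings back and answers with the nonce it received. The forum URL, secret and function names are assumptions; the payload field names follow the DiscourseConnect documentation.

```python
import base64
import hashlib
import hmac
from urllib.parse import parse_qs, urlencode

# Assumed values for illustration; not taken from the thread.
DISCOURSE_URL = "https://forum.example.com"
SSO_SECRET = b"constructed-shared-secret"


def start_login_redirect():
    """Step 1: send the user's own browser to Discourse to begin the flow.
    The provider must not request this URL itself from its server."""
    return 302, {"Location": f"{DISCOURSE_URL}/session/sso"}


def sign(payload_b64: str) -> str:
    """Hex HMAC-SHA256 of the base64 payload, keyed with the shared secret."""
    return hmac.new(SSO_SECRET, payload_b64.encode(), hashlib.sha256).hexdigest()


def parse_request(sso: str, sig: str) -> dict:
    """Step 2: verify the sso/sig query parameters the browser arrived with,
    then extract the nonce and the return URL from the payload."""
    if not hmac.compare_digest(sign(sso), sig):
        raise ValueError("bad DiscourseConnect signature")
    fields = parse_qs(base64.b64decode(sso).decode())
    return {"nonce": fields["nonce"][0],
            "return_sso_url": fields["return_sso_url"][0]}


def build_response(req: dict, external_id: str, email: str) -> str:
    """Step 3: after authenticating the user, echo the nonce back in a signed
    payload and return the URL to redirect the same browser to."""
    payload = urlencode({"nonce": req["nonce"],
                         "external_id": external_id,
                         "email": email})
    payload_b64 = base64.b64encode(payload.encode()).decode()
    query = urlencode({"sso": payload_b64, "sig": sign(payload_b64)})
    return f"{req['return_sso_url']}?{query}"
```
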