SAML - SSO state Invalid: User IP mismatch


We have been running Passbolt with a SAML configuration for 2 weeks now, and we sometimes face an issue with SAML.

The SAML popup prompt:

Has someone already seen this error? And how can we solve it?

Thanks!

Hey @Shas, welcome to the forum!

Since this is SSO, it is a pro feature, and you can reach out to us at if you’d like.

Usually this error is due to a configuration issue. Could you run the status-report and post the output?

On Debian the command is:
su -s /bin/bash -c "/usr/share/php/passbolt/bin/status-report" www-data


After some investigation, it seems the problem is:

We have 2 public DNS IPs for our Passbolt, and each of these IPs goes to a different load balancer, each of which has an internal IP for SNAT.

It seems that sometimes the browser goes to the Passbolt page with one of the DNS records and Passbolt sees the source IP of the first LB, while the extension uses the second public IP for the SSO auth and Passbolt sees the source IP of the second LB.

Passbolt seems to have a User IP check feature which checks whether all the requests from the same user session come from the same IP.

It seems it’s possible if I go to the Passbolt PHP and modify the option:

'userIp' => filter_var(env('PASSBOLT_SECURITY_USER_IP', true), FILTER_VALIDATE_BOOLEAN),

to:

'userIp' => filter_var(env('PASSBOLT_SECURITY_USER_IP', false), FILTER_VALIDATE_BOOLEAN),

I will test this and come back to the topic with the final answer in case someone meets the same problem some day.

If someone has already done it and can confirm it’s working, that would be great :).
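
A simplified model of the situation described in this thread, added here as an example; it is not Passbolt's code and was not posted by any participant. It shows why an IP-bound SSO state fails when two requests arrive through different SNAT load balancers, and how the same check passes when the client address is taken from X-Forwarded-For only for known load balancer peers. All names and addresses are constructed, and it assumes the load balancers append the client address to X-Forwarded-For.

```python
import ipaddress

# Constructed addresses: two load balancers that SNAT to their own internal IPs.
LB_A, LB_B = "10.0.1.10", "10.0.2.10"
CLIENT = "203.0.113.7"
TRUSTED_PROXIES = [ipaddress.ip_network(LB_A + "/32"),
                   ipaddress.ip_network(LB_B + "/32")]


def is_trusted(addr):
    ip = ipaddress.ip_address(addr)  # raises ValueError on malformed input
    return any(ip in net for net in TRUSTED_PROXIES)


def client_ip(peer_addr, headers, trust_proxies):
    """Return the address the IP check should compare.

    Without proxy trust this is the TCP peer (the load balancer's SNAT address).
    With proxy trust, X-Forwarded-For is honoured only when the peer is a known
    load balancer, walking right to left to the first untrusted hop.
    """
    if not trust_proxies or not is_trusted(peer_addr):
        return peer_addr
    raw = headers.get("X-Forwarded-For", "")
    hops = [h.strip() for h in raw.split(",") if h.strip()]
    for hop in reversed(hops):
        try:
            if not is_trusted(hop):
                return hop
        except ValueError:
            return peer_addr  # malformed header: fall back to the peer
    return peer_addr


class SsoState:
    """Hypothetical SSO state record bound to the IP seen at creation."""

    def __init__(self, ip):
        self.ip = ip

    def validate(self, ip):
        return "ok" if ip == self.ip else "User IP mismatch"


def run_flow(trust_proxies):
    # Page load arrives through LB A, the SSO callback through LB B.
    xff = {"X-Forwarded-For": CLIENT}
    state = SsoState(client_ip(LB_A, xff, trust_proxies))
    return state.validate(client_ip(LB_B, xff, trust_proxies))
```
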