Context and issue
We are at Spring Boot 2.6 and use simpleSamlPhp 1.18.8 as a local IdP server running in Docker, accessible through host.docker.internal for our test/develop environment. The application itself can run directly on my laptop or in another Docker container (the issue occurs either way) and is accessed via localhost:8080. This setup works fine on Spring Boot 2.4, 2.5, 2.6(.15). But now I want to upgrade to 2.7 and receive the error in the title when I attempt to log into the application. The only change in the code is changing Spring Boot 2.6.15 to 2.7.0 (or 2.7.14) in build.gradle. Reverting back to 2.6.15 makes the problem go away again. We use Gradle 7.4, JDK 11. All other dependency versions are managed automatically based on the Spring Boot version.
Most interestingly: When the error shows upon login, and I click the 'previous page' button in the browser, the application DOES immediately log me in successfully and redirects to the application's home screen. All works well after this point. If, when the error occurs, I instead go back to localhost:8080 or the login page, I again get the error. It occurs in Chrome, Firefox, Edge.
Attempted solutions
Googling the error points to articles on SO and elsewhere (e.g. Spring Saml2 and Spring Session - SavedRequest not retrieved (cannot redirect to requested page after authentication / InResponseTo exception)) that blame an issue with the CSRF / SameSite setting, but then I think the error should occur just as well in Spring Boot 2.6? I implemented the suggested fixes at the URL above anyway (setting the SameSite attribute to null OR setting it to none + setting the secure attribute) but this did not solve the problem.
https://spring.io/blog/2022/02/21/spring-security-without-the-websecurityconfigureradapter discusses some deprecated methods. I have updated the code to remove usage of the deprecated methods/classes but the issue occurs with or without those changes.
The weird cycle of "attempt login -> error -> click previous -> login successful" makes me think it might have something to do with the originating and returning URLs from the IdP server mismatching anyway (which I think is the point of the 'InResponseTo' attribute?), but at this point I must admit my understanding of SAML is simply too limited to even know how or where to continue looking for answers.
I discovered upgrading Spring Security to version 5.8 fixes the issue. Simply add

ext['spring-security.version']='5.8.5'

to your build.gradle file.

I unfortunately still do not know the underlying cause of the problem, nor why upgrading to 5.8 fixes it. After all, Spring Security 5.7 is the default version for Spring Boot 2.7 and as I understand it Spring Security 5.8 was in fact only released to make the eventual upgrade to 6.0 (and Spring Boot 3.0) easier. Still, at least there is a fix for the issue.
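For readers who want to see where that override sits in a Gradle build, here is an added example build.gradle (it is not the asker's own build file or anything from the Spring projects). It assumes the Spring Boot Gradle plugin together with Spring's dependency-management plugin, which is the setup in which the `spring-security.version` property is honoured; the plugin versions, group and dependency list are assumptions for illustration.

```groovy
// Added example build.gradle (not the original poster's file).
// Assumed plugin versions; the Spring Boot plugin pulls in the matching
// Spring Security 5.7.x by default when this property is not set.
plugins {
    id 'java'
    id 'org.springframework.boot' version '2.7.14'
    id 'io.spring.dependency-management' version '1.0.15.RELEASE'
}

group = 'com.example'          // assumption for illustration
sourceCompatibility = '11'     // JDK 11, as in the question

// The override must be declared before the dependencies block is
// evaluated. Spring Boot's managed-version property names are the
// artifact family followed by ".version"; this one pins every
// spring-security-* artifact to 5.8.5 instead of the 5.7.x that
// Spring Boot 2.7 manages by default.
ext['spring-security.version'] = '5.8.5'

repositories {
    mavenCentral()
}

dependencies {
    // Versions are omitted on purpose: the dependency-management plugin
    // supplies them from the Spring Boot BOM, with the override above
    // taking precedence for the Spring Security artifacts.
    implementation 'org.springframework.boot:spring-boot-starter-web'
    implementation 'org.springframework.boot:spring-boot-starter-security'
    implementation 'org.springframework.security:spring-security-saml2-service-provider'
    testImplementation 'org.springframework.boot:spring-boot-starter-test'
}
```

After changing the property, `./gradlew dependencies --configuration runtimeClasspath` lists the resolved versions, so you can confirm that every `org.springframework.security:*` artifact resolved to 5.8.5 and that no 5.7.x artifact was left behind by a transitive dependency.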