Double POST with SAML on Chromium-based browsers #18655

@dminuoso

Describe the bug

Given a SAML application with POST binding, the POST request back to the service provider carrying the SamlResponse is submitted twice on Chromium browsers in rapid succession. We have been able to replicate it with Edge, Chrome and Chromium on the most recent versions.

How to reproduce

  1. Set up a SAML Provider with a POST binding
  2. Execute authentication flow in a Chromium-based browser
  3. Observe a double POST redirect in Network tab under developer tools

Expected behavior

A single POST request being sent out

Additional context

The root cause seems to be an incorrect use of a Lit lifecycle hook `updated` in `ak-stage-autosubmit` which triggers twice under some conditions.

```ts
updated(changed: PropertyValues<this>): void {
    super.updated(changed);
    if (this.challenge.url !== undefined) {
        this.form?.submit();
    }
}
```

Depending on network latency and the DOM interaction, the first POST may be fully transmitted before it gets cancelled by the second POST. Our service provider rejects authentication attempts when it sees a SamlResponse being replayed, so whenever the race condition is complete, it results in failed authentication attempts sporadically for us.

Deployment Method

Other (please specify)

Version

2025.10.2

Relevant log output

N/A
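
The double submit described in this issue, modelled as an added example (not code from the issue or from the project): a plain JavaScript stand-in, without Lit, that runs the `updated` logic quoted above through repeated update cycles next to a variant that latches on the challenge URL. `FakeForm`, `UnguardedStage`, `GuardedStage`, `countSubmits` and the URLs are hypothetical names and constructed values.

```javascript
// Constructed stand-in for the <form>: counts submit() calls instead of navigating.
class FakeForm {
    constructor() {
        this.submitCount = 0;
    }
    submit() {
        this.submitCount += 1;
    }
}

// Same condition as the hook quoted in the issue: submits on every update
// cycle for as long as challenge.url is set.
class UnguardedStage {
    constructor(form) {
        this.form = form;
        this.challenge = {};
    }
    updated() {
        if (this.challenge.url !== undefined) {
            this.form?.submit();
        }
    }
}

// Hypothetical guard: submit at most once per distinct challenge URL.
class GuardedStage extends UnguardedStage {
    updated() {
        const url = this.challenge.url;
        if (url === undefined || url === this.submittedUrl) {
            return;
        }
        this.submittedUrl = url; // latch before submitting so a repeat cycle is a no-op
        this.form?.submit();
    }
}

// Run one update cycle per entry of urlsPerCycle and return how many POSTs
// the form would have sent.
function countSubmits(StageClass, urlsPerCycle) {
    const form = new FakeForm();
    const stage = new StageClass(form);
    for (const url of urlsPerCycle) {
        stage.challenge = { url };
        stage.updated();
    }
    return form.submitCount;
}

const acs = "https://sp.example.test/acs"; // constructed ACS URL
console.log(countSubmits(UnguardedStage, [acs, acs]), countSubmits(GuardedStage, [acs, acs]));
```

The latch only removes the duplicate request in the browser; the service provider's replay rejection is unchanged.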

Labels: bug (Something isn't working), status/reviewing (thanks for opening, we're taking a look)