0D54z00009XcZr8CAF | Okta Classic Engine | Single Sign-On | Answered | 2024-12-07T09:00:41.000Z | 2023-08-04T15:06:55.000Z | 2023-10-18T15:41:22.000Z

kf9lz (kf9lz) asked a question.

RelayState Parameter Lost During SAML SSO Flow with Okta and Google

I am having an issue with the RelayState parameter in a SAML Single Sign-On (SSO) flow involving Okta and Google. We use Okta as an authentication provider for our applications and Google for everything else. We have set up Google as an Identity Provider (IdP) in Okta.

 

In our SSO flow, when we initiate a login, Okta redirects us to Google for authentication. We're passing the RelayState parameter in our SAML request to Google via Okta, which contains the URL of the application instance from where the authentication process was initiated.

 

However, when Google authenticates the user and redirects back to Okta, and then Okta redirects back to our application, the RelayState parameter is lost somewhere in the process. The final redirect from Okta to our application doesn't have the RelayState parameter that we initially passed.

 

Here's what our SSO URL looks like:

 

${OKTA_ISSUER_DOMAIN}/sso/saml2/${idpId}/home/oidc_client/${OKTA_CLIENT_ID}/${OKTA_EMBED_ID}?login_hint=${encodedEmail}&RelayState=${encodedRedirectUrl}

 

In this function, the RelayState parameter is set to the current window's location. We expect to see this RelayState parameter when Okta redirects back to our application, but it's not present.

 

When Okta redirects back it has

 

{{appdomain}}/login-callback?code=hNuNKY7U2G6PXr_VYlXdfZxOri34fndpQspR0&state=upO7JCvDbnDnKeQyEvMAHQUW1Y9wSCOWsvOKRnQNersdKyUMwo

 

 

Could this be an issue with how Okta handles the RelayState parameter? Or is it possible that Google's IdP is not returning the RelayState value? Any ideas or suggestions would be greatly appreciated.

 

 

Thank you!

 

 


This question is closed.