Django + Okta + django_saml2_auth Forbidden (CSRF cookie not set.) 403

Question

Created a saml application in Okta for local testing. Django side I'm using plugin django_saml2_auth ( https://github.com/fangli/django-saml2-auth ) to authenticate with Okta.

When I open the application from Okta app, Django throws below error;

Forbidden (CSRF cookie not set.): /
[03/Aug/2021 12:45:23] "POST / HTTP/1.1" 403 2870

Forbidden (403)
CSRF verification failed. Request aborted.

You are seeing this message because this site requires a CSRF cookie when submitting forms. This cookie is required for security reasons, to ensure that your browser is not being hijacked by third parties.

If you have configured your browser to disable cookies, please re-enable them, at least for this site, or for “same-origin” requests.

Actually home page ('/') doesn't have any forms for csrf verification, but okta tries POST on '/' and that fails at csrf. Followed this link https://github.com/fangli/django-saml2-auth/issues/30#issuecomment-438056798 and added "requestable urls" in okta but issue remains same.

Okta configuration

GENERAL
Single Sign On URL http://127.0.0.1:8000/
Requestable SSO URLs
URL  Index
http://127.0.0.1:8000/ 0
http://127.0.0.1:8000/saml2_auth/acs/ 1
http://127.0.0.1:8000/accounts/login/ 2
Recipient URL http://127.0.0.1:8000/
Destination URL http://127.0.0.1:8000/
Audience Restriction http://127.0.0.1:8000/saml2_auth/acs/

Am I missing anything? Is there any other saml plugin I can use for django + Okta integration?

Answer 1

I got this error while using Okta with Django.

This might be one of the solutions as I believe this error can happen because of multiple reasons, here is what solved the above error for me:

My SSO URL field in Okta did not have a "/" at the end. Basically, make sure the SSO URL and entity ID on Okta matches with your settings on the app.