CSRF error in SAML Authentication flow

Last Updated: Apr 21, 2026

Error Scenario

When System Manager connects to an external Identity Provider (IdP) for SAML authentication, login failures may occur with the following error message: "Cross site request forgery could be present in your request."

Possible Causes and Checks to be done

  • Incomplete or incorrect TLS certificate trust chain in the SMGR truststore.

  • IdP resolves to multiple IP addresses, and each IP presents a different certificate chain that leads to the root certificate.

  • SSL inspection or proxy interference changes TLS or SAML traffic.

  • DNS resolves IdP to multiple IP addresses with inconsistent routing.

  • Time synchronization issues cause invalid SAML assertions.

  • Firewall restrictions block access to the required SAML authentication server.

Recommended Solutions

Procedure

  1. Import the full certificate chain (leaf and intermediate CA) for the IdP into the System Manager truststore. Do not rely only on the root CA or intermediate CA.
  2. If System Manager resolves the IdP FQDN to multiple IPs and each IP presents a different root or intermediate certificate chain, ensure that the full certificate chain for each resolved IP is imported into the System Manager truststore. This ensures that trust validation succeeds across all resolved IdP IPs and prevents intermittent TLS or SAML failures caused by inconsistent certificate chains.
  3. If you cannot add the certificate chain for all IPs to the System Manager truststore, map the IdP FQDN to a static, controlled IP address in the System Manager hosts file so that connections are routed consistently to a known IP or server.
  4. Ensure that NTP is correctly configured on System Manager to prevent clock drift that could break SAML assertion validation.
  5. Ensure that the customer's network firewall rules allow System Manager to connect to the SAML authentication server.
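
One way to run the per-IP check behind steps 1 to 3, as an added example that is not part of the product documentation: it resolves the IdP FQDN, connects to each address with the IdP's SNI, and reports which addresses present a chain that fails validation against a PEM export of the truststore. The PEM export, the function names and the sample addresses are assumptions; validation uses Python's OpenSSL bindings, so it approximates System Manager's own trust decision.

```python
import hashlib, socket, ssl

# Constructed sample: {ip: (leaf_sha256, verify_error)}; addresses are documentation ranges.
SAMPLE = {
    "192.0.2.10": ("aa" * 32, None),
    "192.0.2.11": ("bb" * 32, "unable to get local issuer certificate"),
}

def resolve_all(fqdn, port=443):
    """Every address the resolver currently returns for the IdP FQDN."""
    infos = socket.getaddrinfo(fqdn, port, type=socket.SOCK_STREAM)
    return sorted({info[4][0] for info in infos})

def probe(ip, fqdn, cafile, port=443, timeout=5):
    """Connect to one resolved IP with the IdP's SNI; return (leaf_sha256, verify_error)."""
    # Pass 1: verification off, only to fingerprint the leaf this IP presents.
    loose = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    loose.check_hostname = False
    loose.verify_mode = ssl.CERT_NONE
    with socket.create_connection((ip, port), timeout=timeout) as raw:
        with loose.wrap_socket(raw, server_hostname=fqdn) as tls:
            leaf = hashlib.sha256(tls.getpeercert(binary_form=True)).hexdigest()
    # Pass 2: validate against the exported truststore only (cafile is an assumed PEM export).
    strict = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    strict.load_verify_locations(cafile=cafile)
    # Accept a trusted leaf or intermediate as an anchor, matching an import of those certs.
    strict.verify_flags |= ssl.VERIFY_X509_PARTIAL_CHAIN
    try:
        with socket.create_connection((ip, port), timeout=timeout) as raw:
            with strict.wrap_socket(raw, server_hostname=fqdn):
                return leaf, None
    except ssl.SSLCertVerificationError as exc:
        return leaf, exc.verify_message

def summarize(results):
    """Group IPs by presented leaf and list the IPs whose chain did not validate."""
    groups = {}
    for ip, (leaf, _err) in results.items():
        groups.setdefault(leaf, []).append(ip)
    return {
        "untrusted_ips": sorted(ip for ip, (_l, err) in results.items() if err),
        "leaf_groups": {leaf: sorted(ips) for leaf, ips in groups.items()},
        "inconsistent": len(groups) > 1,
    }

def check_idp(fqdn, cafile):
    """Live check: probe every resolved IdP address against the exported truststore."""
    return summarize({ip: probe(ip, fqdn, cafile) for ip in resolve_all(fqdn)})
```

Call `check_idp` with the IdP FQDN and the exported PEM file from a host on the same network path as System Manager. Any address listed under `untrusted_ips` presents a chain that still needs to be imported or avoided through the hosts file mapping in step 3.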