I have a front-end gateway sitting in a DMZ, and I successfully set up Azure SSO. I can load the HMI by hitting the URL https://server.net:8043/data/perspective/client/HMI, it redirects me to Azure login, I use my Azure creds and all is right with the world.
When exposing to the internet, I want clients to be able to hit a URL on port 80, get redirected to 443 and continue to use SSO behind a web application firewall, in this case Barracuda's web application firewall.
I set up the cloud WAF and everything works well: it forwards port 80 requests over to 443 and proxies the connection to my front-end gateway on port 8043, but SSO breaks with error 400.
I rebuilt the Azure SSO using the outside URL, no change. Under Networking > Web Server > Public HTTP Address I've unchecked the box and specified the public address URL and ports 80 and 443, no change. I turned on debugging and I get the message below in my Ignition logs:
com.inductiveautomation.ignition.gateway.auth.web.strategy.WebAuthStrategyAdapterException: RelayState is empty
at com.inductiveautomation.ignition.gateway.auth.web.strategy.saml.SAMLWebAuthStrategyAdapter.lambda$parseState$0(SAMLWebAuthStrategyAdapter.java:410)
at java.base/java.util.Optional.orElseThrow(Unknown Source)
at com.inductiveautomation.ignition.gateway.auth.web.strategy.saml.SAMLWebAuthStrategyAdapter.parseState(SAMLWebAuthStrategyAdapter.java:410)
at com.inductiveautomation.ignition.gateway.auth.federation.FederationRoutes.callback(FederationRoutes.java:251)
at com.inductiveautomation.ignition.gateway.dataroutes.Route.service(Route.java:254)
at com.inductiveautomation.ignition.gateway.dataroutes.RouteGroupImpl.service(RouteGroupImpl.java:61)
at com.inductiveautomation.ignition.gateway.dataroutes.RouteGroupCollectionServlet.serviceInternal(RouteGroupCollectionServlet.java:59)
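A diagnostic check for the situation in the post above, added here as an example and not code from Ignition, Azure or Barracuda: it parses a captured SAML ACS POST body the way the gateway would receive it after the WAF, reports whether the RelayState field survived the proxy, and compares the IdP-stamped Destination with the public URL the gateway is configured to expect. The callback path, RelayState value and response XML are constructed placeholders, not real Ignition routes.

```python
import base64
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs, urlencode


def check_acs_post(body: str, expected_acs_url: str) -> dict:
    """Inspect an application/x-www-form-urlencoded SAML ACS POST body.

    Returns which form fields reached the gateway and whether the
    Destination the IdP wrote into the Response matches the public
    ACS URL the gateway advertises (a proxy rewriting host/port will
    make these disagree even when the WAF forwards the body intact).
    """
    fields = parse_qs(body, keep_blank_values=True)
    relay_state = fields.get("RelayState", [""])[0]
    saml_b64 = fields.get("SAMLResponse", [""])[0]
    result = {
        "has_saml_response": bool(saml_b64),
        "has_relay_state": bool(relay_state),  # empty -> "RelayState is empty"
        "destination": None,
        "destination_matches": False,
    }
    if saml_b64:
        root = ET.fromstring(base64.b64decode(saml_b64))
        result["destination"] = root.get("Destination")
        result["destination_matches"] = result["destination"] == expected_acs_url
    return result


def make_constructed_response(destination: str) -> str:
    """Build a minimal, unsigned samlp:Response (constructed test data only)."""
    xml = (
        '<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
        f'ID="_constructed" Version="2.0" Destination="{destination}"/>'
    )
    return base64.b64encode(xml.encode()).decode()


# Assumed placeholder for the gateway's public SAML callback URL.
PUBLIC_ACS = "https://server.net/data/federation/callback/saml"
INTERNAL_ACS = "https://server.net:8043/data/federation/callback/saml"

# Constructed bodies: one as the IdP sends it, one with RelayState blanked
# in transit, and one where the IdP was configured with the internal URL.
INTACT_BODY = urlencode({"SAMLResponse": make_constructed_response(PUBLIC_ACS),
                         "RelayState": "constructed-state-123"})
STRIPPED_BODY = urlencode({"SAMLResponse": make_constructed_response(PUBLIC_ACS),
                           "RelayState": ""})
WRONG_DEST_BODY = urlencode({"SAMLResponse": make_constructed_response(INTERNAL_ACS),
                             "RelayState": "constructed-state-123"})

if __name__ == "__main__":
    for name, body in [("intact", INTACT_BODY), ("stripped", STRIPPED_BODY),
                       ("wrong-dest", WRONG_DEST_BODY)]:
        print(name, check_acs_post(body, PUBLIC_ACS))
```

Feed it the raw POST body captured at the gateway (or on the WAF's back-end side) to tell a stripped RelayState apart from a Destination/public-URL mismatch.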