Troubleshooting
Fixing "Invalid state" after OIDC redirect in Redmine SSO
RRedmineShop

Symptom
User clicks Sign in with SSO, authenticates at the identity provider, then Redmine shows SSO login failed (invalid state) instead of logging in.
Cause 1: Session cookie not persisted
OIDC state is stored in the Rails session. If cookies are blocked, the session store is misconfigured, or HTTPS termination strips Secure flags, the callback cannot match state.
- Ensure Redmine
host_namematches the URL users visit - Behind a reverse proxy, set
RAILS_RELATIVE_URL_ROOTand trusted proxy headers correctly - Test in a normal browser window (not embedded webviews that block third-party cookies)
Cause 2: Multiple hostnames
Users open http://redmine.internal but the OAuth redirect uses https://redmine.company.com. Sessions do not cross hostnames.
Pick one canonical URL and redirect all others. Register the same host in your IdP redirect URI.
Cause 3: Stale login tab
Starting SSO from a tab open for days can expire the session. Retry from a fresh incognito window.
Still stuck?
Community support: GitHub Issues. Optional Install Assist for production cutover help.