How to redirect to original application with ForwardAuth and SAML?

[cf-sewe]

When I open https://whoami.my.domain.com , I am successfully forwarded to https://auth.my.domain.com and can login with user/password. I am automatically redirected back to whoami service.

However when I login with SAML, this does not work and I am redirected to the Applications overview in Authentik.
The issue seems to be that when Microsoft calls the Authentik ACS URL, that Authentik is not aware anymore of the original requested application.

The POST https://auth.my.domain.com/source/saml/entraid-sso-saml/acs/ redirects to /if/flow/default-source-authentication and then I am redirected to the "My applications" view.

Is there any special configuration needed for this scenario? I checked for RelayState, but couldnt find anything to configure for a SAML Source.

I have searched for this issue at various places, but all of the similar issues are not explicitly mentioning SSO/SAML and I seem to have a different issue. I spent considerable time investigating and debugging this issue.

Configuration:

• Docker Swarm
• Authentik 2024.8.3 with Embedded Output for proxy
• Default Flows, except adding the SAML provider to the authentication stage
• Traefik v3.1 reverse proxy with working ForwardAuth setup
• Authentik SAML Source with Microsoft Entra ID SAML provider

[cf-sewe]

I am offering a bounty of 50€, payable by Paypal once my reported problem is resolved.

If any additional info is needed, I could show it in Zoom call.