This repository was archived by the owner on Apr 26, 2024. It is now read-only.

Potential bug when using SAML and workers might result in "Unsolicited response" errors #7530

@clokep

I'm unsure if this will be a problem in reality or is just a potential for issues, but figured I should document it. This is somewhat similar to #6705, but is:

  • Specific to SAML.
  • Not specific to UI authentication (e.g. it will apply to login/registration as well).

The SAML handler stores state about ongoing SAML requests in memory (see uses of _outstanding_requests_dict in the synapse.handlers.saml_handler.SamlHandler class).

In worker mode, it is possible for a request to get created and the callback to occur on different workers, causing an error about an unrequested SAML response.

I believe the workaround is to ensure that the following endpoints all go to the same worker:

  • /_matrix/client/r0/login/sso/redirect
  • /_matrix/saml2/authn_response
  • /_matrix/client/r0/auth/(org.matrix.login.sso|m.login.sso)/fallback/web
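
The failure mode described above, as an added example that is not part of the original issue and is not Synapse's code: a toy model in which each worker keeps its own in-memory `_outstanding_requests_dict`, so the IdP callback is only recognised when it reaches the worker that issued the request. The `Worker`, `make_router` and `sso_flow` names and the round-robin routing are assumptions made for illustration.

```python
import itertools
import re
import secrets

# The three endpoints listed in the issue; the workaround sends all to one worker.
SSO_PATHS = re.compile(
    r"^/_matrix/client/r0/login/sso/redirect$"
    r"|^/_matrix/saml2/authn_response$"
    r"|^/_matrix/client/r0/auth/(org\.matrix\.login\.sso|m\.login\.sso)/fallback/web$"
)

class Worker:
    """Toy stand-in for one worker process (hypothetical, not Synapse code)."""
    def __init__(self, name):
        self.name = name
        # Per-process memory: other workers never see these entries.
        self._outstanding_requests_dict = {}

    def start_login(self):
        request_id = secrets.token_hex(8)
        self._outstanding_requests_dict[request_id] = "pending"
        return request_id

    def handle_response(self, in_response_to):
        # A response is accepted once, and only by the worker that issued it.
        if self._outstanding_requests_dict.pop(in_response_to, None) is None:
            return "Unsolicited response"
        return "ok"

def make_router(workers, pin_sso):
    """Return route(path) -> Worker: round-robin unless SSO paths are pinned."""
    rr = itertools.cycle(workers)
    def route(path):
        if pin_sso and SSO_PATHS.match(path):
            return workers[0]  # assumed: first worker is the designated SSO worker
        return next(rr)
    return route

def sso_flow(pin_sso):
    """Send the redirect, then the IdP callback, through the router."""
    route = make_router([Worker("w1"), Worker("w2")], pin_sso)
    request_id = route("/_matrix/client/r0/login/sso/redirect").start_login()
    return route("/_matrix/saml2/authn_response").handle_response(request_id)

if __name__ == "__main__":
    print("round-robin:", sso_flow(False))
    print("pinned:", sso_flow(True))
```
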


Labels

  • A-SSO: Single Sign-On (maybe OIDC)
  • A-Workers: Problems related to running Synapse in Worker Mode (or replication)
  • S-Minor: Blocks non-critical functionality, workarounds exist.
  • T-Defect: Bugs, crashes, hangs, security vulnerabilities, or other reported issues.
