We recently encountered an error where iOS devices were failing to log into a newly set up AD FS endpoint with a rather cryptic error: "The required parameter RelayState was missing or invalid". The error appeared in the AD FS event log on the Windows server; the iOS users themselves just saw the login fail.
This error is usually caused by a SAML-related cookie exceeding the 4 KB per-cookie limit that browsers enforce. The browser truncates the cookie, the truncated (and therefore invalid) value is sent back to the endpoint, and AD FS can no longer recover the RelayState it expects from it, hence the message.
It turned out that the workaround was to uncheck the following settings under the Enterprise Login advanced settings on the service-provider side:
- Encrypt Assertion
- Enable Signed Request
- Propagate logout to Identity Provider
With all three options enabled, the SAML request that AD FS has to carry through the login ended up larger than a single cookie can hold, and the login failed. A signed request in particular embeds an XML signature and usually the signing certificate, which adds a couple of kilobytes to an otherwise small request. Note that these are security controls rather than cosmetics: signed requests stop a tampered authentication request, encrypted assertions protect the attributes that pass through the browser, and logout propagation actually ends the AD FS session. Treat unchecking them as a workaround, confirm with a proxy or browser developer tools which cookie is going over 4 KB, and re-enable whichever options you can once the payload has been trimmed. Hopefully this information can help others who run into the same issue.
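To make the size problem concrete, here is an added example (not code from the original post or from AD FS) that does two things a practitioner would want while troubleshooting this: it encodes a SAML AuthnRequest the way the HTTP-Redirect binding does (deflate then base64) with and without an enveloped signature block, so you can see how much a signature plus embedded certificate adds, and it scans a list of Set-Cookie headers for any cookie whose name=value pair is over the 4096-byte limit. The request XML, the issuer and ACS URLs, the certificate filler, and the Set-Cookie lines are all constructed placeholders, not values captured from a real AD FS deployment.

```python
import base64
import hashlib
import zlib

# Per-cookie size most browsers enforce; RFC 6265 requires support for at least 4096 bytes.
COOKIE_LIMIT = 4096

# Constructed sample AuthnRequest. Issuer and ACS URL are placeholders, not from the post.
UNSIGNED_AUTHN_REQUEST = (
    '<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" '
    'ID="_example_request_id" Version="2.0" IssueInstant="2024-01-01T00:00:00Z" '
    'AssertionConsumerServiceURL="https://sp.example.test/saml/acs">'
    '<saml:Issuer>https://sp.example.test/metadata</saml:Issuer>'
    '</samlp:AuthnRequest>'
)


def _filler_b64(label, nbytes):
    """Deterministic, incompressible base64 filler standing in for real signature/certificate bytes."""
    blocks = (hashlib.sha256(label + bytes([i])).digest() for i in range(nbytes // 32))
    return base64.b64encode(b"".join(blocks)).decode("ascii")


def signed_authn_request():
    """The same request with an enveloped ds:Signature block.

    The structure matches what a signed request looks like (SignatureValue of a 2048-bit RSA key is
    344 base64 chars, an embedded X.509 certificate is roughly 2 KB), but the bytes are filler, so
    this is NOT a valid signature; it only reproduces the size impact.
    """
    signature = (
        '<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">'
        '<ds:SignedInfo>...</ds:SignedInfo>'
        '<ds:SignatureValue>' + _filler_b64(b"sig", 256) + '</ds:SignatureValue>'
        '<ds:KeyInfo><ds:X509Data><ds:X509Certificate>' + _filler_b64(b"cert", 1536) +
        '</ds:X509Certificate></ds:X509Data></ds:KeyInfo>'
        '</ds:Signature>'
    )
    # The SAML schema places the signature right after the Issuer element.
    return UNSIGNED_AUTHN_REQUEST.replace('</saml:Issuer>', '</saml:Issuer>' + signature)


def encode_redirect_binding(xml):
    """SAMLRequest value for the HTTP-Redirect binding: raw DEFLATE (no zlib header), then base64."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)
    return base64.b64encode(comp.compress(xml.encode("utf-8")) + comp.flush()).decode("ascii")


def decode_redirect_binding(value):
    """Inverse of encode_redirect_binding; handy for inspecting a SAMLRequest copied from a URL."""
    return zlib.decompress(base64.b64decode(value), -15).decode("utf-8")


def encoded_sizes():
    """Bytes on the wire (and, if the IdP stashes the request in a cookie, in that cookie) per variant."""
    return {
        "unsigned": len(encode_redirect_binding(UNSIGNED_AUTHN_REQUEST)),
        "signed": len(encode_redirect_binding(signed_authn_request())),
    }


def oversized_cookies(set_cookie_headers, limit=COOKIE_LIMIT):
    """Names of cookies whose name=value pair exceeds `limit` bytes and is therefore at risk of truncation."""
    flagged = []
    for header in set_cookie_headers:
        pair = header.split(";", 1)[0].strip()      # drop attributes such as path/secure/HttpOnly
        name = pair.split("=", 1)[0]
        if len(pair.encode("utf-8")) > limit:
            flagged.append(name)
    return flagged


# Constructed Set-Cookie headers, standing in for what a proxy capture of the IdP response might show.
SAMPLE_SET_COOKIE = [
    "session=abc123; path=/; secure; HttpOnly",
    "samlreq=" + "x" * 4200 + "; path=/; secure; HttpOnly",
]

if __name__ == "__main__":
    print(encoded_sizes())
    print("over-limit cookies:", oversized_cookies(SAMPLE_SET_COOKIE))
```

In practice you would feed `oversized_cookies` the Set-Cookie headers from a proxy capture or the browser's network inspector, and `decode_redirect_binding` the SAMLRequest query parameter from the redirect to AD FS, to confirm which of the three options is responsible for the extra bytes before deciding which of them to turn back on.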