Tags: php, simplesamlphp

Does SimpleSAMLphp SP need to communicate with IdP?


I was stumbling through the docs and several pages for a while now but I was unable to find an answer. The question is pretty simple:

Can I host an IdP in a local network (IdP is not available from outside) whilst the SP is available via internet?

  • If I set up IdP and SP locally everything is fine.
  • If I set up IdP/SP on public servers everything is fine.
  • If I set up IdP locally and SP on public server I end up in the NOSTATE error.

I know that a SP that wants to make use of an IdP that is only available when you are on a specific network does not make too much sense. The problem is I have to deal with exactly that situation. ;)

When I am analyzing the workflow via apache access logs I do not see a direct communication between SP and IdP. It seems that everything is handled by the user's browser itself. Therefore I guess it should be possible?

If it should be possible I just have to fix my NOSTATE error. If this is not possible, the NOSTATE error is just misleading and I will not be able to solve that problem.

Any ideas or experiences?


Solution

  • SAML supports front channel binding (what you are looking for) and a back channel binding where the SP needs to communicate directly with the IdP. The vast majority of deployments I've seen use front channel, where everything is done through the user's browser.

    As for your scenario, yes it is possible. We use it quite often in testing. I've seen enterprises have their IdP only available within their local network and yet employees can still access SaaS services that are external - so your situation does make sense and is common.

    As to your issue (per the docs) NOSTATE is often caused by domain name changes, https to http redirects and any issue with storing the session - for example in a load balanced setup where you hit different servers that don't share sessions.

    I would start by installing SAML Tracer in Firefox and then look at what redirects are occurring on the IdP and see if the hostname, ports, etc change.
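The following is an added example, not code from the question, the answer or SimpleSAMLphp itself. It models the front-channel flow the answer describes (HTTP-Redirect binding out to the IdP, HTTP-POST binding back to the SP's assertion consumer service) with the browser as the only party that talks to both sides, and then shows how the SP loses its saved login state when the POST lands on a different hostname than the one the session cookie was set for, which is the kind of NOSTATE cause the answer lists. The hostnames, entity IDs, NameID and the stripped-down XML are constructed for illustration; real responses are signed and carry assertions, which this model omits.

```python
"""Model of the SAML front-channel flow and of a hostname-mismatch NOSTATE failure.
All hosts, IDs and XML below are constructed for illustration (not a real deployment)."""
import base64
import secrets
import urllib.parse
import xml.etree.ElementTree as ET
import zlib

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"


class NoStateError(Exception):
    """The SP cannot find the login state it saved before redirecting the browser."""


class ServiceProvider:
    """Public-facing SP. It holds no HTTP client for the IdP: it only redirects
    the browser there and later consumes whatever the browser POSTs back."""

    def __init__(self, acs_url, idp_sso_url):
        self.acs_url = acs_url
        self.idp_sso_url = idp_sso_url
        self.sessions = {}  # login state keyed by session-cookie value

    def start_login(self, relay_state="/protected/page"):
        """Returns (session cookie value, redirect URL for the browser)."""
        cookie = secrets.token_hex(8)
        request_id = "_" + secrets.token_hex(8)
        authn_request = (
            f'<samlp:AuthnRequest xmlns:samlp="{SAMLP}" ID="{request_id}" '
            f'AssertionConsumerServiceURL="{self.acs_url}"/>'
        )
        # HTTP-Redirect binding: raw DEFLATE, base64, then URL-encode into the query
        deflater = zlib.compressobj(9, zlib.DEFLATED, -15)
        raw = deflater.compress(authn_request.encode()) + deflater.flush()
        query = urllib.parse.urlencode({
            "SAMLRequest": base64.b64encode(raw).decode(),
            "RelayState": relay_state,
        })
        self.sessions[cookie] = {"request_id": request_id}
        return cookie, f"{self.idp_sso_url}?{query}"

    def handle_acs(self, cookie, saml_response_b64):
        """Assertion consumer service: needs the cookie to find the saved state."""
        state = self.sessions.pop(cookie, None)  # one-time use
        if state is None:
            raise NoStateError("no login state for this session cookie")
        response = ET.fromstring(base64.b64decode(saml_response_b64))
        if response.get("InResponseTo") != state["request_id"]:
            raise ValueError("response does not match the outstanding request")
        return response.get("NameID")


class IdentityProvider:
    """IdP reachable only from the browser's network. It decodes what the browser
    brought along and hands back a form for the browser to POST to the SP."""

    def handle_sso(self, redirect_url):
        params = urllib.parse.parse_qs(urllib.parse.urlsplit(redirect_url).query)
        raw = base64.b64decode(params["SAMLRequest"][0])
        authn_request = ET.fromstring(zlib.decompress(raw, -15))
        response = (
            f'<samlp:Response xmlns:samlp="{SAMLP}" '
            f'InResponseTo="{authn_request.get("ID")}" NameID="alice"/>'
        )
        # HTTP-POST binding: the browser auto-submits this form to the ACS URL
        return {
            "action": authn_request.get("AssertionConsumerServiceURL"),
            "SAMLResponse": base64.b64encode(response.encode()).decode(),
            "RelayState": params["RelayState"][0],
        }


def browser_drives_login(sp, idp, sp_host_at_start, sp_host_at_acs):
    """Plays the browser: it is the only component that contacts both SP and IdP.
    Returns the NameID, or raises NoStateError when the ACS request reaches a host
    that does not receive the cookie set at login start (hostname or scheme change)."""
    cookie_jar = {}  # host -> cookie value, as a browser scopes cookies
    cookie, redirect_url = sp.start_login()
    cookie_jar[sp_host_at_start] = cookie
    form = idp.handle_sso(redirect_url)  # browser follows the redirect to the IdP
    # browser POSTs the form; it only attaches cookies scoped to the ACS host
    return sp.handle_acs(cookie_jar.get(sp_host_at_acs), form["SAMLResponse"])


def demo():
    """Same hostname throughout succeeds; a hostname change on the way back
    reproduces a NOSTATE-style failure. Returns (name_id, nostate_seen)."""
    sp = ServiceProvider("https://sp.example.com/acs", "http://idp.internal/sso")
    idp = IdentityProvider()
    name_id = browser_drives_login(sp, idp, "sp.example.com", "sp.example.com")
    try:
        browser_drives_login(sp, idp, "sp.example.com", "www.sp.example.com")
        nostate_seen = False
    except NoStateError:
        nostate_seen = True
    return name_id, nostate_seen


if __name__ == "__main__":
    print(demo())
```

Note that `ServiceProvider` never makes a request to `idp.internal`; the IdP URL only ever appears in a redirect handed to the browser, which is why the IdP can sit on a network the SP cannot reach. The second run in `demo()` is the diagnostic the answer suggests: if SAML Tracer shows the ACS POST arriving on a different hostname, port or scheme than the one that set the session cookie, the cookie is not sent and the SP has no state to match the response against.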