Can't verify CSRF token authenticity (Rails 4 and below)
Richard Möhn edited this page May 16, 2022 · 1 revision
When authentication fails and you see ‘Can't verify CSRF token authenticity’ in the logs, it's likely that Devise::SamlSessionsController isn't skipping CSRF protection, even though it contains this line:

    skip_before_action :verify_authenticity_token, raise: false

You need to monkey-patch it with another skip_before_action:

    Devise::SamlSessionsController.class_eval do
      # Plain skip, without raise: false, so that Rails 4 actually skips the filter.
      skip_before_action :verify_authenticity_token
    end

This is because the raise: false above causes the filter not to be skipped in Rails 4, as explained in https://github.com/Shopify/shopify_app/issues/304.
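To confirm from the logs that the warning comes from the SAML controller and not from some other endpoint, the following added example (not part of the original wiki page or the gem) attributes each warning to the controller action that logged it. It assumes the default Rails log layout with non-interleaved requests; the sample log, its paths and the function names are constructed for illustration.

```ruby
# Added example: attribute CSRF warnings in a Rails log to controller actions.
PROCESSING   = /Processing by (?<controller>[\w:]+)#(?<action>\w+)/
COMPLETED    = /\bCompleted \d{3}\b/
CSRF_WARNING = "Can't verify CSRF token authenticity"
SAML_PREFIX  = "Devise::SamlSessionsController#"

# Returns a Hash of "Controller#action" => number of CSRF warnings.
# Assumption: requests are logged one after another (single process),
# so a warning belongs to the most recent "Processing by" line.
def csrf_failures_by_action(log_text)
  counts  = Hash.new(0)
  current = nil
  log_text.each_line do |line|
    if (m = PROCESSING.match(line))
      current = "#{m[:controller]}##{m[:action]}"
    elsif line.include?(CSRF_WARNING)
      counts[current || "(unknown)"] += 1
    elsif COMPLETED.match?(line)
      current = nil # request finished; later warnings belong elsewhere
    end
  end
  counts
end

# True when the SAML sessions controller itself logged the warning,
# i.e. its skip_before_action did not take effect.
def saml_skip_missing?(log_text)
  csrf_failures_by_action(log_text).keys.any? { |k| k.start_with?(SAML_PREFIX) }
end

# Constructed sample log (not taken from a real system).
SAMPLE_LOG = <<~LOG
  Started GET "/dashboard" for 127.0.0.1 at 2022-05-16 10:00:00 +0000
  Processing by DashboardController#index as HTML
  Completed 200 OK in 12ms
  Started POST "/users/saml/auth" for 127.0.0.1 at 2022-05-16 10:00:05 +0000
  Processing by Devise::SamlSessionsController#create as HTML
    Parameters: {"SAMLResponse"=>"[FILTERED]"}
  Can't verify CSRF token authenticity
  Completed 401 Unauthorized in 5ms
LOG

if __FILE__ == $PROGRAM_NAME
  csrf_failures_by_action(SAMPLE_LOG).each { |action, n| puts "#{action}: #{n}" }
  puts "SAML controller affected: #{saml_skip_missing?(SAMPLE_LOG)}"
end
```

If the warning is attributed to a different controller, the monkey patch above is not the fix for it.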
See also: