
Well, SSO providers would still work, if it was made correctly? SSO works without cookies. If I implement Google SSO, I would not log in via the Google supercookie.


Most seem to require a cookie to pin the session or to match the passed state.


There is a state parameter? So if I want to have a cookie that passes stuff, I can just store my stuff inside a cookie and pass the stuff inside the state param. There are so many possibilities via OpenID (which is super easy). I do not know how SAML2 works, which might be different though.


I know of a token system that some questionable engineers started pushing session state into, and since it shipped before anyone noticed, walking that back turned out to be quite a chore. What was supposed to be a couple-hundred-byte cookie started hitting max cookie length warnings in other parts of the system.

When people need to keep a door open, if they don't see a doorstop in the immediate vicinity after two seconds of looking, some will just use whatever heavy object is closest and consider the problem 'solved' instead of managed.

I needed data, I didn't know where to put it, this thing can give me data, boom, solved.


Yes, but the solutions I have seen seem to also store the state in a cookie and then check against it on the redirect that it didn't change.
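The check described in this comment, combined with the earlier idea of carrying app data inside `state`, as an added example that is not from the thread: a random nonce is written both into a signed `state` and into a cookie, and the callback is rejected unless the signature verifies and the nonce matches the cookie. `SERVER_KEY`, the function names and the cookie layout are assumptions.

```python
from __future__ import annotations
import base64, hashlib, hmac, json, secrets

# Assumption: in a real deployment this key comes from configuration, not source.
SERVER_KEY = b"constructed-example-key"


def begin_login(app_data: dict) -> tuple[str, str]:
    """Start of the redirect. Returns (state, cookie_value).
    The nonce lives in both places; app_data rides inside state under an HMAC,
    so the provider echoes it back and it cannot be altered in transit."""
    nonce = secrets.token_urlsafe(16)
    raw = json.dumps({"n": nonce, "d": app_data}).encode()
    payload = base64.urlsafe_b64encode(raw).decode().rstrip("=")
    sig = hmac.new(SERVER_KEY, payload.encode(), hashlib.sha256).hexdigest()
    # Cookie is set as e.g. Set-Cookie: oidc_nonce=<nonce>; HttpOnly; Secure; SameSite=Lax
    return f"{payload}.{sig}", nonce


def finish_login(state: str, cookie: str | None) -> dict | None:
    """Callback handler. Returns app_data on success, None to reject the login."""
    if cookie is None or "." not in state:
        return None  # no browser-bound nonce: state cannot be tied to this session
    payload, sig = state.rsplit(".", 1)
    expected = hmac.new(SERVER_KEY, payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, sig):
        return None  # state was not minted by us or was tampered with
    padded = payload + "=" * (-len(payload) % 4)
    body = json.loads(base64.urlsafe_b64decode(padded))
    if not hmac.compare_digest(body["n"], cookie):
        return None  # valid state, but minted for a different browser: reject
    return body["d"]
```

A signature alone proves the state came from the server; only the cookie comparison proves it came from this browser, which is why the cookie is still needed even when `state` is self-describing.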


SAML also has a RelayState parameter.



