ComponentSpace

Forums



Need help tracking down Receiving an SSO response from a partner identity provider has failed.


Need help tracking down Receiving an SSO response from a partner...

Author
Message
ghostfacexdoom
ghostfacexdoom
New Member
New Member (2 reputation)New Member (2 reputation)New Member (2 reputation)New Member (2 reputation)New Member (2 reputation)New Member (2 reputation)New Member (2 reputation)New Member (2 reputation)New Member (2 reputation)

Group: Forum Members
Posts: 1, Visits: 7
Can anyone point me in the direction of finding out/reading more about this error?  "Receiving an SSO response from a partner identity provider has failed."  We have an SP initiated SSO.  Apparently on the IDP side there are two different "types" of users that attempting to login.  One group can login successfully with no issues and the second group cannot.  Trying to narrow down the differences and what they are doing on the idp to throw this error.  I've been unsuccessful in hunting down what this means, or any documentation related to it.
ComponentSpace
ComponentSpace
ComponentSpace Development
ComponentSpace Development (3.9K reputation)ComponentSpace Development (3.9K reputation)ComponentSpace Development (3.9K reputation)ComponentSpace Development (3.9K reputation)ComponentSpace Development (3.9K reputation)ComponentSpace Development (3.9K reputation)ComponentSpace Development (3.9K reputation)ComponentSpace Development (3.9K reputation)ComponentSpace Development (3.9K reputation)

Group: Administrators
Posts: 2.8K, Visits: 8.8K
Please enable SAML trace and send the generated log file as an email attachment to [email protected] mentioning your forum post.

https://www.componentspace.com/Forums/17/Enabing-SAML-Trace


Regards
ComponentSpace Development
micahbright
micahbright
New Member
New Member (2 reputation)New Member (2 reputation)New Member (2 reputation)New Member (2 reputation)New Member (2 reputation)New Member (2 reputation)New Member (2 reputation)New Member (2 reputation)New Member (2 reputation)

Group: Forum Members
Posts: 2, Visits: 7
Hi, I am getting the exact same error.  I turned on NLog and this is what I have:


ComponentSpace
ComponentSpace
ComponentSpace Development
ComponentSpace Development (3.9K reputation)ComponentSpace Development (3.9K reputation)ComponentSpace Development (3.9K reputation)ComponentSpace Development (3.9K reputation)ComponentSpace Development (3.9K reputation)ComponentSpace Development (3.9K reputation)ComponentSpace Development (3.9K reputation)ComponentSpace Development (3.9K reputation)ComponentSpace Development (3.9K reputation)

Group: Administrators
Posts: 2.8K, Visits: 8.8K
It would help to see the entire log file.

Please send the log file as an email attachment to [email protected]

Regards
ComponentSpace Development
BKBK
BKBK
New Member
New Member (2 reputation)New Member (2 reputation)New Member (2 reputation)New Member (2 reputation)New Member (2 reputation)New Member (2 reputation)New Member (2 reputation)New Member (2 reputation)New Member (2 reputation)

Group: Forum Members
Posts: 2, Visits: 25
Hi ComponentSpace Developer,

Have you looked into this issue yet? We too are seeing it regularly in our logs.

I am attaching a JSON from our logs.

We would be grateful if you could help us solve this.

Regards,
BKBK

  
Attachments
ComponentSpace
ComponentSpace
ComponentSpace Development
ComponentSpace Development (3.9K reputation)ComponentSpace Development (3.9K reputation)ComponentSpace Development (3.9K reputation)ComponentSpace Development (3.9K reputation)ComponentSpace Development (3.9K reputation)ComponentSpace Development (3.9K reputation)ComponentSpace Development (3.9K reputation)ComponentSpace Development (3.9K reputation)ComponentSpace Development (3.9K reputation)

Group: Administrators
Posts: 2.8K, Visits: 8.8K
Thanks for the log. The error in the log is:

"The SAML message InResponseTo _7787eaf8-66ea-44e1-9211-5f1e6af2a31d doesn't match the expected InResponseTo _73a93cfc-02d4-4ded-80ae-ca57c0487f19."

When a SAML response is received from the IdP, we check the InResponseTo field against the ID field of the SAML authn request that had been sent to the IdP. This ties the SAML response to the authn request. If the two don't match, we throw the exception you're seeing.

One scenario that can lead to this is if SAMLServiceProvider.InitiateSSO is called again before the call to SAMLServiceProvider.ReceiveSSO. The flow is as follows:

1. Call SAMLServiceProvider.InitiateSSO to create and send SAML authn request #1 to the IdP. Expecting a response to #1.
2. Call SAMLServiceProvider.InitiateSSO to create and send SAML authn request #2 to the IdP. Now expecting a response to #2.
3. IdP sends a SAML response to request #1.
4. Call SAMLServiceProvider.ReceiveSSO to receive and process the SAML response.
5. The InResponseTo is #1 but expecting a response to #2 so throw an exception.

One way to avoid this is to call SAMLServiceProvider.IsSSOCompletionPending() to check if an SSO completion is already pending. If this method returns true, don't call SAMLServiceProvider.InitiateSSO again.

Alternatively, the application could keep track of the state of the button or link that's clicked to initiate SSO and disable it if it's already been clicked.

Regards
ComponentSpace Development
BKBK
BKBK
New Member
New Member (2 reputation)New Member (2 reputation)New Member (2 reputation)New Member (2 reputation)New Member (2 reputation)New Member (2 reputation)New Member (2 reputation)New Member (2 reputation)New Member (2 reputation)

Group: Forum Members
Posts: 2, Visits: 25
ComponentSpace - 10/26/2021
Thanks for the log. The error in the log is:

"The SAML message InResponseTo _7787eaf8-66ea-44e1-9211-5f1e6af2a31d doesn't match the expected InResponseTo _73a93cfc-02d4-4ded-80ae-ca57c0487f19."

When a SAML response is received from the IdP, we check the InResponseTo field against the ID field of the SAML authn request that had been sent to the IdP. This ties the SAML response to the authn request. If the two don't match, we throw the exception you're seeing.

One scenario that can lead to this is if SAMLServiceProvider.InitiateSSO is called again before the call to SAMLServiceProvider.ReceiveSSO. The flow is as follows:

1. Call SAMLServiceProvider.InitiateSSO to create and send SAML authn request #1 to the IdP. Expecting a response to #1.
2. Call SAMLServiceProvider.InitiateSSO to create and send SAML authn request #2 to the IdP. Now expecting a response to #2.
3. IdP sends a SAML response to request #1.
4. Call SAMLServiceProvider.ReceiveSSO to receive and process the SAML response.
5. The InResponseTo is #1 but expecting a response to #2 so throw an exception.

One way to avoid this is to call SAMLServiceProvider.IsSSOCompletionPending() to check if an SSO completion is already pending. If this method returns true, don't call SAMLServiceProvider.InitiateSSO again.

Alternatively, the application could keep track of the state of the button or link that's clicked to initiate SSO and disable it if it's already been clicked.

Thank you for your reply.

Your explanation is helpful. Not only have you made us aware of the cause of the error, you've also provided a possible solution. Thanks.



micahbright
micahbright
New Member
New Member (2 reputation)New Member (2 reputation)New Member (2 reputation)New Member (2 reputation)New Member (2 reputation)New Member (2 reputation)New Member (2 reputation)New Member (2 reputation)New Member (2 reputation)

Group: Forum Members
Posts: 2, Visits: 7
ComponentSpace - 10/26/2021
Thanks for the log. The error in the log is:

"The SAML message InResponseTo _7787eaf8-66ea-44e1-9211-5f1e6af2a31d doesn't match the expected InResponseTo _73a93cfc-02d4-4ded-80ae-ca57c0487f19."

When a SAML response is received from the IdP, we check the InResponseTo field against the ID field of the SAML authn request that had been sent to the IdP. This ties the SAML response to the authn request. If the two don't match, we throw the exception you're seeing.

One scenario that can lead to this is if SAMLServiceProvider.InitiateSSO is called again before the call to SAMLServiceProvider.ReceiveSSO. The flow is as follows:

1. Call SAMLServiceProvider.InitiateSSO to create and send SAML authn request #1 to the IdP. Expecting a response to #1.
2. Call SAMLServiceProvider.InitiateSSO to create and send SAML authn request #2 to the IdP. Now expecting a response to #2.
3. IdP sends a SAML response to request #1.
4. Call SAMLServiceProvider.ReceiveSSO to receive and process the SAML response.
5. The InResponseTo is #1 but expecting a response to #2 so throw an exception.

One way to avoid this is to call SAMLServiceProvider.IsSSOCompletionPending() to check if an SSO completion is already pending. If this method returns true, don't call SAMLServiceProvider.InitiateSSO again.

Alternatively, the application could keep track of the state of the button or link that's clicked to initiate SSO and disable it if it's already been clicked.

We resolved this by updating to version 3.0.1 - we were using 3.0.0
ComponentSpace
ComponentSpace
ComponentSpace Development
ComponentSpace Development (3.9K reputation)ComponentSpace Development (3.9K reputation)ComponentSpace Development (3.9K reputation)ComponentSpace Development (3.9K reputation)ComponentSpace Development (3.9K reputation)ComponentSpace Development (3.9K reputation)ComponentSpace Development (3.9K reputation)ComponentSpace Development (3.9K reputation)ComponentSpace Development (3.9K reputation)

Group: Administrators
Posts: 2.8K, Visits: 8.8K
Thanks for the update.

Regards
ComponentSpace Development
GO


Similar Topics


Execution: 0.000. 2 queries. Compression Enabled.
Login
Existing Account
Email Address:


Password:


Social Logins

Select a Forum....









Forums, Documentation & Knowledge Base - ComponentSpace


Search