This error may occur during SP-initiated SSO. A SAML authn request is sent to the IdP and a SAML response is returned. We check that the InResponseTo field in the SAML response matches the ID field of the authn request. If they don't match then we throw the error you see. One possible scenario is that an authn request is being sent twice. For example, the first authn request is sent. However, prior to receiving the SAML response, a second authn request is sent. The IdP sends a SAML response for the first authn request but we expect a response for the second authn request. This may occur if the user navigates backwards and forwards whilst a SAML response is pending. There are a couple of options. The first is to simply display a generic error page perhaps saying not to navigate within the browser whilst logging in and to get the user to try again. The second option is to disable this check. This can be done by setting DisableInResponseToCheck to true in the <PartnerIdentityProvider> entry in your saml.config. The InResponseTo check is part of the SAML specification and generally we don't recommend disabling this check. However, we do provide the option if required.
Regards ComponentSpace Development
|