SAML message InResponseTo doesn't match


btaylor
New Member (29 reputation)

Group: Forum Members
Posts: 19, Visits: 285
I'm getting the following exception:

Exception: ComponentSpace.SAML2.Exceptions.SAMLProtocolException: The SAML message InResponseTo _6b63bc8d-d759-4290-9f96-fd9c685d13c2 doesn't match the expected InResponseTo _54c7cd9a-6255-4823-84ef-5a2aa7b60ad0.

It happens infrequently and I cannot (intentionally) reproduce it. I have been unable to find anything regarding this exception in the forum or searching Google. I'm using the retail version of SAML v2.0 for both the IdP and the SP (ver. 2.6.0.8). I was on the SP site when the problem occurred, and based on the trace file, it appears it occurred during SSO from the SP.

I can provide the entries from the trace logs for the IdP and the SP for the transaction that failed.

Any help with this exception would be appreciated.

ComponentSpace
ComponentSpace Development (4.4K reputation)

Group: Administrators
Posts: 3.2K, Visits: 11K
This error may occur during SP-initiated SSO. A SAML authn request is sent to the IdP and a SAML response is returned. We check that the InResponseTo field in the SAML response matches the ID field of the authn request. If they don't match then we throw the error you see.
One possible scenario is that an authn request is being sent twice. For example, the first authn request is sent. However, prior to receiving the SAML response, a second authn request is sent. The IdP sends a SAML response for the first authn request but we expect a response for the second authn request. This may occur if the user navigates backwards and forwards whilst a SAML response is pending.
There are a couple of options. The first is to simply display a generic error page perhaps saying not to navigate within the browser whilst logging in and to get the user to try again. The second option is to disable this check. This can be done by setting DisableInResponseToCheck to true in the <PartnerIdentityProvider> entry in your saml.config.
The InResponseTo check is part of the SAML specification and generally we don't recommend disabling this check. However, we do provide the option if required.

Regards
ComponentSpace Development
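The check the reply describes, modelled as an added example (my own Python sketch, not ComponentSpace's code and not how its library is implemented internally). The SP records the ID of each AuthnRequest it issues and, when a samlp:Response arrives, requires its InResponseTo attribute to name one of those IDs. With single_slot=True only the most recently issued ID is expected, which reproduces the back-button scenario from the reply: two requests go out, the IdP answers the first, and the SP reports exactly the mismatch quoted in the question. The single_slot=False mode, which keeps every outstanding ID and accepts each once, is an assumed design alternative for illustration only; the page's sole documented way to relax the check is DisableInResponseToCheck. The XML fragments, request IDs other than the two from the error text, and the class/function names are constructed for the example; signature verification, Issuer, Destination and Conditions checks are out of scope here.

```python
import xml.etree.ElementTree as ET
from collections import OrderedDict

SAMLP_NS = "urn:oasis:names:tc:SAML:2.0:protocol"


class InResponseToMismatch(Exception):
    """Raised when a Response does not answer a request this SP is waiting on."""


class PendingAuthnRequests:
    """Tracks AuthnRequest IDs issued by the SP that have not yet been answered.

    single_slot=True: only the most recently issued ID is expected (the behaviour
    the thread describes). single_slot=False: every outstanding ID is accepted
    once (assumed alternative, not a ComponentSpace setting).
    """

    def __init__(self, single_slot=True, max_outstanding=8):
        self.single_slot = single_slot
        self.max_outstanding = max_outstanding
        self._ids = OrderedDict()  # insertion-ordered so the oldest can be evicted

    def issue(self, request_id):
        """Record a freshly generated AuthnRequest ID (call before redirecting to the IdP)."""
        if self.single_slot:
            self._ids.clear()
        self._ids[request_id] = True
        while len(self._ids) > self.max_outstanding:
            self._ids.popitem(last=False)

    def consume(self, in_response_to):
        """Accept a Response's InResponseTo exactly once, or raise on mismatch."""
        if in_response_to not in self._ids:
            expected = ", ".join(self._ids) or "<none>"
            raise InResponseToMismatch(
                f"The SAML message InResponseTo {in_response_to} doesn't match "
                f"the expected InResponseTo {expected}.")
        del self._ids[in_response_to]  # one-shot: the same Response cannot be presented again
        return in_response_to


def in_response_to_of(response_xml):
    """Extract InResponseTo from a samlp:Response; an unsolicited Response has none."""
    root = ET.fromstring(response_xml)
    if root.tag != f"{{{SAMLP_NS}}}Response":
        raise ValueError("not a samlp:Response element")
    value = root.get("InResponseTo")
    if not value:
        raise InResponseToMismatch("Response carries no InResponseTo (unsolicited)")
    return value


def make_response(in_response_to):
    """Constructed, minimal, unsigned Response fragment used only by this example."""
    return (f'<samlp:Response xmlns:samlp="{SAMLP_NS}" ID="_resp" Version="2.0" '
            f'InResponseTo="{in_response_to}" IssueInstant="2024-01-01T00:00:00Z"/>')


def back_button_scenario(single_slot=True):
    """Two AuthnRequests are issued before the IdP answers the first one.

    Returns the accepted request ID, or the error text on mismatch.
    """
    first = "_6b63bc8d-d759-4290-9f96-fd9c685d13c2"   # IDs taken from the thread's error text
    second = "_54c7cd9a-6255-4823-84ef-5a2aa7b60ad0"
    pending = PendingAuthnRequests(single_slot=single_slot)
    pending.issue(first)
    pending.issue(second)   # user navigated back/forward: a second request goes out
    try:
        return pending.consume(in_response_to_of(make_response(first)))
    except InResponseToMismatch as exc:
        return str(exc)


def replay_scenario():
    """The same Response is presented twice; the second presentation must be rejected."""
    pending = PendingAuthnRequests()
    pending.issue("_req1")  # constructed ID
    xml = make_response("_req1")
    pending.consume(in_response_to_of(xml))
    try:
        pending.consume(in_response_to_of(xml))
        return False
    except InResponseToMismatch:
        return True


if __name__ == "__main__":
    print(back_button_scenario(single_slot=True))
    print(back_button_scenario(single_slot=False))
    print("replay rejected:", replay_scenario())
```

The pending-ID store is also what makes the check worth keeping: a Response whose InResponseTo names a request this SP never issued, or names one that was already consumed, is refused, which is why the reply recommends a user-facing retry over DisableInResponseToCheck. Whatever store is used must be keyed to the browser session (a server-side session entry or an encrypted relay-state cookie), so that a request issued in one session cannot be answered in another.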