ComponentSpace

Forums



Multiple IdP issues


Multiple IdP issues

Author
Message
Matt Olson
Matt Olson
New Member
New Member (49 reputation)New Member (49 reputation)New Member (49 reputation)New Member (49 reputation)New Member (49 reputation)New Member (49 reputation)New Member (49 reputation)New Member (49 reputation)New Member (49 reputation)

Group: Forum Members
Posts: 14, Visits: 72
Hello,

I have an SP configured for multiple IdP's for the same customer.  They have an "external tenant" for their customers and other users, and an "internal tenant" for their employees and contractors - all of this is assembled in Okta.  What happens is there is one "log in button" that they click on my my SP site and by default are transported to the external tenant to log in.  If they have an internal account the external tenant somehow knows this, sends their login to the internal tenant, which then sends them back to my service provider site.  Usually this seems to be just fine.  But sometimes people have an error:  
The SAML message issuer http://www.okta.com/internal does not match the expected issuer http://www.okta.com/external.
at ComponentSpace.SAML2.AbstractSAMLProvider.CheckPendingResponseState(String inResponseTo) in C:\Sandboxes\ComponentSpace\SAMLv20\Library\AbstractSAMLProvider.cs:line 313
 at ComponentSpace.SAML2.InternalSAMLServiceProvider.ProcessSAMLResponse(XmlElement samlResponseElement, Boolean& isInResponseTo, String& authnContext, String& userName, SAMLAttribute[]& attributes)
 in C:\Sandboxes\ComponentSpace\SAMLv20\Library\InternalSAMLServiceProvider.cs:line 790
 at ComponentSpace.SAML2.InternalSAMLServiceProvider.ReceiveSSO(HttpRequestBase httpRequest, Boolean& isInResponseTo, String& partnerIdP, String& authnContext, String& userName, SAMLAttribute[]& attributes, String& relayState)
 in C:\Sandboxes\ComponentSpace\SAMLv20\Library\InternalSAMLServiceProvider.cs:line 1081

Sometimes they can try again and just get in, but other times it seems like they just give up and browse the site anonymously.  I currently do not have diagnostic logging enabled but I can send samlresponse data that has been logged for these events.


ComponentSpace
ComponentSpace
ComponentSpace Development
ComponentSpace Development (4K reputation)ComponentSpace Development (4K reputation)ComponentSpace Development (4K reputation)ComponentSpace Development (4K reputation)ComponentSpace Development (4K reputation)ComponentSpace Development (4K reputation)ComponentSpace Development (4K reputation)ComponentSpace Development (4K reputation)ComponentSpace Development (4K reputation)

Group: Administrators
Posts: 2.9K, Visits: 9.4K
We check the issuer of the SAML response against who we expect to be sending the SAML response. If they don't match we throw the error you're seeing.

This check can be disabled but it would be good to get to the root cause and fix that if possible. It sounds like it might be a limitation in Okta.

It would be good to see the full log to see what's happening. Please send the SAML log file as an email attachment to [email protected] mentioning your forum post.

Regards
ComponentSpace Development
GO


Similar Topics


Execution: 0.000. 2 queries. Compression Enabled.
Login
Existing Account
Email Address:


Password:


Social Logins

Select a Forum....









Forums, Documentation & Knowledge Base - ComponentSpace


Search