Thanks for the log. The error in the log is:
"The SAML message InResponseTo _7787eaf8-66ea-44e1-9211-5f1e6af2a31d doesn't match the expected InResponseTo _73a93cfc-02d4-4ded-80ae-ca57c0487f19."
When a SAML response is received from the IdP, we check the InResponseTo field against the ID field of the SAML authn request that had been sent to the IdP. This ties the SAML response to the authn request. If the two don't match, we throw the exception you're seeing.
One scenario that can lead to this is if SAMLServiceProvider.InitiateSSO is called again before the call to SAMLServiceProvider.ReceiveSSO. The flow is as follows:
1. Call SAMLServiceProvider.InitiateSSO to create and send SAML authn request #1 to the IdP. Expecting a response to #1.
2. Call SAMLServiceProvider.InitiateSSO to create and send SAML authn request #2 to the IdP. Now expecting a response to #2.
3. IdP sends a SAML response to request #1.
4. Call SAMLServiceProvider.ReceiveSSO to receive and process the SAML response.
5. The InResponseTo is #1 but expecting a response to #2 so throw an exception.
One way to avoid this is to call SAMLServiceProvider.IsSSOCompletionPending() to check if an SSO completion is already pending. If this method returns true, don't call SAMLServiceProvider.InitiateSSO again.
Alternatively, the application could keep track of the state of the button or link that's clicked to initiate SSO and disable it if it's already been clicked.