An SP-initiated SAML response from Identity Provider was received unexpectedly.

Hi there,

I’m building an SP-initiated approach for our application, using a mock identity provider that is pretty much the same as the Example ID Provider provided.
The whole approach is closely based on the examples, aside from reading the configuration from a DB when the SAML request is initiated in the Service Provider.
However, on receiving the response from the Identity Provider back into our application, SAMLServiceProvider.ReceiveSSO() is throwing the following error:
“An SP-initiated SAML response from Identity Provider was received unexpectedly.”

I have the SAML log files from both the SP and the IdP and everything looks correct, but I’m very new to this!
Assuming there’s something obvious I’m missing that I just can’t spot; if anyone can help, that would be excellent…

Thanks, Patrick

Hi Patrick,

By default, we maintain SAML session state in memory and use a SAML_SessionId cookie to index this memory. The SAML session state is used in support of the SAML protocol, and one of the checks we make is to ensure that when a SAML response with an InResponseTo field (i.e. an SP-initiated SAML response) is received, it’s in response to a previously sent SAML authn request. If this check fails you’ll see the “SP-initiated SAML response from Identity Provider was received unexpectedly” exception.

I suspect the SAML_SessionId cookie isn’t being sent along with the SAML response.

The SAML_SessionId cookie is marked as Secure and SameSite=None. Please ensure you’re using HTTPS rather than HTTP as the transport protocol.

If there’s still an issue, please send the IdP and SP SAML log files as email attachments to support@componentspace.com mentioning your forum post. Before testing the SSO, close all browsers to clear the session cookies.

Thanks.

Awesome, that was exactly the cause. Once I set my local env to run over HTTPS, everything came into line.
Thank you kindly!

You’re very welcome. Thanks for the update.

[quote]
ComponentSpace - 7/3/2023
You're very welcome. Thanks for the update.
[/quote]

Hi Team,

I'm having the same issue as well. I use OneLogin with SAML2, and my scenario is below.

1) I have two websites configured with OneLogin utilising ComponentSpace.
2) When I am redirected to the first website ("it authenticates and provides the user who is logged in and sends that username") after logging in to the second website using OneLogin ("without login, it directly provides the user whose cookie is currently active"), it operates properly in localhost.
3) After deploying the modifications in the development environment using the correct URL and OneLogin configuration:
4) Right now, if I try to log in on the first website, everything works great. However, if I try to move to the second page, I receive the problem below. If I log in on the first website with the same user, however, and on that console I click the second website, it works fine.

Now I am confused about where the error is.

An SP-initiated SAML response from was received unexpectedly.

Thanks !

The error usually means either the SAML_SessionId cookie is missing or the in-memory SAML state indexed by this cookie is missing.

Make sure to use HTTPS to access your application as the SAML_SessionId cookie is marked as Secure and SameSite=None.

Make sure you don’t have any middleware, etc., configured that strips these attributes from the cookie.

Is your application deployed to a single server only? If not, you’ll need to configure the load balancer to use sticky sessions or switch to a central SAML state store such as a database.

If there’s still an issue, please enable SAML trace and send the generated log file as an email attachment to support@componentspace.com mentioning your forum post.

https://www.componentspace.com/Forums/17/Enabing-SAML-Trace
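As an added illustration (not ComponentSpace's code), the following Python model shows the check described in the replies above: the SP remembers outstanding AuthnRequest IDs in memory indexed by the SAML_SessionId cookie, the browser attaches that cookie to the IdP's cross-site POST only over HTTPS with SameSite=None, and a load-balanced node that never saw the request holds no state for it. The browser rules, class names and `round_trip` helper are simplified assumptions, not the library's API.

```python
import secrets
from dataclasses import dataclass, field
COOKIE_NAME = "SAML_SessionId"  # name from the thread; the rest is a simplified model

@dataclass
class Cookie:
    name: str
    value: str
    secure: bool = True      # the thread says the cookie is marked Secure
    same_site: str = "None"  # ... and SameSite=None

def browser_sends_cookie(cookie, scheme, cross_site):
    """Assumed browser rules: Secure cookies go only over https; a cross-site
    top-level POST carries a cookie only if it is SameSite=None."""
    if cookie.secure and scheme != "https":
        return False
    if cross_site and cookie.same_site != "None":
        return False
    return True

@dataclass
class ServiceProvider:
    state: dict = field(default_factory=dict)  # session id -> outstanding AuthnRequest IDs

    def initiate_sso(self):
        """Issue an AuthnRequest ID and remember it under a fresh session id."""
        session_id = secrets.token_hex(16)
        request_id = "_" + secrets.token_hex(16)
        self.state.setdefault(session_id, set()).add(request_id)
        return Cookie(COOKIE_NAME, session_id), request_id

    def receive_sso(self, in_response_to, cookie_value):
        """InResponseTo check: the response must match a request this node
        remembers for the session the cookie identifies."""
        pending = self.state.get(cookie_value, set())
        if in_response_to not in pending:
            raise RuntimeError("An SP-initiated SAML response from IdP was received unexpectedly.")
        pending.discard(in_response_to)  # a request is answered at most once
        return True

def round_trip(scheme, same_site="None", sp=None, responding_sp=None):
    """SP -> IdP -> SP via HTTP-POST; responding_sp models a second, load-balanced
    node that holds none of the initiating node's in-memory state."""
    sp = sp or ServiceProvider()
    responding_sp = responding_sp or sp
    cookie, request_id = sp.initiate_sso()
    cookie.same_site = same_site
    sent = browser_sends_cookie(cookie, scheme, cross_site=True)  # IdP's POST to the ACS is cross-site
    return responding_sp.receive_sso(request_id, cookie.value if sent else None)
```

Running `round_trip("http")`, `round_trip("https", same_site="Lax")` or a round trip whose response lands on a fresh `ServiceProvider()` all raise the "received unexpectedly" error, while `round_trip("https")` succeeds.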

[quote]
ComponentSpace - 10/19/2023
The error usually means either the SAML_SessionId cookie is missing or the in-memory SAML state indexed by this cookie is missing.

Make sure to use HTTPS to access your application as the SAML_SessionId cookie is marked as Secure and SameSite=None.

Make sure you don't have any middleware etc configured that strips these attributes from the cookie.

Is your application deployed to a single server only? If not, you'll need to configure the load balancer to use sticky sessions or switch to a central SAML state store such as a database.

If there's still an issue, please enable SAML trace and send the generated log file as an email attachment to support@componentspace.com mentioning your forum post.

https://www.componentspace.com/Forums/17/Enabing-SAML-Trace
[/quote]

Thanks for the response!!!!

If we use " " it doesn't allow me access and gives the error below; if we comment this out, everything works fine.
An SP-initiated SAML response from was received unexpectedly.

Thanks !

What version of ASP.NET are you using?

[quote]
ComponentSpace - 10/19/2023
What version of ASP.NET are you using?
[/quote]

I am using ASP.NET 4.6.1, Web Forms.

Thanks!

I recommend moving to ASP.NET 4.8.

For more information, please refer to:

https://www.componentspace.com/forums/10843/Ramifications-of-setting-httpCookies-sameSite-in-webconfig

[quote]
ComponentSpace - 10/20/2023
I recommend moving to ASP.NET 4.8.

For more information, please refer to:

https://www.componentspace.com/forums/10843/Ramifications-of-setting-httpCookies-sameSite-in-webconfig
[/quote]

Thanks!

You’re welcome.

Hi, I'm getting the same error "Error:An SP-initiated SAML response from *IdP* was received unexpectedly."

I have upgraded to the latest stable version of ComponentSpace.Saml2.Net (6.5.0), so I had to refactor the code, changing the old syntax "PartnerCertificateString=..., SecondaryPartnerCertificateString=..., etc..." to the newer syntax using the "List" to define the certificates used.

Is there an upgrade guide, or something I've missed while upgrading to the latest stable version that might cause the error?

I'm using HTTPS and I've added the following rule to the Web.config:

I can see the SAML_sessionId cookie in the browser's storage.

Is the SAML_SessionId cookie being sent by the browser with the HTTP Post of the SAML response?

https://www.componentspace.com/forums/11875/Troubleshooting-Missing-Cookies

You shouldn’t need the rewrite rule as the .NET framework now supports the SameSite property.

If there’s still an issue, please enable SAML trace and send the generated log file as an email attachment to support@componentspace.com.

https://www.componentspace.com/Forums/17/Enabing-SAML-Trace

[quote]
ComponentSpace - 12/27/2023
Is the SAML_SessionId cookie being sent by the browser with the HTTP Post of the SAML response?

https://www.componentspace.com/forums/11875/Troubleshooting-Missing-Cookies

You shouldn't need the rewrite rule as the .NET framework now supports the SameSite property.

If there's still an issue, please enable SAML trace and send the generated log file as an email attachment to support@componentspace.com.

https://www.componentspace.com/Forums/17/Enabing-SAML-Trace
[/quote]

I found the answer:

I've been using MySQL to store SSO sessions and I had to add 'UpdateDateTime' and 'ExpirationDateTime' columns of type 'DateTime NULL' to the 'SSOSessions' table.

That was the only issue.

I found out about the issue by enabling SAML trace and checking the logs.

Thanks!

Thanks for the update. I’m glad you found the issue and thanks for letting us know.