An SP-initiated SAML response from was received unexpectedly

We are having this issue in Prod, where we have AKAMAI as the CDN.
There is no such issue in the stage environment, where we have multiple servers behind the VIP.

2024-06-02 00:29:13.694 -04:00 [DBG] The SAML response signature verified.
2024-06-02 00:29:13.694 -04:00 [ERR] Receiving an SSO response from a partner identity provider has failed.
ComponentSpace.Saml2.Exceptions.SamlProtocolException: An SP-initiated SAML response from https://fZXXXXXXXXXXXXXXXXXXXXXoIMys6JhpRnP7_LH was received unexpectedly.
at ComponentSpace.Saml2.SamlServiceProvider.CheckInResponseTo(String inResponseTo)

By default we store SAML session state in memory.

In a multi-server environment, you either need to configure the load balancer to use sticky sessions or SAML session state must be saved in a central repository (e.g. a database) accessible to all servers.

For more information, please refer to our Web Farm Guide.

Even if we have one server in the rotation, we see the same issue in prod but not in stage, where we have a load balancer too. Is there any cache or SAML session manipulation done by the CDN?

By default, SAML session state is stored in the IDistributedCache which defaults to the in-memory cache.

I’m not sure how this would be impacted by the CDN.

You’re welcome to enable SAML trace and send us the log file as an email attachment to confirm what you’re seeing and in case it offers any clues.
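Added example (not part of the original thread and not ComponentSpace code): a simplified Python model of the InResponseTo check described in the replies above, showing why per-server in-memory SAML session state fails in a web farm while a shared store does not. The class and function names, the session key and the server names are all hypothetical.

```python
import secrets


class UnexpectedResponse(Exception):
    """InResponseTo did not match any pending authn request for the session."""


class Node:
    """One SP web server; `store` maps a SAML session key to a pending request ID."""

    def __init__(self, name, store):
        self.name = name
        self.store = store

    def send_authn_request(self, session_key):
        request_id = "_" + secrets.token_hex(16)
        self.store[session_key] = request_id  # remember what this session asked for
        return request_id

    def receive_response(self, session_key, in_response_to):
        pending = self.store.pop(session_key, None)
        if pending is None or not secrets.compare_digest(pending, in_response_to):
            raise UnexpectedResponse(
                f"{self.name}: SP-initiated response {in_response_to} was received unexpectedly")
        return True


def sso_round_trip(request_node, response_node, session_key="constructed-session-key"):
    """Send the authn request from one node and deliver the IdP response to another."""
    request_id = request_node.send_authn_request(session_key)
    try:
        # The IdP echoes the request ID back as InResponseTo.
        return response_node.receive_response(session_key, request_id)
    except UnexpectedResponse:
        return False


def run_scenarios():
    web1, web2 = Node("web1", {}), Node("web2", {})  # default: per-server memory
    central = {}                                     # stands in for a database or cache server
    farm1, farm2 = Node("web1", central), Node("web2", central)
    return {
        "in_memory_same_node": sso_round_trip(web1, web1),    # sticky session
        "in_memory_other_node": sso_round_trip(web1, web2),   # no stickiness
        "shared_store_other_node": sso_round_trip(farm1, farm2),
    }


if __name__ == "__main__":
    for scenario, ok in run_scenarios().items():
        print(f"{scenario}: {'accepted' if ok else 'rejected as unexpected'}")
```
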