ComponentSpace.Saml2.Exceptions.SamlProtocolException: The SAML message doesn't contain an InResponseTo attribute

Hi there,

We have a client who is using Okta as their IdP and are trying to set up SSO with our service provider. However, they are sometimes running into a situation where, if they start an IdP-initiated login, they get a "The SAML message doesn't contain an InResponseTo attribute" exception message. However, it sometimes works correctly for them. I'm not sure of the exact scenarios in which they fail vs succeed, but they are all IdP-initiated logins.

Furthermore, if they try to do an SP-initiated login, they are redirected to Okta. After they put in their credentials, they are redirected to an Okta 404 error page, which I assume is because our SP returned with some kind of error (perhaps the same error as above). I'm not sure how to confirm the exact error they're getting, however.

For each of our PartnerIdentityProviderConfigurations we are setting the OverridePendingAuthnRequest property to true. In the past we had some scenarios where an SP-initiated SSO was supplanted by an IdP-initiated SSO and this solved the issue. However is this causing an issue in this case? I believe I read if this property is set to true then the InResponseTo attribute must be set?

Any help debugging this issue would be much appreciated, thank you!
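The correlation an SP performs on an incoming SAML Response, as an added example that is not ComponentSpace's code and not the original poster's: pending AuthnRequest IDs are tracked per browser session; a response carrying InResponseTo must match one of them exactly once; a response without InResponseTo is an unsolicited (IdP-initiated) one, which the hypothetical `override_pending_authn_request` flag allows to supplant a pending SP-initiated request. The namespace and status URIs are from the SAML 2.0 specification; the class, function names, entity IDs and messages are constructed for the demo, and the assumption that a pending request without override rejects an unsolicited response is labelled in the code.

```python
# Added example, not ComponentSpace library code: models the InResponseTo
# correlation an SP performs on an incoming SAML Response, including an
# "override pending AuthnRequest" behaviour. Namespace and status URIs are
# from the SAML 2.0 spec; all other names and values are constructed here.
import xml.etree.ElementTree as ET
from typing import Dict, Optional, Set

SAMLP_NS = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
STATUS_SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"


class SamlProtocolError(Exception):
    """Raised when a response fails correlation checks."""


class ResponseCorrelator:
    """Hypothetical per-browser-session state: IDs of AuthnRequests this SP
    has sent and not yet seen answered. Keyed per session on purpose: a
    pending ID left behind by another session is a classic source of
    intermittent correlation failures."""

    def __init__(self, override_pending_authn_request: bool) -> None:
        self.override_pending_authn_request = override_pending_authn_request
        self.pending_request_ids: Set[str] = set()

    def record_authn_request(self, request_id: str) -> None:
        """Call when the SP sends an AuthnRequest (SP-initiated SSO)."""
        self.pending_request_ids.add(request_id)

    def validate(self, response_xml: str) -> str:
        """Returns 'sp-initiated' or 'idp-initiated', or raises."""
        root = ET.fromstring(response_xml)
        if root.tag != f"{{{SAMLP_NS}}}Response":
            raise SamlProtocolError("expected a samlp:Response")

        in_response_to = root.get("InResponseTo")
        if in_response_to is None:
            # Unsolicited (IdP-initiated) response.
            if self.pending_request_ids and not self.override_pending_authn_request:
                # Assumed behaviour: with a pending AuthnRequest and no
                # override, an unsolicited response is rejected.
                raise SamlProtocolError(
                    "The SAML message doesn't contain an InResponseTo attribute")
            # Override: the IdP-initiated SSO supplants whatever was pending.
            self.pending_request_ids.clear()
            return "idp-initiated"

        if in_response_to not in self.pending_request_ids:
            # A replay, a stale request, or a response that reached the
            # wrong session: reject rather than log the user in.
            raise SamlProtocolError(
                f"InResponseTo {in_response_to!r} does not match a pending AuthnRequest")
        # One-shot: a request ID may be answered exactly once.
        self.pending_request_ids.discard(in_response_to)
        return "sp-initiated"


def build_response(in_response_to: Optional[str]) -> str:
    """Constructs a minimal, unsigned samlp:Response for the demo."""
    attrs = ('ID="_resp1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z" '
             'Destination="https://sp.example.test/saml/acs"')
    if in_response_to is not None:
        attrs += f' InResponseTo="{in_response_to}"'
    return (f'<samlp:Response xmlns:samlp="{SAMLP_NS}" xmlns:saml="{SAML_NS}" {attrs}>'
            f'<saml:Issuer>https://idp.example.test</saml:Issuer>'
            f'<samlp:Status><samlp:StatusCode Value="{STATUS_SUCCESS}"/></samlp:Status>'
            f'</samlp:Response>')


def demo() -> Dict[str, str]:
    """Runs the four cases that matter and returns the outcome of each."""
    results: Dict[str, str] = {}
    # 1. Ordinary SP-initiated round trip.
    strict = ResponseCorrelator(override_pending_authn_request=False)
    strict.record_authn_request("_req1")
    results["sp"] = strict.validate(build_response("_req1"))
    # 2. Pending request, unsolicited response, no override.
    strict.record_authn_request("_req2")
    try:
        results["no_override"] = strict.validate(build_response(None))
    except SamlProtocolError as exc:
        results["no_override"] = str(exc)
    # 3. Same situation with the override enabled.
    lenient = ResponseCorrelator(override_pending_authn_request=True)
    lenient.record_authn_request("_req3")
    results["override"] = lenient.validate(build_response(None))
    # 4. Replay of an already-answered request ID.
    try:
        results["replay"] = strict.validate(build_response("_req1"))
    except SamlProtocolError as exc:
        results["replay"] = str(exc)
    return results


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case}: {outcome}")
```

Case 2 is the shape of the exception quoted in the post, reproduced here only as modelled behaviour; case 4 shows why the pending set must be cleared on success. When a failure is intermittent, the first things to check in the SAML trace are which session the pending AuthnRequest was stored in and whether the response that arrived actually carried an InResponseTo attribute.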

Hi Ben,

What version of the product are you using?

Is this happening on SSO or is it possibly happening on SAML logout instead?

If possible, please enable SAML trace and send the generated log file as an email attachment to mentioning your forum post. I’d like to see the flow leading up to this exception.

We are using version 2.0.4. The problem is definitely happening on SSO; I watched the customer reproduce the problem this morning over a Zoom call. I will enable the SAML tracing and email over the generated log files.

Thanks. We have changed the InResponseTo checking logic a little since v2.0.4. However, I’m not sure why you’re getting this exception when you’ve specified OverridePendingAuthnRequest. Hopefully the log will help.