Multiple IdP issues


I have an SP configured for multiple IdPs for the same customer. They have an “external tenant” for their customers and other users, and an “internal tenant” for their employees and contractors - all of this is assembled in Okta. What happens is there is one “log in button” that they click on my SP site and by default are transported to the external tenant to log in. If they have an internal account the external tenant somehow knows this, sends their login to the internal tenant, which then sends them back to my service provider site. Usually this seems to be just fine. But sometimes people have an error:
The SAML message issuer does not match the expected issuer

at ComponentSpace.SAML2.AbstractSAMLProvider.CheckPendingResponseState(String inResponseTo) in C:\Sandboxes\ComponentSpace\SAMLv20\Library\AbstractSAMLProvider.cs:line 313
at ComponentSpace.SAML2.InternalSAMLServiceProvider.ProcessSAMLResponse(XmlElement samlResponseElement, Boolean& isInResponseTo, String& authnContext, String& userName, SAMLAttribute[]& attributes) in C:\Sandboxes\ComponentSpace\SAMLv20\Library\InternalSAMLServiceProvider.cs:line 790
at ComponentSpace.SAML2.InternalSAMLServiceProvider.ReceiveSSO(HttpRequestBase httpRequest, Boolean& isInResponseTo, String& partnerIdP, String& authnContext, String& userName, SAMLAttribute[]& attributes, String& relayState) in C:\Sandboxes\ComponentSpace\SAMLv20\Library\InternalSAMLServiceProvider.cs:line 1081

Sometimes they can try again and just get in, but other times it seems like they just give up and browse the site anonymously. I currently do not have diagnostic logging enabled, but I can send SAMLResponse data that has been logged for these events.

We check the issuer of the SAML response against who we expect to be sending the SAML response. If they don’t match we throw the error you’re seeing.

This check can be disabled but it would be good to get to the root cause and fix that if possible. It sounds like it might be a limitation in Okta.

It would be good to see the full log to see what’s happening. Please send the SAML log file as an email attachment to mentioning your forum post.
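An illustrative reimplementation of the issuer check described in the reply above, added here as an example; it is not ComponentSpace's code. It assumes the SP records, per AuthnRequest ID, which IdP the request was sent to (the "pending" table and the two Okta tenant entity IDs are constructed for the example). It shows why a response that arrives from the internal tenant for a request the SP sent to the external tenant trips the check, while a response from the tenant the request went to passes, and how an IdP-initiated response (no InResponseTo) falls back to a configured-partner check instead.

```python
"""SP-side SAML Response issuer check (added example, not ComponentSpace code)."""
import xml.etree.ElementTree as ET
from typing import Dict, Optional, Set

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Hypothetical entity IDs for the two Okta tenants in the question.
EXTERNAL_IDP = "https://external-tenant.example.okta.com"
INTERNAL_IDP = "https://internal-tenant.example.okta.com"


class IssuerMismatch(Exception):
    """Raised when the Response's Issuer is not the IdP we expected."""


def check_response_issuer(saml_response_xml: str,
                          pending: Dict[str, str],
                          known_idps: Set[str]) -> str:
    """Return the issuer if the Response came from the IdP we expect.

    pending   : AuthnRequest ID -> entity ID of the IdP that request was sent to
                (state the SP stored when it issued the request).
    known_idps: every configured partner IdP, used when there is no pending
                request to compare against (IdP-initiated SSO).
    """
    root = ET.fromstring(saml_response_xml)
    issuer_el = root.find("saml:Issuer", NS)
    issuer = issuer_el.text.strip() if issuer_el is not None and issuer_el.text else None
    if not issuer:
        raise IssuerMismatch("Response carries no Issuer element")

    in_response_to = root.get("InResponseTo")
    if in_response_to is None:
        # IdP-initiated: nothing to correlate, so the issuer must at least be
        # one of the partners this SP is configured to trust.
        if issuer not in known_idps:
            raise IssuerMismatch(f"Unsolicited response from unknown issuer {issuer!r}")
        return issuer

    expected = pending.get(in_response_to)
    if expected is None:
        raise IssuerMismatch(f"No pending request with ID {in_response_to!r}")
    if issuer != expected:
        # This is the situation in the stack trace: the request went to one
        # tenant, the response was issued by the other.
        raise IssuerMismatch(
            "The SAML message issuer does not match the expected issuer: "
            f"got {issuer!r}, expected {expected!r}")
    return issuer


def make_response(issuer: str, in_response_to: Optional[str]) -> str:
    """Build a minimal, unsigned samlp:Response for the demo (constructed input)."""
    irt = f' InResponseTo="{in_response_to}"' if in_response_to else ""
    return (
        f'<samlp:Response xmlns:samlp="{NS["samlp"]}" xmlns:saml="{NS["saml"]}" '
        f'ID="_resp1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z"{irt}>'
        f"<saml:Issuer>{issuer}</saml:Issuer>"
        '<samlp:Status><samlp:StatusCode '
        'Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>'
        "</samlp:Response>"
    )


def demo() -> Dict[str, str]:
    """Run the three cases from the question and report how each fares."""
    known = {EXTERNAL_IDP, INTERNAL_IDP}
    # Both requests were sent to the external tenant (the default login path).
    pending = {"_req1": EXTERNAL_IDP, "_req2": EXTERNAL_IDP}
    results: Dict[str, str] = {}

    # Case 1: external tenant answers its own request -> accepted.
    results["same_tenant"] = check_response_issuer(
        make_response(EXTERNAL_IDP, "_req1"), pending, known)

    # Case 2: internal tenant answers a request sent to the external tenant.
    try:
        check_response_issuer(make_response(INTERNAL_IDP, "_req2"), pending, known)
        results["handed_off"] = "accepted"
    except IssuerMismatch:
        results["handed_off"] = "rejected"

    # Case 3: IdP-initiated response from a configured partner -> accepted.
    results["idp_initiated"] = check_response_issuer(
        make_response(INTERNAL_IDP, None), pending, known)
    return results


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case}: {outcome}")
```

The "handed_off" case is the one that produces the error in the question: the SP correlates the response to its pending request by InResponseTo, finds that it sent that request to the external tenant, and refuses a response issued by the internal tenant. Disabling the check would make that case "accepted", which is why the reply recommends finding the root cause instead; a log of the SAMLResponse (its Issuer and InResponseTo) is what shows which tenant actually answered.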