SAML message InResponseTo doesn't match

I’m getting the following exception:

Exception: ComponentSpace.SAML2.Exceptions.SAMLProtocolException: The SAML message InResponseTo _6b63bc8d-d759-4290-9f96-fd9c685d13c2 doesn’t match the expected InResponseTo _54c7cd9a-6255-4823-84ef-5a2aa7b60ad0.

It happens infrequently and I cannot (intentionally) reproduce it. I have been unable to find anything regarding this exception in the forum or by searching Google. I’m using the retail version of SAML v2.0 for both the IdP and the SP (ver. 2.6.0.8). I was on the SP site when the problem occurred, and based on the trace file, it appears it occurred during SSO from the SP.

I can provide the entries from the trace logs for the IdP and the SP for the transaction that failed.

Any help with this exception would be appreciated.

This error may occur during SP-initiated SSO. A SAML authn request is sent to the IdP and a SAML response is returned. We check that the InResponseTo field in the SAML response matches the ID field of the authn request. If they don’t match then we throw the error you see.

One possible scenario is that an authn request is being sent twice. For example, the first authn request is sent. However, prior to receiving the SAML response, a second authn request is sent. The IdP sends a SAML response for the first authn request but we expect a response for the second authn request. This may occur if the user navigates backwards and forwards whilst a SAML response is pending.

There are a couple of options. The first is to simply display a generic error page perhaps saying not to navigate within the browser whilst logging in and to get the user to try again. The second option is to disable this check. This can be done by setting DisableInResponseToCheck to true in the entry in your saml.config.

The InResponseTo check is part of the SAML specification and generally we don’t recommend disabling this check. However, we do provide the option if required.
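
Added example, not part of the original posts and not ComponentSpace code: a small Python model of the InResponseTo check described in the answer, showing the double-request mismatch and what the same step accepts once the check is disabled. The class, function and scenario names are hypothetical, the request IDs are constructed, and treating the pending ID as single-use is an assumption of this sketch.

```python
import uuid


class InResponseToMismatch(Exception):
    """The response does not answer the request this session is waiting on."""


class SpSession:
    """Simplified SP session: remembers only the most recent authn request ID."""

    def __init__(self, disable_in_response_to_check=False):
        self.pending_id = None
        self.disable_check = disable_in_response_to_check

    def send_authn_request(self):
        # A new request overwrites the pending ID of any earlier one.
        self.pending_id = "_" + str(uuid.uuid4())
        return self.pending_id

    def receive_response(self, in_response_to):
        # Assumption of this sketch: the pending ID is consumed on first use.
        expected, self.pending_id = self.pending_id, None
        if not self.disable_check and in_response_to != expected:
            raise InResponseToMismatch(
                f"InResponseTo {in_response_to} doesn't match expected {expected}")
        return "accepted"


def run(scenario, disable_check=False):
    """Return 'accepted' or 'rejected' for one constructed scenario."""
    sp = SpSession(disable_check)
    if scenario == "normal":
        answered = sp.send_authn_request()
    elif scenario == "double_request":
        answered = sp.send_authn_request()  # the IdP answers this one
        sp.send_authn_request()             # sent before that response arrives
    elif scenario == "unsolicited":
        sp.send_authn_request()
        answered = "_constructed-id-never-issued-by-this-session"
    else:
        raise ValueError(scenario)
    try:
        return sp.receive_response(answered)
    except InResponseToMismatch:
        return "rejected"


if __name__ == "__main__":
    for name in ("normal", "double_request", "unsolicited"):
        print(name, run(name), run(name, disable_check=True))
```

In this model, disabling the check makes the stale response from the double-request case pass, and also a response carrying an ID the session never issued, which is the trade-off behind the second option.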