The SAML message issuer does not match the expected issuer.

Hello,

Our application is using the high-level APIs to consume SAML Responses from a couple of different Partner Identity Providers. In our QA environment we’re occasionally getting the following error message during one of the identity provider initiated SSO calls:

“The SAML message issuer http://www.abc.com does not match the expected issuer http://www.123.com.”

After seeing this message the tester successfully SSOs with the next try. It’s possible that the tester previously logged in under a service provider initiated SSO for http://www.123.com but I’ll need to verify that.

Would you happen to know what could cause this? Is there any caching involved? Here’s the stack trace -

at ComponentSpace.SAML2.AbstractSAMLProvider.CheckPendingResponseState(String inResponseTo)
at ComponentSpace.SAML2.InternalSAMLServiceProvider.ProcessSAMLResponse(XmlElement samlResponseElement, Boolean& isInResponseTo, String& userName, SAMLAttribute[]& attributes)
at ComponentSpace.SAML2.InternalSAMLServiceProvider.ReceiveSSO(HttpRequestBase httpRequest, Boolean& isInResponseTo, String& partnerIdP, String& userName, SAMLAttribute[]& attributes, String& relayState)
at ComponentSpace.SAML2.SAMLServiceProvider.ReceiveSSO(HttpRequestBase httpRequest, Boolean& isInResponseTo, String& partnerIdP, String& userName, SAMLAttribute[]& attributes, String& relayState)
As part of SP-initiated SSO we check that the SAML response returned by the IdP has the correct issuer field (i.e. that the SAML response came from the expected IdP).
The error you see indicates that an authn request was sent to http://www.abc.com but a SAML response was returned by http://www.123.com.
If you’d like me to take a closer look, please enable SAML trace and send the generated log file as an email attachment to support@componentspace.com mentioning this topic.
http://componentspace.com/Forums/17/Enabing-SAML-Trace
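To make the check described in the reply concrete, here is an added example (not ComponentSpace's code, and not a description of how its library stores pending state) of a minimal service provider that records which IdP each AuthnRequest was sent to, keyed by the request ID, and then compares the Issuer of any response whose InResponseTo echoes that ID. The `ServiceProvider`, `SAMLResponseError` and `demo` names and the two partner entity IDs are constructed for the illustration; the walk-through reproduces the exact message from the original post when a request sent to one IdP is answered by the other, and also shows why an unsolicited (IdP-initiated) response with no InResponseTo never consults that pending state.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Set
import secrets


class SAMLResponseError(Exception):
    """Raised when an inbound SAML Response fails the SP-side consistency checks."""


@dataclass
class ServiceProvider:
    # Entity IDs of the configured partner IdPs (constructed sample values).
    partner_idps: Set[str]
    # Pending SP-initiated requests for one user session:
    # AuthnRequest ID -> entity ID of the IdP the request was sent to.
    pending: Dict[str, str] = field(default_factory=dict)

    def send_authn_request(self, idp_entity_id: str) -> str:
        """Start SP-initiated SSO: remember which IdP we asked, keyed by request ID."""
        if idp_entity_id not in self.partner_idps:
            raise SAMLResponseError(f"{idp_entity_id} is not a configured partner IdP")
        request_id = "_" + secrets.token_hex(16)
        self.pending[request_id] = idp_entity_id
        return request_id

    def receive_response(self, issuer: str, in_response_to: Optional[str]) -> str:
        """Consume a SAML Response. Returns 'sp-initiated' or 'idp-initiated'."""
        if issuer not in self.partner_idps:
            raise SAMLResponseError(f"issuer {issuer} is not a configured partner IdP")
        if in_response_to is None:
            # Unsolicited response: IdP-initiated SSO. There is no pending request
            # to match, so no issuer comparison against pending state happens here.
            return "idp-initiated"
        expected_issuer = self.pending.get(in_response_to)
        if expected_issuer is None:
            # Echoing a request ID we never issued (or already consumed) is rejected.
            raise SAMLResponseError(f"no pending AuthnRequest with ID {in_response_to}")
        if expected_issuer != issuer:
            # The response claims to answer our request but came from a different IdP.
            raise SAMLResponseError(
                f"The SAML message issuer {issuer} does not match "
                f"the expected issuer {expected_issuer}.")
        # Success: consume the pending state so the same ID cannot be replayed.
        del self.pending[in_response_to]
        return "sp-initiated"


def demo() -> Dict[str, str]:
    """Walk through the scenarios from the thread; returns each outcome by name."""
    sp = ServiceProvider(partner_idps={"http://www.abc.com", "http://www.123.com"})
    results: Dict[str, str] = {}

    # 1. SP-initiated SSO to 123.com, answered by 123.com: accepted.
    rid = sp.send_authn_request("http://www.123.com")
    results["matching"] = sp.receive_response("http://www.123.com", rid)

    # 2. Replaying the same InResponseTo after it was consumed: rejected.
    try:
        sp.receive_response("http://www.123.com", rid)
    except SAMLResponseError as e:
        results["replay"] = str(e)

    # 3. Request sent to 123.com, but a response echoing that ID arrives from
    #    abc.com: the issuer check fires with the message from the original post.
    rid = sp.send_authn_request("http://www.123.com")
    try:
        sp.receive_response("http://www.abc.com", rid)
    except SAMLResponseError as e:
        results["mismatch"] = str(e)

    # 4. The pending request to 123.com is still outstanding (the failed attempt
    #    did not consume it), and an unsolicited IdP-initiated response from
    #    abc.com carries no InResponseTo, so it is accepted without touching it.
    results["unsolicited"] = sp.receive_response("http://www.abc.com", None)
    results["pending_left"] = str(len(sp.pending))
    return results
```

In this model the only way to get the mismatch is a response whose InResponseTo refers to a request that was sent to a different IdP; an abandoned SP-initiated flow leaves its entry in `pending` until a matching response consumes it, which is the kind of per-session state a SAML trace would show whether the real library keeps.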