What is SAMLProtocolException?

Hi,
Custom Message: ReceiveSSO() exception: ComponentSpace.SAML2.Exceptions.SAMLProtocolException: The SAML message InResponseTo _XXXXXXXXXXXXXXXXXXXXXXXX doesn’t match the expected InResponseTo _XXXXXXXXXXXXXXXXXXX.
at ComponentSpace.SAML2.AbstractSAMLProvider.CheckPendingResponseState(String inResponseTo)
at ComponentSpace.SAML2.InternalSAMLServiceProvider.ProcessSAMLResponse(XmlElement samlResponseElement, Boolean& isInResponseTo, String& authnContext, String& userName, SAMLAttribute[]& attributes)
at ComponentSpace.SAML2.InternalSAMLServiceProvider.ReceiveSSO(HttpRequest httpRequest, Boolean& isInResponseTo, String& partnerIdP, String& authnContext, String& userName, SAMLAttribute[]& attributes, String& relayState)
at NeptonSite.SAML2_AssertionConsumerService.Page_Load(Object sender, EventArgs e) in “Path” 115.

But what is this SAMLProtocolException? In what case do we get this kind of error?

In SP-initiated SSO, the SAML response includes an InResponseTo field which should match the ID of the SAML authn request sent by the SP.
This ties the SAML response to the authn request.
If the InResponseTo doesn’t match you’ll get the error you see.
One way this error can occur is as follows.
1. SP calls SAMLServiceProvider.InitiateSSO to send a SAML authn request to the IdP.
2. SP calls SAMLServiceProvider.InitiateSSO a second time to send another SAML authn request to the IdP.
3. IdP sends a SAML response for the first SAML authn request.
4. SP calls SAMLServiceProvider.ReceiveSSO which throws this exception as it was expecting a response to the second SAML authn request.
To avoid this, ensure that the user doesn’t click the button or link to initiate SSO more than once.
If this isn’t the case, please enable SAML trace and send the generated log file as an email attachment to support@componentspace.com.
https://www.componentspace.com/Forums/17/Enabing-SAML-Trace

Hi,
Thanks for the reply. Another error message which constantly appears is SAMLBindingException.
ReceiveSSO() exception: ComponentSpace.SAML2.Exceptions.SAMLBindingException: The message is not an HTTP POST.
at ComponentSpace.SAML2.Bindings.HTTPPostBinding.ReceiveResponse(HttpRequest httpRequest, XmlElement& samlMessage, String& relayState)
at ComponentSpace.SAML2.InternalSAMLServiceProvider.ReceiveSSO(HttpRequest httpRequest, Boolean& isInResponseTo, String& partnerIdP, String& authnContext, String& userName, SAMLAttribute[]& attributes, String& relayState)
at NeptonSite.SAML2_AssertionConsumerService.Page_Load(Object sender, EventArgs e) in "Path":line 115

Could you please tell me what this is about as well?
Thank you.

Typically this occurs if an HTTP Get is received instead of the expected HTTP Post.
You should trace the network traffic to determine the source of this HTTP Get.
Are users browsing to or is your application redirecting to this SAML endpoint?
Your application could check the Request.Method prior to calling SAMLServiceProvider.ReceiveSSO but you would then need to decide what to do if you receive an HTTP Get.
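
Added example, not part of the thread and not ComponentSpace code: a small Python model of the service provider's pending-request state, showing both failures discussed above (the InResponseTo mismatch after a double initiate, and a non-POST request to the assertion consumer endpoint). The class and function names are hypothetical, and the single-pending-ID behaviour is an assumption taken from the four-step sequence in the reply.

```python
import secrets

class SamlProtocolError(Exception):
    """Stand-in for the SAMLProtocolException in the thread."""

class SamlBindingError(Exception):
    """Stand-in for the SAMLBindingException in the thread."""

class SpSession:
    # Model assumption: the SP tracks one pending authn request ID per user
    # session, and a second initiate_sso() replaces the first.
    def __init__(self):
        self.pending_id = None

    def initiate_sso(self):
        # Constructed ID format; a real request ID comes from the SAML library.
        self.pending_id = "_" + secrets.token_hex(16)
        return self.pending_id

    def receive_sso(self, http_method, in_response_to):
        # HTTP-POST binding: a GET (a user browsing to the endpoint, or a
        # redirect to it) carries no SAML response, so reject it first.
        if http_method.upper() != "POST":
            raise SamlBindingError("The message is not an HTTP POST.")
        if self.pending_id is None or in_response_to != self.pending_id:
            raise SamlProtocolError(
                f"InResponseTo {in_response_to} doesn't match "
                f"the expected InResponseTo {self.pending_id}.")
        # Model assumption: consume the pending ID so the same response
        # cannot be accepted a second time.
        self.pending_id = None
        return True

def double_initiate_outcome():
    """Steps 1-4 from the reply; returns the fate of each response."""
    sp = SpSession()
    first = sp.initiate_sso()           # step 1
    second = sp.initiate_sso()          # step 2: replaces the pending ID
    try:
        sp.receive_sso("POST", first)   # steps 3-4: response to request 1
        stale = "accepted"
    except SamlProtocolError:
        stale = "rejected"
    fresh = "accepted" if sp.receive_sso("POST", second) else "rejected"
    return stale, fresh
```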