Error “The InResponseTo attribute does not match the id in the AuthNRequest” with custom domain

Problem statement

SAML login attempts return the error “The InResponseTo attribute does not match the id in the AuthNRequest” even though the InResponseTo attribute does match.

Symptoms

Failure to complete SAML login flow with error “The InResponseTo attribute does not match the id in the AuthNRequest” returned from the Auth0 tenant. On closer inspection, the InResponseTo attribute of the SAML response is confirmed to match the ID from the SAML request.

Troubleshooting

Confirm the following:

  • The tenant has a custom domain configured
  • The error “The InResponseTo attribute does not match the id in the AuthNRequest” is returned from the Auth0 tenant when the SAML response is POSTed to /login/callback
  • The InResponseTo value from the SAML response matches the ID of the most recent SAML request from Auth0
  • The browser is not blocking cookies (generally, blocking third-party cookies is not a problem)

Cause

This error occurs when the InResponseTo attribute in the SAML response is not recognized by the Auth0 tenant. This might be because the value doesn’t actually match or because of missing cookies, but these are not the causes this article covers.

In this case, the tenant has a custom domain configured. The login flow begins on the custom domain, and completes on the canonical domain (or vice versa). For example, the user starts at the custom domain:

https://auth.mydomain.com/authorize?client_id=abc123&redirect_uri=https://jwt.io&response_type=code&scope=openid&audience=https://example.com&connection=mysamlconnection

And the IdP is configured to return the SAML response to the following ACS URL at the canonical domain:

https://mytenant.auth0.com/login/callback

When the SAML response is POSTed to the canonical domain, the error “The InResponseTo attribute does not match the id in the AuthNRequest” is returned.

The reason is that the ID of the SAML request is scoped to the domain on which the initial request was made. If that ID comes back to a different domain in the InResponseTo attribute of a SAML response, the Auth0 tenant has no record of it for that domain and returns the error.

Solution

Use the same domain throughout the login flow. Change either the domain in the initial /authorize request, or the ACS URL on the IdP. The canonical and custom domains will behave identically and either can be used, as long as they are used consistently.
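The following is an added illustration, not Auth0's code: a hypothetical service-provider model that stores issued AuthnRequest IDs keyed by the host the flow started on, then validates InResponseTo on the host that receives the ACS POST. It reproduces the cause described above (request started on the custom domain, response delivered to the canonical domain) and the fix (same domain throughout). Host names and the response XML are constructed for the example.

```python
import secrets
import xml.etree.ElementTree as ET

SAMLP_NS = "urn:oasis:names:tc:SAML:2.0:protocol"


class SamlServiceProvider:
    """Hypothetical SP whose pending-request state is scoped per domain."""

    def __init__(self):
        # (host the /authorize request began on, AuthnRequest ID) -> pending
        self._pending = {}

    def start_login(self, host):
        """Issue an AuthnRequest ID and remember it only for this host."""
        request_id = "_" + secrets.token_hex(16)
        self._pending[(host, request_id)] = True
        return request_id

    def handle_acs_post(self, host, saml_response_xml):
        """Validate InResponseTo of a response POSTed to https://<host>/login/callback."""
        root = ET.fromstring(saml_response_xml)
        in_response_to = root.get("InResponseTo")
        # Lookup is keyed by the receiving host, so an ID issued on another
        # domain is unknown here even though the value itself is correct.
        if self._pending.pop((host, in_response_to), None) is None:
            return "The InResponseTo attribute does not match the id in the AuthNRequest"
        return "ok"


def build_response(in_response_to):
    """Constructed minimal SAMLResponse (unsigned, illustration only)."""
    return (f'<samlp:Response xmlns:samlp="{SAMLP_NS}" ID="_resp1" '
            f'Version="2.0" InResponseTo="{in_response_to}"/>')


def login_flow(start_host, acs_host):
    """Run one login: /authorize on start_host, SAML response POSTed to acs_host."""
    sp = SamlServiceProvider()
    request_id = sp.start_login(start_host)
    return sp.handle_acs_post(acs_host, build_response(request_id))


if __name__ == "__main__":
    # Custom domain -> canonical domain ACS URL: fails despite matching ID.
    print(login_flow("auth.mydomain.com", "mytenant.auth0.com"))
    # Same domain throughout: succeeds.
    print(login_flow("auth.mydomain.com", "auth.mydomain.com"))
```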