Error “The InResponseTo attribute does not match the id in the AuthNRequest” with custom domain

Problem statement

SAML login attempts fail with the error below, visible in a HAR file or network trace, even though the InResponseTo attribute in the SAML response does match the ID of the AuthnRequest.

The InResponseTo attribute does not match the id in the AuthNRequest

Symptoms

This either results in a failed login or, depending on the SAML IdP, in confusing behavior: an Okta SAML IdP connection was seen falling back to IdP-initiated login because of this, which was not the intended behavior.

Obtain a network HAR file of a login attempt and look for this error:

https://DOMAIN/callback?error=access_denied&error_description=The%20InResponseTo%20attribute%20does%20not%20match%20the%20id%20in%20the%20AuthNRequest&state=XXXXXXX

For further information, refer to Generate and Analyse HAR Files.

Troubleshooting

Confirm the following:

  • The tenant has a custom domain configured
  • The error “The InResponseTo attribute does not match the id in the AuthNRequest” is returned from the Auth0 tenant when the SAML response is POSTed to /login/callback
  • The InResponseTo value from the SAML response matches the ID of the most recent SAML request from Auth0
  • The browser is not blocking cookies (generally, blocking third-party cookies is not a problem)

Cause

This error occurs when the InResponseTo attribute in the SAML response is not recognized by the Auth0 tenant. This error could be caused by:

  • blocked cookies
  • mismatched IDs from the most recent SAML request
  • inconsistent use of domains

If the tenant uses a custom domain, there can be a mismatch if the login flow begins on the custom domain and finishes on the canonical domain, or the other way round. For further information, refer to Error: InResponseTo attribute does not match the ID in AuthNRequest.

Solution

To fix this problem, use the same domain throughout the login flow. Change either the domain in the initial /authorize request or the Assertion Consumer Service (ACS) URL configured at the identity provider so that they match.
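As an added example, not part of the original article and not Auth0's own tooling, the Python script below walks a HAR trace through the checklist above: it records the host of the /authorize request and of the POST to /login/callback, decodes the AuthnRequest from the SAMLRequest redirect parameter and the SAMLResponse from the ACS POST to compare the request ID with InResponseTo, and flags the error_description on the final callback. The domain names, request ID and HAR entries are constructed for the example; load_har reads a real export instead.

```python
import base64
import json
import zlib
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs, quote, urlparse

# Hypothetical names and IDs, constructed for this example; none refer to a real tenant.
CUSTOM_DOMAIN = "login.example.test"
CANONICAL_DOMAIN = "example-tenant.us.auth0.com"
REQUEST_ID = "_a1b2c3d4e5f6"
SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
ERROR_TEXT = "The InResponseTo attribute does not match the id in the AuthNRequest"


def load_har(path):
    """Load a HAR file exported from the browser's network panel."""
    with open(path, encoding="utf-8") as fh:
        return json.load(fh)


def analyse_har(har):
    """Extract the facts the troubleshooting checklist asks for from a HAR trace."""
    found = {"authorize_host": None, "acs_host": None, "authn_request_id": None,
             "in_response_to": None, "error_seen": False}
    for entry in har["log"]["entries"]:
        req = entry["request"]
        url = urlparse(req["url"])
        query = parse_qs(url.query)
        if url.path == "/authorize":                 # where the login flow starts
            found["authorize_host"] = url.hostname
        if "SAMLRequest" in query:                   # HTTP-Redirect binding: base64(raw DEFLATE(xml))
            xml = zlib.decompress(base64.b64decode(query["SAMLRequest"][0]), -15)
            found["authn_request_id"] = ET.fromstring(xml).get("ID")
        if req["method"] == "POST" and url.path == "/login/callback":   # the ACS endpoint
            found["acs_host"] = url.hostname
            params = {p["name"]: p["value"] for p in req.get("postData", {}).get("params", [])}
            if "SAMLResponse" in params:             # HTTP-POST binding: base64(xml)
                xml = base64.b64decode(params["SAMLResponse"])
                found["in_response_to"] = ET.fromstring(xml).get("InResponseTo")
        if ERROR_TEXT in query.get("error_description", [""])[0]:
            found["error_seen"] = True
    found["ids_match"] = (found["authn_request_id"] is not None
                          and found["authn_request_id"] == found["in_response_to"])
    found["same_domain"] = (found["authorize_host"] is not None
                            and found["authorize_host"] == found["acs_host"])
    return found


def diagnose(found):
    """Turn the findings into the next troubleshooting step from the article."""
    if not found["error_seen"]:
        return "no InResponseTo error in trace"
    if not found["ids_match"]:
        return "InResponseTo does not match the most recent AuthnRequest ID"
    if not found["same_domain"]:
        return (f"IDs match but the flow started on {found['authorize_host']} and the SAML "
                f"response was posted to {found['acs_host']}; use one domain for /authorize and the ACS URL")
    return "IDs and domains match; check whether the browser is blocking cookies"


# --- constructed sample trace, standing in for a real HAR export ----------------------

def _authn_request(request_id):
    return (f'<samlp:AuthnRequest xmlns:samlp="{SAMLP}" ID="{request_id}" Version="2.0" '
            f'IssueInstant="2024-01-01T00:00:00Z" '
            f'AssertionConsumerServiceURL="https://{CANONICAL_DOMAIN}/login/callback"/>')


def _response(in_response_to):
    return (f'<samlp:Response xmlns:samlp="{SAMLP}" ID="_r1" Version="2.0" '
            f'IssueInstant="2024-01-01T00:00:01Z" InResponseTo="{in_response_to}"/>')


def build_har(start_domain, acs_domain, in_response_to=REQUEST_ID):
    """Build a HAR-shaped trace. The error entry is added when the domains differ or the
    IDs differ, mirroring the causes the article lists (constructed, not a real capture)."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)
    saml_request = base64.b64encode(comp.compress(_authn_request(REQUEST_ID).encode()) + comp.flush()).decode()
    saml_response = base64.b64encode(_response(in_response_to).encode()).decode()
    entries = [
        {"request": {"method": "GET", "url": f"https://{start_domain}/authorize?connection=saml&state=abc"},
         "response": {"status": 302}},
        {"request": {"method": "GET", "url": f"https://idp.example.test/sso?SAMLRequest={quote(saml_request, safe='')}"},
         "response": {"status": 200}},
        {"request": {"method": "POST", "url": f"https://{acs_domain}/login/callback",
                     "postData": {"params": [{"name": "SAMLResponse", "value": saml_response}]}},
         "response": {"status": 302}},
    ]
    if start_domain != acs_domain or in_response_to != REQUEST_ID:
        entries.append({"request": {"method": "GET",
                                    "url": "https://app.example.test/callback?error=access_denied"
                                           f"&error_description={quote(ERROR_TEXT)}&state=abc"},
                        "response": {"status": 200}})
    return {"log": {"entries": entries}}


if __name__ == "__main__":
    print(diagnose(analyse_har(build_har(CUSTOM_DOMAIN, CANONICAL_DOMAIN))))
    print(diagnose(analyse_har(build_har(CUSTOM_DOMAIN, CUSTOM_DOMAIN))))
```

Against a real export, `diagnose(analyse_har(load_har("login.har")))` distinguishes the three causes the article lists: an ID mismatch, the same IDs but a flow that starts on one domain and posts to the other, and matching IDs and domains, which leaves cookie blocking as the remaining suspect.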
