I’m working on configuring SAML assertion with ISAM, but on SAML assertion I’m getting this problem:
access_denied: The InResponseTo attribute does not match the id in the AuthNRequest.
When I debug the SAML request, I see the attribute ID="_d840188d65766a61fff8" being sent to the IdP, and on the SAML assertion to Auth0 InResponseTo="_d840188d65766a61fff8", where those two values match.
Is there some other thing that should match to fulfill the InResponseTo check?
Any advice on what else I could look at?
Btw, I did the same setup with Auth0 as SP and another Auth0 as IdP, all working fine.
So I’m not sure if the problem is in the SP or IdP configuration for SAMLp…
@d-sauer, is this the first time you have configured it? As you’ve mentioned, this error is thrown when Auth0 can’t receive the ID sent in the AuthNRequest in the InResponseTo attribute of the received SAML assertion.
Are you using custom domains by any chance? If you are, can you check that you are using the custom domain to initiate the SAML login and check the IdP URL in the SAML response. What could be happening is when switching to a custom domain, your application’s authorization requests go to the custom domain. If the domain is configured to use an upstream SAML identity provider, then Auth0 (from your custom domain) issues a SAML request to the identity provider, which may be pre-configured to return the SAML response to your standard Auth0 domain. So the mismatch could be the domain, where it does not allow Auth0 to correlate the received response with the original request, breaking the flow. Can you let me know if this is the case for you? If so, there are solutions we can implement.
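As an added illustration of the correlation the reply above describes (this is example code, not Auth0's or ISAM's implementation), the function below does what a service provider does when a SAML Response arrives: it looks up the InResponseTo value among the AuthnRequest IDs it still has outstanding, and it also requires the Response's Destination (and the assertion's Recipient) to be the callback URL that particular request was issued from. A response answering a request initiated from the custom domain but posted back to the default tenant domain therefore fails the second check even though the IDs themselves match. The request ID is the one from the question; the hostnames and the `make_response` fixture are constructed for the example, and the response is unsigned, so signature validation is out of scope here.

```python
"""Correlate a SAML Response with the AuthnRequest that triggered it.

Added example (not Auth0 or ISAM code); standard library only.
The hostnames below are constructed sample values; the request ID is
the one quoted in the question.
"""
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

REQUEST_ID = "_d840188d65766a61fff8"                                   # from the thread
CUSTOM_DOMAIN_ACS = "https://login.example.com/login/callback"          # constructed
DEFAULT_DOMAIN_ACS = "https://example-tenant.auth0.com/login/callback"  # constructed


def make_response(in_response_to, destination, recipient=None):
    """Build a minimal, constructed, unsigned samlp:Response for the demo."""
    recipient = recipient or destination
    return f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
    ID="_resp1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z"
    InResponseTo="{in_response_to}" Destination="{destination}">
  <saml:Issuer>https://idp.example.org/saml</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
    <saml:Issuer>https://idp.example.org/saml</saml:Issuer>
    <saml:Subject>
      <saml:NameID>user@example.org</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData InResponseTo="{in_response_to}" Recipient="{recipient}"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
  </saml:Assertion>
</samlp:Response>"""


def correlate(response_xml, pending):
    """Return "ok" after consuming the matching request ID, else a reason string.

    `pending` maps each outstanding AuthnRequest ID to the ACS (callback) URL
    that request told the IdP to post back to. Correlation succeeds only if
    the Response answers one of those IDs AND was delivered to that same URL.
    """
    root = ET.fromstring(response_xml)
    if root.tag != f"{{{NS['samlp']}}}Response":
        return "not a samlp:Response"
    in_response_to = root.get("InResponseTo")
    if not in_response_to:
        return "missing InResponseTo (unsolicited response)"
    expected_acs = pending.get(in_response_to)
    if expected_acs is None:
        return f"InResponseTo {in_response_to} matches no outstanding AuthnRequest"
    destination = root.get("Destination")
    if destination != expected_acs:
        # This is the custom-domain case: IDs match, but the IdP posted the
        # response to a different domain than the one the request came from.
        return (f"Destination {destination} is not the ACS URL {expected_acs} "
                "the request was issued from (domain mismatch)")
    scd = root.find("saml:Assertion/saml:Subject/saml:SubjectConfirmation/"
                    "saml:SubjectConfirmationData", NS)
    if scd is not None:
        if scd.get("InResponseTo") not in (None, in_response_to):
            return "assertion SubjectConfirmationData.InResponseTo disagrees with Response"
        if scd.get("Recipient") not in (None, expected_acs):
            return "assertion Recipient is not the expected ACS URL"
    del pending[in_response_to]  # one-shot: a replayed Response now fails correlation
    return "ok"


if __name__ == "__main__":
    pending = {REQUEST_ID: CUSTOM_DOMAIN_ACS}
    print(correlate(make_response(REQUEST_ID, CUSTOM_DOMAIN_ACS), pending))
    pending = {REQUEST_ID: CUSTOM_DOMAIN_ACS}
    print(correlate(make_response(REQUEST_ID, DEFAULT_DOMAIN_ACS), pending))
```

Running the block prints `ok` for the matched case and the domain-mismatch reason for the second case. When debugging this error, comparing the Response's Destination and the assertion's Recipient against the URL that actually initiated the login is as important as comparing the IDs, since the IDs in the question already agreed.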
I resolved the problem: I was using the Auth0 SAML debug page as the callback from the IdP, but that page was not whitelisted on that IdP.
Things started working after that, when I had my original page as the callback.
Okay, great! Glad you were able to solve your issue.