Last Updated: Jul 31, 2024
Overview
SAML login attempts fail with the error below in a HAR file/network trace, even though the InResponseTo value in the SAML response does match the ID of the AuthnRequest that Auth0 sent.
The InResponseTo attribute does not match the id in the AuthNRequest
This either results in a failed login or, depending on the SAML IdP, in confusing behavior: an Okta SAML IdP connection was observed falling back to IdP-initiated login because of this, which was not the desired behavior.
Obtain a network HAR file of a login attempt and look for this error:
https://DOMAIN/callback?error=access_denied&error_description=The%20InResponseTo%20attribute%20does%20not%20match%20the%20id%20in%20the%20AuthNRequest&state=<value>
For further information, refer to Generate and Analyse HAR Files.
Applies To
- SAML
- Network Trace
- Attribute not matching
Cause
This error occurs when the InResponseTo attribute in the SAML response is not recognized by the Auth0 tenant. Auth0 records the ID of the AuthnRequest it issues and, when the SAML response is POSTed back to /login/callback, compares that ID with the InResponseTo value; this state is bound to the browser and to the domain on which the flow started, so the check fails if Auth0 cannot find it. This error could be caused by:
- blocked cookies
- mismatched IDs from the most recent SAML request
- inconsistent use of domains
If the tenant uses a custom domain, there could be a mismatch if the login flow begins on the custom domain and finishes on the canonical domain. For further information, refer to Error: InResponseTo attribute does not match the ID in AuthNRequest
Solution
To troubleshoot the issue, confirm the following:
- The tenant has a custom domain configured
- The error “The InResponseTo attribute does not match the id in the AuthNRequest” is returned from the Auth0 tenant when the SAML response is POSTed to /login/callback
- The InResponseTo value from the SAML response matches the ID of the most recent SAML request from Auth0
- The browser is not blocking cookies (generally, blocking third-party cookies is not a problem)
To fix this problem:
- Use the same domain throughout the login flow. Change either the domain in the initial /authorize request or the ACS URL configured at the identity provider so that both use the same domain (either the custom domain or the canonical domain, but not one of each).
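The script below is an added example for working through the checklist above against a HAR capture; it is not part of the original article and not Auth0 code. It decodes the SAMLRequest sent to the IdP to recover the AuthnRequest ID and AssertionConsumerServiceURL, decodes the SAMLResponse POSTed to /login/callback to recover InResponseTo, and then reports both an ID mismatch and a login flow that spans more than one domain (the custom-domain case above, where the IDs match but the error is still returned). The hostnames login.example.com, example-tenant.us.auth0.com and idp.example.org, the request ID _abc123 and the HAR itself are constructed sample data, not a real capture.

```python
import base64
import json
import zlib
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs, quote, urlsplit

# Hypothetical hostnames, used only to build the constructed sample HAR below.
CUSTOM_DOMAIN = "login.example.com"
CANONICAL_DOMAIN = "example-tenant.us.auth0.com"


def decode_saml_message(value):
    """Decode a SAMLRequest/SAMLResponse parameter into an XML element.

    HTTP-Redirect binding carries base64 of raw-DEFLATE'd XML (no zlib header);
    HTTP-POST binding carries plain base64. Try to inflate, fall back to raw.
    """
    raw = base64.b64decode(value)
    try:
        xml_bytes = zlib.decompress(raw, -15)
    except zlib.error:
        xml_bytes = raw
    return ET.fromstring(xml_bytes)


def _form_params(request):
    """Return the POST form parameters of a HAR request as a dict."""
    post = request.get("postData", {})
    if "params" in post:
        return {p["name"]: p["value"] for p in post["params"]}
    if post.get("text"):
        return {k: v[0] for k, v in parse_qs(post["text"]).items()}
    return {}


def analyse_har(har):
    """Walk the HAR entries in order and collect the facts the checklist needs."""
    f = {"authorize_host": None, "request_id": None, "acs_url": None,
         "callback_host": None, "in_response_to": None, "error": None}
    for entry in har["log"]["entries"]:
        req = entry["request"]
        url = urlsplit(req["url"])
        query = {k: v[0] for k, v in parse_qs(url.query).items()}
        form = _form_params(req) if req["method"] == "POST" else {}
        if url.path == "/authorize":
            f["authorize_host"] = url.netloc  # domain the login flow started on
        if "SAMLRequest" in query or "SAMLRequest" in form:
            root = decode_saml_message(query.get("SAMLRequest") or form["SAMLRequest"])
            f["request_id"] = root.get("ID")  # the ID the IdP must echo in InResponseTo
            f["acs_url"] = root.get("AssertionConsumerServiceURL")
        if url.path == "/login/callback" and "SAMLResponse" in form:
            f["callback_host"] = url.netloc  # domain the IdP actually posted to
            f["in_response_to"] = decode_saml_message(form["SAMLResponse"]).get("InResponseTo")
        if url.path == "/callback" and "error_description" in query:
            f["error"] = query["error_description"]
    return f


def diagnose(f):
    """Return the checklist items that fail, in the order the article lists them."""
    problems = []
    if f["request_id"] is None or f["request_id"] != f["in_response_to"]:
        problems.append("InResponseTo does not match the most recent AuthnRequest ID")
    acs_host = urlsplit(f["acs_url"]).netloc if f["acs_url"] else None
    hosts = {f["authorize_host"], acs_host, f["callback_host"]} - {None}
    if len(hosts) > 1:
        problems.append("login flow spans more than one domain: " + ", ".join(sorted(hosts)))
    return problems


def build_sample_har(authorize_host, acs_host, request_id, in_response_to):
    """Constructed HAR (not a real capture) with the four requests that matter."""
    acs_url = f"https://{acs_host}/login/callback"
    authn = (f'<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
             f'ID="{request_id}" Version="2.0" AssertionConsumerServiceURL="{acs_url}"/>')
    deflater = zlib.compressobj(9, zlib.DEFLATED, -15)  # raw DEFLATE, redirect binding
    saml_request = base64.b64encode(deflater.compress(authn.encode()) + deflater.flush()).decode()
    resp = (f'<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
            f'ID="_r1" Version="2.0" InResponseTo="{in_response_to}" Destination="{acs_url}"/>')
    saml_response = base64.b64encode(resp.encode()).decode()
    entries = [
        {"request": {"method": "GET",
                     "url": f"https://{authorize_host}/authorize?client_id=abc&connection=okta-saml"}},
        {"request": {"method": "GET",
                     "url": f"https://idp.example.org/sso?SAMLRequest={quote(saml_request)}"}},
        {"request": {"method": "POST", "url": acs_url,
                     "postData": {"params": [{"name": "SAMLResponse", "value": saml_response}]}}},
        {"request": {"method": "GET",
                     "url": f"https://{acs_host}/callback?error=access_denied&error_description="
                            "The%20InResponseTo%20attribute%20does%20not%20match%20the%20id%20in%20the%20AuthNRequest"}},
    ]
    return {"log": {"entries": entries}}


if __name__ == "__main__":
    # The case from the article: IDs match, but /authorize used the custom domain
    # while the ACS URL registered at the IdP points at the canonical domain.
    findings = analyse_har(build_sample_har(CUSTOM_DOMAIN, CANONICAL_DOMAIN, "_abc123", "_abc123"))
    print(json.dumps(findings, indent=2))
    for problem in diagnose(findings):
        print("PROBLEM:", problem)
```

To run it against a real capture, pass `json.load(open("login.har"))` to `analyse_har` instead of the constructed HAR; the two hostnames printed in the domain problem are the ones that need to be made identical, either in the /authorize URL or in the ACS URL at the IdP.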