SAML - Domain Mismatch - "The InResponseTo attribute does not match the id in the AuthNRequest"

Last Updated: Jul 31, 2024

Overview

SAML login attempts return the error below in a HAR file or network trace, even though the InResponseTo attribute does match the ID of the SAML request.

The InResponseTo attribute does not match the id in the AuthNRequest

This will either result in a failed login or, depending on the SAML IdP, can result in confusing behavior. An Okta SAML IdP connection was seen defaulting to IdP-initiated login due to this, which was undesired behavior.

Obtain a network HAR file of a login attempt and look for this error:

https://DOMAIN/callback?error=access_denied&error_description=The%20InResponseTo%20attribute%20does%20not%20match%20the%20id%20in%20the%20AuthNRequest&state=<value>

For further information, refer to Generate and Analyse HAR Files.

Applies To

  • SAML
  • Network Trace
  • Attribute not matching

Cause

This error occurs when the InResponseTo attribute in the SAML response is not recognized by the Auth0 tenant. This error could be caused by:

  • blocked cookies
  • mismatched IDs from the most recent SAML request
  • inconsistent use of domains

If the tenant uses a custom domain, there could be a mismatch if the login flow begins on the custom domain and finishes on the canonical domain. For further information, refer to Error: InResponseTo attribute does not match the ID in AuthNRequest.

Solution

To troubleshoot the issue, confirm the following:

  • The tenant has a custom domain configured
  • The error “The InResponseTo attribute does not match the id in the AuthNRequest” is returned from the Auth0 tenant when the SAML response is POSTed to /login/callback
  • The InResponseTo value from the SAML response matches the ID of the most recent SAML request from Auth0
  • The browser is not blocking cookies (generally, blocking third party cookies is not a problem)

To fix this problem:

  • Use the same domain throughout the login flow. Change either the domain in the initial /authorize request or the ACS URL with the identity provider so they are the same.
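The following is an added illustration, not Auth0's code: a small model of SP-side InResponseTo validation in which the issued request ID is remembered in a session scoped to the host that started the flow (the way a cookie is). It shows why a correct InResponseTo value is still rejected when the flow starts on one domain and the response is POSTed to another, or when cookies are blocked. The host names and the SAML Response are constructed placeholders.

```python
import secrets
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
ERROR = "The InResponseTo attribute does not match the id in the AuthNRequest"


def build_saml_response(in_response_to):
    """Constructed minimal <samlp:Response>; only InResponseTo matters here."""
    return (f'<samlp:Response xmlns:samlp="{SAMLP}" ID="_{secrets.token_hex(8)}" '
            f'Version="2.0" InResponseTo="{in_response_to}"/>')


class RequestIdStore:
    """Models the request ID an SP remembers in a cookie-backed session.
    Cookies are scoped to the host that set them, so the store is keyed by host.
    Hypothetical model for illustration, not Auth0's implementation."""

    def __init__(self):
        self._ids_by_host = {}

    def issue_request(self, authorize_url):
        # Called when the flow starts at /authorize on some host.
        host = urlparse(authorize_url).hostname
        request_id = "_" + secrets.token_hex(16)
        self._ids_by_host.setdefault(host, set()).add(request_id)
        return request_id

    def validate(self, acs_url, saml_response_xml, cookies_blocked=False):
        """Check the POSTed response against the IDs visible from the ACS host."""
        host = urlparse(acs_url).hostname
        root = ET.fromstring(saml_response_xml)
        if root.tag != f"{{{SAMLP}}}Response":
            return False, "not a SAML Response"
        in_response_to = root.get("InResponseTo")
        # A blocked cookie or a different host means no stored ID is visible at all.
        visible = set() if cookies_blocked else self._ids_by_host.get(host, set())
        if in_response_to not in visible:
            return False, ERROR
        visible.discard(in_response_to)  # one-time use: a replayed response fails
        return True, in_response_to


if __name__ == "__main__":
    store = RequestIdStore()
    rid = store.issue_request("https://login.example.com/authorize")  # constructed custom domain
    # ACS on the canonical domain: the ID is correct but not visible from that host
    print(store.validate("https://tenant.canonical.example/login/callback", build_saml_response(rid)))
    # ACS on the same domain the flow started on: accepted
    print(store.validate("https://login.example.com/login/callback", build_saml_response(rid)))
```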
