https://support.okta.com/help/answers?id=906f0000000dfmdiao&refurl=http%3a%2f%2fsupport.okta.com%2fhelp%2fanswers
Alexandre Chouinard

[Salesforce] SFDC Initiated SSO fails due to InResponseTo not being empty.

Ok... so I successfully linked Salesforce to Okta and I can log into Salesforce from the latter.

I then used Okta as an IdP in another application, but I get an error when trying to log in.

See #6

Last recorded SAML login failure: 2016-09-12T19:06:07.074Z
Unexpected Exceptions
Ok
1. Validating the Status
Ok
2. Looking for an Authentication Statement
Ok
3. Looking for a Conditions statement
Ok
4. Checking that the timestamps in the assertion are valid
Ok
5. Checking that the Attribute namespace matches, if provided
Not Provided
6. Miscellaneous format confirmations
InResponseTo must be empty for Idp-init Browser POST Profile
7. Confirming Issuer matches
Ok
8. Confirming a Subject Confirmation was provided and contains valid timestamps
Ok
9. Checking that the Audience matches
Ok
10. Checking the Recipient
Ok
Organization Id that we expected: 00D4100000080z7
Organization Id that we found based on your assertion: 00D4100000080z7
11. Validating the Signature
Is the response signed? true
Is the assertion signed? false
Is the correct certificate supplied in the keyinfo? true
Ok
12. Checking that the Site URL Attribute contains a valid site url, if provided
Not Provided
13. Looking for portal and organization id, if provided
Not Provided
14. Checking if session security level is valid, if provided
Ok
Here is the SAML response:
<?xml version="1.0" encoding="UTF-8"?> <saml2p:Response xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:xs="http://www.w3.org/2001/XMLSchema" ID="id1195001894998175345354729" InResponseTo="vf-7af904dcf49fe353e1236f74da6d8737b5ad8755" IssueInstant="2016-09-12T19:06:06.627Z" Version="2.0" > <saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">exknm881b3ztAJ4gm1t6</saml2:Issuer> <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"> <ds:SignedInfo> <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/> <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/> <ds:Reference URI="#id1195001894998175345354729"> <ds:Transforms> <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/> <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"> <ec:InclusiveNamespaces xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList="xs"/> </ds:Transform> </ds:Transforms> <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/> <ds:DigestValue>Pzz0fVQbyvj11rB2z8KjClaTs0DpnOpVdaEZVZdhYhY=</ds:DigestValue> </ds:Reference> </ds:SignedInfo> <ds:SignatureValue>Fepa9d92iv2PZT8GJmZi8zvnY9Z2XLM4E/PYAZqvRNLQb97NVaNNYEaCg1pQMbUzv8wRqApKcdN2U/+9awKSCE3YWRkbLyk0JYnaYL85uOuWnxAFi8BpFAh+vmdJ60mucJSoIFbjvum6oGfWMRO4d6fy82sBVuBDECTkuoqA/4/vXK/B4jJKYt0k8Bzr5p+cYKteUuLOY/Lil5maDGQt8QkkoS7xU1lTcLhdLTmEzdG4BNdhuDRSYzE/f3bh/92YGEUU2l1eILk7UJhjXXwCu++0CCi9yzzUBbhzuwrWmJRB0PA421W3qmveXFNRzVweOuVwe+44qA4Y4K7y5wC3pw==</ds:SignatureValue> <ds:KeyInfo> <ds:X509Data> <ds:X509Certificate>MIIDqjCCApKgAwIBAgIGAVcQHzXeMA0GCSqGSIb3DQEBBQUAMIGVMQswCQYDVQQGEwJVUzETMBEG A1UECAwKQ2FsaWZvcm5pYTEWMBQGA1UEBwwNU2FuIEZyYW5jaXNjbzENMAsGA1UECgwET2t0YTEU MBIGA1UECwwLU1NPUHJvdmlkZXIxFjAUBgNVBAMMDXZhbmlsbGFmb3J1bXMxHDAaBgkqhkiG9w0B CQEWDWluZm9Ab2t0YS5jb20wHhcNMTYwOTA5MTgwMzIzWhcNMjYwOTA5MTgwNDIzWjCBlTELMAkG 
A1UEBhMCVVMxEzARBgNVBAgMCkNhbGlmb3JuaWExFjAUBgNVBAcMDVNhbiBGcmFuY2lzY28xDTAL BgNVBAoMBE9rdGExFDASBgNVBAsMC1NTT1Byb3ZpZGVyMRYwFAYDVQQDDA12YW5pbGxhZm9ydW1z MRwwGgYJKoZIhvcNAQkBFg1pbmZvQG9rdGEuY29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIB CgKCAQEAxQ7T3Mk4vzinTFo6JZmSDk7NOhWnIDNxoGIXXIOJGJyYLL+u1eZuVmobK2e1VJw7hVuK +BHy+1ZCfgFbV3DGz95C3dxFQM65bRsTjNs+QejkcOA4p716lJBj0KnqExAFFwSo0yRjlzIPuqIe CCQ9pGJj125X5u0+qlBIkKt+3BjyRYO6u8PqlljR/4KtLhlTD2VxNBf7kKNHxxvbYbxpuN6x11yV M1gaPTDXG1wBaUllr8691lmy5lhEkIU8wx6pmPkcIc6ZG8etg+kK+bdyKVuNU+jctfOuwIIF9G5/ 7KFWev5pITD52gNiibljdWQBiTXq8XtqhUGcpHcgh0YqIwIDAQABMA0GCSqGSIb3DQEBBQUAA4IB AQA7PWSZPK+z7O5lXl83uMc5fAecBOJh0o6CUmW2T0alo2q7FafVCVJNFrXSO1fLZ6Oi/jI0ShKL avAVOziS6HU5X/es/JWXetN7UUSwPe9iDV13HDVs2hcl3c3bfSSpacBXL16G14xKj7W9n5S9w2sP Tdq/NcJHaRn0D2rzpJvBtcaTLmixkBgTcjsPOJEPdXO3vOFmaAlh0+tsFTC8mQK09QFJ/NZ37bYO TE6Pi197qYJMvgZfcyI1BjCL2j2UO/qUOdLDGALLwCketKUdYv5HE/wbt4OW8VpJrFQcz8KVR/rQ FdzVF0vjY4mfgy0tenpuyeEbLc6wIcG2raYgOoME</ds:X509Certificate> </ds:X509Data> </ds:KeyInfo> </ds:Signature> <saml2p:Status xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"> <saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/> </saml2p:Status> <saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" ID="id1195001895059079335107336" IssueInstant="2016-09-12T19:06:06.627Z" Version="2.0"> <saml2:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">exknm881b3ztAJ4gm1t6</saml2:Issuer> <saml2:Subject> <saml2:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">alexandre.c@vanillaforums.com</saml2:NameID> <saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"> <saml2:SubjectConfirmationData InResponseTo="vf-7af904dcf49fe353e1236f74da6d8737b5ad8755" NotOnOrAfter="2016-09-12T19:11:06.627Z" Recipient="https://login.salesforce.com?so=00D4100000080z7"/> </saml2:SubjectConfirmation> </saml2:Subject> <saml2:Conditions NotBefore="2016-09-12T19:01:06.627Z" NotOnOrAfter="2016-09-12T19:11:06.627Z"> 
<saml2:AudienceRestriction> <saml2:Audience>https://saml.salesforce.com</saml2:Audience> </saml2:AudienceRestriction> </saml2:Conditions> <saml2:AuthnStatement AuthnInstant="2016-09-12T19:06:06.627Z" SessionIndex="vf-7af904dcf49fe353e1236f74da6d8737b5ad8755"> <saml2:AuthnContext> <saml2:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml2:AuthnContextClassRef> </saml2:AuthnContext> </saml2:AuthnStatement> <saml2:AttributeStatement> <saml2:Attribute Name="portal_id" NameFormat="ns"> <saml2:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string"/> </saml2:Attribute> <saml2:Attribute Name="organization_id" NameFormat="ns"> <saml2:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string"/> </saml2:Attribute> <saml2:Attribute Name="siteURL" NameFormat="ns"> <saml2:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string"/> </saml2:Attribute> </saml2:AttributeStatement> </saml2:Assertion> </saml2p:Response>


It seems that Okta put an InResponseTo attribute on the response and that Salesforce does not like it.

I do not know what to do...
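The validator output above shows Salesforce processing the login as IdP-initiated while the response still carries an InResponseTo (the "vf-..." value, which looks like an AuthnRequest ID from the other application). The following is an added example, not Salesforce's or Okta's code, that re-implements the SP-side check behind step 6: an unsolicited (IdP-initiated) response must carry no InResponseTo at all, and an SP-initiated one must carry exactly the request ID the SP stored in the user's session. The sample response is a constructed, trimmed copy of the one in the post, with signature, certificate and attributes removed.

```python
"""SP-side InResponseTo check for a SAML 2.0 Response (added example, not vendor code)."""
import xml.etree.ElementTree as ET
from typing import Optional, Tuple

NS = {
    "saml2p": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml2": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Constructed sample: the IDs and InResponseTo values from the posted response, nothing else.
SAMPLE_RESPONSE = """<saml2p:Response xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="id1195001894998175345354729"
    InResponseTo="vf-7af904dcf49fe353e1236f74da6d8737b5ad8755"
    IssueInstant="2016-09-12T19:06:06.627Z" Version="2.0">
  <saml2:Issuer>exknm881b3ztAJ4gm1t6</saml2:Issuer>
  <saml2:Assertion ID="id1195001895059079335107336" IssueInstant="2016-09-12T19:06:06.627Z" Version="2.0">
    <saml2:Subject>
      <saml2:NameID>alexandre.c@vanillaforums.com</saml2:NameID>
      <saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml2:SubjectConfirmationData InResponseTo="vf-7af904dcf49fe353e1236f74da6d8737b5ad8755"
            NotOnOrAfter="2016-09-12T19:11:06.627Z"
            Recipient="https://login.salesforce.com?so=00D4100000080z7"/>
      </saml2:SubjectConfirmation>
    </saml2:Subject>
  </saml2:Assertion>
</saml2p:Response>"""


def check_in_response_to(response_xml: str, outstanding_request_id: Optional[str]) -> Tuple[bool, str]:
    """outstanding_request_id is the AuthnRequest ID this SP issued and kept in the
    browser session, or None when the SP issued no request (IdP-initiated flow)."""
    root = ET.fromstring(response_xml)
    resp_irt = root.get("InResponseTo")
    scd = root.find(".//saml2:SubjectConfirmationData", NS)
    scd_irt = scd.get("InResponseTo") if scd is not None else None

    if outstanding_request_id is None:
        # IdP-initiated: an unsolicited response must not claim to answer a request.
        if resp_irt is not None or scd_irt is not None:
            return False, "InResponseTo must be empty for Idp-init Browser POST Profile"
        return True, "Ok"

    # SP-initiated: the response (and the bearer confirmation, if it names one)
    # must point at exactly the request this session is waiting for.
    if resp_irt != outstanding_request_id:
        return False, f"Response InResponseTo {resp_irt!r} does not match request {outstanding_request_id!r}"
    if scd_irt is not None and scd_irt != outstanding_request_id:
        return False, "SubjectConfirmationData InResponseTo does not match request"
    return True, "Ok"
```

Run against the sample with `None` it reproduces the step 6 failure; run with the "vf-..." ID it passes, which is the SP-initiated situation the response was actually built for.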

Bogdan Andrisan (Okta, Inc.)
Hello Alexandre,

This error usually occurs when there is some mismatch in either the certificate or any configuration step in the Salesforce SAML settings. The InResponseTo is used in SP-initiated flows.
What I would recommend is to go through the SAML settings for this application, make sure everything is set properly and re-upload the certificate.
Under your current Salesforce integration, go to the Sign-On tab and follow the "View Setup Instructions", and everything should work as expected.

Thank you.

Owen Fuller
Did you get this resolved by chance? I have the same problem.