BrandonG.01868 (Customer) asked a question.
Unable to Validate Incoming SAML Assertion: The attribute InResponseTo ID--- in the SAML response did not match any SAML request id previously sent to the Identity Provider.
I'm setting up a new SAML IdP with a new client. This one has given an error on login that I've never experienced. They are using an Azure CIAM setup.
"The attribute InResponseTo ID--- in the SAML response did not match any SAML request id previously sent to the Identity Provider."
They are getting the generic 400 error.
We have checked the SAML req/response and the IDs match.
Any ideas what could be causing this?
Hi @BrandonG.01868 (Customer) , Thank you for reaching out to the Okta Community!
I've been doing some digging for this specific issue and found two potential causes.
>Certificate mismatch:
"Issue was resolved by uploading the right X.509 certificate from the ADFS metadata file into Okta. Successful verification was confirmed through a test user login, which mitigated the SAML error: "The digital signature in the SAML response did not validate with the Identity Provider's certificate."
>SAML IDP Login issue caused by Custom login page configuration/conflict:
-this required Okta Support intervention as it is dependent on a back-end feature flag being enabled.
So, please check the certificate being used and if that is not the issue, please open a case to work with our colleagues from the Okta Support Team.
If my answer helped, remember to mark it as best to increase its visibility for other members of the Okta Community who might have the same questions as you.
Hope my answer helps!
--
Help others in the community by liking or hitting Select as Best if this response helped you.
Collect them all. Learn a new skill and earn a new Okta Learning badge.
Just released: More Okta Community badges just added