SAML - Domain Mismatch - "The InResponseTo attribute does not match the id in the AuthNRequest"

Overview

SAML login attempts return the error below in a HAR file or network trace, even though the InResponseTo attribute does match the ID of the AuthnRequest that was sent.

The InResponseTo attribute does not match the id in the AuthNRequest

This will either result in a failed login or, depending on the SAML IdP, can result in confusing behavior. An Okta SAML IdP connection was seen defaulting to IdP-initiated login due to this, which was undesired behavior.

Obtain a network HAR file of a login attempt and look for this error:

https://DOMAIN/callback?error=access_denied&error_description=The%20InResponseTo%20attribute%20does%20not%20match%20the%20id%20in%20the%20AuthNRequest&state=<value>

For further information, refer to Generate and Analyze HAR Files.

Applies To

  • SAML Login

Cause

This error occurs when the InResponseTo attribute in the SAML response is not recognized by the Auth0 tenant. This error could be caused by:

  • blocked cookies
  • mismatched IDs from the most recent SAML request
  • inconsistent use of domains

If the tenant uses a custom domain, there could be a mismatch if the login flow begins on the custom domain and finishes on the canonical domain. For further information, refer to Custom SAML Request template producing error "SAML InResponseTo validation failed: The InResponseTo attribute does not match the id in the AuthNRequest".
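The domain mismatch described above is easier to see with a small model of the check. The following is an added illustration, not Auth0's code: the pending AuthnRequest ID is stored per domain (as a domain-scoped cookie or session would be), so a response that arrives at an ACS URL on a different domain than the one the flow started on fails validation even though the InResponseTo value is textually correct. Domain names are constructed placeholders.

```python
# Added illustration (not Auth0's code) of why an InResponseTo check can fail
# when the login flow starts on one domain and finishes on another.
import xml.etree.ElementTree as ET
from typing import Dict, Optional, Set

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
ERROR = "The InResponseTo attribute does not match the id in the AuthNRequest"

# Outstanding AuthnRequest IDs, keyed by the domain the user started on.
# Real deployments keep this in a cookie or session scoped to that domain,
# which is exactly what a mid-flow domain switch loses. Constructed store.
pending_requests: Dict[str, Set[str]] = {}


def issue_authn_request(start_domain: str, request_id: str) -> str:
    """Record the request ID the /authorize flow on start_domain sends to the IdP."""
    pending_requests.setdefault(start_domain, set()).add(request_id)
    return f'<samlp:AuthnRequest xmlns:samlp="{SAMLP}" ID="{request_id}" Version="2.0"/>'


def build_response(request_id: str) -> str:
    """Minimal SAML Response carrying InResponseTo (constructed sample)."""
    return (f'<samlp:Response xmlns:samlp="{SAMLP}" ID="_r1" '
            f'InResponseTo="{request_id}" Version="2.0"/>')


def validate_in_response_to(acs_domain: str, response_xml: str) -> Optional[str]:
    """Return None when the response matches a request issued on acs_domain,
    otherwise the error string shown in the HAR file."""
    in_response_to = ET.fromstring(response_xml).get("InResponseTo")
    known = pending_requests.get(acs_domain, set())
    if in_response_to not in known:
        return ERROR
    known.discard(in_response_to)  # one-time use: a replayed response fails
    return None


def demo(start_domain: str, acs_domain: str) -> Optional[str]:
    """Start the flow on start_domain, receive the response on acs_domain."""
    request_id = "_abc123"  # constructed
    issue_authn_request(start_domain, request_id)
    return validate_in_response_to(acs_domain, build_response(request_id))
```

Running `demo("login.example.com", "login.example.com")` succeeds, while `demo("login.example.com", "example-tenant.auth0.com")` returns the error from the page even though the ID in the response is the one that was issued.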
Solution

To fix this problem, use the same domain throughout the login flow: change either the domain in the initial /authorize request or the Assertion Consumer Service (ACS) URL configured at the identity provider so that both use the same domain.
