OPENAM-13892

Erroneous "Response's InResponseTo attribute is not valid" error logs "SAML2 failover is enabled" when it is not



    • Bug
    • Status: Resolved
    • Major
    • Resolution: Fixed
    • 13.5.0, 13.5.1, 13.5.2, 14.1.0, 14.1.1, 5.5.1, 6.0.0, 5.5.2
    • 6.5.1, 6.0.1, 7.0.0
    • debug logging, SAML
    • AM Sustaining Sprint 59, AM Sustaining Sprint 60
    • 1
    • No
    • No
    • No
    • Yes and I used the same an in the description


      Bug description

      When having a SAML2 federation, and especially when having multiple instances: when the SP authenticates to the IDP and the response lands back on a different SP instance from the original instance, without SAML2 failover (and the request is definitely not sticky back to the original SP instance), then we get some exceptions like

       ERROR: SAML2Utils.verifyResponse:InResponseTo attribute in Response is invalid: s238be86c72f2c10936e05a4e38a62353d91e18905, SAML2 failover is enabled
      libSAML2:10/29/2018 03:41:38:189 PM GMT: Thread[http-nio-33280-exec-27,5,main]: TransactionId[f5c42388-eefe-4834-95e9-8b66f73febd8-27059047]
      ERROR: spAssertionConsumer.jsp: SSO failed.
      com.sun.identity.saml2.common.SAML2Exception: Response's InResponseTo attribute is not valid.
       at com.sun.identity.saml2.common.SAML2Utils.verifyResponse(SAML2Utils.java:346)

      There is nothing wrong here, BUT when debugging, the issue is that the line

       SAML2Utils.verifyResponse:InResponseTo attribute in Response is invalid: ...., SAML2 failover is enabled
      printed in SAML2Utils.verifyResponse(SAML2Utils.java:346)

      is wrong, as the error is supposed to be "SAML2 failover is NOT enabled".

      How to reproduce the issue


      1. Two or more SPs and one IDP
      2. Make sure the SP does not enable SAML2 failover
      3. Perform an SP SSO and, when the IDP responds via POST, make sure that this lands on another SP
      4. (Alternatively, I believe 1 SP can also be used: when the request goes to the IDP, restart the SP, then proceed with the IDP so that the request lands back on the SP with no cache or information of the original SP request.)

      Expected behaviour

      "SAML2 failover is NOT enabled." should be printed, so that everyone knows that they did NOT enable SAML2 failover, which is required for multiple clusters.

      Current behaviour

      "SAML2 failover is enabled." is printed wrongly at SAML2Utils.java:346

      Work around

      Code analysis

       if (SAML2FailoverUtils.isSAML2FailoverEnabled()) {
           // (failover-enabled branch not shown in the report)
       } else {
           // THIS IS INSIDE the NO FAILOVER enabled branch!!!! but it is still mis-logged.
           debug.error(method + "InResponseTo attribute in Response"
                   + " is invalid: " + inRespToResp + ", SAML2 failover is enabled");
       }
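The scenario from the reproduction steps, as an added illustration that is not OpenAM code: two SP instances with separate in-memory AuthnRequest caches, a shared store standing in for the SAML2 failover store, and a diagnostic that states the real failover state. The class, method and store names are invented for this example.

```java
import java.util.HashMap;
import java.util.Map;
import java.util.Optional;

// Added example (not OpenAM code): each SP instance keeps its own cache of
// outstanding AuthnRequest IDs; the shared store models the failover store.
public class InResponseToCheck {

    static final class SpInstance {
        final String name;
        final Map<String, String> localRequests = new HashMap<>(); // requestId -> IDP entity ID
        SpInstance(String name) { this.name = name; }
    }

    /** Returns an error message if InResponseTo is unknown locally and (when failover is on) in the shared store. */
    static Optional<String> verifyInResponseTo(SpInstance sp, Map<String, String> sharedStore,
                                               boolean failoverEnabled, String inResponseTo) {
        if (sp.localRequests.containsKey(inResponseTo)) {
            return Optional.empty(); // request was issued by this instance: valid
        }
        if (failoverEnabled && sharedStore.containsKey(inResponseTo)) {
            return Optional.empty(); // issued by another instance, found via failover store: valid
        }
        // The message reports the actual failover state, which is what OPENAM-13892 asks for.
        return Optional.of("InResponseTo attribute in Response is invalid: " + inResponseTo
                + ", SAML2 failover is " + (failoverEnabled ? "enabled" : "NOT enabled"));
    }

    public static void main(String[] args) {
        SpInstance spA = new SpInstance("sp-a");
        SpInstance spB = new SpInstance("sp-b");
        Map<String, String> sharedStore = new HashMap<>();
        String requestId = "s2f0e1e1c7c4b4f3a9d5b7c8e1f2a3b4c5d6e7f8a9"; // constructed sample ID

        // Step 3: sp-a issues the AuthnRequest, but the POST response lands on sp-b.
        spA.localRequests.put(requestId, "idp");
        System.out.println(verifyInResponseTo(spB, sharedStore, false, requestId).orElse("valid"));

        // With failover enabled and the request in the shared store, sp-b can accept it.
        sharedStore.put(requestId, "idp");
        System.out.println(verifyInResponseTo(spB, sharedStore, true, requestId).orElse("valid"));
    }
}
```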




            joe.starling Joe Starling
            chee-weng.chea C-Weng C
            Filip Kubáň [X] Filip Kubáň [X] (Inactive)