Error: Login failed due to an error with code – SAML_ERR_002. Please reach out to your administrator to resolve this.


Issue description

The error "Login failed due to an error with code – SAML_ERR_002. Please reach out to your administrator to resolve this." occurs when a user tries to log in to ADSelfService Plus through a third-party identity provider (IdP).

Possible cause

  • The InResponseTo value in the SAML response does not match the SAML request ID generated by ADSelfService Plus.

Prerequisites

  • You need administrative access to the ADSelfService Plus portal and the IdP's configuration interface.
  • The server clocks for both the service provider (ADSelfService Plus) and the IdP must be synchronized to prevent valid requests from being incorrectly marked as expired.

Resolution

Step 1: Analyze the SAML response from the IdP
The first step is to determine whether the InResponseTo value is missing or incorrect.
  1. Use a SAML debugging tool like SAML-tracer to capture the login attempt.
  2. Find the initial SAMLRequest sent from ADSelfService Plus to your IdP. Locate and copy the value of the ID attribute.
  3. Find the SAMLResponse sent from the IdP back to ADSelfService Plus.
  4. Look for the InResponseTo attribute within the response.
    • If the attribute is missing, your IdP is not configured to send this attribute. You must enable it in your IdP's settings for the ADSelfService Plus application.
    • If the attribute is present, compare its value to the request ID you copied earlier. If they do not match, the IdP's configuration is incorrect and needs to be fixed.

Step 2: Verify the service provider (ADSelfService Plus) configuration
  1. Log in to the ADSelfService Plus admin portal.
  2. Navigate to Admin > Customize > Login Settings > Single Sign-On.
  3. Confirm that the configuration matches the IdP setup.
  4. Restart the browser session to generate a fresh SAML request and test the login again.

Troubleshooting tips

  • If a user has multiple login tabs open or uses the browser's back button during a login attempt, the IdP might respond to an older, expired request ID. Instruct users to always start a fresh login from the main portal.
  • This error typically occurs in a service-provider-initiated flow. IdP-initiated flows do not contain the InResponseTo attribute. If your workflow requires this validation, ensure you are using a service-provider-initiated flow.
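The comparison in Step 1 (request ID against InResponseTo) and the IdP-initiated case from the tip above can be scripted over the decoded XML that SAML-tracer shows. The following is an added example, not ADSelfService Plus code; the message bodies, IDs and timestamps are constructed for illustration, and only the standard library is used.

```python
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"

# Constructed sample AuthnRequest modelled on what SAML-tracer displays; not a real capture.
AUTHN_REQUEST = (
    f'<samlp:AuthnRequest xmlns:samlp="{SAMLP}" ID="_a1b2c3" Version="2.0" '
    'IssueInstant="2024-01-01T10:00:00Z"/>'
)

def build_response(in_response_to=None):
    """Constructed IdP Response; omit in_response_to to mimic an IdP that drops the attribute."""
    attr = f' InResponseTo="{in_response_to}"' if in_response_to is not None else ""
    return (f'<samlp:Response xmlns:samlp="{SAMLP}" ID="_r9z8y7" Version="2.0" '
            f'IssueInstant="2024-01-01T10:00:05Z"{attr}/>')

def check_in_response_to(request_xml, response_xml):
    """Correlate a captured SAMLRequest with the SAMLResponse that should answer it.

    request_xml may be None for an IdP-initiated flow, where no request exists.
    Returns (verdict, request_id, in_response_to) so the result can be logged.
    """
    resp = ET.fromstring(response_xml)
    if resp.tag != f"{{{SAMLP}}}Response":
        raise ValueError("not a samlp:Response")
    in_response_to = resp.get("InResponseTo")
    if request_xml is None:
        # IdP-initiated: no request ID to compare, and the attribute should be absent.
        verdict = "idp_initiated" if in_response_to is None else "unsolicited_with_inresponseto"
        return verdict, None, in_response_to
    req = ET.fromstring(request_xml)
    if req.tag != f"{{{SAMLP}}}AuthnRequest":
        raise ValueError("not a samlp:AuthnRequest")
    request_id = req.get("ID")
    if in_response_to is None:
        verdict = "missing"    # IdP is not configured to echo the request ID
    elif in_response_to != request_id:
        verdict = "mismatch"   # IdP answered a different (often stale) request
    else:
        verdict = "match"
    return verdict, request_id, in_response_to

if __name__ == "__main__":
    for label, resp in [("ok", build_response("_a1b2c3")),
                        ("stale", build_response("_old000")),
                        ("absent", build_response())]:
        print(label, check_in_response_to(AUTHN_REQUEST, resp))
    print("idp-init", check_in_response_to(None, build_response()))
```

A "mismatch" verdict on a fresh login points at the IdP configuration, while a "mismatch" only after a back-button or multi-tab login matches the stale-request scenario described in the tips.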

How to reach support

If the issue persists, contact our support team here
