SAML | InResponseTo attribute in SAML Response is missing - error code 50
What is InResponseTo?
SDP sends a unique identifier, named 'ID', in every SAML request, and the IDP must return this ID in every SAML response as 'InResponseTo'. Most popular IDPs return it, and SDP checks it for security reasons.
Response without InResponseTo:
Expected Response:
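The check described above, as an added example (not ServiceDesk Plus code): a service provider records each request ID it issues and accepts a response only if its InResponseTo matches one of them, once. The class and function names and the sample responses are constructed for illustration, and signature verification is assumed to have happened already.

```python
import secrets
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"


class RequestTracker:
    """Hypothetical SP-side store of AuthnRequest IDs awaiting a response."""

    def __init__(self):
        self._pending = set()

    def new_request_id(self):
        # xs:ID values must not start with a digit, hence the "_" prefix.
        rid = "_" + secrets.token_hex(16)
        self._pending.add(rid)
        return rid

    def check_response(self, response_xml):
        """Return (accepted, reason). Assumes the signature was verified."""
        root = ET.fromstring(response_xml)
        if root.tag != f"{{{SAMLP}}}Response":
            return False, "not a samlp:Response"
        irt = root.get("InResponseTo")
        if not irt:
            return False, "InResponseTo missing"
        if irt not in self._pending:
            return False, "InResponseTo does not match a pending request"
        self._pending.discard(irt)  # single use: a replayed response fails
        return True, "ok"


def build_response(in_response_to=None):
    # Constructed sample, trimmed to the attributes this check reads.
    attr = f' InResponseTo="{in_response_to}"' if in_response_to else ""
    return (f'<samlp:Response xmlns:samlp="{SAMLP}" ID="_resp1" '
            f'Version="2.0"{attr}/>')
```

An SP typically keeps the pending IDs in the user's session, so a response that arrives without that session fails the same lookup as one carrying an unknown ID.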
Case 1: SameSiteCookie as 'Lax' or 'Strict':
Some customers run security reports, and these reports ask to change the samesitecookie setting to 'Lax' or 'Strict'. Please note that samesite must be set to 'none' in order for SAML to work. Connect to the application database, run the following query, and restart the services to set samesite to 'none'.
update globalconfig set paramvalue='none' where "parameter"='SAMESITECOOKIE';
Case 2: Some custom IDPs do not send this.
If your custom IDP does not return this by default, it now needs to be included. Please ask your IDP admin to add the InResponseTo attribute to the SAML response by altering the IDP settings.
Case 3: A complex environment condition causes the failure.
If you have a complex environment where this cannot be propagated to SDP and this validation needs to be removed, please contact our support team with your version number (in particular, whether your version is above 15140 or not). Removing the validation is not recommended and can lead to security vulnerabilities.