In the DLP logs, users are unable to login and we are presented with the following "INFO" level error in the DLP localhost log:
AuthNResponse;FAILURE;EndpointMachine.domain.tld;https://Enforce.domain.tld/ProtectManager/saml/metadata;http://IDP.domain.tld;;;org.opensaml.common.SAMLException: InResponseToField of the Response doesn't correspond to sent message a3128419c09317e646b9i212472eh83
This is frequently seen with ADFS implementations of SSO.
The IdP isn't using the same session to track its response as is coming from DLP. The DLP springSecurityContext.xml needs to be updated with the below value. After making the change and saving the file, restart the DLP Enforce services for the change to take effect.
Current value:
<bean id="contextProvider" class="org.springframework.security.saml.context.SAMLContextProviderImpl" />
Updated value (highlighting added for clarity on what was changed):
<bean id="contextProvider" class="org.springframework.security.saml.context.SAMLContextProviderImpl">
<property name="storageFactory">
<bean class="org.springframework.security.saml.storage.EmptyStorageFactory"/>
</property>
</bean>