DLP SSO: InResponseToField of the Response doesn't correspond to sent message
search cancel

DLP SSO: InResponseToField of the Response doesn't correspond to sent message

book

Article ID: 237335

calendar_today

Updated On:

Products

Data Loss Prevention Enforce

Issue/Introduction

In the DLP logs, users are unable to login and we are presented with the following "INFO" level error in the DLP localhost log:

AuthNResponse;FAILURE;EndpointMachine.domain.tld;https://Enforce.domain.tld/ProtectManager/saml/metadata;http://IDP.domain.tld;;;org.opensaml.common.SAMLException: InResponseToField of the Response doesn't correspond to sent message a3128419c09317e646b9i212472eh83

Cause

This is frequently seen with ADFS implementations of SSO.

 

Option 1.

The IdP isn't using the same session to track its response as is coming from DLP. 

 

Option 2.

The URL used to access the Enforce server does not match the ACS (Assertion Customer Service) URL imported into IdP from the Enforce server. The ACS URL in the metadata xml file generated by the Enforce server is based on SpringSecurityContext.xml file.  Specifically the ACS URL is generated from the entityBaseURL property of the file, for example:

<property name="entityBaseURL" value="https://enforce.domain.com/ProtectManager" />

When the IdP responds after successful login, it will deliver the response for the specific ACS URL, along other logon related information, for which the logon operation is valid. If the Enforce server was accessed with a URL different than the one specified in the entityBaseURL/metadata then the logon to the Console will fail with the error described in this article. 

This can happen if, for example, IP address of the Enforce server was used to access the Console, instead of the FQDN/hostname.

 

 

Resolution

Option 1.

The IdP isn't using the same session to track its response as is coming from DLP.  The DLP springSecurityContext.xml needs to be updated with the below value. After making the change and saving the file, restart the DLP Enforce services for the change to take effect.

 

Current value:

<bean id="contextProvider" class="org.springframework.security.saml.context.SAMLContextProviderImpl" />

Updated value (highlighting added for clarity on what was changed):

<bean id="contextProvider" class="org.springframework.security.saml.context.SAMLContextProviderImpl">
  <property name="storageFactory">
    <bean class="org.springframework.security.saml.storage.EmptyStorageFactory"/>
  </property>
</bean>

 

Option 2.

To avoid such issues it is obligatory to use the same URL as specified in the entityBaseURL/metadata to access the Enforce server if SAML authentication is to be used. In this example the Enforce needs to be accessed by using the https://enforce.domain.com address as it matches the entityBaseURL entry from the SpringSecurityContext.xml file for the SAML authentication to succeed.

This does not apply to Administrator bypass URL.

Powered by Wolken Software