DLP SSO: InResponseToField of the Response doesn't correspond to sent message
search cancel

DLP SSO: InResponseToField of the Response doesn't correspond to sent message

book

Article ID: 237335

calendar_today

Updated On:

Products

Data Loss Prevention Enforce

Issue/Introduction

In the DLP logs, users are unable to login and we are presented with the following "INFO" level error in the DLP localhost log:

AuthNResponse;FAILURE;EndpointMachine.domain.tld;https://Enforce.domain.tld/ProtectManager/saml/metadata;http://IDP.domain.tld;;;org.opensaml.common.SAMLException: InResponseToField of the Response doesn't correspond to sent message a3128419c09317e646b9i212472eh83

Cause

This is frequently seen with ADFS implementations of SSO.

Resolution

The IdP isn't using the same session to track its response as is coming from DLP.  The DLP springSecurityContext.xml needs to be updated with the below value. After making the change and saving the file, restart the DLP Enforce services for the change to take effect.

 

Current value:

<bean id="contextProvider" class="org.springframework.security.saml.context.SAMLContextProviderImpl" />

Updated value (highlighting added for clarity on what was changed):

<bean id="contextProvider" class="org.springframework.security.saml.context.SAMLContextProviderImpl">
  <property name="storageFactory">
    <bean class="org.springframework.security.saml.storage.EmptyStorageFactory"/>
  </property>
</bean>
Powered by Wolken Software