UAA error: InResponseToField of the Response doesn't correspond to sent message


Enrique Cano
 

Hi

I've got UAA connected to an Identity Provider using SAML. I've noticed that if the Identity Provider takes some time (in my case, 1 minute 40 seconds) in responding to the SAML request with a SAML response, then I get this error in UAA: "InResponseToField of the Response doesn't correspond to sent message..."
In the logs, I can see:
DEBUG --- HttpSessionStorage: Storing message a4g4f9f5259jb7ji12eah767h6e0i20 to session 82190965-9a09-4618-9c21-90a01cab7be5
But then it seems that that session no longer exists... Is there some sort of timeout that is deleting that HttpSession?

Many thanks in advance

Enrique


Enrique Cano
 

I've found the issue. The parameter servlet.idle-timeout was set to 60 seconds. That meant the session was removed after that timeout if there was no communication from the IdP. When eventually a SAML response was sent back to UAA, UAA would try to find the corresponding SAML request in the cache associated with the session, but because the session was no longer there, it was raising that error.
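
The failure described in this post, modelled as an added example (not UAA or Spring Security SAML code, and not written by anyone in the thread): a toy session store with an idle timeout holds the IDs of sent SAML requests, and the InResponseTo check fails once the session has been evicted. The class and function names, the session ID and the request ID are constructed for illustration; the 60-second timeout and the 100-second IdP delay are the values from the thread.

```python
from dataclasses import dataclass, field

ERROR = "InResponseToField of the Response doesn't correspond to sent message"

@dataclass
class Session:
    last_access: float
    sent_request_ids: set = field(default_factory=set)

class SessionStore:
    """Toy model of servlet idle-timeout eviction (hypothetical, not UAA code)."""
    def __init__(self, idle_timeout_s):
        self.idle_timeout_s = idle_timeout_s
        self.sessions = {}

    def get(self, sid, now, create=False):
        session = self.sessions.get(sid)
        if session and now - session.last_access > self.idle_timeout_s:
            del self.sessions[sid]      # idle too long: session is evicted
            session = None
        if session is None and create:
            session = self.sessions[sid] = Session(last_access=now)
        if session:
            session.last_access = now   # any request resets the idle clock
        return session

def send_authn_request(store, sid, request_id, now):
    # The request ID is remembered in the session, as in the log line above.
    store.get(sid, now, create=True).sent_request_ids.add(request_id)

def receive_response(store, sid, in_response_to, now):
    session = store.get(sid, now)
    if session is None or in_response_to not in session.sent_request_ids:
        return ERROR                    # no stored request to match against
    session.sent_request_ids.discard(in_response_to)  # one response per request
    return "accepted"

def simulate(idle_timeout_s, idp_delay_s):
    store = SessionStore(idle_timeout_s)
    send_authn_request(store, "sess-1", "req-1", now=0)       # constructed IDs
    return receive_response(store, "sess-1", "req-1", now=idp_delay_s)

if __name__ == "__main__":
    for timeout in (60, 300):
        print(f"idle-timeout={timeout}s, IdP delay=100s ->", simulate(timeout, 100))
```

Because the check ties each response to a request this service provider actually sent, the idle timeout has to exceed the slowest expected IdP round trip for a legitimate response to pass.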


Daniel Jones
 

Nice one for finding the reason, and also for taking the time to share it for the next person that stumbles across this post in search results :)

Regards,
Daniel 'Deejay' Jones - Managing Director
+44 (0)79 8000 9153
EngineerBetter Ltd - More than cloud platform specialists


On Tue, 23 Feb 2021 at 11:42, Enrique Cano <enrique.canocarballar@...> wrote:
I've found the issue. The parameter servlet.idle-timeout was set to 60 seconds. That meant the session was removed after that timeout if there was no communication from the IdP. When eventually a SAML response was sent back to UAA, UAA would try to find the corresponding SAML request in the cache associated with the session, but because the session was no longer there, it was raising that error.