IBM Support

Secret Server SAML Login: [Thycotic.ihawu.Business.SAML.ThycoticSamlException: The SAML message doesn't contain an InResponseTo attribute.

Troubleshooting


Problem

Since the upgrade to Secret Server version 10.9, we've been experiencing intermittent SAML login errors.
Users go to https://XXXX.secretservercloud.com then get redirected to our on-prem SAML server.
A user enters their credentials and is prompted for their multi-factor authentication (MFA).
Upon successful entry, the following SAML error is displayed:
A problem occurred during your SAML login. Please see the system log or the SAML log for details.
Clicking the Continue button redisplays the same error.
The following is a sample of the login entries.
SAMLLog.csv
12/16/2020 8:37:10 AM,Web3,Processed successful SAML response
12/16/2020 8:37:10 AM,Web3,Processing login for user [user1@TEST]
12/16/2020 8:30:26 AM,Web6,The SAML message doesn't contain an InResponseTo attribute.
12/16/2020 8:28:17 AM,Web9,The SAML message doesn't contain an InResponseTo attribute.
12/16/2020 8:22:15 AM,Web2,The SAML message doesn't contain an InResponseTo attribute.
12/16/2020 8:14:43 AM,Web3,The SAML message doesn't contain an InResponseTo attribute.
12/16/2020 8:11:31 AM,Web3,The SAML message doesn't contain an InResponseTo attribute.
12/16/2020 8:11:09 AM,Web10,Processed successful SAML response
12/16/2020 8:11:09 AM,Web10,Processing login for user [user2@TEST]
Secret_Server_SAML_Error_Log_Entry.txt
System Log Entry
Date Recorded 12/16/2020 08:22 am
Log Level Alert
Correlation ID 36f84b53fc04debfd5ab8f6c0b664e75
Log Message
Problem with SAML Login: [Thycotic.ihawu.Business.SAML.ThycoticSamlException: The SAML message doesn't contain an InResponseTo attribute.
at Thycotic.ihawu.Business.SAML.SamlResponseProcessor.CheckPendingResponseState(SamlIdpConfiguration idp, String inResponseTo)
at Thycotic.ihawu.Business.SAML.SamlResponseProcessor.ValidateSamlResponse(HttpRequest request, XmlElement samlResponseXml, SamlIdpConfiguration& idp)
at Thycotic.ihawu.Business.SAML.SamlResponseProcessor.ReceiveSAMLResponse(HttpRequest request, SAMLResponse& samlResponse, String& relayState, SamlIdpConfiguration& idp)
at Thycotic.ihawu.Business.SAML.SamlResponseProcessor.ProcessSAMLResponse(HttpRequest request)
at Thycotic.webapp.Web.SAML.AssertionConsumerService.Page_Load(Object sender, EventArgs e)] Please see the system log or the SAML log for details.

Resolving The Problem

To resolve, go to Admin > Configuration > SAML > Advanced Settings and check the box next to "Disable InResponseTo Check".
This should allow users to log in using SAML correctly.
After additional research: the InResponseTo attribute is essentially a return value from the IdP to Secret Server confirming the user authentication, tying the response back to the authentication request Secret Server issued.
Secret Server is not receiving exactly what it expected from the IdP, so this InResponseTo check fails.
With the check disabled, users no longer have to pass this secondary authentication step to log in.
The root cause is usually a load balancer that causes a different set of information to be sent to Secret Server than expected, producing a hiccup like this. Since the failures are so intermittent, we strongly suspect that something in the redirects and in the response from the IdP itself is being changed by the load balancer.
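As an added example (not Thycotic or IBM code), the following Python models the SP-side InResponseTo correlation that the setting above disables, run against two constructed responses: one carrying the attribute and one without it, as in the log entries above. The function names, the pending-request dictionary and the entity IDs are assumptions, and the per-node pending store (a response landing on a different web node than the one that issued the request) is a hypothetical illustration of the load-balancer cause this article suspects, not a confirmed mechanism.

```python
import xml.etree.ElementTree as ET
from typing import Dict, Optional

SAMLP_NS = "urn:oasis:names:tc:SAML:2.0:protocol"

class SamlInResponseToError(Exception):
    """Raised when a Response cannot be tied to an AuthnRequest this SP issued."""

def extract_in_response_to(response_xml: str) -> Optional[str]:
    """Return the InResponseTo attribute of <samlp:Response>, or None if absent."""
    root = ET.fromstring(response_xml)
    if root.tag != "{%s}Response" % SAMLP_NS:
        raise ValueError("root element is not samlp:Response")
    return root.get("InResponseTo")

def check_pending_response_state(pending: Dict[str, str], in_response_to: Optional[str],
                                 disable_check: bool = False) -> Optional[str]:
    """Correlate a Response with an AuthnRequest this SP issued (hypothetical model of the check).
    `pending` maps request IDs to the IdP entity ID each went to; a matching entry is consumed
    so the same Response is not accepted twice. disable_check=True skips correlation entirely."""
    if disable_check:
        return None
    if in_response_to is None:
        raise SamlInResponseToError("The SAML message doesn't contain an InResponseTo attribute.")
    idp = pending.pop(in_response_to, None)
    if idp is None:
        raise SamlInResponseToError("No pending AuthnRequest with ID %r on this node" % in_response_to)
    return idp

# Constructed sample responses (signature and assertion omitted; only the envelope matters here).
RESPONSE_WITH_ID = ('<samlp:Response xmlns:samlp="%s" ID="_r1" Version="2.0" '
                    'InResponseTo="_req123" Destination="https://sp.example/SAML/ACS"/>' % SAMLP_NS)
RESPONSE_NO_ID = ('<samlp:Response xmlns:samlp="%s" ID="_r2" Version="2.0" '
                  'Destination="https://sp.example/SAML/ACS"/>' % SAMLP_NS)

def simulate(response_xml: str, node_store: Dict[str, str], disable_check: bool = False) -> str:
    """Run the check the way one web node would and return an outcome label."""
    try:
        idp = check_pending_response_state(node_store, extract_in_response_to(response_xml), disable_check)
        return "accepted:%s" % (idp or "unverified")
    except SamlInResponseToError as exc:
        return "rejected:%s" % exc

if __name__ == "__main__":
    # Web3 issued the AuthnRequest; with per-node state, a response landing on Web6 has nothing to match.
    web3 = {"_req123": "https://idp.example"}; web6 = {}
    print(simulate(RESPONSE_WITH_ID, web3))      # accepted:https://idp.example
    print(simulate(RESPONSE_WITH_ID, web6))      # rejected:No pending AuthnRequest with ID '_req123' on this node
    print(simulate(RESPONSE_NO_ID, web3))        # rejected:The SAML message doesn't contain an InResponseTo attribute.
    print(simulate(RESPONSE_NO_ID, web3, True))  # accepted:unverified
```

Disabling the check removes the one-time correlation between request and response, so any remaining protection against replayed or unsolicited responses must come from signature, audience and time-window validation, which this model does not implement.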

Document Location

Worldwide


Document Information

Modified date:
18 December 2020

UID

ibm16383718