SAML error with Kubernetes: 'InResponseToField of the Response doesn't correspond to sent message'

Hi everyone,

I am having a recurring issue with shinyproxy (currently 2.5.0) hosted within a kubernetes cluster (currently a single node). I’m using Auth0 with SAML. Traffic goes through a Nginx ingress controller that does TLS termination and has a fairly basic configuration. What I don’t understand is that I will get the following error, but only once in a while. If I try to login, I will get the error, but then after that, if I go back to the login page and try to log in again, everything works fine.

  o.s.security.saml.log.SAMLDefaultLogger  : AuthNResponse;FAILURE;[Auth0 URN];;;org.opensaml.common.SAMLException: InResponseToField of the Response doesn't correspond to sent message a12g399012cidi7i2i3ha3ha4h6e6jc
        at org.springframework.security.saml.websso.WebSSOProfileConsumerImpl.processAuthenticationResponse(WebSSOProfileConsumerImpl.java:175)
        at org.springframework.security.saml.SAMLAuthenticationProvider.authenticate(SAMLAuthenticationProvider.java:88)
        at org.springframework.security.authentication.ProviderManager.authenticate(ProviderManager.java:199)
        at org.springframework.security.authentication.ProviderManager.authenticate(ProviderManager.java:219)
...

This made me think of a cookie problem; however, adjusting the shinyproxy server/proxy configuration for cookies did not change anything. The shinyproxy configuration has:

server:
  secure-cookies: true
proxy:
  same-site-cookie: None

In the browser when I try to log in I get the following error message:

Error
Status code: 200

Message: Error validating SAML message

Stack Trace:
org.springframework.security.authentication.AuthenticationServiceException: Error validating SAML message
...

Does anyone have an idea of what I am missing? I would really appreciate it! Thank you!

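As an added illustration for this thread (constructed example, not ShinyProxy or Spring Security SAML code), here is the SP-side check that raises this error, modelled in Python: the SP remembers the ID of each AuthnRequest in the browser session, and accepts a Response only if its InResponseTo names an outstanding request in that same session, consuming it once. The model shows why a retry succeeds while an attempt in which the session cookie does not accompany the IdP's POST to the ACS fails with exactly this message; session IDs and request IDs are generated locally and are assumptions.

```python
"""
Model of the SP-side InResponseTo check behind the error in the post
(constructed example, not ShinyProxy or Spring SAML code). The SP records the
ID of each AuthnRequest it sends, keyed by the browser session; the IdP echoes
that ID back in Response/@InResponseTo; the SP accepts the Response only if the
ID is an outstanding request in *that* session, and consumes it once.
"""
import secrets
from typing import Dict, Optional, Set

# session_id -> set of AuthnRequest IDs still awaiting a Response
_pending: Dict[str, Set[str]] = {}


class SAMLValidationError(Exception):
    pass


def send_authn_request(session_id: str) -> str:
    """SP redirects the browser to the IdP; remember the request ID in the session."""
    request_id = "_" + secrets.token_hex(16)   # SAML IDs must start with a letter or '_'
    _pending.setdefault(session_id, set()).add(request_id)
    return request_id


def validate_in_response_to(session_id: Optional[str], in_response_to: str) -> None:
    """Called when the browser POSTs the Response to the ACS URL.

    session_id is None when the browser did not send the SP's session cookie
    with the cross-site POST (e.g. SameSite blocked it, or the cookie expired).
    """
    outstanding = _pending.get(session_id, set()) if session_id else set()
    if in_response_to not in outstanding:
        # Same message as in the post: the SP has no record of sending this request
        raise SAMLValidationError(
            f"InResponseToField of the Response doesn't correspond to sent message {in_response_to}")
    outstanding.discard(in_response_to)       # one Response per request: blocks replay


def demo(with_cookie: bool) -> str:
    """Return 'ok' or the error text for one login attempt (hypothetical session id)."""
    sid = "sess-" + secrets.token_hex(4)
    rid = send_authn_request(sid)
    try:
        validate_in_response_to(sid if with_cookie else None, rid)
        return "ok"
    except SAMLValidationError as e:
        return str(e)
```

A retry works because the new login page issues a fresh AuthnRequest in a session whose cookie the browser does send; the intermittent failure is the attempt where the cookie was missing or stale at the ACS POST.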

Similar issue here, but on shinyproxy-docker with AzureAD with SAML.