cancel
Showing results for 
Search instead for 
Did you mean: 

SAML assertion is invalid

Anthony_Epron
Nimbostratus
Nimbostratus

Hello,

 

I try to configure saml with Keycloak and APM.

 

I am correctly redirected to the login page of Keycloak but when I'm come back to F5 my session is deny.

 

When I check on logs I can see "SAML assertion is invalid, error: Id of InResponseTo should match id of authentication request".

 

Someone have an idea of why I have this message ?

 

Thanks in advance all !

 

1 REPLY 1

AlexBCT
MVP
MVP

Hi Anthony,

 

Have you got SAML tracer available by any chance? (https://chrome.google.com/webstore/detail/saml-tracer/mpdajninpobndbfcldcmbpnnbhibjmch?hl=en - also available for Firefox)

That should give you insight in what the exact message is that you're getting back from Keycloak. Have a look specifically at the "InResponseTo=" field in the response and compare it with the "ID=" field in the original request from the F5 to Keycloak.

 

There may be some more useful information here; https://support.f5.com/csp/article/K05876945

 

Hope this helps.