
Key: QB-3766
Type: Bug Bug
Status: Closed Closed
Resolution: Fixed
Priority: Major Major
Assignee: Robin Shen
Reporter: Thrasys Admin
Votes: 0
Watchers: 0
QuickBuild

SSO Exception with AzureAD Received invalid SAML response: The Response has an InResponseTo attribute: ONELOGIN....

Created: 26/Jul/21 05:26 PM   Updated: 29/Jul/21 11:14 PM
Component/s: None
Affects Version/s: 11.0.7
Fix Version/s: 11.0.10

Description
To recreate the "the Response has an InResponseTo attribute" error in the QB logs, leave QuickBuild at the login page for 40+ seconds
without logging in and then attempt to use SSO to log in.
I also sometimes get the error if I sign out of QuickBuild and then try to log back in quickly, but for the most part sign out / wait 40 seconds / try to log in seems to break it every time.

When it fails, the client then gets an error like this and is not logged into QB:
Message: invalid_response
The Response has an InResponseTo attribute: ONELOGIN_ea35ba25-0bcf-458f-b3fa-1e92574af60a while no InResponseTo was expected

Root cause:

com.pmease.quickbuild.QuickbuildException: invalid_response
The Response has an InResponseTo attribute: ONELOGIN_ea35ba25-0bcf-458f-b3fa-1e92574af60a while no InResponseTo was expected
at com.pmease.quickbuild.plugin.ssoprovider.saml.SamlProvider.processLoginResponse(SamlProvider.java:165)
at com.pmease.quickbuild.plugin.ssoprovider.saml.SamlProvider$$EnhancerByCGLIB$$501621d3.CGLIB$processLoginResponse$3(<generated>)
at com.pmease.quickbuild.plugin.ssoprovider.saml.SamlProvider$$EnhancerByCGLIB$$501621d3$$FastClassByCGLIB$$b6d7c027.invoke(<generated>)
at net.sf.cglib.proxy.MethodProxy.invokeSuper(MethodProxy.java:228)
at com.pmease.quickbuild.DefaultScriptEngine$Interpolator.intercept(DefaultScriptEngine.java:261)
at com.pmease.quickbuild.plugin.ssoprovider.saml.SamlProvider$$EnhancerByCGLIB$$501621d3.processLoginResponse(<generated>)
at com.pmease.quickbuild.web.page.SSOLoginPage.<init>(SSOLoginPage.java:36)
at jdk.internal.reflect.GeneratedConstructorAccessor160.newInstance(Unknown Source).....

If you click "Back to Dashboard" and try to log in again (within 40 seconds), it works fine and you are able to stay connected/logged into QB just fine. FYI - I was able to create this issue in QB10 as well as QB11.
These articles might be related:
https://confluence.atlassian.com/confkb/received-invalid-saml-response-the-response-has-an-inresponseto-attribute-onelogin_-abc-de-fg-while-no-inresponseto-was-expected-after-session-times-out-while-re-authenticating-to-azure-sso-1050548417.html

https://confluence.atlassian.com/jirakb/problems-with-logging-in-with-saml-1018774372.html

Thrasys Admin [29/Jul/21 10:50 PM]
Yes, that fixes this issue. Thanks.

Robin Shen [29/Jul/21 01:53 AM]
Looks like, for security reasons, Chrome does not allow a cookie to live for more than 1 minute when redirected back from other sites with POST requests. To solve the problem, the session tracking cookie will be regenerated at the time of clicking the "SSO login" button. The fix is released in QB 11.0.10:
https://build.pmease.com/build/5347

Please test if this works for you.
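
The failure mode described in the comment above, as an added example that is not part of this thread or of QuickBuild's code: a toy model of the SP-side InResponseTo check (the names `start_sso`, `process_login_response`, `simulate` and the in-memory `sessions` store are invented here) and of a browser that stops attaching an aged session cookie to the cross-site POST carrying the SAML Response, run once with an idle wait past the window and once with the cookie regenerated at click time.

```python
import secrets

# Constructed model (not QuickBuild's code) of the SP side of SP-initiated SAML login and of a
# browser that, as described in the thread, attaches the session cookie to a cross-site top-level
# POST only while the cookie is younger than a threshold (thread: ~1 minute; Chrome documents 2).
POST_COOKIE_WINDOW_SECONDS = 60
IDP_ROUND_TRIP_SECONDS = 5  # assumed time between the redirect to the IdP and its Response POST
sessions = {}  # session cookie value -> {"pending_request_id": ...}; constructed in-memory store

def new_session():
    sid = secrets.token_hex(16)
    sessions[sid] = {"pending_request_id": None}
    return sid

def start_sso(sid):
    """Mint an AuthnRequest ID and remember it in the session; the IdP echoes it as InResponseTo."""
    request_id = "ONELOGIN_" + secrets.token_hex(16)
    sessions[sid]["pending_request_id"] = request_id
    return request_id

def browser_sends_cookie_on_cross_site_post(cookie_set_at, now):
    return now - cookie_set_at <= POST_COOKIE_WINDOW_SECONDS

def process_login_response(sid, in_response_to):
    """Validate InResponseTo against the pending ID, as the toolkit message in the trace implies."""
    expected = sessions[sid]["pending_request_id"] if sid in sessions else None
    if expected is None:  # no session (cookie not presented) or no request pending
        raise ValueError(f"The Response has an InResponseTo attribute: {in_response_to} "
                         "while no InResponseTo was expected")
    if in_response_to != expected:
        raise ValueError("The InResponseTo of the Response does not match the ID of the AuthNRequest")
    sessions[sid]["pending_request_id"] = None  # a request ID is accepted once
    return sid

def simulate(idle_before_click, regenerate_cookie_on_click):
    """Login page loaded at t=0 (cookie set); user clicks 'SSO login' after idle_before_click s."""
    sid, cookie_set_at = new_session(), 0
    click_at = idle_before_click
    if regenerate_cookie_on_click:  # the fix the thread describes: fresh cookie at click time
        sid, cookie_set_at = new_session(), click_at
    request_id = start_sso(sid)
    post_at = click_at + IDP_ROUND_TRIP_SECONDS
    presented = sid if browser_sends_cookie_on_cross_site_post(cookie_set_at, post_at) else None
    try:
        process_login_response(presented, request_id)
        return "logged in"
    except ValueError as e:
        return "invalid_response: " + str(e)
```

With the cookie aged past the window the Response arrives with no session behind it, so the SP has no pending request ID and rejects the otherwise valid InResponseTo, which is exactly the message in the trace; regenerating the cookie at click time keeps it inside the window.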

Thrasys Admin [27/Jul/21 11:52 PM]
I believe it is the default:
1800

Robin Shen [27/Jul/21 11:07 PM]
Please check the QB system setting to see what the session timeout value is defined as.

Thrasys Admin [27/Jul/21 06:37 PM]
We have verified all those settings.
It works fine if you don't let the login page sit for 1 minute before clicking the SSO button.
It seems that after that it fails.
Then it works fine the second time.

Robin Shen [26/Jul/21 11:53 PM]
This normally happens when the URL currently being accessed is not the same as the one registered at the SAML side. Please make sure all of the below are the same:
1. The server URL specified in the system setting
2. The URL you are visiting
3. The URL you registered at the SAML side (plus various suffixes such as "sso-login" and "saml", of course)