[QB-3766] SSO Exception with AzureAD Received invalid SAML response: The Response has an InResponseTo attribute: ONELOGIN....
Status: | Closed |
Project: | QuickBuild |
Component/s: | None |
Affects Version/s: | 11.0.7 |
Fix Version/s: | 11.0.10 |
Type: | Bug | Priority: | Major |
Reporter: | Thrasys Admin | Assigned To: | Robin Shen |
Resolution: | Fixed | Votes: | 0 |
Remaining Estimate: | Unknown | Time Spent: | Unknown |
Original Estimate: | Unknown |
Description |
To recreate "the Response has an InResponseTo attribute" error in the QB logs by leaving QuickBuild at the login page for +40 seconds without logging in and then attempting to use SSO to log in. Also sometimes get the error if I sign out of QuickBuild and then try to log back in quickly, but for the most part sign out/wait 40 seconds/try to log in seems to break it every time.

When it fails, the client then gets an error like this and is not logged into QB:

Message: invalid_response The Response has an InResponseTo attribute: ONELOGIN_ea35ba25-0bcf-458f-b3fa-1e92574af60a while no InResponseTo was expected
Root cause: com.pmease.quickbuild.QuickbuildException: invalid_response The Response has an InResponseTo attribute: ONELOGIN_ea35ba25-0bcf-458f-b3fa-1e92574af60a while no InResponseTo was expected
    at com.pmease.quickbuild.plugin.ssoprovider.saml.SamlProvider.processLoginResponse(SamlProvider.java:165)
    at com.pmease.quickbuild.plugin.ssoprovider.saml.SamlProvider$$EnhancerByCGLIB$$501621d3.CGLIB$processLoginResponse$3(<generated>)
    at com.pmease.quickbuild.plugin.ssoprovider.saml.SamlProvider$$EnhancerByCGLIB$$501621d3$$FastClassByCGLIB$$b6d7c027.invoke(<generated>)
    at net.sf.cglib.proxy.MethodProxy.invokeSuper(MethodProxy.java:228)
    at com.pmease.quickbuild.DefaultScriptEngine$Interpolator.intercept(DefaultScriptEngine.java:261)
    at com.pmease.quickbuild.plugin.ssoprovider.saml.SamlProvider$$EnhancerByCGLIB$$501621d3.processLoginResponse(<generated>)
    at com.pmease.quickbuild.web.page.SSOLoginPage.<init>(SSOLoginPage.java:36)
    at jdk.internal.reflect.GeneratedConstructorAccessor160.newInstance(Unknown Source).....

If you click "Back to Dashboard" and try to log in again (within 40 seconds), it works fine and you are able to stay connected/logged into QB just fine.

FYI - I was able to create this issue in QB10 as well as QB11.

These articles might be related:
https://confluence.atlassian.com/confkb/received-invalid-saml-response-the-response-has-an-inresponseto-attribute-onelogin_-abc-de-fg-while-no-inresponseto-was-expected-after-session-times-out-while-re-authenticating-to-azure-sso-1050548417.html
https://confluence.atlassian.com/jirakb/problems-with-logging-in-with-saml-1018774372.html |
Comments |
Comment by Robin Shen [ 26/Jul/21 11:53 PM ] |
This normally happens when the URL currently being accessed is not the same as the one registered on the SAML side. Please make sure all of the below are the same:
1. The server URL specified in the system setting
2. The URL you are visiting
3. The URL you registered on the SAML side (plus various suffixes such as "sso-login" and "saml" of course) |
Comment by Thrasys Admin [ 27/Jul/21 06:37 PM ] |
We have verified all those settings.
It works fine if you don't let the login page sit for 1 minute before clicking the SSO button. Seems after that it fails. Then it works fine the second time. |
Comment by Robin Shen [ 27/Jul/21 11:07 PM ] |
Please check the QB system setting to see what the session timeout value is defined as. |
Comment by Thrasys Admin [ 27/Jul/21 11:52 PM ] |
I believe it is the default:
1800 |
Comment by Robin Shen [ 29/Jul/21 01:53 AM ] |
Looks like, for security reasons, Chrome does not allow a cookie to live for more than 1 minute when redirected back from other sites with POST requests. To solve the problem, the session tracking cookie will be re-generated at the time of clicking the "SSO login" button. The fix is released in QB 11.0.10:
https://build.pmease.com/build/5347
Please test if this works for you. |
Comment by Thrasys Admin [ 29/Jul/21 10:50 PM ] |
Yes, that fixes this issue. Thanks. |
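
The failure and the fix described in the 29/Jul/21 comment, modeled as an added example (not QuickBuild's or the SAML toolkit's code): the service provider keeps the pending AuthnRequest ID in the session, so a response that arrives without the session cookie fails the InResponseTo check. All class and function names are hypothetical, and the 60-second cookie-age limit is an assumption taken from that comment.

```python
import uuid

# Assumption: the one-minute limit quoted in the 29/Jul/21 comment, as a constant.
CROSS_SITE_POST_MAX_COOKIE_AGE = 60  # seconds

class ServiceProvider:
    """Toy SP: server-side sessions keyed by cookie value (hypothetical names)."""

    def __init__(self):
        self.sessions = {}

    def new_cookie(self, now, session=None):
        cookie = {"value": uuid.uuid4().hex, "issued_at": now}
        self.sessions[cookie["value"]] = session if session is not None else {}
        return cookie

    def start_sso(self, cookie, now, regenerate_cookie):
        if regenerate_cookie:
            # The fix: issue a fresh tracking cookie when "SSO login" is clicked.
            cookie = self.new_cookie(now, self.sessions.pop(cookie["value"]))
        request_id = "ONELOGIN_" + str(uuid.uuid4())  # ID of the AuthnRequest
        self.sessions[cookie["value"]]["pending_request_id"] = request_id
        return cookie, request_id

    def process_login_response(self, cookie_value, in_response_to):
        # No cookie means no session, so no request ID is on record.
        expected = self.sessions.get(cookie_value, {}).pop("pending_request_id", None)
        if expected is None:
            raise ValueError(f"The Response has an InResponseTo attribute: "
                             f"{in_response_to} while no InResponseTo was expected")
        if in_response_to != expected:
            raise ValueError("InResponseTo does not match the pending request")
        return "logged in"

def browser_sends_cookie(cookie, now):
    """Model of the browser rule: only a young cookie rides on a cross-site POST."""
    return now - cookie["issued_at"] <= CROSS_SITE_POST_MAX_COOKIE_AGE

def login_flow(idle_seconds, regenerate_cookie, idp_round_trip=5):
    sp = ServiceProvider()
    cookie = sp.new_cookie(now=0)  # login page loaded at t=0
    cookie, request_id = sp.start_sso(cookie, idle_seconds, regenerate_cookie)
    posted_at = idle_seconds + idp_round_trip  # IdP POSTs the response back
    sent = cookie["value"] if browser_sends_cookie(cookie, posted_at) else None
    try:
        return sp.process_login_response(sent, request_id)
    except ValueError as err:
        return str(err)
```

Because the pending ID is popped when it is checked, a second response carrying the same InResponseTo value is also rejected, which is the replay protection this attribute exists to provide.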