
/saml/acs returns error InResponseTo does not match any of the possible request IDs #214

Closed
novalagung opened this issue Aug 6, 2019 · 2 comments

Comments

@novalagung
Contributor

novalagung commented Aug 6, 2019

I use crewjam/saml in my application. It is working: when I access the privileged endpoints, I am automatically redirected to the SAML authentication page. I log in there, and then this error occurs.

FYI, it works fine when I use samltest, but when I use my IdP metadata, the error below appears.

2019-08-05T11:37:24Z ---> incoming request from 10.6.162.138:50486 POST /saml/acs
2019/08/05 11:39:52 ... invalid token signature is invalid
2019/08/05 11:39:52 RESPONSE: ===
<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:dsig="http://www.w3.org/2000/09/xmldsig#" xmlns:enc="http://www.w3.org/2001/04/xmlenc#" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:x500="urn:oasis:names:tc:SAML:2.0:profiles:attribute:X500" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" Destination="https://internal-development-elb-app-external-2071421016.eu-west-1.elb.amazonaws.com/saml/acs" ID="id-WHdd7WDP1VG2I-oFMsrRZq--W4TIhRwHPJj1YmnI" InResponseTo="id-3ba9e72c77c98df838ccb584ac7214ff0e340de5" IssueInstant="2019-08-05T11:39:49Z" Version="2.0">
    <saml:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">https://oamsit.global.standardchartered.com/oam/fed</saml:Issuer>
    <dsig:Signature>
        <dsig:SignedInfo>
            <dsig:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
            <dsig:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
            <dsig:Reference URI="#id-WHdd7WDP1VG2I-oFMsrRZq--W4TIhRwHPJj1YmnI">
                <dsig:Transforms>
                    <dsig:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
                    <dsig:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
                </dsig:Transforms>
                <dsig:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
                <dsig:DigestValue>m2n1bQLWL3NYD9Emg67mE2/99gw=</dsig:DigestValue>
            </dsig:Reference>
        </dsig:SignedInfo>
        <dsig:SignatureValue>bla1HOyZv8Hx+a4Q/zLbEre8tk1NRm1448sVNeS1zdH2U5EYBd1+oYUFS3iF6X2Q/dp1l+4qlWzkSLIxknB8wyp71rbKxYQ+q4PpxbXMQF9Hbp+2d2K4Yt9y7Xr1ZZQwpFBg7pGM+zFVgAqMK8iyNaCJw8hAyY+HXaJ26LjW87uhMiiPWJ/2tWPov8rm5cIjWKpzjXYlhc35YJ0jTZdfka0FMC1jEdQfLbwDs5WwoVTE2seEsI8KgQScUO8VAWb68dn/WCvAE+o6ZjwPTcQuYjeyIKOvNzUE7SIJXKJo+XZWhps8/s4zFUCth1Er0bKTzrAVSBLudXGynEDK/XAl/g==</dsig:SignatureValue>
    </dsig:Signature>
    <samlp:Status>
        <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Requester">
            <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:InvalidNameIDPolicy" />
        </samlp:StatusCode>
    </samlp:Status>
</samlp:Response>
===
NOW: 2019-08-05 11:39:52.348786943 +0000 UTC
ERROR: `InResponseTo` does not match any of the possible request IDs (expected [id-e8243e71024e54d3f6ced56aff66377988624129])

This is what my saml setup looks like:

// Service-provider options: the SP's own signing key and certificate plus the IdP metadata.
option := samlsp.Options{}
option.URL = *rootURL
option.Key = keyPair.PrivateKey.(*rsa.PrivateKey)
// keyPair.Leaf must be a parsed *x509.Certificate. In Go versions before 1.23,
// tls.LoadX509KeyPair leaves Leaf nil, so parse keyPair.Certificate[0] with
// x509.ParseCertificate before this line or Certificate will be nil.
option.Certificate = keyPair.Leaf
option.IDPMetadata = idpMetadata

saml, err := samlsp.New(option)
if err != nil {
    // log.Fatal exits the process; no return is needed after it.
    log.Fatal("SAML Error:", err.Error())
}

Additional information that may help:

  • in my application, I had to install 4 certificates on the server; the certificates are provided by the IdP
  • the application is deployed across multiple instances behind an ELB

What should I do to solve this issue?

@novalagung novalagung changed the title from "/saml/acs returns error invalid token signature is invalid" to "/saml/acs returns error InResponseTo does not match any of the possible request IDs" on Aug 6, 2019
@novalagung
Contributor Author

This happens when the SP uses SAML 2.0 but the IdP uses SAML 1.1.
#217
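The logged Response in the issue body is not a failed signature or a replayed message: it is a status-only response in which the IdP refused the request (StatusCode Requester, nested InvalidNameIDPolicy), which is consistent with the SAML 1.1 / 2.0 NameID format mismatch named in the follow-up. The library surfaced the InResponseTo mismatch instead, so the IdP's own verdict was buried in the dump. The Go program below is an added example, not code from the issue or from crewjam/saml: it parses such a response, flattens the nested status codes, and checks InResponseTo against the outstanding request IDs, reporting the IdP status before the correlation failure. The type layout, function names and the `Diagnosis` struct are this example's own; the sample input is a copy of the logged response with the dsig:Signature element removed, because this code does no signature verification and must only be used to explain a failure, never to accept one.

```go
package main

import (
	"encoding/xml"
	"fmt"
	"strings"
)

// sampleResponse is a constructed copy of the failed samlp:Response logged in the
// issue, with the dsig:Signature element removed (this diagnostic does not verify it).
const sampleResponse = `<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" Destination="https://internal-development-elb-app-external-2071421016.eu-west-1.elb.amazonaws.com/saml/acs" ID="id-WHdd7WDP1VG2I-oFMsrRZq--W4TIhRwHPJj1YmnI" InResponseTo="id-3ba9e72c77c98df838ccb584ac7214ff0e340de5" IssueInstant="2019-08-05T11:39:49Z" Version="2.0">
    <saml:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">https://oamsit.global.standardchartered.com/oam/fed</saml:Issuer>
    <samlp:Status>
        <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Requester">
            <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:InvalidNameIDPolicy" />
        </samlp:StatusCode>
    </samlp:Status>
</samlp:Response>`

// successResponse is a constructed minimal success-status response used to show
// the "nothing wrong" path; it is not from the issue.
const successResponse = `<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="id-ok" InResponseTo="id-3ba9e72c77c98df838ccb584ac7214ff0e340de5" Version="2.0">
    <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success" /></samlp:Status>
</samlp:Response>`

const statusSuccess = "urn:oasis:names:tc:SAML:2.0:status:Success"

// StatusCode models samlp:StatusCode; SAML 2.0 allows one nested second-level code
// (here InvalidNameIDPolicy under Requester), so the element refers to itself.
type StatusCode struct {
	Value      string      `xml:"Value,attr"`
	StatusCode *StatusCode `xml:"StatusCode"`
}

// Response is a minimal view of samlp:Response: just the fields needed to correlate
// it with an AuthnRequest and read the IdP's status. Example types, not crewjam/saml's.
type Response struct {
	XMLName      xml.Name `xml:"urn:oasis:names:tc:SAML:2.0:protocol Response"`
	ID           string   `xml:"ID,attr"`
	InResponseTo string   `xml:"InResponseTo,attr"`
	Destination  string   `xml:"Destination,attr"`
	Issuer       string   `xml:"urn:oasis:names:tc:SAML:2.0:assertion Issuer"`
	Status       struct {
		StatusCode StatusCode `xml:"StatusCode"`
	} `xml:"Status"`
}

// StatusCodes flattens the nested status chain, top level first.
func (r *Response) StatusCodes() []string {
	if r.Status.StatusCode.Value == "" {
		return nil
	}
	var codes []string
	for c := &r.Status.StatusCode; c != nil; c = c.StatusCode {
		codes = append(codes, c.Value)
	}
	return codes
}

// Diagnosis is what an operator needs to see when the ACS rejects a response.
type Diagnosis struct {
	InResponseToOK bool
	StatusCodes    []string
	Problems       []string
}

// Diagnose parses raw and explains why it would be rejected, given the request IDs
// the SP still has outstanding. It reads the document only; it performs no signature
// check, so its output is for logging, never for granting a session.
func Diagnose(raw string, possibleRequestIDs []string) (Diagnosis, error) {
	var resp Response
	if err := xml.Unmarshal([]byte(raw), &resp); err != nil {
		return Diagnosis{}, fmt.Errorf("parse response: %w", err)
	}
	d := Diagnosis{StatusCodes: resp.StatusCodes()}
	for _, id := range possibleRequestIDs {
		if resp.InResponseTo == id {
			d.InResponseToOK = true
			break
		}
	}
	// Report the IdP's verdict first: a non-Success status carries no assertion,
	// so the request itself (e.g. its NameIDPolicy) is what needs fixing.
	if len(d.StatusCodes) == 0 || d.StatusCodes[0] != statusSuccess {
		d.Problems = append(d.Problems, "IdP returned failure status "+strings.Join(d.StatusCodes, " / "))
	}
	// On a Success response with a valid signature this mismatch is the check that
	// stops replayed or unsolicited responses, so it must stay fatal in the SP.
	if !d.InResponseToOK {
		d.Problems = append(d.Problems, fmt.Sprintf("InResponseTo %q matches none of the expected request IDs %v", resp.InResponseTo, possibleRequestIDs))
	}
	return d, nil
}

func main() {
	d, err := Diagnose(sampleResponse, []string{"id-e8243e71024e54d3f6ced56aff66377988624129"})
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	for _, p := range d.Problems {
		fmt.Println("-", p)
	}
}
```

Run as-is and it lists the status failure (Requester / InvalidNameIDPolicy) ahead of the InResponseTo mismatch for the request ID the SP expected in the issue; with the matching ID only the status problem remains, and a Success response with a matching ID yields no problems at all.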

@crewjam
Owner

crewjam commented Oct 29, 2019

Thanks for reporting this. Closing because #217 was merged. Please re-open if that is incorrect.

@crewjam crewjam closed this as completed Oct 29, 2019