|Applies To||RSA Product Set: SecurID Access|
RSA Product/Service Type: Cloud Authentication Service, Identity Router
|Issue||A SAML assertion unexpectedly contains no InResponseTo field and is rejected by the requesting Service Provider.|
The IDR's /var/log/symplified.log contains errors similar to the example below.
|Cause||The SAML Binding Method (POST or Redirect) is configured inconsistently between the Service Provider (SP) and the Cloud Authentication Service's application configuration.|
The IDR rejects the SAML authentication request and treats the scenario as IdP-initiated (thus no InResponseTo field).
|Resolution||Ensure that the SAML binding method that the 3rd Party application (SP) is using (POST or Redirect) is also configured in the Administration Console Application -> My Applications -> Edit -> Connection Profile -> Binding Method for SAML Request.|
|Notes||Alternatively, configuring the 3rd Party application as a Relying Party will not encounter this issue as incoming SAML requests are processed with either SAML binding method.|
Reference the section on Relying Parties in the RSA SecurID Access Cloud Authentication Service documentation.