Sustainsys / Saml2

Saml2 Authentication services for ASP.NET

Troubleshooting unsolicited responses #1385

Closed krompaco closed 1 year ago

krompaco commented 1 year ago

Microsoft.Owin packages are 4.2.1 and site is using:

<package id="Sustainsys.Saml2" version="2.9.0" targetFramework="net48" />
<package id="Sustainsys.Saml2.Owin" version="2.9.0" targetFramework="net48" />

When investigating traffic that gets the _?error=accessdenied query string, and turning on logging, it looks like these are the exceptions that correlate: Sustainsys.Saml2.Exceptions.Saml2ResponseFailedValidationException: Unsolicited responses are not allowed for idp

We have logging using Application Insights and custom events sent that show that these can be a bit random; it seems like users that get these log entries can also try again and authenticate successfully, or have succeeded before.

Going through occurrences, it seems like it's mainly WebKit browsers that receive this. It's very odd to see Firefox going through the occurrences, but that might just be the current browser trend.

We have some custom code both in AuthenticationRequestCreated and in AcsCommandResultCreated, and we need to call some APIs in the latter that sometimes need a couple of seconds.

I'm hoping for some suggestions and pointers on what to look for more and good places to add more logging.

Thanks!

AndersAbel commented 1 year ago

Please turn up the log levels so that you get the full SAML response in the logs. Once you have a complete SAML response together with the error message, it is easier to investigate.

To me, it looks like an IdP is sending SAML responses without an InResponseTo attribute set.
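As an added illustration of the check behind that error (this is example code written for this page, not code from the thread or from Sustainsys.Saml2): a small triage script that takes a logged SAML Response, reads its InResponseTo attribute, and classifies the message the way an SP must before trusting it. A response with no InResponseTo is unsolicited (IdP-initiated); one whose InResponseTo matches an AuthnRequest the SP still has outstanding is solicited; one that names a request id the SP does not know is a third case worth logging separately, since it points at lost or expired request state rather than at the IdP's behaviour. The two SAML responses below are constructed samples, and the set of outstanding request ids is assumed to come from whatever store the SP keeps them in.

```python
import xml.etree.ElementTree as ET

SAMLP_NS = "urn:oasis:names:tc:SAML:2.0:protocol"
RESPONSE_TAG = "{%s}Response" % SAMLP_NS

# Constructed sample: a response that answers a request the SP issued.
SOLICITED_RESPONSE = """<samlp:Response
    xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    ID="_resp-constructed-1" Version="2.0"
    IssueInstant="2023-01-01T00:00:00Z"
    Destination="https://sp.example.test/Saml2/Acs"
    InResponseTo="id-constructed-request-1">
  <samlp:Status>
    <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
  </samlp:Status>
</samlp:Response>"""

# Constructed sample: same shape, but the IdP set no InResponseTo at all.
UNSOLICITED_RESPONSE = """<samlp:Response
    xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    ID="_resp-constructed-2" Version="2.0"
    IssueInstant="2023-01-01T00:00:00Z"
    Destination="https://sp.example.test/Saml2/Acs">
  <samlp:Status>
    <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
  </samlp:Status>
</samlp:Response>"""


def classify_response(xml_text, outstanding_request_ids):
    """Return 'solicited', 'unsolicited' or 'unknown-request' for one SAML Response.

    outstanding_request_ids is the set of AuthnRequest IDs the SP has sent and
    not yet seen answered (assumed to come from the SP's own request store).
    """
    root = ET.fromstring(xml_text)
    if root.tag != RESPONSE_TAG:
        raise ValueError("not a samlp:Response element: %s" % root.tag)

    in_response_to = root.get("InResponseTo")
    if in_response_to is None:
        # No reference to any request: an IdP-initiated (unsolicited) response.
        # An SP that only allows SP-initiated flows must reject this.
        return "unsolicited"
    if in_response_to in outstanding_request_ids:
        # Correlates with a request this SP issued: the normal SP-initiated case.
        return "solicited"
    # The IdP did reference a request, but it is not one this SP still knows
    # about (expired, already consumed, or issued by another instance).
    return "unknown-request"


def triage_log(entries, outstanding_request_ids):
    """Classify a batch of (label, xml) log entries and count each outcome."""
    counts = {"solicited": 0, "unsolicited": 0, "unknown-request": 0}
    details = []
    for label, xml_text in entries:
        kind = classify_response(xml_text, outstanding_request_ids)
        counts[kind] += 1
        details.append((label, kind))
    return counts, details


if __name__ == "__main__":
    outstanding = {"id-constructed-request-1"}
    sample_log = [
        ("user-a", SOLICITED_RESPONSE),
        ("user-b", UNSOLICITED_RESPONSE),
    ]
    totals, rows = triage_log(sample_log, outstanding)
    for label, kind in rows:
        print("%s: %s" % (label, kind))
    print(totals)
```

Running the script over real log output (with the full response logged, as suggested above) separates responses the IdP sent with no InResponseTo from responses that reference a request id the SP has already forgotten; the first is an IdP configuration question, the second points at the SP's own request-state handling.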