SAML response state does not have corresponding request id

We have SAML auth configured for 3 of our ES clusters. When SSO'ing to Kibana, we sometimes get a 401 "access token expired" error. Retrying the SSO will give us a different 401, "SAML response state does not have corresponding request id."

Any further attempts to SSO will give us the same error. The only workaround we have found is to clear cookies for the found.io domain. After clearing cookies, SSO works normally.

This happens every couple days for each of our clusters. Is there a problem with our configuration that is causing this? How do we resolve it?

In case it is useful, here is the full text of the first error message:
{"statusCode":401,"error":"Unauthorized","message":"[security_exception] token expired, with { header={ WWW-Authenticate=\"Bearer realm=\\\"security\\\", error=\\\"invalid_token\\\", error_description=\\\"The access token expired\\\"\" } }"}

And the second error message:
{"statusCode":401,"error":"Unauthorized","message":"SAML response state does not have corresponding request id."}

The relevant ES configuration:
xpack.security.authc.realms.saml.saml1:
order: 2
idp.metadata.path: "https://portal.sso.us-east-2.amazonaws.com/saml/metadata/[REDACTED]"
idp.entity_id: "https://portal.sso.us-east-2.amazonaws.com/saml/assertion/[REDACTED]"
sp.entity_id: "https://[REDACTED].us-east-1.aws.found.io/"
sp.acs: "https://[REDACTED].us-east-1.aws.found.io/api/security/v1/saml"
sp.logout: "https://[REDACTED].us-east-1.aws.found.io/logout"
attributes.principal: "nameid"

And the relevant Kibana configuration:
xpack.security.authc.providers: [saml, basic]
server.xsrf.whitelist: [/api/security/v1/saml]
xpack.security.authc.saml.realm: saml1

What version are you on @Jesse_Bye? This

When SSO'ing to Kibana, we sometimes get a 401 "access token expired" error.

sounds like https://github.com/elastic/kibana/issues/59629 that we resolved recently and will be released in the next version. But refreshing the page should have resolved the issue when you come across it, not lead to the next error you're seeing.

If you can open a support ticket so that you can share your debug kibana logs and the elasticsearch trace logs for SAML , we will be able to give you a more qualified RCA.

Hmm, that does seem similar to our problem, except refreshing doesn't resolve it. We're on v7.7.0; should it be fixed on that version? Or only v7.7.1 and greater?

Also, I tried creating a support ticket for this before and they redirected me here :slight_smile:

Apologies for that @Jesse_Bye, I wasn't aware that you had already gone via support.

We just merged the fixes after 7.7.0 was releases so this fix should be available in the next minor or patch release that is released

1 Like

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.