CAS SAML2 Integration Issue with Amazon Cognito (InResponseTo mismatch)


Arkady Keppert

Jun 23, 2026, 9:18:13 AM (2 days ago) Jun 23
to CAS Community
Hello everyone,

I'm experiencing an issue with a SAML2 integration and I’ve run out of ideas on what might be wrong.
Setup I am using:

Apereo CAS 7.3.7
Acting as SAML Identity Provider (IdP)
Behind HAProxy
Integrating with Amazon Cognito as the Service Provider (SP)

They provided the following configuration:
Audience URI (EntityID):
urn:amazon:cognito:sp:us-west-2_xxxxxxx
Assertion Consumer Service (ACS) URL: https://xxx-xxxx.login.moodys.com/saml2/idpresponse

Required SAML Attributes
The SP requires the following attributes (case-sensitive):
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress → user email (required)
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname → first name (required)
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname → last name (required)
http://schemas.xmlsoap.org/claims/Group → groups (recommended)
corp_id → optional identifier
Flow description

The login flow is as follows:
1. I open a login link provided by Cognito.
2. I enter my email address.
3. Cognito redirects me to CAS for authentication.
4. I successfully authenticate in CAS.
5. After successful authentication, Cognito returns an error:
"message": "An error occured during federate callback. Error: 'server_error',
ErrorDescription: 'Invalid SAML response received: InResponseTo attribute in the SAML response does not match the ID that was sent with the SAML authentication request'"
CAS logs warning

I also see the following warning in CAS logs:
WARN [org.opensaml.saml.common.binding.SAMLBindingSupport] -
Relay state exceeds 80 bytes:
[REDACTED - long encoded SAML state]

CAS SAML service configuration
{
  "@class": "org.apereo.cas.support.saml.services.SamlRegisteredService",

  "serviceId": "urn:amazon:cognito:sp:us-west-2_xxxxxxx",
  "name": "Moodys",
  "id": 33,
  "evaluationOrder": 33,

  "description": "Moody's SAML Integration",

  "metadataLocation": "file:/etc/cas/saml/sp-metadata/moodys.xml",

  "skipGeneratingSubjectConfirmationInResponseTo": true,

  "signAssertions": true,
  "signResponses": true,
  "encryptAssertions": false,

  "attributeReleasePolicy": {
    "@class": "org.apereo.cas.services.ReturnMappedAttributeReleasePolicy",
    "allowedAttributes": {
      "@class": "java.util.TreeMap",
      "email": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress",
      "imie": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname",
      "nazwisko": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname"
    }
  }
}

At the beginning, the SP did not want to provide metadata. Instead, they asked whether I could simply configure the ACS URL directly in the CAS service definition.

Later, they provided a metadata file generated using:
https://www.samltool.com/sp_metadata.php

<?xml version="1.0" encoding="UTF-8"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
                     entityID="urn:amazon:cognito:sp:us-west-2_xxxxxxx">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
    <md:AssertionConsumerService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://xxxx-xxxx.login.moodys.com/saml2/idpresponse"
        index="0"
        isDefault="true"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>

I'm running out of ideas about what could be wrong.
It seems that CAS successfully authenticates the user, but Cognito fails during the SAML callback with:
InResponseTo attribute in the SAML response does not match the ID that was sent with the SAML authentication request
Has anyone experienced a similar issue with CAS acting as IdP and Amazon Cognito as SP, especially in an IdP-initiated flow?
Any hints would be greatly appreciated.

I also have several other SAML integrations configured in CAS that work without any issues, so the CAS SAML setup in general is functional.

Ray Bon

Jun 23, 2026, 1:34:44 PM (2 days ago) Jun 23
to cas-...@apereo.org
Arkady,

Use a browser plugin, like SAMLtracer, to see what is in the authn request and response.

Ray
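One way to do the comparison Ray suggests, as an added example that is not from the thread, from CAS or from Cognito: take the decoded AuthnRequest and Response captured by the tracer and compare the request ID against both places an SP may look for InResponseTo, the Response element and the bearer SubjectConfirmationData. The XML, IDs and hosts below are constructed placeholders; the sample response has no InResponseTo on SubjectConfirmationData, which is what the posted service definition's skipGeneratingSubjectConfirmationInResponseTo flag appears, by its name, to produce, and what a strict SP would reject.

```python
"""Verify that a SAML Response echoes the AuthnRequest ID everywhere an SP may
check it. Added example with constructed XML; IDs, hosts and entity IDs are
placeholders, not the poster's real traffic."""
import xml.etree.ElementTree as ET

SAML = "urn:oasis:names:tc:SAML:2.0:assertion"

# Constructed SP-initiated AuthnRequest (Cognito-style), as captured from the browser.
AUTHN_REQUEST = """<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  ID="_req-placeholder-123" Version="2.0" IssueInstant="2026-06-23T07:00:00Z"
  AssertionConsumerServiceURL="https://sp.example.test/saml2/idpresponse"/>"""

# Constructed IdP Response: the Response element echoes the request ID, but the
# SubjectConfirmationData omits InResponseTo (what skipping it at the IdP looks like).
RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
  ID="_resp-placeholder-456" InResponseTo="_req-placeholder-123" Version="2.0"
  Destination="https://sp.example.test/saml2/idpresponse">
  <saml:Assertion ID="_assertion-placeholder-789" Version="2.0">
    <saml:Subject>
      <saml:NameID>user@example.test</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData Recipient="https://sp.example.test/saml2/idpresponse"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
  </saml:Assertion>
</samlp:Response>"""


def request_id(authn_request_xml):
    """ID attribute of the AuthnRequest; the SP stores it and expects it echoed."""
    return ET.fromstring(authn_request_xml).get("ID")


def in_response_to_slots(response_xml):
    """Every InResponseTo an SP may validate: the Response element itself and
    each bearer SubjectConfirmationData. Missing attributes come back as None."""
    root = ET.fromstring(response_xml)
    slots = {"Response": root.get("InResponseTo")}
    path = f".//{{{SAML}}}SubjectConfirmationData"
    for i, scd in enumerate(root.iterfind(path)):
        slots[f"SubjectConfirmationData[{i}]"] = scd.get("InResponseTo")
    return slots


def mismatches(response_xml, authn_request_xml):
    """Slots whose InResponseTo is absent or differs from the request ID."""
    expected = request_id(authn_request_xml)
    return [slot for slot, val in in_response_to_slots(response_xml).items()
            if val != expected]
```

An empty list from mismatches() means the response is bound to the request in both slots; any slot it names is where the SP's "does not match" check can fail.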
