saml-2.0 shibboleth pingfederate

ERROR: `InResponseTo` does not match any of the possible request IDs (expected [])


I'm configuring a PingFederate IdP with a Shibboleth Service Provider. When I click on the SSO Application Endpoint in the SP connection of Ping, after entering the username and password, I get this error message in my SP logs:

ERROR: InResponseTo does not match any of the possible request IDs (expected [])

The response does not have an InResponseTo attribute. What could be causing this error?


Solution

  • Using the link at the top of the SP connection will start an IdP-initiated SSO transaction. By spec, IdP-initiated responses are considered "unsolicited responses", and cannot contain InResponseTo. You will need to fix your SP so that it requires InResponseTo only when your SP initiates the transaction.
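The distinction drawn in the answer, as an added example (not Shibboleth or PingFederate code): an SP-side check that accepts a response without `InResponseTo` only when policy allows unsolicited responses, and otherwise requires a match against the SP's outstanding request IDs. The function names, the `allow_unsolicited` flag and the sample IDs are hypothetical, and the sample responses are constructed and unsigned.

```python
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

def make_response(in_response_to=None):
    """Build a constructed, unsigned SAML Response used only as demo input."""
    attr = f' InResponseTo="{in_response_to}"' if in_response_to else ""
    return (f'<samlp:Response xmlns:samlp="{NS["samlp"]}" xmlns:saml="{NS["saml"]}"'
            f' ID="_r1" Version="2.0"{attr}><saml:Assertion ID="_a1" Version="2.0">'
            f'<saml:Subject><saml:SubjectConfirmation'
            f' Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">'
            f'<saml:SubjectConfirmationData{attr}/></saml:SubjectConfirmation>'
            f'</saml:Subject></saml:Assertion></samlp:Response>')

def check_in_response_to(xml_text, pending_ids, allow_unsolicited):
    """Return (accepted, reason).

    pending_ids: set of AuthnRequest IDs this SP issued and has not yet seen
    answered. An empty set is the "(expected [])" case from the log message.
    A real SP verifies the signature with a hardened XML parser before this step.
    """
    root = ET.fromstring(xml_text)
    # Collect InResponseTo from the Response and every SubjectConfirmationData.
    values = {root.get("InResponseTo")}
    for scd in root.iterfind(".//saml:SubjectConfirmationData", NS):
        values.add(scd.get("InResponseTo"))

    if values == {None}:
        # No InResponseTo anywhere: an unsolicited (IdP-initiated) response.
        if allow_unsolicited:
            return True, "unsolicited response accepted by policy"
        return False, "unsolicited response rejected by policy"

    # Assumed strict policy: a solicited response carries one consistent value.
    if None in values or len(values) != 1:
        return False, "inconsistent InResponseTo values"

    (request_id,) = values
    if request_id not in pending_ids:
        return False, "InResponseTo does not match any outstanding request"
    pending_ids.discard(request_id)  # consume so the same ID cannot be replayed
    return True, "solicited response matched request " + request_id

if __name__ == "__main__":
    print(check_in_response_to(make_response(), set(), True))
    print(check_in_response_to(make_response("_req123"), {"_req123"}, False))
```
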