FortiEDR
FortiEDR automates the protection against advanced threats, pre and post-execution, with real time orchestrated incident response functionality.
rduggal_FTNT
Staff
Article Id 291078
Description This article describes how to resolve SAML login failures in which a SAML tracer shows the error 'InResponseToField of the Response doesn't correspond to sent message'.
Scope This specifically affects environments with an on-premises FortiEDR Central Manager as the SP (service provider) and FortiAuthenticator as the IdP (identity provider).
Solution

The principal (the end user's browser) makes a request to the service provider. The service provider then redirects the principal to the identity provider with an authentication request. The identity provider returns a SAML response containing an assertion to the service provider, and the service provider can then send its own response to the principal. If the principal was not already logged in, the identity provider may prompt for credentials before sending the SAML assertion.

Because of this workflow, the URL the principal uses for the initial request to the SP and the URLs in the SP metadata uploaded to the IdP must use the same form of host name: both an IP address, or both an FQDN. The IdP addresses its response to the host recorded in the metadata, so a mismatch means the response arrives for a different host than the one the SP issued its request from, and the SP cannot match the InResponseTo value to the request it sent.


Example:

  • The principal makes a request to the SP using the IP address https://10.0.0.1.
  • If the entity ID in the uploaded SP metadata is in FQDN form, such as https://fortiedr.lab.local, the assertion response will refer to the FQDN rather than to the IP address of the original request. As a result, the response does not correspond to the initial request the principal sent to the SP, and the tracer reports the InResponseTo error.
  • There are two options to work around this issue:
  1. Edit the metadata file downloaded from the SP and change the FQDN to the IP address that the principal will use to access the FortiEDR Central Manager, then upload the edited file to FortiAuthenticator.
  2. Open the metadata file downloaded from the SP, note the FQDN it contains, and publish an A record for that FQDN on the internal DNS server. Access the FortiEDR Central Manager by the FQDN instead of by IP address, so that the request and the response refer to the same host.
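The following script is an added example and is not Fortinet's code. It shows the check a practitioner would run before uploading SP metadata to the IdP: it parses the entityID and AssertionConsumerService Location out of the metadata, compares their host with the URL the principal uses to reach the SP, and, for workaround 1, rewrites the host to the chosen IP address. The sample metadata, the host fortiedr.lab.local and the address 10.0.0.1 are constructed for illustration; the element names and namespace are the standard SAML 2.0 metadata ones.

```python
"""Check and optionally rewrite the host in SAML SP metadata.

Added example (not Fortinet's code). It verifies that the entityID and the
AssertionConsumerService Location in SP metadata use the same host as the URL
the browser uses to reach the SP, and can rewrite that host for workaround 1.
The sample metadata and host names below are constructed for illustration.
"""
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit, urlunsplit

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
ET.register_namespace("md", MD_NS)

# Constructed sample: SP metadata exported with an FQDN entity ID and ACS URL.
SAMPLE_SP_METADATA = f"""<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="{MD_NS}" entityID="https://fortiedr.lab.local/saml/metadata">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://fortiedr.lab.local/saml/acs" index="0"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
"""


def _url_host(url: str) -> str:
    """Lower-cased host part of a URL ('' if the value is not a URL)."""
    return (urlsplit(url).hostname or "").lower()


def sp_hosts(metadata_xml: str) -> dict:
    """Return {'entityID': host, 'acs': [host, ...]} from SP metadata."""
    root = ET.fromstring(metadata_xml)
    acs = root.findall(f".//{{{MD_NS}}}AssertionConsumerService")
    return {
        "entityID": _url_host(root.get("entityID", "")),
        "acs": [_url_host(e.get("Location", "")) for e in acs],
    }


def check_host_consistency(metadata_xml: str, principal_url: str) -> list:
    """Return mismatch descriptions; an empty list means the hosts agree.

    A mismatch means the IdP will address its Response to a host other than
    the one the browser started on, which is the situation behind the
    'InResponseToField ... doesn't correspond' tracer error described above.
    """
    want = _url_host(principal_url)
    hosts = sp_hosts(metadata_xml)
    problems = []
    if hosts["entityID"] != want:
        problems.append(f"entityID host {hosts['entityID']!r} != principal host {want!r}")
    for h in hosts["acs"]:
        if h != want:
            problems.append(f"ACS Location host {h!r} != principal host {want!r}")
    return problems


def rewrite_hosts(metadata_xml: str, new_host: str) -> str:
    """Workaround 1: replace the host in entityID and every ACS Location.

    Only the host is changed; scheme, port, path and query are preserved.
    """
    def swap(url: str) -> str:
        parts = urlsplit(url)
        netloc = new_host if parts.port is None else f"{new_host}:{parts.port}"
        return urlunsplit((parts.scheme, netloc, parts.path, parts.query, parts.fragment))

    root = ET.fromstring(metadata_xml)
    root.set("entityID", swap(root.get("entityID", "")))
    for e in root.findall(f".//{{{MD_NS}}}AssertionConsumerService"):
        e.set("Location", swap(e.get("Location", "")))
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    principal = "https://10.0.0.1"          # constructed: how the browser reaches the SP
    for p in check_host_consistency(SAMPLE_SP_METADATA, principal):
        print("MISMATCH:", p)
    fixed = rewrite_hosts(SAMPLE_SP_METADATA, "10.0.0.1")
    print(check_host_consistency(fixed, principal) or "metadata now matches the principal URL")
```

Run the check against the metadata actually exported from the Central Manager and the exact URL users type in; an empty result means option 1 is not needed, while any mismatch should be fixed either by rewriting the hosts as above or by switching users to the FQDN (option 2). If an SP's entityID is an opaque URI rather than a URL, rewrite only the ACS Location and leave the entityID alone, since the IdP matches it against the Issuer the SP sends.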


If issues persist after applying one of these workarounds, open a new technical support ticket for further assistance: Fortinet Support.