Processing of SAML messages and assertions is often limited to a specific time window which e.g. prevents possibilities of replay attacks. Validation of messages can fail when internal clocks of the IDP and SP machines are not synchronized. Make sure to use a time synchronization service on all systems in the federation.

Make sure that application uses the same HttpSession during sending of the request and reception of the response. Typically, this problem arises when the auhentication request is initialized from localhost address or http scheme, while response is received at a public host name or https scheme. E.g., when initializing authentication from URL https://host:port/app/saml/login, the response must be received at https://host;port/app/saml/SSO, not http://host:port/app/saml/SSO or https://localhost:port/app/saml/SSO.

The checking of the InResponseToField can be disabled by re-configuring the context provider as follows:

<bean id="contextProvider" class="org.springframework.security.saml.context.SAMLContextProviderImpl">
  <property name="storageFactory">
    <bean class="org.springframework.security.saml.storage.EmptyStorageFactory"/>
  </property>
</bean>

In case you use automatic metadata generation make sure to set property entityBaseURL on bean MetadataGenerator to e.g. http://server:port/yourapp or use pre-generated metadata.

Make sure the Unlimited Strength Jurisdiction Policy Files are correctly installed in your JDK. See Section 4.1, “Pre-requisites” for details.

This is typically caused by misconfiguration of certificates. Either your metadata or keyStore do not contain the correct leaf certificates or CA certificates, or your certificates are invalid. You can get additional information by starting your application with flag -Djavax.net.debug=all.