FAQ: How to resolve "Error invalid_response" SSO
There are a few reasons why this error occurs, but it all boils down to the fact that the response sent by your SAML provider doesn't match what Expensify is expecting given the setup.
- For ADFS: This is usually caused by misconfiguration on the ADFS IdP side. You'll want to clean out your current configuration and carefully follow the instructions here again.
- For AzureAD: It's likely that the wrong certificate setting is selected in Azure AD, and you just need to check the Make new certificate active checkbox.
- For Centrify: You'll need to make sure you've added use="signing" to the KeyDescriptor label so it looks like this
- For all others, this could be due to either a malformed X.509 certificate in the domain metadata in Expensify, or there may actually be more than one certificate in the metadata. Check your SAML metadata in Expensify and make sure that there are not two different certificates in the same metadata.
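
The metadata checks from the Centrify and "all others" items can be run locally before re-uploading. The following is an added example, not Expensify's own tooling: it flags KeyDescriptor elements without a use attribute, certificate values that are not valid base64 or not DER, and more than one distinct certificate. The function name, the sample metadata and the placeholder certificate bytes are constructed for illustration.

```python
import base64, binascii, hashlib
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

def audit_metadata(xml_text):
    """Return (findings, fingerprints) for the KeyDescriptors in SAML metadata."""
    findings, fingerprints = [], set()
    descriptors = ET.fromstring(xml_text).findall(".//md:KeyDescriptor", NS)
    if not descriptors:
        findings.append("no KeyDescriptor found")
    for i, kd in enumerate(descriptors, 1):
        if kd.get("use") is None:
            findings.append(f"KeyDescriptor {i}: no use attribute")
        cert = kd.find(".//ds:X509Certificate", NS)
        b64 = "".join((cert.text or "").split()) if cert is not None else ""
        if not b64:
            findings.append(f"KeyDescriptor {i}: no certificate value")
            continue
        try:
            der = base64.b64decode(b64, validate=True)
        except (binascii.Error, ValueError):
            findings.append(f"KeyDescriptor {i}: certificate is not valid base64")
            continue
        # Structural check only: a DER-encoded certificate starts with a SEQUENCE tag (0x30).
        if not der.startswith(b"\x30"):
            findings.append(f"KeyDescriptor {i}: decoded data is not DER")
            continue
        fingerprints.add(hashlib.sha256(der).hexdigest())
    if len(fingerprints) > 1:
        findings.append(f"{len(fingerprints)} different certificates in the same metadata")
    return findings, fingerprints

def _kd(attr, b64):
    # Builds one constructed KeyDescriptor element for the sample below.
    return (f"<md:KeyDescriptor{attr}><ds:KeyInfo><ds:X509Data><ds:X509Certificate>{b64}"
            "</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>")

def _wrap(body):
    # Wraps constructed KeyDescriptors in a minimal metadata document.
    return (f'<md:EntityDescriptor xmlns:md="{NS["md"]}" xmlns:ds="{NS["ds"]}" '
            f'entityID="https://idp.example.test"><md:IDPSSODescriptor>{body}'
            "</md:IDPSSODescriptor></md:EntityDescriptor>")

# Constructed placeholder bytes with a DER SEQUENCE header, not real certificates.
CERT_A = base64.b64encode(b"\x30\x0c" + b"constructedA").decode()
CERT_B = base64.b64encode(b"\x30\x0c" + b"constructedB").decode()
SAMPLE = _wrap(_kd(' use="signing"', CERT_A) + _kd("", CERT_B) + _kd(' use="signing"', "MIIC***broken"))

if __name__ == "__main__":
    for finding in audit_metadata(SAMPLE)[0]:
        print(finding)
```

The DER check is structural only; it does not validate the certificate's contents or expiry.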