FAQ: How-to resolve "Error invalid_response" SSO

Christina Dobryzynski
Christina Dobryzynski Expensify Success Coach - Admin, Expensify Team, Expensify Student Ambassador Posts: 267 Expensify Team
edited December 2019 in Advanced Admin Controls

"Error invalid_response"

There are a few reasons why this error occurs, but it all boils down to the fact that the response sent by your SAML provider doesn't match what Expensify is expecting given the setup.

  • For ADFS: This is usually caused by misconfiguration on the ADFS IdP side. You'll want to clean out your current configuration and carefully follow the instructions here again.
  • For AzureAD: It's likely the wrong certificate setting in Azure AD is set and you just need to check the Make new certificate active checkbox:
  • For Centrify: You'll need to make sure you've added use="signing" to the KeyDescriptor label so it looks like this <KeyDescriptor use="signing">
  • For all others, this could be due to either a malformed x.509 certificate in the domain metadata in Expensify or there may actually be more than one certificate in the metadata. Check your SAML metadata in Expensify and make sure that there are not two different certificates in the same metadata.