Tuesday, February 26, 2019

Solving SAML Error: Exception while processing SAML response: Issuer in Response is Invalid

This will show you the things to check in your SAML configuration to solve the error "Issuer in Response is Invalid".

To troubleshoot this error, you must be able to get the SAML response. Please view SuiteAnswers Article "Capture the SAML response on Firefox using SAML Tracer" (Solution ID: 27348) that will show you one way to obtain the SAML response.

Possible Cause # 1: The user is not using the correct endpoint for the Assertion Consumer Service (ACS).
Since NetSuite has different data centers, the correct data center has to be obtained when registering NetSuite as a service provider. To do that, download the sp.xml file from Setup > Integration > SAML Single Sign On; the ACS URL is listed in that XML file.

For more information, please go to SuiteAnswers Article: "Register NetSuite Service Provider MetaData in SAML SSO" (Solution ID: 28360)

Example: 

The following tags from the NetSuite metadata show that the ACS URL Location in the sp.xml is https://system.na1.netsuite.com/saml2/acs

        <NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</NameIDFormat>
        <NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</NameIDFormat>
        <NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</NameIDFormat>
        <AssertionConsumerService isDefault="true" index="0"
                                  Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
                                  Location="https://system.na1.netsuite.com/saml2/acs" />
        <AssertionConsumerService index="1"
                                  Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
                                  Location="https://system.netsuite.com/saml2/acs" />
        <AssertionConsumerService index="3"
                                  Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
                                  Location="https://system.na1.netsuite.com/saml2/acs" />
    </SPSSODescriptor>

However, the SAML response carries a different URL, because it contains the ACS URL that you set in your IDP configuration:

Solution: The user must go to the IDP configuration page and correct the Assertion Consumer Service (ACS) URL so that it matches the Location in the sp.xml.

Possible Cause # 2: The Issuer showing in the SAML response does not match the entity ID saved in the NetSuite database.
The user has to make sure that the Issuer in the SAML response matches the entity ID saved in NetSuite.

Example:

The figure below shows that the Entity ID showing in Setup > Integration > SAML Setup is "testdrive".

However, when reviewing the SAML response, the Issuer (entity ID) it carries is "leatestdrive".

One of the reasons for this is that the user has multiple configurations in the IDP and uploaded the wrong metadata file under Setup > Integration > SAML Single Sign-on.

Solution: The user must go to Setup > Integration > SAML Single Sign-on and upload the right IDP metadata file. After the upload, the Entity ID shown on that page must match the Issuer in the SAML response.
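The two checks above (the ACS URL the IDP posts to versus the Location entries in sp.xml, and the Issuer in the response versus the entity ID saved in NetSuite) can be automated against a captured SAMLResponse value. The script below is an added example and is not code from the article or from NetSuite; it assumes the ACS URL the IDP used is the Destination attribute on the samlp:Response element, the SP metadata is an EntityDescriptor wrapping the SPSSODescriptor shown above, and all sample data (the wrong-endpoint host and the responses) is constructed here for illustration.

```python
# Added example (not part of the original article): compare the fields that
# SAML Tracer shows in a captured SAMLResponse with the ACS URLs published in
# the NetSuite SP metadata (sp.xml) and with the IDP entity ID you expect.
# All sample data below is constructed for illustration.
import base64
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"

# Constructed SP metadata: the ACS entries mirror the sp.xml excerpt in the article.
SP_METADATA = f"""<EntityDescriptor xmlns="{MD}" entityID="sp-entity-id-placeholder">
  <SPSSODescriptor protocolSupportEnumeration="{SAMLP}">
    <AssertionConsumerService isDefault="true" index="0"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://system.na1.netsuite.com/saml2/acs"/>
    <AssertionConsumerService index="1"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://system.netsuite.com/saml2/acs"/>
  </SPSSODescriptor>
</EntityDescriptor>"""


def make_response(destination: str, issuer: str) -> str:
    """Build a minimal, unsigned SAML Response (constructed test data) and
    base64-encode it the way it appears in the SAMLResponse POST parameter."""
    xml = f"""<samlp:Response xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}"
    ID="_constructed-response" Version="2.0" IssueInstant="2019-02-26T00:00:00Z"
    Destination="{destination}">
  <saml:Issuer>{issuer}</saml:Issuer>
  <samlp:Status>
    <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
  </samlp:Status>
</samlp:Response>"""
    return base64.b64encode(xml.encode()).decode()


def acs_locations(sp_metadata_xml: str) -> set:
    """Every ACS Location the SP metadata advertises."""
    root = ET.fromstring(sp_metadata_xml)
    return {el.get("Location") for el in root.iter(f"{{{MD}}}AssertionConsumerService")}


def response_fields(saml_response_b64: str) -> dict:
    """Decode a SAMLResponse value and pull out Destination and Issuer."""
    root = ET.fromstring(base64.b64decode(saml_response_b64))
    issuer = root.find(f"{{{SAML}}}Issuer")
    return {
        "destination": root.get("Destination"),
        "issuer": issuer.text.strip() if issuer is not None and issuer.text else None,
    }


def diagnose(sp_metadata_xml: str, expected_idp_entity_id: str, saml_response_b64: str) -> list:
    """Return one finding per mismatch; an empty list means both checks passed."""
    findings = []
    acs = acs_locations(sp_metadata_xml)
    fields = response_fields(saml_response_b64)
    if fields["destination"] not in acs:
        findings.append(
            f"Cause 1: Destination {fields['destination']!r} is not an ACS URL "
            f"from sp.xml {sorted(acs)}; fix the ACS URL in the IDP configuration."
        )
    if fields["issuer"] != expected_idp_entity_id:
        findings.append(
            f"Cause 2: Issuer {fields['issuer']!r} != entity ID {expected_idp_entity_id!r} "
            f"saved in NetSuite; upload the IDP metadata that matches this issuer."
        )
    return findings


# Constructed bad response: a placeholder (wrong) ACS host plus the mismatched
# issuer from the article ("leatestdrive" while NetSuite has "testdrive").
BAD_RESPONSE = make_response("https://acs.wrong-endpoint.invalid/saml2/acs", "leatestdrive")
GOOD_RESPONSE = make_response("https://system.na1.netsuite.com/saml2/acs", "testdrive")

if __name__ == "__main__":
    for line in diagnose(SP_METADATA, "testdrive", BAD_RESPONSE):
        print(line)
    print("good response findings:", diagnose(SP_METADATA, "testdrive", GOOD_RESPONSE))
```

To use it against a real capture, paste the SAMLResponse value from SAML Tracer in place of BAD_RESPONSE and the downloaded sp.xml contents in place of SP_METADATA; the Destination and Issuer checks deliberately stay separate so the output tells you which of the two causes applies.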
