Problem

In the end of the SAML authentication process, the user gets the following error messages: 

Expected SAML-message with status urn:oasis:names:tc:SAML:2.0:status:Success, but the status was urn:oasis:names:tc:SAML::2.0:status:Responder

Solution

To be able to do an SSO authentication, the SAML add-on needs to get back the SAML Response status code urn:oasis:names:tc:SAML:2.0:status:Success from the Identity Provider. The status urn:oasis:names:tc:SAML:2.0:status:Responder indicates, that the Identity Provider blocked the authentication because of wrong/missing user permissions or service provider configurations. 

If only a couple of users are affected

Check the user's permissions on the Identity Provider. Mostly a permission (very often a group) to get access to the SAML SSO service provider is missing, which leads to this error.

If many or all users are affected

The SAML Request signing can sometimes lead to Responder error messages. Try to turn it off and check if it helps:

1. Disable the Sign Authentication Requests checkbox (SAML SSO configurations -> Identity Providers -> Security Settings).

2. Switch to the Service Provider settings and disable the Include Signing Certificate in Metadata checkbox (under Signing and encryption).

3. Update the SAML SSO Service Provider settings on your Identity Provider with the changed SAML SSO Metadata information (For ADFS: Select the associated Reyling Party -> Update from Federation Metadata...  Ensure that after updating, the Signature is correctly removed and now empty: Relying Party properties -> Signature)

4. Try the Single Sign On again.

To find the main reason

Try to get Identity Provider log information and search for the apporpriate user login attempt lines. Check why the Identity Provider denies the access for the user/s. For additional help, create a support request in our customer portal and attach your Identity Provider log file to the request: Customer Portal