Problem

At the end of the SAML authentication process, the user gets the following error message:

Expected SAML-message with status urn:oasis:names:tc:SAML:2.0:status:Success, but the status was urn:oasis:names:tc:SAML::2.0:status:Responder

Solution

To be able to do an SSO authentication, the SAML add-on needs to get back the SAML Response status code urn:oasis:names:tc:SAML:2.0:status:Success from the Identity Provider.
The status urn:oasis:names:tc:SAML:2.0:status:Responder indicates that the Identity Provider blocked the authentication because of wrong or missing user permissions or an incorrect service provider configuration on the Identity Provider side.
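When the add-on only shows the top-level status, the SAML Response captured from the browser (the base64 SAMLResponse form field) often carries more detail: a nested second-level StatusCode and a StatusMessage from the Identity Provider. The following added example (not part of this article or the add-on) extracts those from a constructed sample response; the issuer URL and message text are invented for illustration.

```python
import base64
import xml.etree.ElementTree as ET

# Namespaces used by SAML 2.0 protocol and assertion elements.
NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"


def decode_saml_response(b64_field: str) -> str:
    """Decode the base64 SAMLResponse form field (HTTP-POST binding) to XML."""
    return base64.b64decode(b64_field).decode("utf-8")


def parse_saml_status(response_xml: str) -> dict:
    """Return top-level status, optional nested (second-level) status code,
    optional StatusMessage and the issuer of a SAML Response."""
    root = ET.fromstring(response_xml)
    status = root.find("samlp:Status", NS)
    if status is None:
        raise ValueError("no <samlp:Status> element in response")
    top = status.find("samlp:StatusCode", NS)
    if top is None or "Value" not in top.attrib:
        raise ValueError("missing <samlp:StatusCode Value=...>")
    nested = top.find("samlp:StatusCode", NS)          # second-level code, if any
    message = status.find("samlp:StatusMessage", NS)   # free-text reason, if any
    return {
        "issuer": (root.findtext("saml:Issuer", default="", namespaces=NS) or "").strip(),
        "status": top.attrib["Value"],
        "sub_status": nested.attrib.get("Value") if nested is not None else None,
        "message": message.text.strip() if message is not None and message.text else None,
        "success": top.attrib["Value"] == SUCCESS,
    }


# Constructed sample: a Responder status with a nested RequestDenied code and a
# message, the shape an IdP returns when it refuses the authentication request.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_example" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
  <saml:Issuer>https://idp.example.com/adfs/services/trust</saml:Issuer>
  <samlp:Status>
    <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Responder">
      <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:RequestDenied"/>
    </samlp:StatusCode>
    <samlp:StatusMessage>User is not permitted to access the relying party</samlp:StatusMessage>
  </samlp:Status>
</samlp:Response>"""

if __name__ == "__main__":
    print(parse_saml_status(SAMPLE_RESPONSE))
```

The nested code and message usually point directly at the permission or configuration problem described in the sections below, which saves a round trip through the Identity Provider's logs.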

If only one/a couple of users are affected

Check the user's permissions at the Identity Provider. In most cases the permission to access the SAML SSO service provider is missing, which leads to this error.

If (almost) all users are affected

  • Very often the Identity Provider's Service Provider configuration lacks SAML SSO specific information. In this case, please update your Identity Provider with the newest SAML SSO metadata information (...plugins/servlet/samlsso/metadata).

  • The SAML Request signing can sometimes lead to Responder error messages. Try to turn it off and check if it helps:
    1. Disable the Sign Authentication Requests checkbox (SAML SSO configurations -> Identity Providers -> Security Settings).
    2. Switch to the Service Provider settings and disable the Include Signing Certificate in Metadata checkbox (under Signing and encryption).
    3. Update the SAML SSO Service Provider settings on your Identity Provider with the changed SAML SSO Metadata information (for ADFS: select the associated Relying Party -> Update from Federation Metadata... Ensure that after updating, the Signature is correctly removed and now empty: Relying Party properties -> Signature).
    4. Try the Single Sign On again.

Turning off the SAML Request Signing is not recommended, because it reduces the security of the authentication. We highly recommend turning it on again after your tests. If the problem is actually related to the authentication request signing, please have a look at your Identity Provider's settings and logs and try to figure out why it is not supporting or accepting signed authentication requests. For additional help, create a support request in our customer portal and attach your Identity Provider log file to the request: Customer Portal