At the end of the SAML authentication process, the user gets the following error message:
Expected SAML-message with status urn:oasis:names:tc:SAML:2.0:status:Success, but the status was urn:oasis:names:tc:SAML:2.0:status:Responder
To complete an SSO authentication, the SAML add-on needs to receive a SAML Response with the status code urn:oasis:names:tc:SAML:2.0:status:Success from the Identity Provider. The status urn:oasis:names:tc:SAML:2.0:status:Responder indicates that the Identity Provider refused the authentication request, usually because of wrong or missing user permissions or because of an incorrect Service Provider configuration on the Identity Provider side.
If only one or a few users are affected
Check the affected user's permissions at the Identity Provider. In most cases the user lacks the permission to access the SAML SSO Service Provider application, and the Identity Provider answers with a Responder status instead of issuing an assertion.
If (almost) all users are affected
- Very often the Service Provider configuration on the Identity Provider is missing SAML SSO specific information. In this case, update your Identity Provider with the newest SAML SSO metadata (...plugins/servlet/samlsso/metadata).
- Signing the SAML Request can sometimes lead to Responder error messages. Try turning it off and check whether this helps:
  - Disable the Sign Authentication Requests checkbox (SAML SSO configurations -> Identity Providers -> Security Settings).
  - Switch to the Service Provider settings and disable the Include Signing Certificate in Metadata checkbox (under Signing and encryption).
  - Update the SAML SSO Service Provider settings on your Identity Provider with the changed SAML SSO Metadata information (for ADFS: select the associated Relying Party -> Update from Federation Metadata... Ensure that after updating, the Signature is correctly removed and now empty: Relying Party properties -> Signature).
  - Try the Single Sign On again.
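When troubleshooting either case above, it helps to look at the actual SAMLResponse the Identity Provider posted to the browser instead of only the add-on's summary message, because the SAML 2.0 Status element may carry a second-level StatusCode (for example RequestDenied) and a StatusMessage that point at the cause. The following script is an added diagnostic example; it is not part of the original article or of the SAML SSO add-on. It base64-decodes a SAMLResponse as captured from the browser's POST, reports the top-level and nested StatusCode values, and inspects SP metadata for the two request-signing settings the steps above change (AuthnRequestsSigned on the SPSSODescriptor and a signing KeyDescriptor). The sample response and metadata are constructed, the certificate is a placeholder, and the script deliberately does not verify XML signatures; it only reads status and metadata.

```python
"""Read SAML 2.0 Response status codes and SP metadata signing settings.

Added diagnostic example (not the add-on's own code). It does not verify
XML signatures and must not be used as an authentication check.
"""
import base64
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
MD = "urn:oasis:names:tc:SAML:2.0:metadata"
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
RESPONDER = "urn:oasis:names:tc:SAML:2.0:status:Responder"


def parse_response_status(saml_response_b64: str) -> dict:
    """Decode a base64 SAMLResponse and return its Status details."""
    root = ET.fromstring(base64.b64decode(saml_response_b64))
    if root.tag != f"{{{SAMLP}}}Response":
        raise ValueError(f"not a samlp:Response element: {root.tag}")
    status = root.find(f"{{{SAMLP}}}Status")
    if status is None:
        raise ValueError("Response carries no samlp:Status element")
    top = status.find(f"{{{SAMLP}}}StatusCode")
    top_value = top.get("Value") if top is not None else None
    # SAML 2.0 allows a nested, more specific StatusCode inside the first one.
    nested = top.find(f"{{{SAMLP}}}StatusCode") if top is not None else None
    msg = status.find(f"{{{SAMLP}}}StatusMessage")
    return {
        "status": top_value,
        "second_level": nested.get("Value") if nested is not None else None,
        "message": msg.text.strip() if msg is not None and msg.text else None,
        "success": top_value == SUCCESS,
    }


def explain(status: dict) -> str:
    """Map the parsed status onto the troubleshooting branches of the article."""
    if status["success"]:
        return "Success: the Identity Provider issued an assertion."
    if status["status"] == RESPONDER:
        detail = status["second_level"] or "no second-level code"
        return (f"Responder ({detail}): the IdP refused the request; check the user's "
                "permissions if only a few users are affected, or the SP configuration "
                "and metadata on the IdP if (almost) all users are affected.")
    return f"Non-success status {status['status']}: inspect the IdP logs."


def metadata_signing_info(sp_metadata_xml: str) -> dict:
    """Report the request-signing settings published in SP metadata."""
    root = ET.fromstring(sp_metadata_xml)
    spsso = root.find(f".//{{{MD}}}SPSSODescriptor")
    if spsso is None:
        raise ValueError("metadata has no SPSSODescriptor")
    # A KeyDescriptor without a 'use' attribute applies to signing and encryption.
    signing_keys = [kd for kd in spsso.findall(f"{{{MD}}}KeyDescriptor")
                    if kd.get("use") in (None, "signing")]
    return {
        "authn_requests_signed": spsso.get("AuthnRequestsSigned", "false").lower() == "true",
        "signing_certificate_published": bool(signing_keys),
    }


# Constructed sample data (not captured from a real deployment).
_RESPONDER_XML = b"""<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="_c1" Version="2.0">
  <samlp:Status>
    <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Responder">
      <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:RequestDenied"/>
    </samlp:StatusCode>
    <samlp:StatusMessage>Constructed sample: access to the relying party was denied</samlp:StatusMessage>
  </samlp:Status>
</samlp:Response>"""
_SUCCESS_XML = b"""<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="_c2" Version="2.0">
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
</samlp:Response>"""
SAMPLE_RESPONDER = base64.b64encode(_RESPONDER_XML).decode()
SAMPLE_SUCCESS = base64.b64encode(_SUCCESS_XML).decode()
SAMPLE_SP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" entityID="https://sp.example.test/samlsso">
  <md:SPSSODescriptor AuthnRequestsSigned="true" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:X509Data><ds:X509Certificate>PLACEHOLDER_CERTIFICATE</ds:X509Certificate></ds:X509Data>
      </ds:KeyInfo>
    </md:KeyDescriptor>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""

if __name__ == "__main__":
    for sample in (SAMPLE_RESPONDER, SAMPLE_SUCCESS):
        parsed = parse_response_status(sample)
        print(parsed["status"], parsed["second_level"], "->", explain(parsed))
    print(metadata_signing_info(SAMPLE_SP_METADATA))
```

To use it on a real case, copy the SAMLResponse form field from the browser's network inspector (POST binding) and pass it to parse_response_status; if metadata_signing_info on your current SP metadata still reports a published signing certificate or AuthnRequestsSigned set to true after you followed the steps above, the Identity Provider has not picked up the updated metadata yet.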