Problem

At the end of the SAML authentication process, the user gets the following error message:

Expected SAML-message with status urn:oasis:names:tc:SAML:2.0:status:Success, but the status was urn:oasis:names:tc:SAML:2.0:status:Responder

Solution

To be able to do an SSO authentication, the SAML add-on for Atlassian Data Center and Server applications needs to get back the SAML Response status code urn:oasis:names:tc:SAML:2.0:status:Success from the Identity Provider.
The status urn:oasis:names:tc:SAML:2.0:status:Responder indicates that the Identity Provider blocked the authentication, either because of wrong or missing user permissions or because of an incorrect service provider configuration on the Identity Provider.

If only one/a couple of users of the Atlassian Data Center app are affected

Check the user's permissions at the Identity Provider. In most cases the user is missing the permission to access the SAML SSO service provider, which leads to this error.

Below are some examples of what you see in the SAML Response, which you can check in the Authentication Tracker of a failed login.

You basically need to look for the samlp:StatusCode and/or samlp:StatusMessage tags in the SAML Response (under the samlp:Response tag). Note that StatusCode elements nest: the top-level Responder code wraps a more specific code that gives the actual reason.

    <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Responder">
        <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:AuthnFailed"/>
    </samlp:StatusCode>
    <samlp:StatusMessage>Authentication Failed</samlp:StatusMessage>

    <samlp:StatusMessage>Sorry! you are not authorized</samlp:StatusMessage>
    <samlp:StatusDetail>
        <Cause>org.sourceid.saml20.domain.AuthorizationException: Authorization failed (Sorry! you are not authorized)</Cause>
    </samlp:StatusDetail>


If (almost) all users of the Atlassian Data Center app are affected

  • Very often the Service Provider configuration on the Identity Provider lacks SAML SSO specific information. In this case, please update your Identity Provider with the newest SAML SSO metadata information (...plugins/servlet/samlsso/metadata).
    Here is an example of what you see in the SAML Response in the Authentication Tracker of a failed login:

        <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Responder">
            <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:RequestDenied"/>
        </samlp:StatusCode>
        <samlp:StatusMessage>The AuthnRequest could not be validated</samlp:StatusMessage>
  • The SAML Request signing can sometimes lead to Responder error messages. Try to turn it off and check if it helps:
    1. Disable the Sign Authentication Requests checkbox (SAML SSO configurations -> Identity Providers -> Security Settings).
    2. Switch to the Service Provider settings and disable the Include Signing Certificate in Metadata checkbox (under Signing and encryption).
    3. Update the SAML SSO Service Provider settings on your Identity Provider with the changed SAML SSO Metadata information (for ADFS: select the associated Relying Party -> Update from Federation Metadata... Ensure that after updating, the Signature is correctly removed and now empty: Relying Party properties -> Signature).
    4. Try the Single Sign On again.

      Turning off the SAML Request Signing is not recommended, because it reduces the security of the authentication. We highly recommend turning it on again after your tests. If the problem is actually related to the request signing, please have a look at your Identity Provider's settings and logs and try to figure out why it is not supporting or accepting signed authentication requests. For additional help, create a support request in our Customer Portal and attach your Identity Provider log file to the request.

  • The NameID Format in the request is not correct. You can recognise this by the following status code in the SAML Response:

        <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Responder">
            <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:InvalidNameIDPolicy"/>
        </samlp:StatusCode>

    In that case, please do the following:

    1. Go to the SAML SSO configuration page
    2. In the Identity Providers tab, scroll down to the Request settings section
    3. For NameIdFormat in Request choose NONE
    4. Save the configuration
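The following added example (not part of this article or the add-on) automates the check described above: it walks the nested samlp:StatusCode elements of a SAML Response as shown in the Authentication Tracker, extracts StatusMessage and StatusDetail, and maps the three second-level codes this article discusses to the checklist item they point to. The KNOWN_CAUSES table and the sample response are constructed for this example.

```python
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
STATUS = "urn:oasis:names:tc:SAML:2.0:status:"

# Second-level status codes this article discusses, mapped to the cause it names
# for each. Constructed lookup for this example, not an exhaustive list.
KNOWN_CAUSES = {
    STATUS + "AuthnFailed": "user lacks access to the SP at the IdP",
    STATUS + "RequestDenied": "IdP could not validate the AuthnRequest (stale SP metadata or request signing)",
    STATUS + "InvalidNameIDPolicy": "IdP cannot satisfy the requested NameID format (set NameIdFormat in Request to NONE)",
}

def q(local: str) -> str:  # Clark-notation name of an element in the samlp namespace
    return f"{{{SAMLP}}}{local}"

def parse_status(response_xml: str) -> dict:
    """Extract the nested samlp:StatusCode values, StatusMessage and StatusDetail."""
    root = ET.fromstring(response_xml)
    status = root.find(q("Status"))
    if status is None:
        raise ValueError("samlp:Response without samlp:Status")
    codes = []  # outermost first, e.g. [Responder, AuthnFailed]
    code = status.find(q("StatusCode"))
    while code is not None:
        codes.append(code.get("Value", ""))
        code = code.find(q("StatusCode"))
    detail = status.find(q("StatusDetail"))
    return {
        "codes": codes,
        "message": status.findtext(q("StatusMessage")),
        "detail": " ".join("".join(detail.itertext()).split()) if detail is not None else None,
    }

def diagnose(response_xml: str) -> str:
    """Map a response's status to the matching item of the article's checklist."""
    st = parse_status(response_xml)
    if st["codes"][:1] == [STATUS + "Success"]:
        return "success"
    for code in st["codes"][1:]:  # the specific reason sits below the top-level Responder code
        if code in KNOWN_CAUSES:
            return KNOWN_CAUSES[code]
    return f"unrecognised status {st['codes']}, message={st['message']!r}"

# Constructed sample of the Responder/AuthnFailed case as the Authentication Tracker shows it
SAMPLE_AUTHN_FAILED = f"""<samlp:Response xmlns:samlp="{SAMLP}" ID="_r1" Version="2.0"><samlp:Status>
<samlp:StatusCode Value="{STATUS}Responder"><samlp:StatusCode Value="{STATUS}AuthnFailed"/></samlp:StatusCode>
<samlp:StatusMessage>Authentication Failed</samlp:StatusMessage></samlp:Status></samlp:Response>"""
```

Paste the decoded samlp:Response from the Authentication Tracker into diagnose() to get the checklist item; an unrecognised code falls through to the raw status list and message so nothing is silently ignored.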