Troubleshooting errors in SAML 2.0 federations

Error when creating a new userError when creating a new user

An attempt to add a new user to a federation has failed because the auto user creation option is disabled. Add a user manually or enable the Automatically create users option in the federation settings.

SAMLResponse assertions not encryptedSAMLResponse assertions not encrypted

The Sign authentication requests option is enabled in the federation. With this option on, SAMLResponse assertions must be encrypted.

The resulting XML is not a SAMLResponseThe resulting XML is not a SAMLResponse

The response received from the IdP server is a valid XML but not a valid SAMLResponse. You can learn more about SAMLResponse requirements in the SAML V2.0 standard.

SAMLResponse is an incorrect XMLSAMLResponse is an incorrect XML

XML recognition error occurred. SAMLResponse data is incomplete or corrupt.

SAMLResponse contains no assertionsSAMLResponse contains no assertions

The resulting SAMLResponse contains no assertions. The error message must contain an up-to-date status code, e.g., No assertions found in response. The status code is 'Responder'.

Make sure the identity provider's response contains the correct SAML. Learn more about setting up a SAML application on the IdP server side.

Error handling the responseError handling the response

Failed to decode a SAMLResponse string.

Invalid sender addressInvalid sender address

SAMLResponse sender address does not match the URL address of the SamlRequest recipient. You can learn more about the requirements in the SAML V2.0 specification.

Incorrect SAMLResponse assertionsIncorrect SAMLResponse assertions

SAMLResponse assertions failed required authentication checks.

Invalid response signatureInvalid response signature

Invalid SAMLResponse signature.

Assertions contain no subject elementAssertions contain no subject element

There is no subject element in SAMLResponse.

Assertion contains an incorrect subject elementAssertion contains an incorrect subject element

SAMLResponse contains a subject element, but there is no NameID or EncryptedID field in it.

Decryption errorDecryption error

Failed to decrypt an assertion or name ID in SAMLResponse. Check the certificates.

Incorrect Issuer elementIncorrect Issuer element

SAMLResponse contains an incorrect Issuer element. You can learn more about this element in the SAML V2.0 specification.

SAMLResponse parameter not foundSAMLResponse parameter not found

No SAMLResponse parameter found in the IdP response. This parameter is required and must be included in the HTTP response body.

RelayState parameter not foundRelayState parameter not found

No RelayState parameter found in the IdP response. This parameter is required and must be included in the HTTP response body.

Federation not supportedFederation not supported

This type of federation is no longer supported. Contact support.

Invalid SSO URL protocolInvalid SSO URL protocol

Sso url: isn't valid schema. The scheme must be HTTPS or HTTP

Invalid SSO URLInvalid SSO URL

Sso url: isn't valid (the link to the IdP login page)

Invalid NameIDInvalid NameID

The NameID value must follow this format: "^[a-z0-9A-Z/@_.\\-=+*\\\\]+$".