Hi there folks,
With Auth0 acting as a SAML IDP, when the SAML response indicates a failure, the XML that Auth0 produces is not valid. For instance, consider the following message:
<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="_anid" InResponseTo="_authnreq_id" Version="2.0" IssueInstant="2021-01-04T09:21:52.037Z" Destination="https://the.sp.acs.here"><saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">urn:tenant.auth0.com</saml:Issuer><samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Responder"/><samlp:StatusMessage Value="user is blocked"/></samlp:Status></samlp:Response>
The problem is that StatusMessage is not allowed to have any attributes as it is supposed to be a simple type. For reference, the xsd is available here
<samlp:StatusMessage Value="user is blocked"/>
should be
<samlp:StatusMessage>user is blocked</samlp:StatusMessage>
When an SP that does schema validation attempts to parse this message, it will fail; for instance, in Java, SAXParser throws:
SAXParseException[cvc-type.3.1.1: Element 'samlp:StatusMessage' is a simple type, so it cannot have attributes, excepting those whose namespace name is identical to 'http://www.w3.org/2001/XMLSchema-instance' and whose [local name] is one of 'type', 'nil', 'schemaLocation' or 'noNamespaceSchemaLocation'. However, the attribute, 'Value' was found.];)
Thanks,
Ioannis
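As an added example (not part of the post, and not Auth0 or any SP library's code), a hypothetical SP-side helper in Python that reads the Status of a response in either form and rewrites the non-conforming Value attribute into element text, so a schema validator run afterwards sees the form the XSD requires. It assumes only the standard-library ElementTree and a constructed copy of the response quoted above.

```python
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
for prefix, uri in (("samlp", SAMLP), ("saml", SAML)):
    ET.register_namespace(prefix, uri)  # keep the original prefixes when re-serialising

STATUS = "{%s}Status" % SAMLP
STATUS_CODE = "{%s}StatusCode" % SAMLP
STATUS_MESSAGE = "{%s}StatusMessage" % SAMLP
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"

# Constructed sample, built from the failing response quoted in the post above.
BROKEN_RESPONSE = (
    '<samlp:Response xmlns:samlp="%s" ID="_anid" InResponseTo="_authnreq_id" '
    'Version="2.0" IssueInstant="2021-01-04T09:21:52.037Z" Destination="https://the.sp.acs.here">'
    '<saml:Issuer xmlns:saml="%s">urn:tenant.auth0.com</saml:Issuer>'
    '<samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Responder"/>'
    '<samlp:StatusMessage Value="user is blocked"/></samlp:Status></samlp:Response>'
) % (SAMLP, SAML)


def normalize_status_message(root):
    """Rewrite <StatusMessage Value="..."/> into <StatusMessage>...</StatusMessage>.

    The schema types StatusMessage as xs:string, so element text is the only valid
    form. Returns True if anything was changed. Conforming input is left untouched,
    so this can run unconditionally before schema validation."""
    changed = False
    for msg in root.iter(STATUS_MESSAGE):
        value = msg.attrib.pop("Value", None)
        if value is None:
            continue
        changed = True
        if not (msg.text or "").strip():  # fill text only when absent; never overwrite it
            msg.text = value
    return changed


def parse_status(xml_text):
    """Return the top-level status of a SAML Response plus the normalised XML.

    Assumption: stdlib ElementTree does not resolve external entities, which is
    what we want for XML from a remote IdP."""
    root = ET.fromstring(xml_text)
    changed = normalize_status_message(root)
    status = root.find(STATUS)
    code_el = status.find(STATUS_CODE) if status is not None else None
    if code_el is None:
        raise ValueError("Response has no samlp:Status/samlp:StatusCode")
    msg = status.find(STATUS_MESSAGE)
    return {
        "code": code_el.get("Value"),
        "success": code_el.get("Value") == SUCCESS,
        "message": msg.text if msg is not None else None,
        "rewritten": changed,
        "xml": ET.tostring(root, encoding="unicode"),
    }
```

The returned "xml" is what you would hand to the schema validator; "rewritten" is worth logging so the IdP-side defect stays visible instead of being silently masked.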