Saml2 response STILL not conforming to the spec

Hi,
As per community post 55921, the issue that a SAML Response does not use a simple type for a StatusMessage was added to the backlog in 2021. Since we are currently getting such SAML Responses on a regular basis, what is the status of this backlog entry? Why do we still see such responses here:

<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="_84e806cba6be8045dd7f" InResponseTo="_7db03859a514b9eb77fecba3396b64b8" Version="2.0" IssueInstant="2025-07-29T08:35:57.166Z" Destination="https://xxxxx/Shibboleth.sso/SAML2/POST">
    <saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
        urn:xxxxx.eu.auth0.com
    </saml:Issuer>
    <samlp:Status>
        <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Responder"/>
        <samlp:StatusMessage Value="ERROR MESSAGE"/>
    </samlp:Status>
</samlp:Response>

Where it should have been:

<samlp:StatusMessage>ERROR MESSAGE</samlp:StatusMessage>

The (SAML-spec-conforming) Service Provider on the other end is unable to process the error response from the Auth0 IdP because of this.

Thanks for your support.
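The difference between the two StatusMessage forms in the post above can be checked mechanically. The following is an added example, not part of the original thread and not Auth0 or Shibboleth code; the function name, the result keys and the sample documents are constructed for illustration.

```python
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
XSI = "{http://www.w3.org/2001/XMLSchema-instance}"
NS = {"samlp": SAMLP}

# Constructed samples modeled on the response in the post (values are placeholders).
TEMPLATE = (
    '<samlp:Response xmlns:samlp="' + SAMLP + '" ID="_example" Version="2.0" '
    'IssueInstant="2025-01-01T00:00:00Z"><samlp:Status>'
    '<samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Responder"/>'
    "{message}</samlp:Status></samlp:Response>"
)
ATTRIBUTE_FORM = TEMPLATE.format(message='<samlp:StatusMessage Value="ERROR MESSAGE"/>')
ELEMENT_FORM = TEMPLATE.format(
    message="<samlp:StatusMessage>ERROR MESSAGE</samlp:StatusMessage>")


def check_status_message(response_xml):
    """Report the status code, the recoverable message text and schema findings."""
    # ElementTree does not fetch external entities; for IdP-supplied input in
    # production, a hardened parser such as defusedxml is the safer choice.
    root = ET.fromstring(response_xml)
    if root.tag != "{%s}Response" % SAMLP:
        raise ValueError("not a samlp:Response")
    status = root.find("samlp:Status", NS)
    code = status.find("samlp:StatusCode", NS) if status is not None else None
    if code is None or "Value" not in code.attrib:
        raise ValueError("samlp:Status with a StatusCode Value is required")
    findings, message = [], None
    msg = status.find("samlp:StatusMessage", NS)
    if msg is not None:
        # The protocol schema types StatusMessage as a plain string: text only.
        extra = sorted(a for a in msg.attrib if not a.startswith(XSI))
        if extra:
            findings.append("StatusMessage has attributes: " + ", ".join(extra))
        if len(msg):
            findings.append("StatusMessage has child elements")
        # Prefer the conforming text; fall back to the Value attribute for logging.
        message = (msg.text or "").strip() or msg.attrib.get("Value")
    return {"code": code.attrib["Value"], "message": message,
            "conformant": not findings, "findings": findings}


if __name__ == "__main__":
    for name, doc in (("attribute form", ATTRIBUTE_FORM), ("element form", ELEMENT_FORM)):
        print(name, check_status_message(doc))
```

The fallback to the Value attribute is only for logging and diagnostics; the finding is still reported so the non-conforming response is visible rather than silently accepted.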

Hi @ZaphodB

Welcome back to the Auth0 Community!

Thank you for bringing this to our attention. I’ve asked the engineering team for more details about the SAML issue. Thank you for your patience, and I apologize for the inconvenience!

Dawid

Thank you for your patience!

Our engineering team was informed about the issue, but I don’t yet have an ETA for fixing it. I will update you as soon as I have more details!

Thanks!
Dawid

Thank you, Dawid. At least we’re not imagining things when we say it’s not up to spec. Unfortunately, our Service Provider software doesn’t allow us to work around this issue directly, so the user experience isn’t optimal in these cases. These occurrences are happening more frequently now for various (implementation) reasons than they were a couple of months ago. In short, the fix will be greatly appreciated.