Saml2 response STILL not conforming to the spec

ZaphodB · July 29, 2025, 10:10am

Hi,
as per community post 55921 the issue that a SAML Response does not use a simple type for a StatusMessage was added to the backlog in 2021. Since we are currently getting such SAML Responses on a regular basis, what is the status of this backlog entry? Why do we still see such responses here:

<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="_84e806cba6be8045dd7f" InResponseTo="_7db03859a514b9eb77fecba3396b64b8" Version="2.0" IssueInstant="2025-07-29T08:35:57.166Z" Destination="https://xxxxx/Shibboleth.sso/SAML2/POST">
    <saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
        urn:xxxxx.eu.auth0.com
    </saml:Issuer>
    <samlp:Status>
        <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Responder"/>
        <samlp:StatusMessage Value="ERROR MESSAGE"/>
    </samlp:Status>
</samlp:Response>

Where it should have been:

<samlp:StatusMessage>ERROR MESSAGE</samlp:StatusMessage>

The (SAML-spec-conforming) Service Provider on the other end is unable to process the error response from the Auth0 IdP because of this.

Thanks for your support.

dawid.matuszczyk · July 30, 2025, 3:51pm

Hi @ZaphodB

Welcome back to the Auth0 Community!

Thank you for bringing this to our attention. I’ve asked the engineering team for more details about the SAML issue. Thank you for your patience, and I apologize for the inconvenience!

Dawid

dawid.matuszczyk · July 31, 2025, 8:12pm

Thank you for your patience!

Our engineering team was informed about the issue, but I don’t yet have an ETA for fixing it. I will update you as soon as I have more details!

Thanks!
Dawid

ZaphodB · August 1, 2025, 6:31am

Thank you, Dawid. At least we’re not imagining things when we say it’s not up to spec. Unfortunately, our Service Provider software doesn’t allow us to work around this issue directly, so the user experience isn’t optimal in these cases. These occurrences are happening more frequently now for various (implementation) reasons than they were a couple of months ago. In short, the fix will be greatly appreciated.

ZaphodB · August 12, 2025, 11:38am

Sorry to bother you - but are there any updates yet?

If this topic gets auto-closed, I hope that doesn’t mean that it’s not getting fixed eventually…

Topic		Replies	Views
Saml2 response not conforming to the spec Get Help	4	3056	February 9, 2021
SAML 2.0 IDP: issuer problem Get Help saml	3	5274	March 2, 2018
SAML unknown error from provider: "The SAML response is not valid. Response do not contain signature." Knowledge Articles	1	781	August 3, 2023
Getting SAML Response instead of LogoutResponse for the LogoutResquest sent to Auth0 IdP Get Help saml	2	2372	December 22, 2022
Auth0 not validating SAML 2.0 message signature Get Help saml	1	4232	December 20, 2019

Saml2 response STILL not conforming to the spec

Related topics