SAML2Error: SAML failed to login, Status code is urn:oasis:names:tc:SAML:2.0:status:Requester

Problem
When SSO is enabled, some SAML requests fail with SAML2Error: SAML failed to login, Status code is urn:oasis:names:tc:SAML:2.0:status:Requester

 

Symptoms
When you review the instance system logs (syslog table), they show:
  • Source: SAML2
  • Error: SAML2Error: SAML failed to login, Status code is urn:oasis:names:tc:SAML:2.0:status:Requester (the expected status is urn:oasis:names:tc:SAML:2.0:status:Success)

  

Cause
When your IdP (e.g. ADFS) responds with a status of urn:oasis:names:tc:SAML:2.0:status:Requester, it means the IdP did not accept something in the request sent to it. In most cases, the SAML response received from the IdP does not provide further details about the error.

 

Resolution
Once you understand the error from the IdP event/system logs, you can either tune the instance SAML settings or update the IdP settings to avoid the problem.
To understand the SAML request sent, you can use your browser developer tools or contact your IdP for more details.

For debugging, we recommend installing a SAML debugging tool (e.g. SAML tracer for Firefox, or SAML Chrome panel for Chrome browsers) to view the SAML information sent and received in a more readable form.

To troubleshoot:

  1. Install the debugging tools in the browser you will use to validate the problem.
  2. Reproduce the problem.
  3. Review the SAML request sent to the IdP (e.g. ADFS). Please provide this to your IdP administrator.
  4. Contact your IdP to understand the reason for the urn:oasis:names:tc:SAML:2.0:status:Requester.

 

Note: urn:oasis:names:tc:SAML:2.0:status:Requester means the IdP did not like the SAML request sent, so it will respond with "Requester" instead of "Success".
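
As an added example (not part of the original article or of any vendor tooling), the Python below decodes a captured SAMLResponse value and reads its top-level status, plus the optional second-level StatusCode and StatusMessage that SAML 2.0 allows an IdP to include. It goes slightly beyond the article by also handling the HTTP-Redirect encoding; the sample message and the names decode_saml and read_status are constructed for illustration.

```python
import base64
import zlib
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol"}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"

# Constructed sample: a failed Response as it would appear, base64-encoded, in the
# SAMLResponse form field. The second-level code is illustrative, not from the page.
SAMPLE_XML = (
    '<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    'ID="_r1" InResponseTo="_a1" Version="2.0"><samlp:Status>'
    '<samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Requester">'
    '<samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:InvalidNameIDPolicy"/>'
    '</samlp:StatusCode></samlp:Status></samlp:Response>'
)
SAMPLE_POST_VALUE = base64.b64encode(SAMPLE_XML.encode()).decode()


def decode_saml(value, deflated=False):
    """Turn a captured SAMLRequest/SAMLResponse value into an XML element.

    HTTP-POST binding: plain base64. HTTP-Redirect binding: URL-decode the
    query value first, then pass deflated=True (base64 of raw DEFLATE).
    """
    raw = base64.b64decode(value)
    if deflated:
        raw = zlib.decompress(raw, -15)  # -15 selects raw DEFLATE (no zlib header)
    if b"<!DOCTYPE" in raw:  # SAML messages never need a DTD; do not parse one
        raise ValueError("DTD found in SAML message")
    return ET.fromstring(raw)


def read_status(message):
    """Return (top-level code, second-level code, status message) of a Response."""
    code = message.find("samlp:Status/samlp:StatusCode", NS)
    if code is None:
        raise ValueError("no samlp:Status/samlp:StatusCode element")
    sub = code.find("samlp:StatusCode", NS)
    msg = message.find("samlp:Status/samlp:StatusMessage", NS)
    return (code.get("Value"),
            sub.get("Value") if sub is not None else None,
            msg.text.strip() if msg is not None and msg.text else None)


if __name__ == "__main__":
    top, sub, text = read_status(decode_saml(SAMPLE_POST_VALUE))
    print("login would succeed" if top == SUCCESS else f"failed: {top}")
    print("second-level code:", sub, "| message:", text)
```

When the second-level code and message both come back as None, the response carries nothing beyond "Requester" and the IdP event logs are the only source for the reason.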

 

 

Article Information

Last Updated: 2018-01-05 08:31:29
Published: 2017-12-04