Error "SAML response reported an IdP error" after Login

Krinetzki, Stephan Krinetzki at
Fri Jun 9 13:45:15 UTC 2023

Hi Scott and Hi Ulf,

The time settings on the servers (Shibboleth SP and Shibboleth IdP) are identical and have no deviation.

According to the log, the login also went through successfully, or am I missing something here?

IDP_PROCESS|2023-06-08 16:28:27,461|INFO|[net.shibboleth.idp.authn.impl.LDAPCredentialValidator:163]|XXX.XXX.XXX.XXX|JSESSIONID|Credential Validator ldap: Login by 'USER' succeeded
IDP_PROCESS|2023-06-08 16:28:27,462|INFO|[net.shibboleth.idp.authn.impl.FinalizeAuthentication:196]|XXX.XXX.XXX.XXX|JSESSIONID|Profile Action FinalizeAuthentication: Principal USER authenticated
IDP_PROCESS|2023-06-08 16:28:27,619|INFO|[Shibboleth-Audit.SSO:338]|XXX.XXX.XXX.XXX|JSESSIONID|XXX.XXX.XXX.XXX|2023-06-08T14:27:52.625420Z|2023-06-08T14:28:27.619125Z|USER|SP|_608ee17ec4b811d1772d11ba3cf00ed0|password|2023-06-08T14:28:27.462712Z|eduPersonEntitlement,rwthSystemIDs_LMS,organizationName,eduPersonScopedAffiliation,mail,surname,schacHomeOrganization,rwthRufname|AAdzZWNyZXQxVn5AgkKyPxAvRkVX3hT0dQRFpjEcrv3+VG02R5YJ3hAoSuTxFgeqmGVg9neSgFS8cgWauZn19P9QKN6qrG/0iyMZITzE+YTpuxxRlhNBrzgynaxkPuZS+4lOMhWl1q5BxE1t9dipjls=|transient|false|false|AES128-GCM|urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect|urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST||Success||85d35935d0dc7a84f69ec4b0c2c5ecd3055a07708c2bcbff061b579615ca363e|Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/ Safari/537.36 Edg/114.0.1823.41
IDP_PROCESS|2023-06-08 16:32:23,488|ERROR|[org.springframework.webflow.execution.repository.NoSuchFlowExecutionException:91]|XXX.XXX.XXX.XXX|JSESSIONID|

The error in the last line should have nothing to do with the login (notice the 4 minutes time difference).

The Shibboleth Service Provider, however, displays the following error to the user:

Please include the following message in any email:

opensaml::FatalProfileException at (

SAML response reported an IdP error.

Error from identity provider:

*Status:* urn:oasis:names:tc:SAML:2.0:status:Responder
*Message:* An error occurred.

In the shibd.log of the SP:

2023-06-08 16:27:52 INFO Shibboleth.SessionCache [5104] [APP]: new session created: ID (_d590d2ddeb8ede18f5eccefd38145c47) IdP (IDP) Protocol(urn:oasis:names:tc:SAML:2.0:protocol) Address (XXX.XXX.XXX.XXX)

The transaction.log:

2023-06-08 16:27:52|Shibboleth-TRANSACTION.Login||_d590d2ddeb8ede18f5eccefd38145c47|IDP|_864e6684a60caf42066a1d09dc3c19ea|urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport|2023-06-08T16:27:51|RONID(1),affiliation(1),entitlement(1),rwthSystemIDs(1)|AAdzZWNyZXQxqfxy0PgmwVCahfqsts+nl6PyHY+fIHrQIuaJWLspKrbxqrGVEjBxtaElUSx5V1/gBDqi+iSspMPtDl6Cp99+RpNidSXfSuMaDMoK4S7CSvIk1fkgbk6j2Hsi3JIFspN6IW+4iqcXUMd9/WTN8I+E2tbu|urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST||urn:oasis:names:tc:SAML:2.0:status:Success|||Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/112.0|XXX.XXX.XXX.XXX

Seems to be pretty normal.

Any ideas where I can debug further?



Stephan Krinetzki
IT Center
Group: Anwendungsbetrieb und Cloud
Department: Systeme und Betrieb
RWTH Aachen University
Seffenter Weg 23 
52074 Aachen
Tel: +49 241 80-24866
Fax: +49 241 80-22134
krinetzki at

Social media channels of the IT Center:

-----Original Message-----
From: users <users-bounces at> On Behalf Of Cantor, Scott via users
Sent: Tuesday, June 6, 2023 2:22 PM
To: Shib Users <users at>
Cc: Cantor, Scott <cantor.2 at>
Subject: Re: Error "SAML response reported an IdP error" after Login

> I already looked into the IdP logs and I don't see any error there. 

If it's not a bad error message, there is, without any doubt, something in the log about it. That doesn't make it an "ERROR" from a logging perspective, as logging categories have a very specific meaning.

If the IdP is returning a SAML error, it has a reason and it will say so, not to mention it being audited if configured to record the relevant field.

Of course, the SP could also simply be broken and not reporting the issue accurately.

-- Scott

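The thread turns on reading two logs against each other: the IdP's process log (local time stamps, UTC inside the audit record) and the SP's transaction log (local time only), and deciding whether a later ERROR line or a user-facing Responder status belongs to the same login. The script below is an added example, not Shibboleth project code. Its sample log lines are constructed from the ones quoted above, with addresses, request IDs, the NameID blob and the hash replaced by placeholders, and the positions it assigns to fields inside the audit and transaction records are assumptions read off those quoted lines rather than the documented audit format.

```python
"""Correlate Shibboleth SP and IdP log entries around one SAML login.

Added example for the thread; not Shibboleth project code. Sample lines are
constructed from the quoted ones with placeholders; audit/transaction field
positions are assumed from those lines.
"""
import re
from datetime import datetime, timezone

STATUS_PREFIX = "urn:oasis:names:tc:SAML:2.0:status:"

# Constructed IdP process log: two authn lines, one audit line, one later ERROR.
IDP_LOG = """\
IDP_PROCESS|2023-06-08 16:28:27,461|INFO|[net.shibboleth.idp.authn.impl.LDAPCredentialValidator:163]|203.0.113.10|JSESSIONID|Credential Validator ldap: Login by 'USER' succeeded
IDP_PROCESS|2023-06-08 16:28:27,462|INFO|[net.shibboleth.idp.authn.impl.FinalizeAuthentication:196]|203.0.113.10|JSESSIONID|Profile Action FinalizeAuthentication: Principal USER authenticated
IDP_PROCESS|2023-06-08 16:28:27,619|INFO|[Shibboleth-Audit.SSO:338]|203.0.113.10|JSESSIONID|203.0.113.10|2023-06-08T14:27:52.625420Z|2023-06-08T14:28:27.619125Z|USER|SP|_REQUEST_ID_A|password|2023-06-08T14:28:27.462712Z|mail,surname|NAMEID_PLACEHOLDER|transient|false|false|AES128-GCM|urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect|urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST||Success||HASH_PLACEHOLDER|Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/ Safari/537.36 Edg/114.0.1823.41
IDP_PROCESS|2023-06-08 16:32:23,488|ERROR|[org.springframework.webflow.execution.repository.NoSuchFlowExecutionException:91]|203.0.113.10|JSESSIONID|
"""

# Constructed SP transaction log line (local time, no zone suffix).
SP_LOG = """\
2023-06-08 16:27:52|Shibboleth-TRANSACTION.Login||_SP_SESSION_ID|IDP|_REQUEST_ID_B|urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport|2023-06-08T16:27:51|affiliation(1),entitlement(1)|NAMEID_PLACEHOLDER|urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST||urn:oasis:names:tc:SAML:2.0:status:Success|||Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/112.0|203.0.113.10
"""

IDP_PREFIX = re.compile(
    r"^(?P<process>\w+)\|(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d,\d{3})\|(?P<level>[A-Z]+)\|"
    r"\[(?P<logger>[^\]]+)\]\|(?P<client>[^|]*)\|(?P<session>[^|]*)\|(?P<rest>.*)$"
)


def short_status(value):
    """Both 'urn:...:status:Success' and the audit log's bare 'Success' become 'Success'."""
    return value[len(STATUS_PREFIX):] if value.startswith(STATUS_PREFIX) else value


def parse_utc(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)


def parse_idp_line(line):
    """Split one IdP process-log line; audit lines also get their record fields."""
    m = IDP_PREFIX.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%d %H:%M:%S,%f")  # local, naive
    if rec["logger"].startswith("Shibboleth-Audit"):
        f = rec["rest"].split("|")  # field positions assumed from the quoted audit line
        rec["audit"] = {
            "request_utc": parse_utc(f[1]),
            "response_utc": parse_utc(f[2]),
            "user": f[3],
            "relying_party": f[4],
            "status": next((short_status(x) for x in f
                            if x == "Success" or x.startswith(STATUS_PREFIX)), "unknown"),
            "user_agent": f[-1],
        }
    return rec


def parse_sp_line(line):
    """Split one SP transaction-log line; field positions assumed from the quoted line."""
    f = line.split("|")
    return {
        "ts": datetime.strptime(f[0], "%Y-%m-%d %H:%M:%S"),  # local, naive
        "idp": f[4],
        "status": next((short_status(x) for x in f if x.startswith(STATUS_PREFIX)), "unknown"),
        "user_agent": f[-2],
        "client": f[-1],
    }


def clock_offset_hours(audit_rec):
    """Local process-log stamp minus audited UTC response time; whole hours mean a zone, not drift."""
    local_as_utc = audit_rec["ts"].replace(tzinfo=timezone.utc)
    return round((local_as_utc - audit_rec["audit"]["response_utc"]).total_seconds() / 3600, 2)


def correlate(idp_log=IDP_LOG, sp_log=SP_LOG, error_window_s=60):
    """Compare the SP session with the IdP's audited SSO; list IdP errors outside the window."""
    idp = [r for r in map(parse_idp_line, idp_log.splitlines()) if r]
    audit = next(r for r in idp if "audit" in r)
    sp = parse_sp_line(sp_log.splitlines()[0])
    return {
        "idp_status": audit["audit"]["status"],
        "sp_status": sp["status"],
        "sp_session_minus_idp_response_s": round((sp["ts"] - audit["ts"]).total_seconds()),
        "user_agent_match": sp["user_agent"] == audit["audit"]["user_agent"],
        "clock_offset_hours": clock_offset_hours(audit),
        "unrelated_errors": [
            (r["logger"].rsplit(".", 1)[-1].split(":")[0],
             round((r["ts"] - audit["ts"]).total_seconds()))
            for r in idp
            if r["level"] == "ERROR" and abs((r["ts"] - audit["ts"]).total_seconds()) > error_window_s
        ],
    }


def findings(report):
    """Turn the numbers into the next questions a reader of the thread would ask."""
    out = []
    if report["idp_status"] == "Success" and report["sp_status"] == "Success":
        out.append("both logs record Success: the Responder error shown to the user is not this transaction")
    if not report["user_agent_match"]:
        out.append("user agents differ: the SP and IdP entries may belong to different logins")
    if report["sp_session_minus_idp_response_s"] < 0:
        out.append("SP session predates the IdP response: match on request ID, not on time alone")
    if report["clock_offset_hours"] != int(report["clock_offset_hours"]):
        out.append("local-vs-UTC offset is not a whole number of hours: check the clocks")
    for logger, secs in report["unrelated_errors"]:
        out.append(f"{logger} logged {secs}s after the audited response: outside the login window")
    return out


if __name__ == "__main__":
    for line in findings(correlate()):
        print(line)
```

On the constructed lines the report shows both statuses as Success, a local-to-UTC offset of exactly 2 hours (a timezone, consistent with the clocks being in step), the NoSuchFlowExecutionException 236 seconds after the audited response (the "4 minutes" noted above), and a Firefox user agent on the SP entry against an Edge one on the IdP entry, so the script flags that the two quoted records may not be the same login. When a user does see a Responder status, the IdP audit field that becomes `Success` here is where the non-success status code would appear, so grep the audit log for that field rather than for `ERROR`.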