What is a SAML status code?

It is a URI in the element of a SAML response that reports the outcome of the request. A single top-level StatusCode states success or who is at fault, and an optional nested second-level StatusCode adds the specific reason.

What is the difference between Requester and Responder?

Requester means the failure is the requesting party's fault — usually the service provider sent something malformed or disallowed. Responder means the identity provider itself failed, for example a backend error, independent of the request's correctness.

Does a Success status mean the user is authenticated?

Not by itself. A top-level Success means the protocol exchange completed. You must still inspect the assertion — its AuthnStatement, Conditions (NotBefore/NotOnOrAfter) and AudienceRestriction — to confirm a valid, in-date authentication for your SP.

What does NoPassive mean?

It is returned when the SP requested IsPassive=true (no visible user interaction) but the IdP cannot authenticate the user silently — for instance there is no active session. The SP should retry without IsPassive to allow an interactive login.

Where do the status code URIs come from?

They are defined by the OASIS SAML 2.0 Core specification under the urn:oasis:names:tc:SAML:2.0:status: namespace. Comparing the full URI rather than a short label avoids ambiguity, which is why this tool lets you copy the exact value.

SAML 2.0 Status Codes

Diagnose SAML responses by status code

Every SAML 2.0 response carries a <Status> element whose StatusCode URI tells you the outcome. The top-level code is one of Success, Requester, Responder or VersionMismatch, and an optional nested second-level code explains the specific reason — AuthnFailed, NoPassive, RequestDenied and so on. This tool lists every standard code with its full URI, level and which party it blames, so you can read a failed SSO response quickly.

How it works

SAML status codes live under the urn:oasis:names:tc:SAML:2.0:status: namespace. The first StatusCode is the top-level verdict: Success means the exchange completed, Requester points to a fault in the request sent by the service provider, Responder blames a problem at the identity provider, and VersionMismatch flags an unsupported SAML version. When more detail is needed, a second-level StatusCode is nested inside the first. For example a top-level Responder paired with a second-level AuthnFailed tells you the IdP ran fine but could not authenticate the user. Because a top-level Success only confirms the protocol completed, you still validate the assertion’s signature, time Conditions and AudienceRestriction before trusting it.

Tips and notes

When debugging a broken login, read the second-level code first — it is where the actionable detail lives. A Requester failure means fix your SP request (NameID policy, attributes, metadata); a Responder failure means look at the IdP side. If you see NoPassive, retry the authentication without IsPassive=true. Compare the full status URI rather than a short name to avoid confusing similarly named codes, and log the complete <StatusMessage> the IdP returns alongside the code, since it often contains a vendor-specific explanation.

SAML 2.0 Status Codes

Email me this result

Diagnose SAML responses by status code

How it works

Tips and notes