SAML: Screen stuck at Initializing SSO ? Unable to validate Response. Error: null (Mendix 7.6.0)

We're currently encountering errors with a SAML2.0 integration at a client's site. We've succesfully setup the configuration for the SAML module as per the instructions mentioned in the module's documentation. What we see is that if we navigating to /SSO/ on a laptop of one of the internal users, we get a redirect to /SSO/assertion, after which a white page appears with the text "Initializing SSO...", and nothing else happens.  In our system log we can see the following error: Unable to validate Response, see SAMLRequest overview for detailed response. Error: null java.lang.NullPointerException at saml20.implementation.wrapper.MxSAMLAssertion.getNameID( at saml20.implementation.ArtifactHandler.handleSAMLResponse( at saml20.implementation.ArtifactHandler.handleRequest( at saml20.implementation.SAMLRequestHandler.processRequest( at com.mendix.externalinterface.connector.RequestHandler.doProcessRequest( at com.mendix.external.connector.MxRuntimeConnector$1.execute( at com.mendix.external.connector.MxRuntimeConnector$1.execute( at com.mendix.util.classloading.Runner.doRunUsingClassLoaderOf( at com.mendix.external.connector.MxRuntimeConnector.processRequest( at com.mendix.basis.impl.MxRuntimeImpl.processRequest( at com.mendix.m2ee.appcontainer.server.handler.RuntimeHandler.handle( at org.eclipse.jetty.server.handler.HandlerList.handle( at org.eclipse.jetty.server.handler.HandlerWrapper.handle( at org.eclipse.jetty.server.Server.handle( at org.eclipse.jetty.server.AbstractHttpConnection.handleRequest( at org.eclipse.jetty.server.AbstractHttpConnection.content( at org.eclipse.jetty.server.AbstractHttpConnection$RequestHandler.content( at org.eclipse.jetty.http.HttpParser.parseNext( at org.eclipse.jetty.http.HttpParser.parseAvailable( at org.eclipse.jetty.server.AsyncHttpConnection.handle( at at$ at org.eclipse.jetty.util.thread.QueuedThreadPool.runJob( at org.eclipse.jetty.util.thread.QueuedThreadPool$ at Unfortunately, this is the most detailed information we can get from our logging, even with the SAML_SSO lognode set to Trace. The IdP has been setup with "Use NameID" for the assertion, "Disable NameID policy" checked and Authentication context "Minimum (stronger than)". For Authentication Context Classes, we have "Integrated Windows Authentication" selected. All these settings are as per the answer provided by Jasper as most commonly encountered setups in this topic. Does anyone have a clue what's going wrong here? Edit:  Eric, here's a sample XML response <removed>   Edit 2: Thanks for all the input everybody. In the end the cause was a configuration error at the system administrator (ADFS) side. They had not properly setup the claim rules. Thanks for the pointer in the right direction regarding the SAML response. The important thing I noticed was that the Subject tags didn't have any NameID attribute set and included in the response.   Edit 3: I can't close my topic?
2 answers

Posting a modified version of my comment as an answer so you can accept it and close the topic:

Are you able to see any SAML requests or responses in the SAML Log tab? It's accessible from the SAML admin page. By the looks of it, the NameID might not be populated in your SAML response, which would indicate either:

  • incorrect configuration at the identity provider
  • that some other field is being used as the primary key

Could it be the same problem as this one:

I already have a support feature request for this one.