A number of different error messages may appear, all originating from the WSS error page. The main strings to look for are:
Note: No browsing will be possible unless unauthenticated users are allowed through.
The recent WSS update shipped with a new SAML feature which allows an admin define whether or not the SAML AuthnRequests are signed or not. As this feature was enabled by default, the AuthnRequests generated by WSS SAML SP could not be processed on the SAML IDP server side unless it has access to the signing certificate. Since the IDP server was unchanged and no certificate imported to validate the signature, the IDP server would respond with a status of "Responder" and not include any assertion info about the user.
Disable the option to Sign Authentication Requests on the SAML Configutration tab as shown below:
Note that this option has been removed temporarely and will be included in future release.