A customer recently set up SSO login for one of their clients to support an IdP-initiated SSO journey.
SSO login fails with SMAUTHREASON=50. The setup steps were reviewed and signature verification of the assertion succeeds, so the failure is not in the SAML validation itself. Help is needed diagnosing the failure.
Applicable to Access Gateway 12.8.x
SMAUTHREASON 50 corresponds to Sm_Api_Reason_FederationUnacceptedMessage (= 50) in the SiteMinder SDK reason codes.
Because this is an authentication failure, the Policy Server smtrace log is the place to look. The relevant entries, all on the same thread (15178), were:
[Saml2Validator.java][smAuthenticate][][][][][][][][][][][][Plugin is configured? true][15178][12:44:32.939]
[Saml2Validator.java][smAuthenticate][][][][][][][][][][][][Authentication status code: 0 Detail=][15178][12:44:32.939]
[MessageConsumerPluginCache.java][getMessageConsumerPlugin][][][][][][][][][][][][Found cached instance for com.XXXX.XXXX.sso.inbound.clientid.ClientIdRestrictionPlugin][15178][12:44:32.939]
[Saml2Validator.java][smAuthenticate][][][][][][][][][][][][Call out to the plugin to authenticate the user.
ClassName=com.XXXX.XXXX.sso.inbound.clientid.ClientIdRestrictionPluginParameters=XXXXX][15178][12:44:32.939]
[Saml2Validator.java][smAuthenticate][][][][][][][][][][][][Plugin returns authentication status code: 50][15178][12:44:32.948]
The trace shows that the built-in SAML validation succeeded (Authentication status code: 0) and that a custom Message Consumer Plugin (ClientIdRestrictionPlugin) is configured on the partnership. The plugin is called after validation and its return value, 50, becomes the final authentication status reported to the Access Gateway. The failure therefore originates in the customer's plugin logic, not in assertion validation.
The customer was instructed to review the custom plugin and adjust its restriction logic so that the intended users are allowed to authenticate. Once that change was made, SAML SSO succeeded.