AuthnContext doesn't match RequestedAuthnContext

Exception:

com.sun.identity.saml2.common.SAML2Exception

Possibility 1:

If preceded in the log file by: SAML2Utils.isAuthnContextMatching: AuthnContextClassRef urn:oasis:names:tc:SAML:2.0:ac:classes:TimeSyncToken is not supported.

Reason:

sp-extended.xml (spAuthncontextClassrefMapping) and idp-extended.xml (idpAuthncontextClassrefMapping) both hold a list of supported 'login tokens' (AuthnContextClassRef values). The AuthnContextClassRef sent by the IDP (usually the first in its list) must also appear in the list on the SP; if it does not, the SP rejects it as "not supported".

Possibility 2:

Stack trace shows:

com.sun.identity.saml2.plugins.DefaultSPAuthnContextMapper.getAuthLevel(...)

Reason:

It was SP-initiated SSO, where the SP requests a specific AuthnContext: either the one marked with "|default" in the sp-extended.xml property "spAuthncontextClassrefMapping" or, when no default is marked, all of them. If the IDP then sends an AuthnContextClassRef that is not among the requested ones, this error occurs. One solution is to add the missing AuthnContextClassRef to this property and not mark any entry as default, so that all of them are requested and acceptable. Another solution is to give all entries the same authlevel ("|0") and set "spAuthncontextComparisonType" to "minimum"; the SP then accepts any AuthnContext whose authlevel is the same as, or higher than, the requested one.
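The following is an added example, not OpenAM's own code: a small model of the SP-side decision that produces this error, so the two fixes above can be checked against a mapping before editing sp-extended.xml. It assumes the "classref|authlevel[|default]" value format and the "exact"/"minimum" comparison types described above; the class refs and mapping values are constructed sample data.

```python
# Added example, not OpenAM's own code: models how an SP decides whether the
# AuthnContextClassRef returned by the IdP satisfies its RequestedAuthnContext.
# Assumes the "classref|authlevel[|default]" mapping format and the
# "exact"/"minimum" comparison types described in the text.

def parse_mapping(entries):
    """Map each AuthnContextClassRef to its authlevel; also return the one marked |default."""
    levels, default = {}, None
    for entry in entries:
        parts = entry.split("|")
        classref = parts[0]
        levels[classref] = int(parts[1]) if len(parts) > 1 and parts[1] else 0
        if len(parts) > 2 and parts[2] == "default":
            default = classref
    return levels, default


def requested_classrefs(levels, default):
    """SP-initiated SSO requests only the default classref if one is marked, else all of them."""
    return [default] if default else list(levels)


def idp_context_accepted(returned, mapping_entries, comparison="exact"):
    """True when the IdP's AuthnContextClassRef satisfies what the SP requested."""
    levels, default = parse_mapping(mapping_entries)
    if returned not in levels:
        return False  # Possibility 1: the classref is not in the SP's list at all
    requested = requested_classrefs(levels, default)
    if comparison == "exact":
        return returned in requested  # Possibility 2 when the IdP picks a non-requested one
    if comparison == "minimum":
        # accept any classref whose authlevel equals or exceeds the requested one
        return levels[returned] >= min(levels[r] for r in requested)
    raise ValueError("unsupported spAuthncontextComparisonType: " + comparison)


PASSWORD = "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport"
KERBEROS = "urn:oasis:names:tc:SAML:2.0:ac:classes:Kerberos"
TIMESYNC = "urn:oasis:names:tc:SAML:2.0:ac:classes:TimeSyncToken"

# Constructed sp-extended.xml values: Password is the default, both at authlevel 0.
WITH_DEFAULT = [PASSWORD + "|0|default", KERBEROS + "|0"]
# First fix from the text: no |default, so every classref is requested.
NO_DEFAULT = [PASSWORD + "|0", KERBEROS + "|0"]

if __name__ == "__main__":
    print(idp_context_accepted(KERBEROS, WITH_DEFAULT))             # False: error reproduced
    print(idp_context_accepted(KERBEROS, NO_DEFAULT))               # True: first fix
    print(idp_context_accepted(KERBEROS, WITH_DEFAULT, "minimum"))  # True: second fix
    print(idp_context_accepted(TIMESYNC, WITH_DEFAULT, "minimum"))  # False: Possibility 1
```

The last call shows that the "minimum" comparison does not help when the returned classref is missing from the SP mapping entirely; that case still needs the entry added.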