[ISSUE-11725] Add secondary statusCode messages on error

saml2/saml2-service-provider/src/main/java/org/springframework/security/saml2/provider/service/authentication/OpenSaml4AuthenticationProvider.java

@@ -26,6 +26,9 @@ import java.util.HashMap;
 import java.util.LinkedHashMap;
 import java.util.List;
 import java.util.Map;
+import java.util.Set;
+import java.util.HashSet;
+import java.util.Arrays;
 import java.util.function.Consumer;
 
 import javax.annotation.Nonnull;
@@ -94,6 +97,8 @@ import org.springframework.util.LinkedMultiValueMap;
 import org.springframework.util.MultiValueMap;
 import org.springframework.util.StringUtils;
 
+import static org.opensaml.saml.saml2.core.StatusCode.*;
+
 /**
  * Implementation of {@link AuthenticationProvider} for SAML authentications when
  * receiving a {@code Response} object containing an {@code Assertion}. This
@@ -621,7 +626,17 @@ public final class OpenSaml4AuthenticationProvider implements AuthenticationProv
 		if (response.getStatus().getStatusCode() == null) {
 			return StatusCode.SUCCESS;
 		}
-		return response.getStatus().getStatusCode().getValue();
+
+		Set<String> statusCodes = new HashSet<>(Arrays.asList(REQUESTER, RESPONDER, VERSION_MISMATCH));
+		StatusCode parentStatusCode = response.getStatus().getStatusCode();
+		String parentStatusCodeValue = parentStatusCode.getValue();
+		if (statusCodes.contains(parentStatusCodeValue)) {
+			StatusCode childStatusCode = parentStatusCode.getStatusCode();
+			String childStatusCodeValue = childStatusCode.getValue();
+			return parentStatusCodeValue + childStatusCodeValue;
+		}
+
+		return parentStatusCodeValue;
 	}
 
 	private Converter<AssertionToken, Saml2ResponseValidatorResult> createDefaultAssertionSignatureValidator() {