Just for the sake of documentation and the rare chance that someone else runs into this:
If the SAML server sends back a SAMLRequest that fails the User_SAML plugin’s validation process, rather than showing that validation error, it just proceeds as if it hadn’t received ANY attributes back from the SAML response.
Why? I don’t know. But, in my case, my SAML server was setting an incorrect “Destination” value in the SAMLResponse. So, even though it was redirecting to the correct ACS endpoint, the validation failed. So, the User_SAML plugin would see an empty set of attributes. So, when it would go to look up a user account, it would fail. Hence, “Account Not Provisioned.”
I had to dig into the OneLogin SAML2 code to figure this out…
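An added illustration of the failure mode described above (example code, not from the User_SAML plugin or OneLogin's library): it parses a constructed SAMLResponse, compares its Destination to the ACS URL it was posted to, and raises a clear error instead of silently yielding an empty attribute set. The hostnames, the sample response and the function names are assumptions.

```python
import xml.etree.ElementTree as ET
from typing import Dict, List, Optional

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Constructed, unsigned and trimmed SAMLResponse whose Destination does NOT
# match the ACS endpoint it was actually delivered to. Hostnames are placeholders.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_r1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z"
    Destination="https://idp.example.test/wrong-acs">
  <saml:Issuer>https://idp.example.test/idp</saml:Issuer>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
    <saml:AttributeStatement>
      <saml:Attribute Name="uid">
        <saml:AttributeValue>jdoe</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""

# Assumed ACS URL of the service provider (placeholder host).
ACS_URL = "https://cloud.example.test/apps/user_saml/saml/acs"


def check_destination(response_xml: str, acs_url: str) -> Optional[str]:
    """Return None if Destination matches acs_url, else a readable reason.
    A missing Destination is accepted here; stricter deployments may reject it."""
    dest = ET.fromstring(response_xml).get("Destination")
    if dest is not None and dest != acs_url:
        return f"Destination {dest!r} does not match ACS URL {acs_url!r}"
    return None


def extract_attributes(response_xml: str, acs_url: str) -> Dict[str, List[str]]:
    """Fail loudly on a Destination mismatch. Returning {} instead is what
    turns a validation error into a misleading 'Account Not Provisioned'."""
    reason = check_destination(response_xml, acs_url)
    if reason:
        raise ValueError(f"SAMLResponse rejected: {reason}")
    root = ET.fromstring(response_xml)
    attrs: Dict[str, List[str]] = {}
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", NS):
        values = [v.text or "" for v in attr.iterfind("saml:AttributeValue", NS)]
        attrs[attr.get("Name", "")] = values
    return attrs
```

Running the check against the raw SAMLResponse captured from the browser is a quick way to confirm a Destination mismatch before digging into the library code.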