Our SP is having an issue in parsing the '&' character from the SAML attributes. The login is failing for the users whose attribute value contains this character. We have reported this bug and are waiting for the fix.
Till we get the fix we are asking the IDPs to not release the attribute which contains the '&' character. The most likely attribute to contain this character is urn:mace:dir:attribute-def:ou.