If you encounter any Security Assertion Markup Language (SAML) app error messages, here are some troubleshooting steps to help you.

Encode or decode SAML requests and responses

To aid in troubleshooting, use the SAML encode/decode tool to process a SAML request and response in human-readable form from the HTTP Archive Format (HAR) file. See https://toolbox.googleapps.com/apps/encode_decode/.

SAML App creation errors

While creating a SAML app in the Admin console, you might see the following 400 error:

400 duplicate entity id

You'll see this if you try to create an application with an already existing entity ID.

To resolve the 400 duplicate entity id error: Use the already configured application or use a different entity ID.

500 errors for SAML app creation

While creating a SAML app in the Admin console, you might see the following 500 errors:
To resolve any 500 errors for SAML app creation: Wait for a while and then try the flow again. If errors still occur, contact .

SAML runtime errors

The following error scenarios might occur when you try out a SAML single sign-on (SSO) flow in identity provider (IdP)-initiated or service provider (SP)-initiated flows:

403 app_not_configured

This error can occur in these scenarios:
To resolve the 403 app_not_configured error:

403 app_not_configured_for_user

To resolve the 403 app_not_configured_for_user error: Verify that the value in the saml:Issuer tag in the SAMLRequest matches the Entity ID value configured in the SAML Service Provider Details section in the Admin console. This value is case-sensitive.

403 app_not_enabled_for_user

To resolve the 403 app_not_enabled_for_user error:

400 saml_invalid_user_id_mapping

If an SP sends a NAMEID parameter in the SAMLRequest, then this parameter must be the same as that configured on the IdP side. Otherwise the SAMLRequest fails with this error.

To resolve the 400 saml_invalid_user_id_mapping error:

400 saml_invalid_sp_id

This error occurs when the service provider ID in the URL of the IdP flow is incorrect, because of misconfiguration or tampering with the URL.

To resolve the 400 saml_invalid_sp_id error:

The SAML Response sends back a status of DENIED for the following scenarios. You might see one of the following three related error messages.

SP-initiated Flow

Invalid request, ACS URL in request $parameter doesn't match configured ACS URL $parameter.

In this case, the ACS URL specified in the SAMLRequest and the ACS URL configured in the Admin console for the corresponding application do not match.

To resolve the ACS URL in request $parameter doesn't match configured ACS URL $parameter error:

Invalid idpid provided in the url

The IdP ID (an obfuscated customer ID) provided in the URL has been tampered with and is incorrect.

To resolve the invalid IdP ID in URL error:

IdP-initiated Flow

Invalid idpid provided in the request.

The caller user has tampered with the IdP-initiated SSO URL and changed the IdP ID to another customer ID (obfuscated).

To resolve the invalid IdP ID in request error:

500 errors when testing a SAML SSO flow

When your users are testing a SAML SSO flow in IdP-initiated or SP-initiated flows, they may encounter one of several 500 errors due to backend processes being unavailable.

To resolve any 500 errors for testing a SAML SSO flow: Wait and then try the flow again. If this still doesn’t work, contact .

SAML app access error messages

1000 on access of SAML app page

To resolve the SAML app page access error: Contact .

1000 on access of SAML app settings

To resolve the SAML app settings access error: Contact .

SAML app user schema deletion error message

400

This error occurs if you are trying to delete a custom schema that is associated as an attribute mapping for a SAML app that has already been deleted. If you have created the schema before this issue was fixed, this error can occur.
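
The saml:Issuer and ACS URL comparisons described above can also be run offline on a SAMLRequest value copied from a HAR file. The Python script below is an added example, not part of the original article or of Google's tooling; the function names, the sample request and the example.com URLs are constructed for illustration.

```python
import base64
import zlib
import xml.etree.ElementTree as ET
from urllib.parse import unquote

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample AuthnRequest, not captured from a real service provider.
SAMPLE_XML = (
    '<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_constructed1" '
    'Version="2.0" AssertionConsumerServiceURL="https://sp.example.com/acs">'
    '<saml:Issuer>https://SP.example.com/metadata</saml:Issuer>'
    '</samlp:AuthnRequest>'
)

def encode_redirect(xml_text):
    """Encode XML the way the HTTP-Redirect binding does: raw DEFLATE, then base64."""
    comp = zlib.compressobj(wbits=-15)
    return base64.b64encode(comp.compress(xml_text.encode()) + comp.flush()).decode()

def decode_saml_request(value):
    """Return the XML carried in a SAMLRequest parameter copied from a HAR file."""
    raw = base64.b64decode(unquote(value))
    if raw.lstrip().startswith(b"<"):
        return raw.decode("utf-8")                    # HTTP-POST binding: base64 only
    return zlib.decompress(raw, -15).decode("utf-8")  # HTTP-Redirect binding

def check_request(xml_text, entity_id, acs_url):
    """Compare Issuer and ACS URL with the configured values; return mismatches."""
    # Parse only requests from your own HAR capture; use defusedxml for untrusted XML.
    root = ET.fromstring(xml_text)
    issuer = root.findtext("saml:Issuer", default="", namespaces=NS).strip()
    acs = root.get("AssertionConsumerServiceURL")
    problems = []
    if issuer != entity_id:  # exact, case-sensitive comparison
        hint = " (differs only by case)" if issuer.lower() == entity_id.lower() else ""
        problems.append(f"Issuer {issuer!r} != Entity ID {entity_id!r}{hint}")
    if acs is not None and acs != acs_url:
        problems.append(f"ACS URL {acs!r} != configured ACS URL {acs_url!r}")
    return problems

if __name__ == "__main__":
    xml_text = decode_saml_request(encode_redirect(SAMPLE_XML))
    for line in check_request(xml_text, "https://sp.example.com/metadata",
                              "https://sp.example.com/acs"):
        print(line)
```

Pass the Entity ID and ACS URL exactly as they appear in the SAML Service Provider Details section of the Admin console; an empty result means both values in the request match.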