SAML Error Codes

This topic documents the error codes and messages that are generated when your IdP returns an invalid SAML response during user login through SSO. The messages can be used to troubleshoot configuration issues related to federated authentication and your IdP.

The errors are displayed with each failed login attempt. They are also stored for up to 7 days in the Snowflake Information Schema and can be queried using the LOGIN_HISTORY and LOGIN_HISTORY_BY_USER table functions.

| Error Code | Error Message | Explanation |
|---|---|---|
| 390133 | SAML_RESPONSE_INVALID | The SAML response was invalid for an unspecified reason, although it is most likely malformed (this is also used if there is an error on parsing). |
| 390165 | SAML_RESPONSE_INVALID_SIGNATURE | The SAML response contains an invalid Signature. |
| 390166 | SAML_RESPONSE_INVALID_DIGEST_METHOD | The SAML response contains an invalid “DigestMethod” attribute or omits it entirely. |
| 390167 | SAML_RESPONSE_INVALID_SIGNATURE_METHOD | The SAML response contains an invalid “SignatureMethod” or omits it entirely. |
| 390168 | SAML_RESPONSE_INVALID_DESTINATION | The “Destination” attribute in the SAML response does not match a valid destination URL on the account. |
| 390169 | SAML_RESPONSE_INVALID_AUDIENCE | The SAML response does not contain exactly one audience or the audience URL does not match what we expect the audience URL to be. |
| 390170 | SAML_RESPONSE_INVALID_MISSING_INRESPONSETO | The “InResponseTo” attribute in the SAML assertion is missing. |
| 390171 | SAML_RESPONSE_INVALID_RECIPIENT_MISMATCH | The “Recipient” attribute does not match a valid destination URL. |
| 390172 | SAML_RESPONSE_INVALID_NOTONORAFTER_VALIDATION | This typically indicates that the time in which the SAML assertion is valid has expired. |
| 390173 | SAML_RESPONSE_INVALID_NOTBEFORE_VALIDATION | This typically indicates that the time in which the SAML assertion is valid has not yet come. |
| 390174 | SAML_RESPONSE_INVALID_USERNAMES_MISMATCH | The login names do not match during re-authentication. |
| 390175 | SAML_RESPONSE_INVALID_SESSIONID_MISSING | During re-authentication, we were unable to find a session corresponding to the user. |
| 390176 | SAML_RESPONSE_INVALID_ACCOUNTS_MISMATCH | During re-authentication, the names of the accounts were found to not match. |
| 390177 | SAML_RESPONSE_INVALID_BAD_CERT | The X.509 certificate contained in the SAML response is either malformed or does not match the expected certificate. |
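
The following queries are an added example, not part of the original page. They use the LOGIN_HISTORY and LOGIN_HISTORY_BY_USER table functions mentioned above to find failed SSO logins that carry one of the listed SAML error codes. The argument and column names are the ones these functions expose in the Information Schema; the user name `JSMITH` and the time windows are placeholders chosen for illustration.

```sql
-- Added example: summarize failed SSO logins over the retention window (7 days),
-- grouped by SAML error code and user. The code range is taken from this page.
SELECT
    error_code,
    error_message,
    user_name,
    COUNT(*)                  AS failures,
    COUNT(DISTINCT client_ip) AS distinct_client_ips,
    MIN(event_timestamp)      AS first_seen,
    MAX(event_timestamp)      AS last_seen
FROM TABLE(
    information_schema.login_history(
        TIME_RANGE_START => DATEADD('day', -7, CURRENT_TIMESTAMP()),
        TIME_RANGE_END   => CURRENT_TIMESTAMP(),
        RESULT_LIMIT     => 10000   -- the default limit is much lower
    )
)
WHERE is_success = 'NO'
  AND (error_code = 390133 OR error_code BETWEEN 390165 AND 390177)
GROUP BY error_code, error_message, user_name
ORDER BY failures DESC, last_seen DESC;

-- Added example: drill into one user's recent failures.
-- 'JSMITH' is a placeholder login name.
SELECT
    event_timestamp,
    client_ip,
    reported_client_type,
    error_code,
    error_message
FROM TABLE(
    information_schema.login_history_by_user(
        USER_NAME        => 'JSMITH',
        TIME_RANGE_START => DATEADD('hour', -24, CURRENT_TIMESTAMP()),
        RESULT_LIMIT     => 1000
    )
)
WHERE is_success = 'NO'
  AND (error_code = 390133 OR error_code BETWEEN 390165 AND 390177)
ORDER BY event_timestamp DESC;
```

When reading the summary, compare how widely a code is spread across users and client IPs: the same code failing for every user suggests an account-level or IdP-level configuration problem, while a code confined to one user points to that user's session or client.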