SAML Error Codes

This topic documents the error codes and messages that are generated when your IdP returns an invalid SAML response during user login through SSO. The messages can be used to troubleshoot configuration issues related to federated authentication and your IdP.

The errors are displayed with each failed login attempt. They are also stored for up to 7 days in the Snowflake Information Schema and can be queried using the LOGIN_HISTORY , LOGIN_HISTORY_BY_USER table functions.

Error Code Error Message Explanation
390133 SAML_RESPONSE_INVALID The SAML response was invalid for an unspecified reason, although it is most likely malformed (this is also used if there is an error on parsing).
390165 SAML_RESPONSE_INVALID_SIGNATURE The SAML response contains an invalid Signature.
390166 SAML_RESPONSE_INVALID_DIGEST_METHOD The SAML response contains an invalid “DigestMethod” attribute or omits it entirely.
390167 SAML_RESPONSE_INVALID_SIGNATURE_METHOD The SAML response contains an invalid “SignatureMethod” or omits it entirely.
390168 SAML_RESPONSE_INVALID_DESTINATION The “Destination” attribute in the SAML response does not match a valid destination URL on the account.
390169 SAML_RESPONSE_INVALID_AUDIENCE The SAML response does not contain exactly one audience or the audience URL does not match what we expect the audience URL to be.
390170 SAML_RESPONSE_INVALID_MISSING_INRESPONSETO The “InResponseTo” attribute in the SAML assertion is missing.
390171 SAML_RESPONSE_INVALID_RECIPIENT_MISMATCH The “Recipient” attribute does not match a valid destination URL.
390172 SAML_RESPONSE_INVALID_NOTONORAFTER_VALIDATION This typically indicates that the time in which the SAML assertion is valid has expired.
390173 SAML_RESPONSE_INVALID_NOTBEFORE_VALIDATION This typically indicates that the time in which the SAML assertion is valid has not yet come.
390174 SAML_RESPONSE_INVALID_USERNAMES_MISMATCH The login names do not match during re-authentication.
390175 SAML_RESPONSE_INVALID_SESSIONID_MISSING During re-authentication, we were unable to find a session corresponding to the user.
390176 SAML_RESPONSE_INVALID_ACCOUNTS_MISMATCH During re-authentication, the names of the accounts were found to not match.
390177 SAML_RESPONSE_INVALID_BAD_CERT The x.509 certificate contained in the SAML response is either malformed or does not match the expected certificate.