Federated Authentication & SSO Error Codes

This topic documents the error codes and messages that are generated during an unsuccessful user login attempt. The messages can be used to troubleshoot configuration issues related to federated authentication and your IdP.

The errors are displayed with each failed login attempt. Historical data is also available in Information Schema and Account Usage:

Federated Authentication Error Codes

The table below contains the error codes and messages related to federated authentication.

| Error Code | Error | Description |
|---|---|---|
| 390135 | FED_AUTHN_DISABLED | Federated authentication method is not enabled for your account. Contact Snowflake support. |
| 390136 | FED_REAUTH_PENDING | Authentication response is pending from IDP. |
| 390137 | FED_REAUTH | Federated authentication request URL is generated. |
| 390138 | FED_REAUTH_TIMEOUT | Timeout waiting for authentication response from IDP. |
| 390139 | AUTHENTICATOR_NOT_SUPPORTED | The specified authenticator is not accepted by your Snowflake account configuration. Please contact your local system administrator to get the correct URL to use. |
| 390140 | FED_PASSWORD_EXPIRED | Snowflake password has expired. Password must be changed using your Snowflake’s credential via the Snowflake web console. |
| 390191 | USERNAMES_MISMATCH | The user you were trying to authenticate as differs from the user currently logged in at the IDP. |
| 390192 | FED_AUTHN_USER_DISABLED | Federated authentication method is not enabled for your user. Contact Snowflake support. |

SAML Error Codes

The table below contains the error codes and messages that are generated when your IdP returns an invalid SAML response during user login through SSO.

| Error Code | Error | Description |
|---|---|---|
| 390133 | SAML_RESPONSE_INVALID | The SAML response was invalid for an unspecified reason, although it is most likely malformed (this is also used if there is an error on parsing). |
| 390165 | SAML_RESPONSE_INVALID_SIGNATURE | The SAML response contains an invalid Signature. |
| 390166 | SAML_RESPONSE_INVALID_DIGEST_METHOD | The SAML response contains an invalid “DigestMethod” attribute or omits it entirely. |
| 390167 | SAML_RESPONSE_INVALID_SIGNATURE_METHOD | The SAML response contains an invalid “SignatureMethod” or omits it entirely. |
| 390168 | SAML_RESPONSE_INVALID_DESTINATION | The “Destination” attribute in the SAML response does not match a valid destination URL on the account. |
| 390169 | SAML_RESPONSE_INVALID_AUDIENCE | The SAML response does not contain exactly one audience or the audience URL does not match what we expect the audience URL to be. |
| 390170 | SAML_RESPONSE_INVALID_MISSING_INRESPONSETO | The “InResponseTo” attribute in the SAML assertion is missing. |
| 390171 | SAML_RESPONSE_INVALID_RECIPIENT_MISMATCH | The “Recipient” attribute does not match a valid destination URL. |
| 390172 | SAML_RESPONSE_INVALID_NOTONORAFTER_VALIDATION | This typically indicates that the time in which the SAML assertion is valid has expired. |
| 390173 | SAML_RESPONSE_INVALID_NOTBEFORE_VALIDATION | This typically indicates that the time in which the SAML assertion is valid has not yet come. |
| 390174 | SAML_RESPONSE_INVALID_USERNAMES_MISMATCH | The login names do not match during re-authentication. |
| 390175 | SAML_RESPONSE_INVALID_SESSIONID_MISSING | During re-authentication, we were unable to find a session corresponding to the user. |
| 390176 | SAML_RESPONSE_INVALID_ACCOUNTS_MISMATCH | During re-authentication, the names of the accounts were found to not match. |
| 390177 | SAML_RESPONSE_INVALID_BAD_CERT | The x.509 certificate contained in the SAML response is either malformed or does not match the expected certificate. |
| 390178 | SAML_RESPONSE_INVALID_PROOF_KEY_MISMATCH | The proof keys do not match with respect to the authentication request ID. |
| 390179 | SAML_RESPONSE_INVALID_INTEGRATION_MISCONFIGURATION | The SAML IdP configuration is invalid. |
| 390180 | SAML_RESPONSE_INVALID_REQUEST_PAYLOAD | During authentication, using an invalid payload or using an invalid federated OAuth connection string. |
| 390181 | SAML_RESPONSE_INVALID_MISSING_SUBJECT_CONFIRMATION_BEARER | The Subject confirmation with Bearer method is missing and cannot be validated. |
| 390182 | SAML_RESPONSE_INVALID_MISSING_SUBJECT_CONFIRMATION_DATA | The Subject confirmation data is missing in the assertion. |
| 390183 | SAML_RESPONSE_INVALID_CONDITIONS | The SAML assertion is not valid for a reason that is different than the preceding conditions in this table. |
| 390184 | SAML_RESPONSE_INVALID_ISSUER | The SAML Response contained an issuer/entityID value different from the one configured in the SAML IDP Configuration. |