Federated Authentication & SSO Error Codes
This topic documents the error codes and messages that are generated during an unsuccessful user login attempt. The messages can be used to troubleshoot configuration issues related to federated authentication and your IdP.
The errors are displayed with each failed login attempt. Historical data is also available in Snowflake Information Schema and Account Usage:
- Information Schema provides data from within the past 7 days and can be queried using the LOGIN_HISTORY, LOGIN_HISTORY_BY_USER table functions.
- The Account Usage LOGIN_HISTORY View provides data from within the past year.
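The two queries below are an added example, not part of the original documentation. They pull failed logins carrying the error codes listed in the tables on this page from both history sources. The 30-day and 24-hour windows and the 1000-row limit are arbitrary choices.

```sql
-- Added example. Windows and limits are assumptions; adjust to your needs.

-- 1) Account Usage view (up to one year of history):
--    which federated/SAML errors occur, for which users, and how often.
SELECT
    error_code,
    error_message,
    user_name,
    COUNT(*)                  AS failures,
    COUNT(DISTINCT client_ip) AS distinct_client_ips,
    MIN(event_timestamp)      AS first_seen,
    MAX(event_timestamp)      AS last_seen
FROM snowflake.account_usage.login_history
WHERE is_success = 'NO'
  AND event_timestamp >= DATEADD('day', -30, CURRENT_TIMESTAMP())
  AND (   error_code = 390133                        -- SAML_RESPONSE_INVALID
       OR error_code BETWEEN 390135 AND 390140       -- FED_* codes
       OR error_code BETWEEN 390165 AND 390184       -- SAML_RESPONSE_INVALID_* codes
       OR error_code IN (390191, 390192))            -- USERNAMES_MISMATCH, FED_AUTHN_USER_DISABLED
GROUP BY error_code, error_message, user_name
ORDER BY failures DESC;

-- 2) Information Schema table function (past 7 days only):
--    individual recent failures, newest first. Requires a database in the
--    session context. RESULT_LIMIT applies before the WHERE filter, so only
--    the most recent 1000 login events in the window are examined.
SELECT
    event_timestamp,
    user_name,
    client_ip,
    reported_client_type,
    first_authentication_factor,
    error_code,
    error_message
FROM TABLE(information_schema.login_history(
         TIME_RANGE_START => DATEADD('hour', -24, CURRENT_TIMESTAMP()),
         RESULT_LIMIT     => 1000))
WHERE is_success = 'NO'
  AND (   error_code = 390133
       OR error_code BETWEEN 390135 AND 390140
       OR error_code BETWEEN 390165 AND 390184
       OR error_code IN (390191, 390192))
ORDER BY event_timestamp DESC;
```

To narrow the second query to a single account, use the LOGIN_HISTORY_BY_USER table function with a `USER_NAME` argument in place of LOGIN_HISTORY.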
Federated Authentication Error Codes
The table below contains the error codes and messages related to federated authentication.
Error Code | Error | Description |
---|---|---|
390135 | FED_AUTHN_DISABLED | Federated authentication method is not enabled for your account. Contact Snowflake support. |
390136 | FED_REAUTH_PENDING | Authentication response is pending from IDP. |
390137 | FED_REAUTH | Federated authentication request URL is generated. |
390138 | FED_REAUTH_TIMEOUT | Timeout waiting for authentication response from IDP. |
390139 | AUTHENTICATOR_NOT_SUPPORTED | The specified authenticator is not accepted by your Snowflake account configuration. Please contact your local system administrator to get the correct URL to use. |
390140 | FED_PASSWORD_EXPIRED | Snowflake password has expired. Password must be changed using your Snowflake’s credential via the Snowflake web console. |
390191 | USERNAMES_MISMATCH | The user you were trying to authenticate as differs from the user currently logged in at the IDP. |
390192 | FED_AUTHN_USER_DISABLED | Federated authentication method is not enabled for your user. Contact Snowflake support. |
SAML Error Codes
The table below contains the error codes and messages that are generated when your IdP returns an invalid SAML response during user login through SSO.
Error Code | Error | Description |
---|---|---|
390133 | SAML_RESPONSE_INVALID | The SAML response was invalid for an unspecified reason, although it is most likely malformed (this is also used if there is an error on parsing). |
390165 | SAML_RESPONSE_INVALID_SIGNATURE | The SAML response contains an invalid Signature. |
390166 | SAML_RESPONSE_INVALID_DIGEST_METHOD | The SAML response contains an invalid “DigestMethod” attribute or omits it entirely. |
390167 | SAML_RESPONSE_INVALID_SIGNATURE_METHOD | The SAML response contains an invalid “SignatureMethod” or omits it entirely. |
390168 | SAML_RESPONSE_INVALID_DESTINATION | The “Destination” attribute in the SAML response does not match a valid destination URL on the account. |
390169 | SAML_RESPONSE_INVALID_AUDIENCE | The SAML response does not contain exactly one audience or the audience URL does not match what we expect the audience URL to be. |
390170 | SAML_RESPONSE_INVALID_MISSING_INRESPONSETO | The “InResponseTo” attribute in the SAML assertion is missing. |
390171 | SAML_RESPONSE_INVALID_RECIPIENT_MISMATCH | The “Recipient” attribute does not match a valid destination URL. |
390172 | SAML_RESPONSE_INVALID_NOTONORAFTER_VALIDATION | This typically indicates that the time in which the SAML assertion is valid has expired. |
390173 | SAML_RESPONSE_INVALID_NOTBEFORE_VALIDATION | This typically indicates that the time in which the SAML assertion is valid has not yet come. |
390174 | SAML_RESPONSE_INVALID_USERNAMES_MISMATCH | The login names do not match during re-authentication. |
390175 | SAML_RESPONSE_INVALID_SESSIONID_MISSING | During re-authentication, we were unable to find a session corresponding to the user. |
390176 | SAML_RESPONSE_INVALID_ACCOUNTS_MISMATCH | During re-authentication, the names of the accounts were found to not match. |
390177 | SAML_RESPONSE_INVALID_BAD_CERT | The x.509 certificate contained in the SAML response is either malformed or does not match the expected certificate. |
390178 | SAML_RESPONSE_INVALID_PROOF_KEY_MISMATCH | The proof keys do not match with respect to the authentication request ID. |
390179 | SAML_RESPONSE_INVALID_INTEGRATION_MISCONFIGURATION | The SAML IdP configuration is invalid. |
390180 | SAML_RESPONSE_INVALID_REQUEST_PAYLOAD | During authentication, using an invalid payload or using an invalid federated OAuth connection string. |
390181 | SAML_RESPONSE_INVALID_MISSING_SUBJECT_CONFIRMATION_BEARER | The Subject confirmation with Bearer method is missing and cannot be validated. |
390182 | SAML_RESPONSE_INVALID_MISSING_SUBJECT_CONFIRMATION_DATA | The Subject confirmation data is missing in the assertion. |
390183 | SAML_RESPONSE_INVALID_CONDITIONS | The SAML assertion is not valid for a reason that is different than the preceding conditions in this table. |
390184 | SAML_RESPONSE_INVALID_ISSUER | The SAML Response contained an issuer/entityID value different from the one configured in the SAML IDP Configuration. |