SAML Error Codes
This topic documents the error codes and messages that are generated when your IdP returns an invalid SAML response during user login through SSO. The messages can be used to troubleshoot configuration issues related to federated authentication and your IdP.
The errors are displayed with each failed login attempt. They are also stored for up to 7 days in the Snowflake Information Schema and can be queried using the LOGIN_HISTORY, LOGIN_HISTORY_BY_USER table functions.
Error Code | Error Message | Explanation |
---|---|---|
390133 | SAML_RESPONSE_INVALID | The SAML response was invalid for an unspecified reason, although it is most likely malformed (this is also used if there is an error on parsing). |
390165 | SAML_RESPONSE_INVALID_SIGNATURE | The SAML response contains an invalid Signature. |
390166 | SAML_RESPONSE_INVALID_DIGEST_METHOD | The SAML response contains an invalid “DigestMethod” attribute or omits it entirely. |
390167 | SAML_RESPONSE_INVALID_SIGNATURE_METHOD | The SAML response contains an invalid “SignatureMethod” or omits it entirely. |
390168 | SAML_RESPONSE_INVALID_DESTINATION | The “Destination” attribute in the SAML response does not match a valid destination URL on the account. |
390169 | SAML_RESPONSE_INVALID_AUDIENCE | The SAML response does not contain exactly one audience or the audience URL does not match what we expect the audience URL to be. |
390170 | SAML_RESPONSE_INVALID_MISSING_INRESPONSETO | The “InResponseTo” attribute in the SAML assertion is missing. |
390171 | SAML_RESPONSE_INVALID_RECIPIENT_MISMATCH | The “Recipient” attribute does not match a valid destination URL. |
390172 | SAML_RESPONSE_INVALID_NOTONORAFTER_VALIDATION | This typically indicates that the time in which the SAML assertion is valid has expired. |
390173 | SAML_RESPONSE_INVALID_NOTBEFORE_VALIDATION | This typically indicates that the time in which the SAML assertion is valid has not yet come. |
390174 | SAML_RESPONSE_INVALID_USERNAMES_MISMATCH | The login names do not match during re-authentication. |
390175 | SAML_RESPONSE_INVALID_SESSIONID_MISSING | During re-authentication, we were unable to find a session corresponding to the user. |
390176 | SAML_RESPONSE_INVALID_ACCOUNTS_MISMATCH | During re-authentication, the names of the accounts were found to not match. |
390177 | SAML_RESPONSE_INVALID_BAD_CERT | The X.509 certificate contained in the SAML response is either malformed or does not match the expected certificate. |
390178 | SAML_RESPONSE_INVALID_PROOF_KEY_MISMATCH | The proof keys do not match with respect to the authentication request ID. |
390179 | SAML_RESPONSE_INVALID_INTEGRATION_MISCONFIGURATION | The SAML IdP configuration is invalid. |
390180 | SAML_RESPONSE_INVALID_REQUEST_PAYLOAD | An invalid payload or an invalid federated OAuth connection string was used during authentication. |
390181 | SAML_RESPONSE_INVALID_MISSING_SUBJECT_CONFIRMATION_BEARER | The Subject confirmation with Bearer method is missing and cannot be validated. |
390182 | SAML_RESPONSE_INVALID_MISSING_SUBJECT_CONFIRMATION_DATA | The Subject confirmation data is missing in the assertion. |
390183 | SAML_RESPONSE_INVALID_CONDITIONS | The SAML assertion is not valid for a reason that is different than the preceding conditions in this table. |
390184 | SAML_RESPONSE_INVALID_ISSUER | The SAML Response contained an issuer/entityID value different from the one configured in the SAML IDP Configuration. |
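
The queries below are an added example, not part of the original page. They show one way to pull the SAML errors listed in this table out of the LOGIN_HISTORY and LOGIN_HISTORY_BY_USER table functions. The 24-hour window, the result limit and the user name `JSMITH` are assumptions chosen for illustration.

```sql
-- Failed logins from the last 24 hours that carry one of the SAML error
-- codes documented above, grouped so that a recurring failure stands out
-- from a one-off.
SELECT
    error_code,
    error_message,
    user_name,
    client_ip,
    COUNT(*)             AS failures,
    MIN(event_timestamp) AS first_seen,
    MAX(event_timestamp) AS last_seen
FROM TABLE(information_schema.login_history(
         time_range_start => DATEADD('hours', -24, CURRENT_TIMESTAMP()),
         result_limit     => 10000))
WHERE is_success = 'NO'
  -- 390133 is the generic code; 390165-390184 are the specific SAML codes.
  AND (error_code = 390133 OR error_code BETWEEN 390165 AND 390184)
GROUP BY error_code, error_message, user_name, client_ip
ORDER BY failures DESC, last_seen DESC;

-- Per-user view: every attempt by one user in the same window, successful
-- or not, so a SAML failure can be read next to the logins around it.
-- 'JSMITH' is a placeholder user name.
SELECT
    event_timestamp,
    is_success,
    error_code,
    error_message,
    first_authentication_factor,
    client_ip,
    reported_client_type
FROM TABLE(information_schema.login_history_by_user(
         user_name        => 'JSMITH',
         time_range_start => DATEADD('hours', -24, CURRENT_TIMESTAMP()),
         result_limit     => 1000))
ORDER BY event_timestamp DESC;
```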