Was this article helpful?
Thanks for your feedback.
What are the SAML Error Codes?
Feedback?Security Assertion Markup Language
What are the SAML error codes?
Where can I find a list of SAML Single Sign-On related error numbers?
SSO error code list
Solution:
See the table below for common Security Assertion Markup Language (SAML) errors:
| Error Code | Description of symptom | Possible Cause | Suggested resolution |
| 1 | SSO protocol error | This is general SSO exception, some run time exceptions are wrapped to this Error code | Check with Webex Technical Support |
| 4 | No X.509 certificate found in the system | The Webex administrator has not configured the certificate | Check Webex administration tool for 'Organization Certificate Management' and configure the certificate |
| 5 | Only POST request is supported | When IdP system send assertion to Webex Service, only the 'post' method is accepted | Check the trace, if it's the 'get' method, update the IdP configuration |
| 7 | The org is not allowed to use SSO | The Webex service is not SSO enabled, or the protocol configured is wrong | Contact Webex Technical Support to check if SSO is turned on and/or check administration tool if the protocol is correct |
| 8 | Incorrect X.509 certificate to validate SAML assertion | Webex service admin has configured the org certificate, but it doesn't match the certificate in IdP system | Refer to the section of 'Customer ID system Configuration' to see the certification mapping between the org admin and IdP system |
| 13 | Invalid SAML Assertion | Certificate is correct, but the assertion verification is fail | Check the assertion string, if it's complete. Take a trace and validate the assertion fields |
| 15 | X.509 certificate has expired | X.509 certificate has expired | Check administration tool 'Organization Certificate Management' and update the certificate |
| 19 | SAML assertion is expired | SAML assertion is expired. Normally caused by time mismatch between IdP and Webex service | Contact Webex Technical Support |
| 23 | Invalid digital signature | The digital signature in assertion is not correct | Take a trace and check the assertion, the digital signature is missing or invalid |
| 24 | Untrusted Issuer | The issuer ID doesn't match between IdP system and Webex service | Compare the issuer ID between two systems |
| 25 | Name Identifier format is incorrect | The name identifier format doesn't match between IdP system and Webex service | Compare the name identifier format between two systems |
| 26 | Unable to generate AuthnRequest | The Webex administration tool has checked the authnRequst, but failed to generate | Normally it's Webex certificate issue, check org admin 'Webex Certificate Management' |
| 28 | InResponseTo does not match the request ID | The 'InResponseTo' in assertion doesn't match the request, normally caused by the following: 1. the assertion is re-used, or page was flushed, assertion was sent again 2. the request sent from CAS server 1, but the response sent back to CAS server 2. and they don't share DB | 1. the assertion can't be reused. 2. check the IdP system, if the 'Assertion Consumer Service URL' is incorrect, point to wrong Webex server |
| 29 | Invalid Response message | 1. tag is missing from Assertion 2. tag is not first child of Response or Assertion 3. The Assertion is not base64 encoded when sent to Webex. 4. The name of the POST response is not set as SAMLResponse (case must match). 5. Double check that the AuthnContextstyleRef matches. Check character by character. On occasions a missing ':' has caused this issue. | Check the Assertion and confirm none of the possible causes exist. If the issue continues to occur once confirming/correcting these issues, contact Webex Technical Support. |
| 31 | Auto Account Creation failed | Can't find the user in Webex Service by nameid in the assertion | 1. the user exists, but the 'nameid' in assertion is incorrect, can't auto create because the email conflict 2. the user does not exist, but the mandatory attributes are missing: (firstname, lastname, email) |
| 32 | Auto Account Update failed | Anything that causes error 31 could also result in error 32 when updating accounts. The assertion contains an attribute value that is not supported by the site, or is not formatted properly. (Example: Meeting type (MT) sent in the assertion is not available on the Webex site.) | Review attributes being sent in the assertion and compare with the options available/required on the Webex site, correct as needed. |
For more SAML error codes, see:
SSO Error Codes
For help uploading an X.509 Certificate, see:
Was this article helpful?
