PingOne for Enterprise

Error code reference

The following table describes common error messages in PingOne for Enterprise and PingOne SSO for SaaS Apps.

Error message 1 is the text of the error message that displays to users. Error message 2 is the message that PingOne for Enterprise logs for internal review.

| Error Code | Description | Error message 1 | Error message 2 |
| --- | --- | --- | --- |
| AUTHN_005 | Invalid session. | It looks like your session has expired or is invalid. Please sign in (SSO) again. | It looks like your session has expired or is invalid. Please sign in (SSO) again. |
| AUTHN_209 | OpenToken decoding error. | We received an error while decoding the authentication response. Check your configuration or contact Ping Identity Customer Support. | Error in decoding authentication response. Please verify your configuration. |
| AUTHZ_001 | User is not in an authorized group for this application. | Sorry, you’re not authorized to access the requested resource. Check that you belong to one of the authorized groups. | You are not authorized to access the target resource. Please verify that you belong to one of the authorized group(s). |
| MFA_001 | Multi-factor authentication (MFA) failure. | The multi-factor authentication was not successful. Please try again. | The multi-factor authentication was not successful. |
| MFA_003 | Missing PPM response. | Missing PPMResponse | Missing PPMResponse |
| MFA_005 | Unsigned PPM response. | The PPMResponse that we received is not signed. | The PPMResponse that we received is not signed. |
| MFA_006 | Invalid signature for PPM response. | The signature of PPMResponse that we received is not valid. Please make sure that the key imported to PingOne matches the signing key configured in the authentication module. | The signature of PPMResponse that we received is not valid. Please make sure that the key imported to PingOne matches the signing key configured in the authentication module. |
| MFA_008 | Expired MFA response. | The assertion from 2nd factor authentication module has expired. | The assertion from 2nd factor authentication module has expired. |
| MFA_009 | Invalid nonce in PPM Response. | The nonce in PPMResponse must be the same as the one in PPMRequest. | The nonce in PPMResponse must be the same as the one in PPMRequest. |
| MFA_010 | Username in PPM response doesn’t match PPM request. | The user in PPMResponse must be the same as the one in PPMRequest. | The user in PPMResponse must be the same as the one in PPMRequest. |
| OIDC_001 | Invalid ID token from IdP. | The id token from authorization service is invalid. | The id token from authorization service is invalid. |
| OIDC_002 | Failed to get tokens from IdP. | Unable to retrieve tokens from authorization service. Please try again later. | Unable to retrieve tokens from authorization service. Please try again later. |
| OIDC_003 | Invalid userinfo response from IdP. | The userinfo response from authorization service is invalid. | The userinfo response from authorization service is invalid. |
| OIDC_004 | Invalid Google API credentials (Google IdP only). | A call to the Google Directory API service was rejected due to invalid credentials. | A call to the Google Directory API service was rejected due to invalid credentials. |
| REQ_001 | Connection for this idpid and saasid combination is disabled or doesn’t exist. | We’re unable to process the SSO request. The request contains an invalid saasid or idpid value. Check that your registration is complete and the connection configured in PingOne is not disabled. | SSO request contained an invalid saasid or idpid. Please make sure the registration is complete and the connection is not disabled. |
| REQ_002 | Missing saasid or idpid. | We are unable to determine which IdP to use for your SSO request. Check that you are using the idpid parameter in your SSO request (for example, https://sso.connect.pingidentity.com/sso/idp/SSO.saml2?idpid=<idpid>), and perform an IdP-initiated SSO or PingOne-initiated SSO first. | SSO request was missing a required parameter: saasid or idpid. An SSO request has following form https://sso.connect.pingidentity.com/sso/sp/initsso/?saasid=<saasid>&idpid=<idpid> |
| REQ_004a | appurl or errorurl is not HTTPS. | We’re unable to process the SSO request. The request contains an invalid appurl or errorurl value. Check that the appurl and errorurl values you have specified use HTTPS. | Invalid appurl or errorurl: https is required. |
| REQ_004b | Invalid appurl or errorurl. | We’re unable to process the SSO request. The appurl or errorurl value contains a line feed. Line feeds are not allowed. | Invalid appurl or errorurl: line feed is not allowed. |
| REQ_008 | AuthnRequest sent to wrong endpoint. | We’re unable to process the SSO request. Update your SP configuration to send the AuthnRequest to /sso/idp/SSO.saml2?idpid=<idpid>, where idpid is an optional parameter. If idpid is not specified, a user needs to perform an IdP-initiated SSO or PingOne-initiated SSO first. | Please update your SP configuration to send AuthnRequest to /sso/idp/SSO.saml2?idpid=<idpid>, where idpid is an optional parameter. If idpid is not specified, a user needs to perform an IdP-initiated SSO or PingOne-initiated SSO once first. |
| REQ_009 | Connection for this service provider (SP) entityid and idpid combination is disabled or doesn’t exist. | We’re unable to process the SSO request. The request contains an invalid SP entityid or idpid. Check that your registration is complete and the connection to PingOne is not disabled. | SSO request contained an invalid sp entityid or idpid. Please make sure the registration is complete and the connection is not disabled. |
| REQ_011 | Cross-site request forgery (CSRF) failure during IdP discovery. | CSRF validation failed. | CSRF validation failed. |
| SAML_001 | Missing AuthnStatement in response from IdP. | We’re unable to process the SAML response. The response is missing an AuthnStatement. | Invalid SAML response. Missing AuthnStatement. |
| SAML_002 | Invalid SAML response from IdP. | We’re unable to process the SAML response. The response is invalid. Contact your system administrator or Ping Identity Customer Support for more information. | Invalid SAML response |
| SAML_003 | IdP returned failure. | We received an unsuccessful response from your IdP. Contact your administrator or an IdP administrator for more information. | Unsuccessful SAML response |
| SAML_003.1 | No status in response from IdP. | We received a response with no status from your IdP. Contact your administrator or an IdP administrator for more information. | PingOne received a response with no status from your IdP. Please contact your administrator or authenticating authority for more information. |
| SAML_005 | No application specified in response from IdP. | We’re unable to find a SaaS for the SAML response received. Send the saasid either as a relaystate value (https://pingone.com/1.0/<saasid>) or as an ACS URL parameter (saasid=<saasid>). To find the saasid of the application, log into your APS account and view the application details. | Unable to find a SaaS for the SAML response received. Please send saasid either as a relaystate (https://pingone.com/1.0/<saasid>) or as an ACS URL parameter (saasid=<saasid>). To find the saasid of the application, log into your APS account and view the application details. |
| SAML_006 | Unable to find target for specified SP entity ID. | We’re unable to find the correct settings for the SAML response received. Verify that the Entity ID setting in your PingOne configuration matches the Entity ID of your identity bridge (IdP), and that the correct saasid parameter value is being sent with your SAML messages. | We’re unable to find the correct settings for the SAML response received. Verify that the Entity ID setting in your PingOne configuration matches the Entity ID of your identity bridge (IdP), and that the correct saasid parameter value is being sent with your SAML messages. |
| SAML_100 | Invalid assertion from IdP. | We received an invalid assertion. Contact your administrator or Ping Identity Customer Support for more information. | Invalid assertion. |
| SAML_200 | Invalid signature from IdP. | The Signature is invalid. Check that your signing certificate is the same certificate uploaded to PingOne. | Invalid Signature. Please make sure that your signing certificate matches the certificate uploaded to PingOne. |
| SAML_201 | Invalid certificate for this connection. | The certificate is invalid. Check that your signing certificate has not expired. | Invalid Certificate. Please verify that the signing certificate is valid and that the certificate has not expired. |
| SAML_202 | Invalid issuer from IdP. | The issuer is invalid. Check that the IdP entityid value matches the entityid value configured for the IdP in PingOne. | Invalid Issuer. Please verify that the IdP entityid matches the entityid that is configured for the IdP in PingOne. |
| SAML_202.1 | Missing issuer in assertion from IdP. | There’s no issuer in the assertion we received. | No Issuer in the assertion. |
| SAML_202.2 | Missing issuer in SAML response from IdP. | There’s no issuer specified in the SAML response we received. | No Issuer in the SAML response. |
| SAML_203 | Invalid RelayState from IdP. | The RelayState value is not a valid URL. Check that the RelayState URL uses HTTPS and that the domain specified matches the configured domain for the application. | Invalid URL in RelayState. Please verify that the RelayState URL uses HTTPS and that the domain matches the configured domain for the application. |
| SAML_209 | Missing signature in assertion from IdP. | It looks like the Signature is missing. | Missing Signature. |
| SAML_210 | Missing nameid in assertion from IdP. | It looks like the NameID is missing. | Missing NameID. |
| SAML_211 | Invalid XML from IdP. | We’re unable to parse the XML message. | Unable to parse the XML message. |
| SAML_212 | Unable to decrypt assertion from IdP. | We’re unable to decrypt the assertion. Check that the PingOne certificate is used to encrypt the assertion from your IdP. | Unable to decrypt the assertion. Please make sure that the PingOne certificate is used to encrypt the assertion from your IdP. |
| SAML_213 | Invalid RelayState from IdP. | The RelayState value is not valid. Check that the format for the RelayState value is: https://pingone.com/1.0/<saasid>?appurl=<appurl>. Notice the delimiter between the saasid value and the appurl parameter. The RelayState value we received was: | Invalid RelayState. Please verify the format of the RelayState: https://pingone.com/1.0/<saasid>?appurl=<appurl>. Pay close attention to the delimiter between the saasid and the appurl. The received RelayState was: |
| SAML_214 | Certificate in assertion doesn’t match configuration. | There is a certificate mismatch. Your signing certificate does not match the certificate uploaded to PingOne. | Certificate mismatch. Your signing certificate does not match the certificate uploaded to PingOne. |
| SAML_218 | Invalid single logout (SLO) request. | We’re unable to process the message received at the SLO endpoint. The request is missing either SAMLRequest or SAMLResponse. | Unknown message was received at SLO endpoint. Missing SAMLRequest or SAMLResponse. |
| SAML_219 | Unable to verify SLO signature, no certificate configured. | It looks like the signing certificate has not been configured. | Missing certificate. Please check your configuration. |
| SAML_220 | Invalid signature for SLO request. | The Signature for the SLO Request or Response is invalid. Check that your signing certificate matches the certificate uploaded to PingOne. | Invalid Signature for Logout Request/Response. Please make sure that your signing certificate matches the certificate uploaded to PingOne. |
| SAML_223 | Expired request. | The request you sent is outdated. This can be due to an old entry in the browser cache or a bookmark to a transient login page. Try restarting your browser and using the application URL again. | The request you sent is outdated. This can be due to an old entry in the browser cache or a bookmark to a transient login page. Try restarting your browser and using the application URL again. |
| SAML_224 | Invalid request to assertion consumer service (ACS) URL. | We received a request without a SAML Response. A request was made to the PingOne Assertion Consumer service, but we found no SAML Response message in the request. | Missing SAML Response. A request was made to PingOne Assertion Consumer service. However, SAML Response message was not found. |
| SSO_001 | Unknown error occurred. | We’re unable to complete the authentication process with the Identity Provider (IdP). You can try to connect to the application again later or contact an administrator. | Generic exception |
| SSO_002 | Invalid request. | Due to an invalid request, we’re unable to complete the authentication process with the Identity Provider (IdP). You can try to connect to the application again later or contact an administrator. | Invalid request exception |
| SSO_206 | Missing required attribute from IdP. | The response from your IdP is missing a required attribute(s). Check that all necessary attributes are being sent by your IdP. | The response from your IdP was missing the required attribute(s). Please review the attributes sent by your IdP. |
| SSO_206c | Missing required attribute from IdP. | The response from your IdP or a secondary module is missing a required attribute(s). Check that all necessary attributes are being returned. | The response from your IdP or a secondary module was missing the required attribute(s). Please review the attributes returned. |
| SSO_208.1 | Invalid advanced attribute mapping configuration. | We’ve had a system error: An unknown transformation function is being used in attribute mapping. Please update your attribute mapping configuration in PingOne. | System Error: An unknown transformation function is used in attribute mapping. |
| SSO_208.2 | Invalid advanced attribute mapping configuration. | We’ve had a system error: An unknown builder function is being used in attribute mapping. Please update your attribute mapping configuration in PingOne. | System Error: An unknown builder function is used in attribute mapping. |
| SYS_001 | Internal error. | We’re unable to complete Single Sign-On (SSO) at this time. Contact your system administrator or Ping Identity Customer Support for more information. | Internal server error |
| SYS_004 | Unknown configuration error. | It looks like there’s a configuration error. Contact your administrator or Ping Identity Customer Support for help. | There is a configuration error. |
| SYS_404 | Requested page doesn’t exist. | The resource you requested does not exist on this server. | The resource you requested does not exist on this server. |

If you encounter an error not listed here, sign on to the Ping Identity Support Portal and open a case.