Error Handling for the SAML Session Provider

Active clients (non-browser clients) authenticate connecting users through SOAP calls that follow the WS-Trust standard. If anything is set up incorrectly, the Identity Provider (IdP) may return one of several different error messages.

If present, these errors are logged in the SAML Session Provider log.

| HTTP Status | Description |
| --- | --- |
| 200 (OK) | A successful login returns a RequestSecurityTokenResponse signed by the IdP. |
| 500 (Internal Server Error) | A SOAP Fault is returned. See the descriptions below. |
| 503 (Service Unavailable) | Returned if the service is not available on the server. This can mean that the WS-Trust usernamemixed service is deactivated in AD FS. Indicates configuration issues: ensure that in AD FS the endpoint "/adfs/services/trust/13/usernamemixed" for WS-Trust 1.3 is both Enabled and Proxy Enabled. |
| 502 (Connection Failed) or 502 (DNS Lookup Failed) | Can mean that the server does not listen on that port (Connection Failed) or that the server could not be found (DNS Lookup Failed). Indicates configuration issues. |

| SOAP Fault | Description |
| --- | --- |
| ID3242: The security token could not be authenticated or authorized. | Logon failed. Either the username does not exist, the password was wrong, or the user does not have access to the application. |
| ID3082: The request scope is not valid or is unsupported. | Returned if the service provider RelyingPartyTrustIdentifier in the sent SOAP message does not exist or is configured incorrectly. This can mean that the setup failed and that AD FS and IFS are not correctly configured. It may also mean that the Session Provider Entity ID is wrong in the SAMLSessionProvider properties in the grid. |
| MSIS3127: The specified request failed. | Returned if AD FS could not understand the XML request part of the SOAP message. |
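As an added example that is not part of the original page or the product's own code, the following Python function classifies a response from the usernamemixed endpoint by the HTTP statuses and AD FS fault codes listed above. The two SOAP bodies are constructed samples in the shape of an AD FS SOAP 1.2 fault and a WS-Trust 1.3 success response, not captured from a real server, and the function only checks for the presence of the RequestSecurityTokenResponse; it does not verify the IdP signature.

```python
import re
import xml.etree.ElementTree as ET

# Standard namespace URIs for SOAP 1.2 and WS-Trust 1.3.
NS = {"s": "http://www.w3.org/2003/05/soap-envelope",
      "trust": "http://docs.oasis-open.org/ws-sx/ws-trust/200512"}

# Diagnoses for the AD FS fault codes described in the table above.
FAULT_HINTS = {
    "ID3242": "logon failed: wrong username/password, or the user has no access to the application",
    "ID3082": "request scope invalid: check the RelyingPartyTrustIdentifier and the Session Provider Entity ID",
    "MSIS3127": "AD FS could not parse the XML request part of the SOAP message",
}

def classify_wstrust_response(status, body):
    """Return (category, detail) for one HTTP response from the usernamemixed endpoint."""
    if status == 503:
        return ("config", "service unavailable: check that the WS-Trust 1.3 usernamemixed endpoint is Enabled and Proxy Enabled in AD FS")
    if status == 502:
        return ("config", "connection failed or DNS lookup failed: check the AD FS host name and port")
    try:
        root = ET.fromstring(body)
    except ET.ParseError:
        return ("unexpected", f"HTTP {status} with a body that is not well-formed XML")
    if status == 200:
        if root.find(".//trust:RequestSecurityTokenResponse", NS) is None:
            return ("unexpected", "HTTP 200 without a RequestSecurityTokenResponse")
        return ("ok", "RequestSecurityTokenResponse received")
    if status == 500:
        reason = root.find(".//s:Fault/s:Reason/s:Text", NS)
        text = (reason.text or "").strip() if reason is not None else ""
        match = re.match(r"(ID\d+|MSIS\d+)", text)   # AD FS prefixes the reason text with its code
        code = match.group(1) if match else "unknown"
        return ("fault", f"{code}: {FAULT_HINTS.get(code, text or 'SOAP fault without a reason text')}")
    return ("unexpected", f"HTTP {status}")

# Constructed sample bodies in the shape AD FS uses (not captured from a real server).
SAMPLE_FAULT = ('<s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope"><s:Body><s:Fault>'
                '<s:Code><s:Value>s:Sender</s:Value></s:Code><s:Reason><s:Text xml:lang="en-US">'
                'ID3242: The security token could not be authenticated or authorized.'
                '</s:Text></s:Reason></s:Fault></s:Body></s:Envelope>')
SAMPLE_OK = ('<s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope"><s:Body>'
             '<t:RequestSecurityTokenResponseCollection xmlns:t="http://docs.oasis-open.org/ws-sx/ws-trust/200512">'
             '<t:RequestSecurityTokenResponse/></t:RequestSecurityTokenResponseCollection></s:Body></s:Envelope>')

if __name__ == "__main__":
    for status, body in [(200, SAMPLE_OK), (500, SAMPLE_FAULT), (503, ""), (502, "")]:
        print(status, classify_wstrust_response(status, body))
```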