Troubleshooting SSO Errors


When you test your SSO connection with the Test Connection button, you might receive an error code during or after setup. This article lists the possible errors and their solutions:

After SSO setup

You might encounter the following error when you try to log in to your account after completing your SSO setup.

This error might be caused by different reasons. Please examine the following reasons and solutions, and try each solution if necessary.

| Reason | Solution |
| --- | --- |
| There is no user provisioning enabled (JIT or SCIM), and a new user is trying to log in. | JIT/SCIM must be enabled. |
| There is a replay attack happening. | The user should wait for a while before trying again. |
| The name ID was not correctly configured on IdP. | You should check the values of the user on the IdP. |
| @insiderone.com user is trying to log in. | Insider One employees cannot log in through SSO. |
| IdP Configuration might have changed. | The customer can try to click the Test Connection button on Inone Settings > Security to see if everything is set up correctly. |

During SSO setup

While setting up SSO, you may encounter issues during the “Test Connection” step. Depending on the error code you receive, you can check the corresponding explanation and solution options to troubleshoot it.

The solutions provided in this guide are general guidelines, and the specific steps to resolve an error may vary depending on your SAML integration implementation and the Identity Provider you use. You can contact the Insider One team if you still have issues after implementing the solutions.

UNSUPPORTED_SAML_VERSION

The SAML version used is not supported. Identity Providers should ensure compatibility with SAML 2.0.

Solutions

  • Verify that the Identity Provider supports SAML 2.0.
  • If the Identity Provider only supports an older version of SAML, consider upgrading or finding an alternative Identity Provider that supports SAML 2.0.

MISSING_ID

The ID attribute is missing in the SAML response. You should verify that the ID attribute is included in the response.

Solutions

  • Check the SAML response structure from the Identity Provider and ensure that the ID attribute is included.
  • If the ID attribute is missing, contact the Identity Provider's support team to investigate and resolve the issue.

MISSING_STATUS

The SAML response does not contain a status element. You should check that the status element is included in the response.

Solutions

  • Validate the SAML response structure from the Identity Provider and ensure it contains the required status element.
  • If the status element is missing, contact the Identity Provider for assistance in correcting the response.

MISSING_STATUS_CODE

The SAML response does not contain a status code. You should ensure that the response includes a status code.

Solutions

  • Verify that the SAML response includes a status code from the Identity Provider.
  • If the status code is missing, contact the Identity Provider and request that they include the appropriate status code in the response.

STATUS_CODE_IS_NOT_SUCCESS

The status code in the SAML response indicates a failure. You should follow the error message and take appropriate action.

Solutions

  • Follow the error code guidelines provided by the Identity Provider to troubleshoot and resolve the issue.
  • Contact the Identity Provider's support team for further assistance.

WRONG_SIGNED_ELEMENT

The signed element in the SAML response does not match the expected element. You should verify the correct element to be signed.

Solutions

  • Review the expected signed element specified in the integration documentation.
  • Ensure that the Identity Provider is signing the correct element in the SAML response.
  • Update the integration configuration to match the expected signed element from the Identity Provider.

ID_NOT_FOUND_IN_SIGNED_ELEMENT

The ID attribute is not found in the signed element. You should ensure that the ID attribute is present.

Solutions

  • Confirm that the ID attribute is present in the signed element.
  • If the ID attribute is missing, contact the Identity Provider and request that they include it in the signed element.

DUPLICATED_ID_IN_SIGNED_ELEMENTS

Duplicate IDs are found in the signed elements. You should ensure that each element has a unique ID value.

Solutions

  • Validate that each signed element in the SAML response has a unique ID value.
  • If duplicate IDs are found, reach out to the Identity Provider and request that they generate unique IDs for each signed element.

INVALID_SIGNED_ELEMENT

The signed element in the SAML response is invalid or corrupted. You should validate the integrity of the signed element.

Solutions

  • Verify that the signed element conforms to the SAML specification.
  • If the signed element is invalid or corrupted, contact the Identity Provider for assistance in resolving the issue.

DUPLICATED_REFERENCE_IN_SIGNED_ELEMENTS

Duplicate references to signed elements are found. You should ensure each signed element has a unique reference value.

Solutions

  • Ensure each signed element in the SAML response has a unique reference value.
  • If duplicate references are found, contact the Identity Provider and request that they generate unique references for each signed element.

UNEXPECTED_SIGNED_ELEMENTS

Unexpected or unknown signed elements are found. You should verify the expected signed elements.

Solutions

  • Review the expected signed elements documented by the Identity Provider.
  • If unexpected or unknown signed elements are present, contact the Identity Provider and request clarification on the correct set of signed elements.

WRONG_NUMBER_OF_SIGNATURES_IN_RESPONSE

The number of signatures in the response does not match the expected count. You should ensure the correct number of signatures.

Solutions

  • Check the integration configuration and ensure the expected number of signatures is configured.
  • If the number of signatures in the response does not match, contact the Identity Provider and verify the signing process or update the configuration accordingly.

WRONG_NUMBER_OF_SIGNATURES_IN_ASSERTION

The number of signatures in the assertion does not match the expected count. You should verify the correct number of signatures.

Solutions

  • Validate the expected number of signatures for the SAML assertion.
  • If the number of signatures in the assertion is incorrect, contact the Identity Provider for guidance on resolving the discrepancy.
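
The signed-element errors above (WRONG_SIGNED_ELEMENT through WRONG_NUMBER_OF_SIGNATURES_IN_ASSERTION) can be checked on a decoded response before contacting the Identity Provider. The following is an added example, not Insider One's validator: it inspects structure only, verifies no signature value, and its mapping from each structural condition to an error code is an assumption based on the descriptions on this page. The sample documents are constructed.

```python
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
DS = "http://www.w3.org/2000/09/xmldsig#"
RESPONSE, ASSERTION, SIGNATURE = f"{{{SAMLP}}}Response", f"{{{SAML}}}Assertion", f"{{{DS}}}Signature"


def audit_signed_elements(xml_text):
    """Return the signed-element codes from this page that the XML would likely raise.

    The condition-to-code mapping is an assumption; no cryptographic check is done.
    """
    root = ET.fromstring(xml_text)
    parent_of = {child: parent for parent in root.iter() for child in parent}
    findings, seen_ids, seen_refs = [], set(), set()
    count = {RESPONSE: 0, ASSERTION: 0}
    for sig in root.iter(SIGNATURE):
        signed = parent_of.get(sig)
        # Only the Response or an Assertion may be the element a signature covers.
        if signed is None or signed.tag not in count:
            findings.append("WRONG_SIGNED_ELEMENT")
            continue
        count[signed.tag] += 1
        elem_id = signed.get("ID")
        if not elem_id:
            findings.append("ID_NOT_FOUND_IN_SIGNED_ELEMENT")
            continue
        if elem_id in seen_ids:
            findings.append("DUPLICATED_ID_IN_SIGNED_ELEMENTS")
        seen_ids.add(elem_id)
        ref = sig.find(f"{{{DS}}}SignedInfo/{{{DS}}}Reference")
        uri = ref.get("URI", "") if ref is not None else ""
        if not uri:
            continue
        # The Reference must point at the element that encloses the signature.
        if uri[1:] != elem_id:
            findings.append("INVALID_SIGNED_ELEMENT")
        elif uri in seen_refs:
            findings.append("DUPLICATED_REFERENCE_IN_SIGNED_ELEMENTS")
        seen_refs.add(uri)
    if count[RESPONSE] > 1:
        findings.append("WRONG_NUMBER_OF_SIGNATURES_IN_RESPONSE")
    if count[ASSERTION] > 1:
        findings.append("WRONG_NUMBER_OF_SIGNATURES_IN_ASSERTION")
    return findings


def _sig(ref_uri):
    # Constructed signature skeleton: only its position and Reference URI matter here.
    return (f'<ds:Signature xmlns:ds="{DS}"><ds:SignedInfo><ds:Reference URI="{ref_uri}"/>'
            '</ds:SignedInfo></ds:Signature>')


def _response(body):
    # Constructed response wrapper with made-up IDs.
    return (f'<samlp:Response xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" ID="_r1" Version="2.0">'
            f'{body}</samlp:Response>')


GOOD = _response(f'<saml:Assertion ID="_a1">{_sig("#_a1")}</saml:Assertion>')
# Two signed assertions that share one ID and one reference value.
BAD = _response(f'<saml:Assertion ID="_a1">{_sig("#_a1")}</saml:Assertion>'
                f'<saml:Assertion ID="_a1">{_sig("#_a1")}</saml:Assertion>')

if __name__ == "__main__":
    print(audit_signed_elements(GOOD))
    print(audit_signed_elements(BAD))
```
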

INVALID_XML_FORMAT

The response's XML format is invalid. You should check for XML formatting errors.

Solutions

  • Verify that the SAML response adheres to XML formatting rules.
  • Check for any syntax errors or malformed XML tags.
  • If the XML format is invalid, carefully review the response for any missing or misplaced XML elements and correct them accordingly.
  • Consider using XML validators or parsing tools to identify and rectify XML formatting issues.

WRONG_INRESPONSETO

The "InResponseTo" attribute does not match the expected value. You should compare the attribute with the corresponding request ID.

Solutions

  • Compare the "InResponseTo" attribute in the SAML response with the corresponding request ID.
  • If they do not match, ensure the request ID is correctly included in the original authentication request sent to the Identity Provider.
  • If the mismatch persists, contact the Identity Provider for further assistance with troubleshooting.

NO_ENCRYPTED_ASSERTION

The response does not contain an encrypted assertion. You should ensure that an encrypted assertion is included.

Solutions

  • Check the encryption configuration and requirements of the Identity Provider.
  • Ensure that the Identity Provider encrypts the SAML assertion in accordance with the agreed encryption standards.
  • If encryption is expected but not provided, contact the Identity Provider and request that they encrypt the SAML assertion.

NO_ENCRYPTED_NAMEID

The response does not contain an encrypted NameID. You should verify the presence of an encrypted NameID.

Solutions

  • Confirm that the Identity Provider encrypts the NameID in the SAML response.
  • If encryption is required but not provided, contact the Identity Provider and request that they encrypt the NameID.

MISSING_CONDITIONS

The response does not include the necessary conditions element. You should ensure the inclusion of the conditions element.

Solutions

  • Validate that the SAML response includes the necessary conditions element.
  • If the conditions element is missing, contact the Identity Provider to ensure they include it in the response.

ASSERTION_TOO_EARLY

The assertion is issued before the allowed timeframe. You should check the timestamps and adjust the clock settings if needed.

Solutions

  • Check the timestamps in the SAML response to ensure that the assertion is not being issued before the allowed timeframe.
  • Adjust the clock settings on the Identity Provider or synchronize time between systems if necessary.

ASSERTION_EXPIRED

The assertion has expired. You should check the timestamps and consider re-authentication.

Solutions

  • Verify the timestamps in the SAML response and ensure that the assertion has not expired.
  • If the assertion has expired, contact the Identity Provider to investigate the issue and request a valid assertion.

WRONG_NUMBER_OF_AUTHSTATEMENTS

The number of authentication statements does not match the expected count. You should validate the expected number.

Solutions

  • Validate the expected number of authentication statements in the SAML response.
  • If the number of authentication statements is incorrect, contact the Identity Provider to clarify the expected format or adjust the configuration accordingly.

ENCRYPTED_ATTRIBUTES

Attributes are encrypted. You should handle encrypted attributes in accordance with the agreed encryption standards.

Solutions

  • Confirm the encryption requirements and capabilities of the Identity Provider regarding attributes.
  • Ensure the Identity Provider encrypts any sensitive or confidential attributes in accordance with the agreed encryption standards.

WRONG_DESTINATION

The destination URL specified does not match the expected URL. You should ensure the correct destination URL.

Solutions

  • Check the destination URL specified in the SAML response and verify that it matches the expected URL for your application.
  • If the destination URL is incorrect, contact the Identity Provider to ensure they provide the correct destination URL.

EMPTY_DESTINATION

The destination attribute is missing or empty. You should ensure that a non-empty destination attribute is included.

Solutions

  • Validate that the SAML response includes a non-empty destination attribute.
  • If the destination attribute is missing or empty, contact the Identity Provider to ensure they include the appropriate destination attribute.

WRONG_AUDIENCE

The audience value specified does not match the expected value. You should verify the audience value.

Solutions

  • Verify that the audience value specified in the SAML response matches the expected audience for your application.
  • If the audience value is incorrect, contact the Identity Provider to ensure they provide the correct audience value.

ISSUER_MULTIPLE_IN_RESPONSE

Multiple issuer elements are found in the response. You should ensure only one issuer element is present.

Solutions

  • Check for multiple issuer elements in the SAML response.
  • Ensure that there is only one issuer element present, and it matches the expected value.
  • If multiple issuers are found, contact the Identity Provider to investigate and rectify the issue.

ISSUER_NOT_FOUND_IN_ASSERTION

The issuer specified in the SAML assertion is not found. You should verify the presence and correctness of the issuer information.

Solutions

  • Verify that the issuer specified in the SAML assertion matches the expected value.
  • If the issuer is not found or does not match, contact the Identity Provider to ensure they provide the correct issuer information.

WRONG_ISSUER

The issuer value in the response is incorrect. You should verify the issuer value.

Solutions

  • Check the issuer value in the SAML response and compare it with the expected issuer for your application.
  • If the issuer value is incorrect, contact the Identity Provider to rectify the issuer configuration.
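
The checks from WRONG_INRESPONSETO through WRONG_ISSUER bind a response to one request, one service provider, one Identity Provider and one time window. The following is an added example, not Insider One's validator: it reports which of those codes a captured, base64-encoded SAMLResponse would likely raise. The sample response, the expected values and the 60-second clock-skew allowance are assumptions, and encrypted assertions are not inspected.

```python
import base64
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"samlp": SAMLP, "saml": SAML}


def _ts(value):
    # SAML timestamps are UTC xs:dateTime values, e.g. 2024-05-01T10:00:00Z.
    return datetime.strptime(value[:19], "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)


def triage(b64_response, expected, now, skew=timedelta(seconds=60)):
    """Return the error codes from this page that a captured response would likely raise."""
    try:
        root = ET.fromstring(base64.b64decode(b64_response))
    except (ValueError, ET.ParseError):
        return ["INVALID_XML_FORMAT"]
    out = []
    if root.get("InResponseTo") != expected["request_id"]:
        out.append("WRONG_INRESPONSETO")
    dest = root.get("Destination", "").strip()
    if not dest:
        out.append("EMPTY_DESTINATION")
    elif dest != expected["acs_url"]:
        out.append("WRONG_DESTINATION")
    issuers = root.findall("saml:Issuer", NS)
    if len(issuers) > 1:
        out.append("ISSUER_MULTIPLE_IN_RESPONSE")
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:  # encrypted or absent: nothing more to read in the clear
        return out
    a_issuer = assertion.find("saml:Issuer", NS)
    if a_issuer is None:
        out.append("ISSUER_NOT_FOUND_IN_ASSERTION")
    else:
        issuers.append(a_issuer)
    if any((i.text or "").strip() != expected["idp_entity_id"] for i in issuers):
        out.append("WRONG_ISSUER")
    cond = assertion.find("saml:Conditions", NS)
    if cond is None:
        return out + ["MISSING_CONDITIONS"]
    nb, noa = cond.get("NotBefore"), cond.get("NotOnOrAfter")
    if nb and _ts(nb) > now + skew:  # assumed skew allowance on both bounds
        out.append("ASSERTION_TOO_EARLY")
    if noa and _ts(noa) <= now - skew:
        out.append("ASSERTION_EXPIRED")
    audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if audiences and expected["sp_entity_id"] not in audiences:
        out.append("WRONG_AUDIENCE")
    return out


def sample(not_before="2024-05-01T09:59:00Z", not_after="2024-05-01T10:05:00Z",
           audience="https://sp.example.test/metadata"):
    # Constructed, unsigned response; every value in it is made up for this example.
    issuer = "<saml:Issuer>https://idp.example.test</saml:Issuer>"
    xml = (f'<samlp:Response xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" ID="_r1" Version="2.0"'
           f' InResponseTo="_req42" Destination="https://sp.example.test/acs">{issuer}'
           '<samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>'
           f'</samlp:Status><saml:Assertion ID="_a1" Version="2.0">{issuer}'
           f'<saml:Conditions NotBefore="{not_before}" NotOnOrAfter="{not_after}">'
           f'<saml:AudienceRestriction><saml:Audience>{audience}</saml:Audience>'
           '</saml:AudienceRestriction></saml:Conditions></saml:Assertion></samlp:Response>')
    return base64.b64encode(xml.encode()).decode()


EXPECTED = {"request_id": "_req42", "acs_url": "https://sp.example.test/acs",
            "idp_entity_id": "https://idp.example.test",
            "sp_entity_id": "https://sp.example.test/metadata"}
NOW = datetime(2024, 5, 1, 10, 0, 0, tzinfo=timezone.utc)
```

Calling `triage(sample(), EXPECTED, NOW)` returns an empty list; changing one expected value or one timestamp returns the matching code.
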

SESSION_EXPIRED

The session has expired. You should check the session duration and expiration settings.

Solutions

  • Check the session duration and expiration settings on the Identity Provider's side.
  • If the session has expired, prompt the user to reauthenticate or initiate a new login session with the Identity Provider.

WRONG_SUBJECTCONFIRMATION

The subject confirmation method used is incorrect. You should verify the correct subject confirmation method.

Solutions

  • Validate the subject confirmation method used in the SAML response.
  • Ensure that the subject confirmation method matches the expected value or format.
  • If the subject confirmation method is incorrect, contact the Identity Provider to investigate and resolve the issue.

NO_SIGNED_MESSAGE

The SAML response does not contain a signed message. You should ensure a signed message is present.

Solutions

  • Ensure that the Identity Provider signs the SAML response.
  • If the response is expected to be signed but is not, contact the Identity Provider to rectify the signing configuration.

NO_SIGNED_ASSERTION

The SAML response does not contain a signed assertion. You should ensure that a signed assertion is present.

Solutions

  • Verify that the Identity Provider signs the SAML assertion.
  • If the assertion is expected to be signed, contact the Identity Provider to rectify the signing configuration.

NO_SIGNATURE_FOUND

No signature is found in the SAML response. You should ensure that a valid digital signature is present.

Solutions

  • Check for a digital signature in the SAML response.
  • If no signature is found, contact the Identity Provider to ensure they sign the SAML response as required.

KEYINFO_NOT_FOUND_IN_ENCRYPTED_DATA

The key information is not found in the encrypted data. You should verify that the key information is present.

Solutions

  • Ensure that the encrypted data in the SAML response includes the necessary key information.
  • If the key information is missing, contact the Identity Provider to rectify the encryption configuration.

NO_NAMEID

The response does not contain a NameID element. You should ensure that a NameID element is present.

Solutions

  • Verify that the SAML response includes a NameID element.
  • If the NameID element is missing, contact the Identity Provider to ensure it is included in the response.

EMPTY_NAMEID

The NameID element in the response is empty. You should ensure a non-empty NameID element.

Solutions

  • Validate that the NameID element in the SAML response is not empty.
  • If the NameID element is empty, contact the Identity Provider to rectify the issue.

SP_NAME_QUALIFIER_NAME_MISMATCH

The SP NameQualifier value does not match. You should verify the correctness of the SP NameQualifier value.

Solutions

  • Ensure that the SP NameQualifier value in the SAML response matches the expected value for your application.
  • If there is a mismatch, contact the Identity Provider to ensure they provide the correct SP NameQualifier value.

DUPLICATED_ATTRIBUTE_NAME_FOUND

Duplicated attribute names are found. You should ensure unique attribute names.

Solutions

  • Verify that each attribute in the SAML response has a unique name.
  • If duplicate attribute names are found, contact the Identity Provider to ensure they provide unique attribute names.

INVALID_SIGNATURE

The signature in the response is invalid. You should verify the signature integrity.

Solutions

  • Validate the signature integrity and verify that the SAML response's signature is valid.
  • If the signature is deemed invalid, contact the Identity Provider to investigate and resolve the signature verification issue.

WRONG_NUMBER_OF_SIGNATURES

The number of signatures does not match the expected count. You should ensure the correct number of signatures.

Solutions

  • Check the integration configuration and ensure the expected number of signatures is configured and enforced.
  • If the number of signatures in the SAML response does not match the expected count, contact the Identity Provider to investigate and rectify the issue.

RESPONSE_EXPIRED

The response has expired. You should check the timestamps and consider requesting a new response.

Solutions

  • Verify the timestamps in the SAML response and ensure that they are within the allowed timeframe.
  • If the response has expired, contact the Identity Provider to ensure they provide a valid and timely response.

UNEXPECTED_REFERENCE

Unexpected or unknown references are found. You should review the references in the response.

Solutions

  • Check for unexpected or unknown references in the SAML response.
  • Ensure that all references in the response are expected and known.
  • If unexpected references are found, contact the Identity Provider to investigate and rectify the issue.

NOT_SUPPORTED

The feature or functionality is not supported. You should consider alternative solutions or contact the Identity Provider for guidance.

Solutions

  • Check the supported features and specifications of the Identity Provider.
  • If the error code indicates that a particular feature or functionality is not supported, consider alternative solutions or contact the Identity Provider for further guidance.

KEY_ALGORITHM_ERROR

There is an error with the key algorithm used. You should ensure the use of a supported key algorithm.

Solutions

  • Verify that the key algorithm used in the SAML response is supported and compatible with your application.
  • If the key algorithm is not supported, contact the Identity Provider to investigate and rectify the issue.

MISSING_ENCRYPTED_ELEMENT

An expected encrypted element is missing. You should ensure that all necessary encrypted elements are present.

Solutions

  • Ensure that all necessary elements in the SAML response that should be encrypted are properly encrypted by the Identity Provider.
  • If an expected element is missing encryption, contact the Identity Provider to rectify the encryption configuration.

SETTINGS_FILE_NOT_FOUND

The settings file is not found. You should verify the existence and accessibility of the settings file.

Solutions

  • Confirm that the required settings file for the SAML integration is present and accessible.
  • Try re-uploading the XML configuration file from the Inone Settings page.

SETTINGS_INVALID_SYNTAX

The syntax of the settings file is invalid. You should ensure that the file follows the correct syntax.

Solutions

  • Check the syntax and formatting of the settings file used for the SAML integration.
  • Ensure that the file adheres to the expected structure and syntax.
  • If the syntax is invalid, review the documentation or contact the Identity Provider for a valid settings file example.
  • Try re-uploading the XML configuration file from the Inone Settings page.

SETTINGS_INVALID

The settings provided are invalid. You should validate the settings and correct any invalid configurations.

Solutions

  • Validate the settings and configuration parameters provided for the SAML integration.
  • Ensure that all required settings are correctly specified and match the Identity Provider's and our requirements.
  • If the settings are invalid, contact the Identity Provider for assistance in rectifying the configuration.
  • Try re-uploading the XML configuration file from the Inone Settings page.

CERT_NOT_FOUND

The certificate file is not found. You should ensure the availability and accessibility of the certificate file.

Solutions

  • Verify that the required certificate files for the SAML integration are present and accessible.
  • If the certificate files are missing, ensure they are correctly configured and available at the specified locations.
  • Try re-uploading the XML configuration file from the Inone Settings page.

REDIRECT_INVALID_URL

The redirect URL is invalid. You should verify the correctness and format of the redirect URL.

Solutions

  • Validate the redirect URL used in the SAML integration.
  • Ensure that the URL is correctly formatted and accessible.
  • If the URL is invalid, update the configuration with the correct redirect URL provided by the Identity Provider.

PUBLIC_CERT_FILE_NOT_FOUND

The public certificate file is not found. You should ensure the availability and accessibility of the public certificate file.

Solutions

  • Confirm that the public certificate file used for SAML integration is present and accessible.
  • If the public certificate file is missing, ensure it is correctly configured and available at the specified location.
  • Try re-uploading the XML configuration file from the Inone Settings page.

PRIVATE_KEY_FILE_NOT_FOUND

The private key file is not found. You should verify the availability and accessibility of the private key file.

Solutions

  • Verify that the private key file used for SAML integration is present and accessible.
  • If the private key file is missing, ensure it is correctly configured and available at the specified location.
  • Try re-uploading the XML configuration file from the Inone Settings page.

SAML_RESPONSE_NOT_FOUND

The SAML response is not found. You should check the integration setup to receive and process the response.

Solutions

  • Check if your application is correctly receiving the SAML response.
  • Ensure the integration is configured correctly to capture and process the SAML response.
  • If the SAML response is not found, review your application's integration setup and ensure that the necessary endpoints and mechanisms are in place to receive and process the response from the Identity Provider.

SAML_LOGOUTMESSAGE_NOT_FOUND

The SAML Logout Message is not found. You should ensure the setup to receive and process the Logout Message.

Solutions

  • Verify that your application receives the SAML Logout Message correctly during the logout process.
  • Ensure the integration is configured correctly to handle and process the Logout Message.
  • If the Logout Message is not found, review your application's integration setup and ensure that the necessary endpoints and mechanisms are in place to receive and process the Logout Message from the Identity Provider.

SAML_LOGOUTREQUEST_INVALID

The SAML Logout Request received is invalid. You should verify the validity and structure of the Logout Request.

Solutions

  • Verify that the Identity Provider supports SAML 2.0.
  • If the Identity Provider only supports an older version of SAML, consider upgrading or finding an alternative Identity Provider that supports SAML 2.0.

SAML_SINGLE_LOGOUT_NOT_SUPPORTED

Single Logout functionality is not supported. You should consider alternative logout mechanisms or contact the Identity Provider for guidance.

Solutions

  • Verify that the Identity Provider supports Single Logout functionality.
  • If the Identity Provider does not support Single Logout, consider alternative logout mechanisms or contact the Identity Provider for further guidance.

PRIVATE_KEY_NOT_FOUND

The private key required for the SAML integration is not found. You should ensure the availability and accessibility of the private key.

Solutions

  • Confirm that the private key required for the SAML integration is present and accessible.
  • Ensure the private key is correctly configured and available at the specified location.
  • If the private key is not found, review the configuration and ensure the correct file is specified.