
Error Handling during Single Sign-on

Reference of error codes and how to handle them

When users attempt to log in via Single Sign-on (SSO) using Scalekit, any issues encountered will result in error details being sent to your application's redirect URI via the error and error_description query parameters. Proper error handling ensures a better user experience.

If there is any issue between Scalekit and your application, the following errors may occur:

Tip: Ideally, you should catch these errors in your development environments. They are not meant to be exposed to your customers in production environments.

| Error | Error Description | Possible Resolution Strategy |
| --- | --- | --- |
| invalid_redirect_uri | Redirect URI is not part of the pre-approved list of Redirect URIs. | Add the valid URL in the Scalekit Dashboard before using it |
| invalid_connection_selector | Missing organization_id (or) connection_id (or) domain (or) provider in the Authorization URL. | Include at least one of these parameters in the request. |
| no_active_connections | There are no active SSO Connections configured to process the Single Sign-on request | Ensure active SSO connections are set up. |
| connection_not_active | The configured connection is not active | Enable the SSO connection in the Scalekit Dashboard. |
| no_configured_connections | No active SSO connections configured | Ensure active SSO connections are set up |
| invalid_organization_id | Invalid organization ID | Verify and use a valid organization ID |
| invalid_connection_id | Invalid connection ID | Verify and use a valid connection ID |
| domain_not_found | No domain specified for the SSO connection(s) | Check domain configuration in Scalekit Dashboard |
| invalid_user_domain | User's domain not allowed for this SSO connection | Ensure user domain is part of the allowed domains list |
| server_error | Actual error description from the server | This must be a rare occurrence. Please reach out to us via your private Slack channel or via email |

If SSO configuration issues arise, you will encounter the following errors:

Tip: Ideally, these errors should have been caught and handled by your customer’s IT admin at the time of SSO configuration. If your customers encounter problems with the Single Sign-On (SSO) setup, they will have the opportunity to review and correct the configuration during the "Test Connection" step.

Once your customer configures the SSO settings properly, tests the configuration and enables it, you shouldn’t receive these errors unless something has been modified, tampered with, or changed in the Identity Provider.

| Error Code | Error Description | Possible Resolution Strategy |
| --- | --- | --- |
| mandatory_attribute_missing | Missing mandatory user attributes | Ensure all the mandatory user attributes are configured properly |
| invalid_id_token | Invalid ID token | Check the identity provider's functioning |
| failed_to_exchange_token | Token exchange failure due to incorrect client_secret | Update the client_secret with the correct value |
| user_info_retrieve_failed | User info retrieval failed, possibly due to an incorrect client_secret or other issues. | Update the client_secret with the correct value. If unsuccessful, investigate further. Please reach out to us via your private Slack channel or via email |
| invalid_saml_metadata | Incorrect SAML metadata configuration | Update SAML metadata URL with the correct value |
| invalid_saml_response | Invalid SAML response | Review and fix SAML configuration settings |
| signature_validation_failed | Failed signature validation | Review and update the ACS URL in the identity provider's settings |
| invalid_acs_url | Invalid ACS URL | Review and update the ACS URL in the identity provider's settings |
| invalid_status | Invalid Status | Review and update the SAML configuration settings in the identity provider |
| malformed_saml_response | Marshalling error | Ensure SAML response is properly formatted |
| assertion_expired | Expired SAML assertion | We received an expired SAML assertion. This could be because of clock skew between the identity provider's server and our servers. Please reach out to us via your private Slack channel or via email |
| response_expired | Expired SAML response | We received an expired SAML response. This could be because of clock skew between the identity provider's server and our servers. Please reach out to us via your private Slack channel or via email |
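
The handling described on this page, as an added example (not Scalekit's own code or SDK): a callback helper that reads the error and error_description query parameters, maps the code to one of the two tables above, and returns a generic message for the user while keeping sanitized details for server-side logs. The function names, the callback URL shape and the user-facing wording are assumptions.

```python
from urllib.parse import urlsplit, parse_qs

# Error codes from the first table: issues between Scalekit and the application.
INTEGRATION_ERRORS = {
    "invalid_redirect_uri", "invalid_connection_selector", "no_active_connections",
    "connection_not_active", "no_configured_connections", "invalid_organization_id",
    "invalid_connection_id", "domain_not_found", "invalid_user_domain", "server_error",
}
# Error codes from the second table: the customer's SSO configuration.
SSO_CONFIG_ERRORS = {
    "mandatory_attribute_missing", "invalid_id_token", "failed_to_exchange_token",
    "user_info_retrieve_failed", "invalid_saml_metadata", "invalid_saml_response",
    "signature_validation_failed", "invalid_acs_url", "invalid_status",
    "malformed_saml_response", "assertion_expired", "response_expired",
}
# Constructed wording; the raw error_description is never shown to the end user.
GENERIC_MESSAGE = "Single Sign-on failed. Please try again or contact your administrator."


def _clean(value, limit):
    """Drop control characters (blocks log-line injection) and cap the length."""
    return "".join(ch for ch in value if ch.isprintable())[:limit]


def handle_sso_callback(callback_url):
    """Return (category, user_message, log_record) for a request to the redirect URI."""
    params = parse_qs(urlsplit(callback_url).query)
    code = params.get("error", [None])[0]
    if code is None:
        return "ok", None, None  # no error parameter: continue the normal login flow
    if code in INTEGRATION_ERRORS:
        category = "integration"        # fix in your code or the Scalekit Dashboard
    elif code in SSO_CONFIG_ERRORS:
        category = "sso_configuration"  # route to the customer's IT admin
    else:
        category = "unknown"            # the query string is caller-controlled
    description = params.get("error_description", [""])[0]
    log_record = {
        "category": category,
        "error": _clean(code, 64),
        "error_description": _clean(description, 200),
    }
    return category, GENERIC_MESSAGE, log_record
```

Because anyone can request the redirect URI with arbitrary query parameters, the helper treats both values as untrusted input: they go to logs only after cleaning and are never rendered back to the browser.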
