If you encounter any Security Assertion Markup Language (SAML) app error messages, here are some troubleshooting steps to help you.
Encode or decode SAML requests and responses
To aid in troubleshooting, use the SAML encode/decode tool to convert the base64-encoded SAMLRequest or SAMLResponse parameter captured in an HTTP Archive (HAR) file into human-readable XML. See https://toolbox.googleapps.com/apps/encode_decode/. Note that the two SAML bindings encode differently: the HTTP-Redirect binding (the parameter in a query string) deflates the XML before base64-encoding it, while the HTTP-POST binding (the parameter in a form body) uses plain base64.
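The following is an added, offline equivalent of that step, not code from the original page or from Google: it pulls every SAMLRequest/SAMLResponse out of a HAR file and decodes either binding. The AuthnRequest, Response and HAR content are constructed samples, and the accounts.google.com URL and idpid value are placeholders.

```python
import base64
import json
import urllib.parse
import zlib

# Constructed sample AuthnRequest, not taken from the original page.
SAMPLE_AUTHN_REQUEST = (
    '<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" '
    'ID="_req1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z" '
    'AssertionConsumerServiceURL="https://sp.example.com/saml/acs">'
    '<saml:Issuer>https://sp.example.com/saml/metadata</saml:Issuer>'
    '</samlp:AuthnRequest>'
)

# Constructed sample Response carrying a failure status.
SAMPLE_RESPONSE = (
    '<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    'ID="_resp1" Version="2.0" IssueInstant="2024-01-01T00:00:01Z">'
    '<samlp:Status><samlp:StatusCode '
    'Value="urn:oasis:names:tc:SAML:2.0:status:Requester"/>'
    '<samlp:StatusMessage>Invalid request</samlp:StatusMessage>'
    '</samlp:Status></samlp:Response>'
)


def encode_redirect(xml: str) -> str:
    """HTTP-Redirect binding: raw DEFLATE, then base64, then percent-encode for the query string."""
    deflater = zlib.compressobj(wbits=-15)  # wbits=-15: raw deflate, no zlib header/trailer
    deflated = deflater.compress(xml.encode("utf-8")) + deflater.flush()
    return urllib.parse.quote(base64.b64encode(deflated).decode("ascii"), safe="")


def encode_post(xml: str) -> str:
    """HTTP-POST binding: plain base64 in a form field, no compression."""
    return base64.b64encode(xml.encode("utf-8")).decode("ascii")


def decode_saml(value: str) -> str:
    """Decode a SAMLRequest/SAMLResponse parameter from either binding.

    HAR exporters differ on whether parameter values are still percent-encoded;
    unquote() is harmless on already-decoded base64 because it contains no '%'.
    """
    raw = base64.b64decode(urllib.parse.unquote(value))
    if raw.lstrip().startswith(b"<"):   # POST binding: the bytes are already XML
        return raw.decode("utf-8")
    return zlib.decompress(raw, wbits=-15).decode("utf-8")  # Redirect binding: inflate


def extract_from_har(har_text: str) -> list:
    """Return [(url, parameter_name, decoded_xml)] for every SAML message in a HAR file.

    Redirect-binding messages sit in the query string, POST-binding messages in
    the form body; both locations are scanned for each request.
    """
    har = json.loads(har_text)
    found = []
    for entry in har["log"]["entries"]:
        req = entry["request"]
        params = list(req.get("queryString", []))
        params += req.get("postData", {}).get("params", [])
        for p in params:
            if p.get("name") in ("SAMLRequest", "SAMLResponse"):
                found.append((req["url"], p["name"], decode_saml(p["value"])))
    return found


# Constructed HAR fragment: one Redirect-binding request to the IdP and one
# POST-binding response to the SP. The Google SSO URL shape and idpid are placeholders.
SAMPLE_HAR = json.dumps({"log": {"version": "1.2", "entries": [
    {"request": {"method": "GET",
                 "url": "https://accounts.google.com/o/saml2/idp?idpid=C0example",
                 "queryString": [
                     {"name": "SAMLRequest", "value": encode_redirect(SAMPLE_AUTHN_REQUEST)},
                     {"name": "RelayState", "value": "opaque-state"}]}},
    {"request": {"method": "POST", "url": "https://sp.example.com/saml/acs",
                 "postData": {"mimeType": "application/x-www-form-urlencoded",
                              "params": [{"name": "SAMLResponse",
                                          "value": encode_post(SAMPLE_RESPONSE)}]}}},
]}})

if __name__ == "__main__":
    for url, name, xml in extract_from_har(SAMPLE_HAR):
        print(f"{name} sent to {url}:\n{xml}\n")
```

Point extract_from_har at the text of a real HAR export (open(path).read()) to list the messages from a failing flow; the decoded XML is what the checks later on this page (Issuer, ACS URL, NameID) are compared against.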
SAML App creation errors
While creating a SAML app in the Admin console, you might see the following 400 error:
400 duplicate entity id
You'll see this if you try to create an application with an already existing entity ID.
To resolve the 400 duplicate entity id error:
Use the already configured application or use a different entity ID.
500 errors for SAML app creation
While creating a SAML app in the Admin console, you might see the following 500 errors:
- In the Google Identity Provider details section, if you click the Download Certificate or Download Metadata button while the certificate service backend is unavailable, a 500 error appears at the top of the screen.
- While loading the schemas in NameID Mapping or Attribute Mapping, if the schema service times out or displays a backend exception, a 500 error appears at the top of the screen.
- If the Service Provider Config service is unavailable a 500 error appears at the top of the screen when you click Finish.
To resolve any 500 errors for SAML app creation:
Wait for a while and then try the flow again. If errors still occur, contact Google Cloud Support.
SAML runtime errors
The following error scenarios might occur when you try out a SAML single sign-on (SSO) flow, whether identity provider (IdP)-initiated or service provider (SP)-initiated:
403 app_not_configured
This error can occur in these scenarios:
- In an SP-initiated flow, the application corresponding to the entity ID mentioned in the request has not been created in the Admin console.
- In an SP-initiated flow, the entity ID provided in the SAMLRequest does not match any of the entity IDs of the currently installed apps.
- In an IdP-initiated flow, someone has tampered with the application ID (SP ID) in the IdP-initiated URL, so it no longer refers to an installed app.
To resolve the 403 app_not_configured error:
- Ensure that the application corresponding to the entity ID mentioned in the request has been installed before you initiate the request.
- Ensure that the entity ID provided in the SAMLRequest is correct and matches with the one you specified during app creation.
- Ensure that the SP ID being passed in the request URL is the same as the app-id.
403 app_not_configured_for_user
To resolve the 403 app_not_configured_for_user error:
Verify that the value in the saml:Issuer tag in the SAMLRequest matches the Entity ID value configured in the SAML Service Provider Details section in the Admin console. This value is case-sensitive.
403 app_not_enabled_for_user
To resolve the 403 app_not_enabled_for_user error:
- Sign in to your Google Admin console. Sign in using your administrator account (does not end in @gmail.com).
- In the Admin console, go to Menu > Apps > Web and mobile apps.
- In the app list, locate the SAML app generating the error.
- Click the app to open its Settings page.
- Click User access.
- Turn the app ON for everyone or for the user's organization.
400 saml_invalid_user_id_mapping
If an SP sends a NAMEID parameter in the SAMLRequest, that parameter must be the same as the one configured on the IdP side; otherwise the SAMLRequest fails with this error.
To resolve the 400 saml_invalid_user_id_mapping error:
- Go to Basic Details and check the NAMEID parameter.
- Ensure that the NAMEID parameter being passed in the SAMLRequest is the same as the one configured on the IdP side.
400 saml_invalid_sp_id
This error occurs when the service provider ID in the URL of the IdP flow is incorrect, because of misconfiguration or tampering with the URL.
To resolve the 400 saml_invalid_sp_id error:
- Go to Basic Details and check the app-id field.
- Ensure that the SP ID being passed in the request URL is the same as the app-id.
The SAML response sends back a status of DENIED in the following scenarios. You might see one of these three related error messages.
SP-initiated flow: Invalid request, ACS URL in request $parameter doesn't match configured ACS URL $parameter.
In this case, the ACS URL specified in the SAMLRequest and the ACS URL configured in the Admin console for the corresponding application do not match.
To resolve the ACS URL in request $parameter doesn't match configured ACS URL $parameter error:
- Go to Service Provider Details.
- Check that the configured ACS URL is exactly the same as the AssertionConsumerServiceURL in the SAMLRequest, including scheme, host and path.
Invalid idpid provided in the url
The IdP ID (an obfuscated customer ID) provided in the URL has been tampered with and is incorrect.
To resolve the invalid IdP ID in URL error:
- Sign in to your Google Admin console. Sign in using your administrator account (does not end in @gmail.com).
- In the Admin console, go to Menu > Security > Authentication > SSO with SAML applications. You must be signed in as a super administrator for this task.
- Get the idpid string from the end of the Entity ID URL.
- Ensure that the IdP ID in the request URL is the same as the one in the Entity ID URL.
IdP-initiated flow: Invalid idpid provided in the request.
The calling user has tampered with the IdP-initiated SSO URL and changed the IdP ID to another (obfuscated) customer ID.
To resolve the invalid IdP ID in request error:
- Sign in to your Google Admin console. Sign in using your administrator account (does not end in @gmail.com).
- In the Admin console, go to Menu > Security > Authentication > SSO with SAML applications. You must be signed in as a super administrator for this task.
- Get the idpid string from the end of the Entity ID URL.
- Ensure that the IdP ID in the request URL is the same as the one in the Entity ID URL.
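The runtime checks above (403 app_not_configured and app_not_configured_for_user on the saml:Issuer, 400 saml_invalid_user_id_mapping on the NameID, the ACS URL mismatch, and the idpid/spid checks on an IdP-initiated URL) are all exact string comparisons between a decoded request or URL and what was entered in the Admin console. The block below is an added example, not code from the page or from Google, that performs those comparisons on a decoded AuthnRequest and on an IdP-initiated URL and names the error each mismatch corresponds to. It assumes the Admin console values in CONFIGURED_SP, reads the page's NAMEID parameter as the NameIDPolicy Format attribute, and assumes the shape of the IdP-initiated SSO URL (initsso?idpid=...&spid=...); the requests and URLs are constructed.

```python
import urllib.parse
import xml.etree.ElementTree as ET

SAMLP = "{urn:oasis:names:tc:SAML:2.0:protocol}"
SAML = "{urn:oasis:names:tc:SAML:2.0:assertion}"

# Hypothetical values as entered in the Admin console for one SAML app (constructed).
CONFIGURED_SP = {
    "entity_id": "https://sp.example.com/saml/metadata",   # Service Provider Details > Entity ID
    "acs_url": "https://sp.example.com/saml/acs",          # Service Provider Details > ACS URL
    "name_id_format": "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress",
    "app_id": "123456789",                                  # app-id under Basic Details (placeholder)
}
# Google IdP Entity ID; the idpid value is a placeholder obfuscated customer ID.
CONFIGURED_IDP_ENTITY_ID = "https://accounts.google.com/o/saml2?idpid=C0example"


def _query_param(url: str, name: str):
    """Return the first value of a query parameter, or None if it is absent."""
    return urllib.parse.parse_qs(urllib.parse.urlparse(url).query).get(name, [None])[0]


def check_authn_request(xml_text: str, sp: dict) -> list:
    """Compare a decoded SP-initiated AuthnRequest with the configured SP details.

    Returns [(error_name_from_this_page, detail)]; empty when everything matches.
    Every comparison is exact and case-sensitive, so a changed letter case or a
    trailing slash is reported as a mismatch.
    """
    root = ET.fromstring(xml_text)
    if root.tag != SAMLP + "AuthnRequest":
        return [("not_an_authn_request", root.tag)]
    problems = []

    issuer_el = root.find(SAML + "Issuer")
    issuer = (issuer_el.text or "").strip() if issuer_el is not None else ""
    if issuer != sp["entity_id"]:
        problems.append(("403 app_not_configured / app_not_configured_for_user",
                         f"saml:Issuer {issuer!r} != Entity ID {sp['entity_id']!r}"))

    acs = root.get("AssertionConsumerServiceURL")
    if acs is not None and acs != sp["acs_url"]:
        problems.append(("ACS URL in request doesn't match configured ACS URL",
                         f"{acs!r} != {sp['acs_url']!r}"))

    # Assumption: the page's NAMEID parameter is read here as NameIDPolicy/@Format.
    policy = root.find(SAMLP + "NameIDPolicy")
    fmt = policy.get("Format") if policy is not None else None
    if fmt is not None and fmt != sp["name_id_format"]:
        problems.append(("400 saml_invalid_user_id_mapping",
                         f"NameIDPolicy Format {fmt!r} != {sp['name_id_format']!r}"))
    return problems


def check_idp_initiated_url(url: str, idp_entity_id: str, sp: dict) -> list:
    """Check idpid and spid in an IdP-initiated SSO URL against the configured values."""
    problems = []
    expected_idpid = _query_param(idp_entity_id, "idpid")  # idpid string at the end of the Entity ID URL
    idpid = _query_param(url, "idpid")
    if idpid != expected_idpid:
        problems.append(("Invalid idpid provided in the url", f"{idpid!r} != {expected_idpid!r}"))
    spid = _query_param(url, "spid")
    if spid != sp["app_id"]:
        problems.append(("400 saml_invalid_sp_id", f"spid {spid!r} != app-id {sp['app_id']!r}"))
    return problems


# Constructed requests: one consistent with CONFIGURED_SP, one carrying the kinds of
# mismatch described on this page (Issuer letter case, ACS host, NameID format).
GOOD_REQUEST = (
    f'<samlp:AuthnRequest xmlns:samlp="{SAMLP[1:-1]}" xmlns:saml="{SAML[1:-1]}" '
    'ID="_1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z" '
    f'AssertionConsumerServiceURL="{CONFIGURED_SP["acs_url"]}">'
    f'<saml:Issuer>{CONFIGURED_SP["entity_id"]}</saml:Issuer>'
    f'<samlp:NameIDPolicy Format="{CONFIGURED_SP["name_id_format"]}" AllowCreate="true"/>'
    '</samlp:AuthnRequest>'
)
TAMPERED_REQUEST = GOOD_REQUEST.replace(
    "https://sp.example.com/saml/metadata", "https://SP.example.com/saml/metadata").replace(
    'AssertionConsumerServiceURL="https://sp.example.com/saml/acs"',
    'AssertionConsumerServiceURL="https://evil.example.net/saml/acs"').replace(
    "nameid-format:emailAddress", "nameid-format:persistent")

# The IdP-initiated SSO URL shape (initsso?idpid=...&spid=...) is assumed; values are placeholders.
GOOD_IDP_URL = "https://accounts.google.com/o/saml2/initsso?idpid=C0example&spid=123456789&forceauthn=false"
TAMPERED_IDP_URL = "https://accounts.google.com/o/saml2/initsso?idpid=C0other&spid=987654321"

if __name__ == "__main__":
    for label, probs in [
        ("good request", check_authn_request(GOOD_REQUEST, CONFIGURED_SP)),
        ("tampered request", check_authn_request(TAMPERED_REQUEST, CONFIGURED_SP)),
        ("good IdP URL", check_idp_initiated_url(GOOD_IDP_URL, CONFIGURED_IDP_ENTITY_ID, CONFIGURED_SP)),
        ("tampered IdP URL", check_idp_initiated_url(TAMPERED_IDP_URL, CONFIGURED_IDP_ENTITY_ID, CONFIGURED_SP)),
    ]:
        print(label, "->", probs or "OK")
```

Feed check_authn_request the XML decoded from a HAR capture and fill CONFIGURED_SP from the app's Service Provider Details and Basic Details pages; because the comparisons are exact, the detail string shows precisely which character differs, which is usually enough to tell misconfiguration from URL tampering.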
500 errors when testing a SAML SSO flow
When your users test a SAML SSO flow, whether IdP-initiated or SP-initiated, they may encounter one of several 500 errors because a backend process is unavailable.
To resolve any 500 errors for testing a SAML SSO flow:
Wait and then try the flow again. If this still doesn’t work, contact Google Cloud Support.
SAML app access error messages
1000 on access of SAML app page
To resolve the SAML app page access error:
Contact Google Cloud Support.
1000 on access of SAML app settings
To resolve the SAML app settings access error:
Contact Google Cloud Support.
SAML app user schema deletion error message
400
This error occurs if you try to delete a custom schema that is still associated as an attribute mapping with a SAML app that has already been deleted. It can affect schemas created before this issue was fixed.
To resolve the SAML apps user schema deletion error:
Contact Google Cloud Support.