Skip Navigation
Common SSO Errors and how to troubleshoot
Answer ID 12238   |   Last Review Date 11/30/2022

I am receiving a SSO error, what does it mean?

Oracle B2C Service SSO
The Security Log can help you troubleshoot SSO errors.  This log can be accessed in the agent desktop via the Configuration button > Site Configuration folder > Logs > Security Log button in the ribbon.  You can use this log to see what error related to SSO is recorded to help you troubleshoot the issue. Below are some errors you may see recorded in the Security Log and tips on what to look for to resolve the error;
Click the plus sign next to the appropriate heading below to expand that section for viewing.
"Error validating the certificate used to sign the SSO token"
When this error presents, there are a few things you can check;
  • Is the signing certificate expired?
  • Is the signing certificate and certificate chain if applicable, uploaded into the File Manager?  If the 'Do Not Verify Trust Chain for Certificates' on the Identity provider in the Single Sign-On Configurations component is selected, you do not need to upload the full chain into the File Manager.
  • If the signing certificate includes a certificate chain (there are intermediate certificates), does the chain verify?  You can use openssl in Linux to check by using this command:  openssl verify -CAfile <root name>.pem -untrusted <intermediate>.pem <signing>.pem
  • For customer portal SSO, is the fingerprint of the signing certificate in the SAML_20_SIGN_CERTS configuration setting?  Remove extraneous fingerprints from this configuration setting. 
  • Is there more than one certificate in the File Manager with the same Issuer and Subject but different fingerprints?   See the 'Notes' section in this answer about two certificates uploaded in the File Manager with the same Issuer and Subject. 
"No account matching token reference found"
When this error presents, check the following on staff account on the Oracle B2C Service side;
  • Is the staff account active?
  • Confirm the parameter on the account you are using to authenticate matches what the IdP is passing for authentication. For example, if authenticating on login, does the login on the staff account match the login that the IdP is sending?  Oracle B2C Service is case sensitive for logins so the value in the login must match exactly what the IdP is sending, including any capital letters. 
 "Token or token reference is expired or not yet valid"
When this error presents, the IdP is sending the SAMLResponse too early or too late so it is not valid when it hits our servers. 
  • If you have an Identity Provider set up in the Single Sign-On Configurations component for agent login, you can add a skew to the Token Validity Offset (in seconds) field. 
  • If you are using IdP-initiated SSO for the agent desktop or for customer portal, work with your IdP to to add a time skew to the SAMLResponse.  The other option is to have the IdP sync to a clock.  
"Error validating SSO token subject (e.g. incorrect SAML recipient source or unsupported confirmation method)"
When this error presents, check the Subject in the SAMLResponse and look for the following;
  • Is the Recipient URL correct?  For example, if your site has end user SSL enabled, does the URL include https instead of http:  
  • Are there extra characters in the Recipient URL in the Subject?  For example, see the following Recipient URL with extra characters appended to the end of it.  This will need to be fixed on the IdP side: 
"The SSO token has an invalid nameid_format!"
When this error presents, there is a mismatch between the NameID Format set on the Identity Provider in the Single Sign-On Configurations component and the nameid-format in the SAMLResponse from the IdP. 
  • Check what you have set in the NameID Format field on your Identity Provider in the Single Sign-On Configurations component.  If you do not have a value set, validation is not enforced.  If you do have a value set, ensure that it matches the nameid-format specified in the Subject of the SAMLResponse
  • Also see Supported NameID formats in SAML response subject for supported formats in the Subject of the SAMLResponse
"Unable to validate the signature on the SSO token (e.g. corrupt signature or certificate is missing from the SSO token)"
When this error presents, it usually means the signing certificate is not included in the SAMLResponse
  • Capture the SAMLResponse from your IdP and verify if you see the signing certificate in it. 
"Error parsing the SSO token" 
When this error presents, it is typically due to the Subject not being included in the SAMLResponse and there is no value to validate against on the Oracle B2C Service side. 
  • Check the SAMLResponse to see if a Subject is present.
  • This error can also present if the Subject is missing certain information such as the nameid-format
Other troubleshooting scenarios to help diagnose the issue:
  • If you are not seeing any errors recorded to the Security Log, check the ACS URL.  If the ACS URL is incorrect, the POST of the assertion is not being processed on the Oracle B2C Service side and an error will not be recorded.
  • If you are attempting to log into the Browser User Interface (BUI) with SSO and the .NET console launches instead, ensure your IdP has set the relaystate.  For IdP-initiated SSO, the relaystate is very important.  If you are logging into the BUI, the relaystate needs to contain the URL for your BUI.  See also Using external identity provider (IdP) with Browser UI/BUI.
  • If you have set up a value in the PTA_EXTERNAL_LOGIN_URL that includes the %next_page% variable, the contact will not be redirected to the original page they were attempting to access before they were redirected to the IdP for SSO authentication.  This is due to customer portal does not support relay states or deep linking.  The %next_page% variable is essentially a relaystate.  See redirect alternatives in Redirect a user on customer portal after SSO authentication .
  • If your SAMLResponse is encrypted, you will not be able to see the details being passed for authentication. You will need to work with your IdP to get an unencrypted SAMLResponse.