SSO SAML Error Messages – LaunchDarkly

Affected: Single sign-on

Overview

Reference this document when experiencing issues when signing on through SSO and you see SAML assertion consumer errors.

Topics

*Occurs before or after authentication?

Errors before authentication of LaunchDarkly account: These errors occur before a LaunchDarkly account has been connected to the assertion consumer service URL.
Errors after authentication of LD account: These errors occur after an LD account has been connected to the assertion consumer service URL.

Error Code	Full error message	*Occurs before or after authentication	Reason for error
401	`Error (401) - invalid_request: SSO authentication failed.`	Before	A 401 error suggests one of the following: The x.509 certificate in your LaunchDarkly configurations is incorrect. The certificate in your SSO configuration is incorrect. The SAML response is not signed correctly.
736	`ACS received invalid 'id' parameter`	Before	The assertion consumer service URL provided by LaunchDarkly in the `Edit your SAML configuration` modal does not have an account `id` in the required `bson ObjectId` format. This is likely a copy/paste error.
924	`ACS could not find account`	Before	The assertion consumer service URL provided by LaunchDarkly in the `Edit your SAML configuration` modal does not have an account `id` connected to a LaunchDarkly account. This is likely a copy/paste/typo error.
925	`ACS received a duplicate SAMLResponse`	Before	The provided SAML is a duplicate of a previous request, which could be a replay attack. A reasonable request wouldn’t reuse the same data.
847	`Unable to parse X.509 certificate for the account`	After	The `X.509` certificate provided by LaunchDarkly on the `Edit your SAML configuration modal`, under `SAML identity provider details`, could not be parsed. This is likely a copy/paste/typo error.
729	`X.509 certificate is not set for the account`	After	There isn’t a `X.509` certificate connected to the LaunchDarkly account. This means that the SSO configuration has not been set up.
972	`Name ID element must be email addresss`	After	The `Name ID` element is not an email address. See the official documentation for Name ID field formatting. These issues can take two forms. It will either be the NameID field is incorrect, or you are sending the wrong attribute map.
701	`missing %s attribute on %s element` OR `missing %s element` OR `could not verify certificate against trusted certs`	After	This error code indicates that there is a problem with the `SAML Assertion` document that was sent with the request. Missing attributes or elements could include: `NameID`, `Subject`, or `AttributeStatements` (if required by the IdP). This is likely related to a mismatch in attribute mapping or an invalid `x509` certificate.
None	`SSO authentication failed: Configure SAML on LaunchDarkly.`	After	The LD account connected to the provided `assertion consumer service URL` does not have SSO configured. This means that either the account’s `SAML Configuration` does not exist, or it exists but is currently not enabled OR in test-mode.

Resources

SSO: SCIM Error Messages