When configuring auto-provisioning for your SAML-based apps, you may see these errors:
Read below about how to debug and resolve these errors.
Note: If you can't resolve a failure using the steps given here, please call Support.
Configuration time failures
Authorization code error
You'll see this error when the authorization code couldn't be exchanged for a refresh token. This can happen if your authorization code was incorrect or if you wait too long between authorizing and clicking Save Changes. Reauthorizing and saving the changes should solve this error.
| Error message | Resolution |
|---|---|
| Authorization token could not be generated. | Retry authorization and save changes again. |
Stale page error
Stale page errors occur when the user browser page hasn't been refreshed and the configuration has changed outside of this browser session (either from a different browser window or by a different user). Here are the associated errors that you could see:
| Error message | Resolution |
|---|---|
| Your page is stale. Provisioning setup exists. | Refresh to override existing setup. |
| Your page is stale. Provisioning setup does not exist. | Refresh to override existing setup. |
| Your page is stale. Can't activate an unconfigured provisioning setup. | Refresh to override existing setup. |
| Your page is stale. Can't delete an unconfigured provisioning setup. | Refresh to override existing setup. |
Transient page error
These errors are transient and should resolve if you refresh the page or retry the action after a period of time.
When deleting the configuration, we revoke the permissions that allow your application to access your Google side data.
If this fails for some reason, manually revoke access by accessing “ Manage API client access
” under the Securitysection.
If you deleted the configuration and plan to set it up again, you don’t need to take any action.
- Click Auto-provisioningto open Settings.
- Under Delete configuration, click Delete.
- Click Auto-provisioningto open Settings.
- Under Attribute mapping, click Edit.
- Edit service provider mappings as needed.
Auto-provisioning runtime failures
Auto-provisioning runtime failures may occur due to API access, authorization, or configuration issues.
Google internal services errors
| Error code | Description and resolution |
|---|---|
| 17003 17006 17008 |
Description: Couldn't authenticate with Google internal services. Reason: Permissions were revoked from this user provisioning client ID: 910835873219-es01p47a1ks618hgp59q26cnc6sv33r3.apps.googleusercontent.com Resolution: Ensure that this ID has permissions to these scopes: https://www.googleapis.com/auth/admin.directory.user.readonly, In the Admin console, use " Manage API client access " under Security> Advanced Settingsto verify that the Client ID has these scopes or to add these scopes to this client ID. |
| 17007 | Description: Couldn't grant access to apps that support auto-provisioning using domain-wide delegation of authority. Couldn’t grant domain-wide delegation authority to the auto-provisioning service. This is critical for the auto-provisioning service to be able to read Google directory. Reasons: Reason 1:Permissions were revoked from the user provisioning client ID. Resolutions: In the Admin console, use " Manage API client access " under Security> Advanced Settingsto add the following Client ID and scopes: Client ID:910835873219-es01p47a1ks618hgp59q26cnc6sv33r3.apps.googleusercontent.com Scopes: https://www.googleapis.com/auth/admin.directory.user.readonly, An alternate resolution is to delete the app in question and then re-add the app. Reason 2:Unexpected system errors Resolution: In most cases, this error will resolve automatically. However, if the problem persists after some hours, then either add the client ID and scopes or delete and re-add the app, as mentioned for Reason 1, above. |
Auth token errors
| Error code | Description and reason | Resolution |
|---|---|---|
|
17010
|
There are insufficient credentials to make calls to your SCIM endpoint. Reason: The auth token is revoked. |
Try reauthorizing again by clicking Auto-provisioningto open Settings, then Reauthorize. |
|
17013
|
There was an error fetching an access token from your service provider. Reason: The auth token is revoked. |
If this error doesn't automatically resolve after some time, try reauthorizing again by clicking Auto-provisioningto open Settings, then Reauthorize. |
Access token errors
| Error code | Description and reason | Resolution |
|---|---|---|
|
17002
17011 |
Couldn't generate an access token. Reason: Some Google internal services are unavailable at this time. |
This error should resolve automatically after some time. |
|
17009
|
Access token generation from refresh token failed. | Try reauthorizing again by clicking Auto-provisioningto open Settings, then Reauthorize. |
General errors
| Error code | Description and reason | Resolution |
|---|---|---|
|
1200x
|
Internal Error |
This error should resolve automatically after some time. |
|
25001
|
Google backend/service temporarily unavailable. | Set up auto-provisioning again. |
|
25002
|
Google backend/service temporarily unavailable. Reason: The app is not installed for the customer. |
Install the application and then set up auto-provisioning again. |
|
25005
|
Google backend/service temporarily unavailable. | This error should resolve automatically after some time. |
|
25016
|
Google backend/service temporarily unavailable. | Set up auto-provisioning again. |
|
50001
|
Internal Error | This error should resolve automatically after some time. |
|
50003
|
Internal Error | This error should resolve automatically after some time. |
|
50005
|
A deleted group is present in the configured group filters. | Remove the deleted group from the provisioning scope configuration. |
|
50006
|
Internal Error | This error should resolve automatically after some time. |
Resource-level failures
If the Auto-provisioning section on the SAML app settings page shows Failures , click Download list. The downloaded file lists failed create, delete, or update actions, and an error code and description for each failure.
These errors only affect the specified resources in the file.
The resource update, create, or delete request was not accepted by your SCIM-based application. Look at the details of the error in the downloaded error file.
Possible reasons:
- License Limit Exceeded—You have licenses to create only 5 users on your SCIM-based application and you turned on auto-provisioning for 6 users.
- Value Too Long—Your value e.g. email ID is too long and is not acceptable for your SCIM-based application.
- Must have at least one entitlement, one of which must be profile ID.
- The username already exists. It must be unique across the entire organization.
- Resource (User) not found on the service provider (SP) side.
- Invalid SCIM user ID value.
An error has occurred between the service provider and Google as identity provider. The error text is "Internal error - Quota Exceeded".
Possible reasons:
- An outage that affects the service provider.
- The service provider server is down.
The resource update, create, delete request was not built correctly or was not accepted by the SCIM-based application. Look at the details of the error in the downloaded error file.
Possible reasons:
- Value Too Long
- Insufficient licenses
- Invalid License
- Entitlement value doesn’t exist
The resource update, create, or delete request was not accepted by your SCIM-based application because you didn't enter a required field. Look at the details of the error in the downloaded error file.
