When configuring auto-provisioning for your SAML-based apps, you may see these errors:
Read below about how to debug and resolve these errors.
Note: If you can't resolve a failure using the steps given here, please call Support.
Configuration time failures
Authorization code error
You'll see this error when the authorization code couldn't be exchanged for a refresh token. This can happen if your authorization code was incorrect or if you wait too long between authorizing and clicking Save Changes. Reauthorizing and saving the changes should solve this error.
Error message | Resolution |
---|---|
Authorization token could not be generated. | Retry authorization and save changes again. |
Stale page error
Stale page errors occur when the user browser page hasn't been refreshed and the configuration has changed outside of this browser session (either from a different browser window or by a different user). Here are the associated errors that you could see:
Error message | Resolution |
---|---|
Your page is stale. Provisioning setup exists. | Refresh to override existing setup. |
Your page is stale. Provisioning setup does not exist. | Refresh to override existing setup. |
Your page is stale. Can't activate an unconfigured provisioning setup. | Refresh to override existing setup. |
Your page is stale. Can't delete an unconfigured provisioning setup. | Refresh to override existing setup. |
Transient page error
These errors are transient and should resolve if you refresh the page or retry the action after a period of time.
Error message | Resolution |
---|---|
Couldn't fetch provisioning setup | Refresh the page. |
Couldn't fetch provisioning pre-configuration | Refresh the page. |
Couldn't fetch provisioning status | Refresh the page. |
Provisioning activation failed | Retry activating provisioning. |
Error deleting provisioning setup | Retry deleting the configuration. |
Provisioning setup couldn't be created | Create your provisioning setup again and save your changes. |
Provisioning setup couldn't be updated | Update your provisioning setup again and save your changes. |
Couldn't fetch custom attributes | Retry saving your custom attributes. |
Couldn't update attribute mapping | Update your attribute mapping again. |
Couldn't update the group settings for auto provisioning | Update your group settings again. |
Couldn't update the deprovisioning configuration | Update your deprovisioning configuration again. |
Delete configuration succeeded but couldn't revoke API client access |
When deleting the configuration, we revoke the permissions that allow your application to access your Google side data. |
Error while updating provisioning configuration | Refresh the page. |
Authentication failed | The authentication credentials (e.g. bearer token) provided in the configuration are incorrect. Enter the correct credentials. |
SCIM Endpoint URL provided is invalid | The target endpoint provided was invalid. Enter the correct URL. |
Error enabling provisioning | Move the Auto-provisioning slider to Active. |
Error deleting provisioning setup |
|
Couldn't fetch attributes from your target Service Provider |
|
Couldn't fetch your target resource schema | Verify the Endpoint URL provided during auto-provisioning setup and retry mapping Cloud Directory attributes to the target application attributes. |
Auto-provisioning runtime failures
Auto-provisioning runtime failures may occur due to API access, authorization, or configuration issues.
Google internal services errors
Error code | Description and resolution |
---|---|
17003 17006 17008 |
Description: Couldn't authenticate with Google internal services. Reason: Permissions were revoked from this user provisioning client ID: 910835873219-es01p47a1ks618hgp59q26cnc6sv33r3.apps.googleusercontent.com Resolution: Ensure that this ID has permissions to these scopes: https://www.googleapis.com/auth/admin.directory.user.readonly, In the Admin console, use "Manage API client access" under Security > Advanced Settings to verify that the Client ID has these scopes or to add these scopes to this client ID. |
17007 |
Description: Couldn't grant access to apps that support auto-provisioning using domain-wide delegation of authority. Couldn’t grant domain-wide delegation authority to the auto-provisioning service. This is critical for the auto-provisioning service to be able to read Google directory. Reasons: Reason 1: Permissions were revoked from the user provisioning client ID. Resolutions: In the Admin console, use "Manage API client access" under Security > Advanced Settings to add the following Client ID and scopes: Client ID: Scopes: https://www.googleapis.com/auth/admin.directory.user.readonly, An alternate resolution is to delete the app in question and then re-add the app. Reason 2: Unexpected system errors Resolution: In most cases, this error will resolve automatically. However, if the problem persists after some hours, then either add the client ID and scopes or delete and re-add the app, as mentioned for Reason 1, above. |
Auth token errors
Error code | Description and reason | Resolution |
---|---|---|
17010 |
There are insufficient credentials to make calls to your SCIM endpoint. Reason: The auth token is revoked. |
Try reauthorizing again by clicking Auto-provisioning to open Settings, then Reauthorize. |
17013 |
There was an error fetching an access token from your service provider. Reason: The auth token is revoked. |
If this error doesn't automatically resolve after some time, try reauthorizing again by clicking Auto-provisioning to open Settings, then Reauthorize. |
Access token errors
Error code | Description and reason | Resolution |
---|---|---|
17002 17011 |
Couldn't generate an access token. Reason: Some Google internal services are unavailable at this time. |
This error should resolve automatically after some time. |
17009 | Access token generation from refresh token failed. | Try reauthorizing again by clicking Auto-provisioning to open Settings, then Reauthorize. |
General errors
Error code | Description and reason | Resolution |
---|---|---|
1200x |
Internal Error |
This error should resolve automatically after some time. |
25001 | Google backend/service temporarily unavailable. | Set up auto-provisioning again. |
25002 |
Google backend/service temporarily unavailable. Reason: The app is not installed for the customer. |
Install the application and then set up auto-provisioning again. |
25005 | Google backend/service temporarily unavailable. | This error should resolve automatically after some time. |
25016 | Google backend/service temporarily unavailable. | Set up auto-provisioning again. |
50001 | Internal Error | This error should resolve automatically after some time. |
50003 | Internal Error | This error should resolve automatically after some time. |
50005 | A deleted group is present in the configured group filters. | Remove the deleted group from the provisioning scope configuration. |
50006 | Internal Error | This error should resolve automatically after some time. |
Resource-level failures
If the Auto-provisioning section on the SAML app settings page shows Failures, click Download list. The downloaded file lists failed create, delete, or update actions, and an error code and description for each failure.
These errors only affect the specified resources in the file.
Error code | Error description | Resolution |
---|---|---|
45003 |
The resource update, create, or delete request was not accepted by your SCIM-based application. Look at the details of the error in the downloaded error file. Possible reasons:
|
Correct the error and retry after saving changes. |
45004 |
An error has occurred between the service provider and Google as identity provider. The error text is "Internal error - Quota Exceeded".
|
Contact the service provider. |
45005 | The SCIM endpoint you configured is not reachable. Check the SCIM endpoint you provided in the Admin console. | Correct the error and retry after saving changes. |
45006 |
The resource update, create, delete request was not built correctly or was not accepted by the SCIM-based application. Look at the details of the error in the downloaded error file. Possible reasons:
|
Correct the error and retry after saving changes. |
45016 |
The resource update, create, or delete request was not accepted by your SCIM-based application because you didn't enter a required field. Look at the details of the error in the downloaded error file. |
Correct the error and retry after saving changes. |