View auto-provisioning errors

When configuring auto-provisioning for your SAML-based apps, you may see these errors:

Read below about how to debug and resolve these errors.

Note: If you can't resolve a failure using the steps given here, please call Support.

Configuration time failures

Authorization code error

You'll see this error when the authorization code couldn't be exchanged for a refresh token. This can happen if your authorization code was incorrect or if you wait too long between authorizing and clicking Save Changes. Reauthorizing and saving the changes should solve this error.

Error message Resolution
Authorization token could not be generated. Retry authorization and save changes again.

Stale page error

Stale page errors occur when the user browser page hasn't been refreshed and the configuration has changed outside of this browser session (either from a different browser window or by a different user). Here are the associated errors that you could see:

Error message Resolution
Your page is stale. Provisioning setup exists. Refresh to override existing setup.
Your page is stale. Provisioning setup does not exist. Refresh to override existing setup.
Your page is stale. Can't activate an unconfigured provisioning setup. Refresh to override existing setup.
Your page is stale. Can't delete an unconfigured provisioning setup. Refresh to override existing setup.

 

Transient page error

These errors are transient and should resolve if you refresh the page or retry the action after a period of time. 

Error message Resolution
Couldn't fetch provisioning setup  Refresh the page. 
Couldn't fetch provisioning pre-configuration Refresh the page. 
Couldn't fetch provisioning status Refresh the page.
Provisioning activation failed Retry activating provisioning.
Error deleting provisioning setup Retry deleting the configuration.
Provisioning setup couldn't be created Create your provisioning setup again and save your changes.
Provisioning setup couldn't be updated Update your provisioning setup again and save your changes.
Couldn't fetch custom attributes Retry saving your custom attributes.
Couldn't update attribute mapping Update your attribute mapping again.
Couldn't update the group settings for auto provisioning Update your group settings again.
Couldn't update the deprovisioning configuration Update your deprovisioning configuration again.
Delete configuration succeeded but couldn't revoke API client access

When deleting the configuration, we revoke the permissions that allow your application to access your Google side data.

If this fails for some reason, manually revoke access by accessing “Manage API client access” under the Security section.

If you deleted the configuration and plan to set it up again, you don’t need to take any action. 

Error while updating provisioning configuration Refresh the page. 
Authentication failed The authentication credentials (e.g. bearer token) provided in the configuration are incorrect. Enter the correct credentials.
SCIM Endpoint URL provided is invalid The target endpoint provided was invalid. Enter the correct URL.
Error enabling provisioning Move the Auto-provisioning slider to Active
Error deleting provisioning setup
  1. Click Auto-provisioning to open Settings.
  2. Under Delete configuration, click Delete
Couldn't fetch attributes from your target Service Provider
  1. Click Auto-provisioning to open Settings.
  2. Under Attribute mapping, click Edit.
  3. Edit service provider mappings as needed.
Couldn't fetch your target resource schema Verify the Endpoint URL provided during auto-provisioning setup and retry mapping Cloud Directory attributes to the target application attributes.

Auto-provisioning runtime failures

Auto-provisioning runtime failures may occur due to API access, authorization, or configuration issues.

Google internal services errors

Error code Description and resolution
17003
17006
17008

Description: 

Couldn't authenticate with Google internal services.

Reason:

Permissions were revoked from this user provisioning client ID:

910835873219-es01p47a1ks618hgp59q26cnc6sv33r3.apps.googleusercontent.com

Resolution: 

Ensure that this ID has permissions to these scopes:

https://www.googleapis.com/auth/admin.directory.user.readonly,
https://www.googleapis.com/auth/admin.directory.userschema.readonly,
https://www.googleapis.com/auth/admin.directory.group.member.readonly

In the Admin console, use "Manage API client access" under SecurityAdvanced Settings to verify that the Client ID has these scopes or to add these scopes to this client ID.

17007

Description:

Couldn't grant access to apps that support auto-provisioning using domain-wide delegation of authority.

Couldn’t grant domain-wide delegation authority to the auto-provisioning service. This is critical for the auto-provisioning service to be able to read Google directory.

Reasons:

Reason 1: Permissions were revoked from the user provisioning client ID.

Resolutions:

In the Admin console, use "Manage API client access" under Security > Advanced Settings to add the following Client ID and scopes:

Client ID:
910835873219-es01p47a1ks618hgp59q26cnc6sv33r3.apps.googleusercontent.com

Scopes:

https://www.googleapis.com/auth/admin.directory.user.readonly,
https://www.googleapis.com/auth/admin.directory.userschema.readonly,
https://www.googleapis.com/auth/admin.directory.group.member.readonly

An alternate resolution is to delete the app in question and then re-add the app.

Reason 2: Unexpected system errors

Resolution:

In most cases, this error will resolve automatically. However, if the problem persists after some hours, then either add the client ID and scopes or delete and re-add the app, as mentioned for Reason 1, above.

Auth token errors

Error code Description and reason Resolution
17010

There are insufficient credentials to make calls to your SCIM endpoint.

Reason: The auth token is revoked.

Try reauthorizing again by clicking Auto-provisioning to open Settings, then Reauthorize.
17013

There was an error fetching an access token from your service provider.

Reason: The auth token is revoked.

If this error doesn't automatically resolve after some time, try reauthorizing again by clicking Auto-provisioning to open Settings, then Reauthorize.

Access token errors

Error code Description and reason Resolution
17002
17011

Couldn't generate an access token.

Reason: Some Google internal services are unavailable at this time.

This error should resolve automatically after some time.
17009 Access token generation from refresh token failed. Try reauthorizing again by clicking Auto-provisioning to open Settings, then Reauthorize.

General errors

Error code Description and reason Resolution
1200x

Internal Error

This error should resolve automatically after some time.
25001 Google backend/service temporarily unavailable. Set up auto-provisioning again.
25002

Google backend/service temporarily unavailable. 

Reason: The app is not installed for the customer.

Install the application and then set up auto-provisioning again.
25005 Google backend/service temporarily unavailable. This error should resolve automatically after some time.
25016 Google backend/service temporarily unavailable. Set up auto-provisioning again.
50001 Internal Error This error should resolve automatically after some time.
50003 Internal Error This error should resolve automatically after some time.
50005 A deleted group is present in the configured group filters. Remove the deleted group from the provisioning scope configuration.
50006 Internal Error This error should resolve automatically after some time. 

Resource-level failures

If the Auto-provisioning section on the SAML app settings page shows Failures, click Download list. The downloaded file lists failed create, delete, or update actions, and an error code and description for each failure.

These errors only affect the specified resources in the file. 

Error code Error description Resolution
45003

The resource update, create, or delete request was not accepted by your SCIM-based application. Look at the details of the error in the downloaded error file.

Possible reasons:

  1. License Limit Exceeded—You have licenses to create only 5 users on your SCIM-based application and you turned on auto-provisioning for 6 users.
  2. Value Too Long—Your value e.g. email ID is too long and is not acceptable for your SCIM-based application.
  3. Must have at least one entitlement, one of which must be profile ID.
  4. The username already exists. It must be unique across the entire organization.
  5. Resource (User) not found on the service provider (SP) side.
  6. Invalid SCIM user ID value.
Correct the error and retry after saving changes.
45004

An error has occurred between the service provider and Google as identity provider. The error text is "Internal error - Quota Exceeded".

Possible reasons:

  • An outage that affects the service provider.
  • The service provider server is down.
Contact the service provider.
45005 The SCIM endpoint you configured is not reachable. Check the SCIM endpoint you provided in the Admin console. Correct the error and retry after saving changes.
45006

The resource update, create, delete request was not built correctly or was not accepted by the SCIM-based application. Look at the details of the error in the downloaded error file.

Possible reasons:

  1. Value Too Long
  2. Insufficient licenses
  3. Invalid License
  4. Entitlement value doesn’t exist
Correct the error and retry after saving changes.
45016

The resource update, create, or delete request was not accepted by your SCIM-based application because you didn't enter a required field. Look at the details of the error in the downloaded error file.

Correct the error and retry after saving changes.

Was this helpful?

How can we improve it?
Search
Clear search
Close search
Google apps
Main menu