View automated user provisioning errors

As an administrator, while you configure user provisioning, you may see these errors:

Read below about how to debug and resolve these errors.

Note: Please call Support if a failure remains unresolved after following the resolution steps.

Configuration time failures

The following errors are tied to configuring user provisioning and are shown on the Admin console.

Authorization code error

You'll see this error when the authorization code couldn't be exchanged for a refresh token. This can happen if your authorization code was incorrect or if you wait too long between authorizing and clicking Save Changes. Reauthorizing and saving the changes should solve this error.

Error message Resolution
Authorization token could not be generated. Retry authorization and save changes again.

Stale page error

Stale page errors occur when the user browser page hasn't been refreshed and the configuration has changed outside of this browser session (either from a different browser window or by a different user). Here are the associated errors that you could see:

Error message Resolution
Your page is stale. Provisioning setup exists. Refresh to override existing setup.
Your page is stale. Provisioning setup does not exist. Refresh to override existing setup.
Your page is stale. Can't activate an unconfigured provisioning setup. Refresh to override existing setup.
Your page is stale. Can't delete an unconfigured provisioning setup. Refresh to override existing setup.

 

Transient page error

These errors are transient and are expected to resolve themselves by retrying the action after some time. These could be any of these:

Error message Resolution
Couldn't fetch provisioning setup  Refresh the page. 
Couldn't fetch provisioning pre-configuration Refresh the page. 
Couldn't fetch provisioning status Refresh the page.
Provisioning activation failed Retry activating your provisioning.
Error deleting provisioning setup Try to delete the configuration again.
Provisioning setup couldn't be created Create your provisioning setup again and save your changes.
Provisioning setup couldn't be updated Update your provisioning setup again and save your changes.
Couldn't fetch custom attributes Try saving your custom attributes again.
Couldn't update attribute mapping Update your attribute mapping again.
Couldn't update the group settings for auto provisioning Update your group settings again.
Couldn't update the deprovisioning configuration Update your deprovisioning configuration again.
Delete configuration succeeded but couldn't revoke API client access

When deleting the configuration, we revoke the permissions that allow your application to access your Google side data.

If this fails for some reason, manually revoke access by accessing “Manage API Client Access” under the Security section.

If you deleted the configuration and plan to set it up again, you don’t need to take any action. 

Error while updating provisioning configuration Refresh the page. 
Authentication failed The authentication credentials (e.g. bearer token) provided in the configuration are incorrect. Enter the correct credentials.
SCIM Endpoint URL provided is invalid The target endpoint provided was invalid. Enter the correct URL.
Error enabling provisioning Click Activate provisioning
Error deleting provisioning setup Click Delete provisioning
Couldn't fetch attributes from your target Service Provider Refresh the Attribute mapping page.
Couldn't fetch your target resource schema Verify the SCIM endpoint provided during user provisioning setup and retry mapping Cloud Directory attributes to the target application attributes.

User provisioning runtime failures

Note: Refer to this section if the Provisioning status for your user provisioning configuration is showing Error.


User provisioning runtime failures may occur due to issues in configuration parameters.


Here are the possible error codes, the descriptions, and actions you can take to resolve them:

Google internal services errors

Error code Description and resolution
17003

Description: 

Couldn't authenticate with Google internal services.

Reason:

Permissions were revoked from this user provisioning client ID:

910835873219-es01p47a1ks618hgp59q26cnc6sv33r3.apps.googleusercontent.com

Resolution: 

Ensure that this ID has permissions to these scopes:

https://www.googleapis.com/auth/admin.directory.user.readonly,
https://www.googleapis.com/auth/admin.directory.userschema.readonly,
https://www.googleapis.com/auth/admin.directory.group.member.readonly

Use "Manage API Client Access" under SecurityAdvanced Settings to verify that the Client ID has these scopes or to add these scopes to this client ID.

17006

Description: 

Couldn't authenticate with Google internal services.

Reason:

Permissions were revoked from this user provisioning client ID:

910835873219-es01p47a1ks618hgp59q26cnc6sv33r3.apps.googleusercontent.com

Resolution: 

Ensure that this ID has permissions to these scopes:

https://www.googleapis.com/auth/admin.directory.user.readonly,
https://www.googleapis.com/auth/admin.directory.userschema.readonly,
https://www.googleapis.com/auth/admin.directory.group.member.readonly

Use "Manage API Client Access" under SecurityAdvanced Settings to verify that the Client ID has these scopes or to add these scopes to this client ID.

17008

Description: 

Couldn't authenticate with Google internal services.

Reason:

Permissions were revoked from this user provisioning client ID:

910835873219-es01p47a1ks618hgp59q26cnc6sv33r3.apps.googleusercontent.com

Resolution: 

Ensure that this ID has permissions to these scopes:

https://www.googleapis.com/auth/admin.directory.user.readonly,
https://www.googleapis.com/auth/admin.directory.userschema.readonly,
https://www.googleapis.com/auth/admin.directory.group.member.readonly

Use "Manage API Client Access" under SecurityAdvanced Settings to verify that the Client ID has these scopes or to add these scopes to this client ID..

Auth token errors

Error code Description and reason Resolution
17010

There are insufficient credentials to make calls to your SCIM endpoint.

Reason: The auth token is revoked.

Try reauthorizing again by clicking Re-authorize App.
17013

There was an error fetching an access token from your service provider.

Reason: The auth token is revoked.

If this error doesn't automatically resolve after some time, try reauthorizing again by clicking Re-authorize App.

Access token errors

Error code Description and reason Resolution
17002/17007/17011

Couldn't generate an access token.

Reason: Some Google internal services are unavailable at this time.

This error should get resolved automatically after some time.
17009 Access token generation from refresh token failed. Try reauthorizing again by clicking Re-authorize App.

General errors

Error code Description and reason Resolution
1200x

Internal Error

This error should get resolved automatically after some time.
25001 Google backend/service temporarily unavailable. Set up auto provisioning again.
25002

Google backend/service temporarily unavailable. 

Reason: The app is not installed for the customer.

Install the application and then set up auto provisioning again.
25005 Google backend/service temporarily unavailable. This error should get resolved automatically after some time.
25016 Google backend/service temporarily unavailable. Set up auto provisioning again.
50001 Internal Error This error should get resolved automatically after some time.
50003 Internal Error This error should get resolved automatically after some time.
50005 A deleted group is present in the configured group filters. Remove the deleted group from the provisioning scope configuration.
50006 Internal Error This error should get resolved automatically after some time. 

Resource-level failures

Refer to this section if the Failed Provisioning Actions displays a number.
This number is a link to download an error details file. This file contains the Error code and Error description for each resource that wasn't created, deleted, or updated during provisioning.
These are resource-level errors and only affect the specified resources in the file. The Error description in the downloaded file explains the issue.

Here are the error codes and the descriptions from the error details file, and actions you can take to resolve them:

Error code Error description Resolution
45003

The resource update, create, or delete request was not accepted by your SCIM-based application. Look at the details of the error in the downloaded error file.

Possible reasons:

  1. License Limit Exceeded—You have licenses to create only 5 users on your SCIM-based application and you turned on user provisioning for 6 users.
  2. Value Too Long—Your value e.g. email ID is too long and is not acceptable for your SCIM-based application.
  3. Must have at least one entitlement, one of which must be profile ID.
  4. The username already exists. It must be unique across the entire organization.
  5. Resource (User) not found on the service provider (SP) side.
  6. Invalid SCIM user ID value.
Correct the error and retry after saving changes.
45005 The SCIM endpoint you configured is not reachable. Check the SCIM endpoint you provided in the Admin console. Correct the error and retry after saving changes.
45006

The resource update, create, delete request was not built correctly or was not accepted by the SCIM-based application. Look at the details of the error in the downloaded error file.

Possible reasons:

  1. Value Too Long
  2. Insufficient licenses
  3. Invalid License
  4. Entitlement value doesn’t exist
Correct the error and retry after saving changes.
45016

The resource update, create, or delete request was not accepted by your SCIM-based application because you didn't enter a required field. Look at the details of the error in the downloaded error file.

Correct the error and retry after saving changes.
Was this helpful?
How can we improve it?