Troubleshooting Single Sign-on

The following table lists error codes you may encounter while setting up or using single sign-on to authenticate your users, together with troubleshooting and solution information for each.

Error: 5200 unknown error
Solution: Check the log files on both the web server and ADFS. The ADFS logs are found under C:\Windows\System32\winevt\Logs\AD FS 3.0%4Admin.

Error: 5201 received SAML token is empty (after base64 decode)
Solution: Check the logs on the ADFS server for more information. These logs are located in C:\Windows\System32\winevt\Logs\AD FS 3.0%4Admin.

Error: 5202 internal error - error occurred while processing SAML Response token
Solution: This error is raised while un-marshalling the SAML Response object out of the SAML Response token, and it may occur for many reasons. Check the exist.log file on the web server.

Error: 5204 error occurred while generating public key spec for signing certificate
Solution: If this error appears consistently, export and install a new signing certificate.

Error: 5205 could not locate SAML token signing certificate
Solution: Check that the token signing certificate file specified in lc.properties (look for sso.token_signing_certificate_path) exists and is readable.

Error: 5206 error occurred while generating Signature Validator for assertion token
Solution: If this error appears consistently, install a new signing certificate.

Error: 5207 assertion token within SAML Response token is null
Solution: Check the logs on the ADFS server for more information. These logs are located in C:\Windows\System32\winevt\Logs\AD FS 3.0%4Admin.

Error: 5208 signature contained in assertion token is invalid
Solution: The integrity of the received assertion token cannot be trusted; therefore, the subject related to this token cannot be authenticated.

Error: 5209 clock difference between identity provider and web server is off limit defined in lc.properties file
Solution: Check the current time on both the ADFS server and the web server. If the difference between the times on the two servers is greater than the limit in the lc.properties file (look for sso.clock_skew), synchronize the time on the servers.

Error: 5210 assertion token is holding invalid timestamp
Solution: This error occurs when the SAML token contains either an outdated timestamp or a timestamp set too far in the future.

Error: 5211 error occurred when trying to get the session object to set user information
Solution: This error occurs when Tridion Docs attempts to create a new session or to set an attribute on an existing session object. Check exist.log on the web server for more details.

Error: 5212 assertion token does not have assertion ID
Solution: Legacy Content Delivery parses the assertion ID from the SAML token; this error occurs if the parsed assertion ID is empty. Check the ADFS logs for more information.

Error: 5213 assertion token does not have user name
Solution: Legacy Content Delivery parses the user name from the SAML token; this error occurs if the user name is empty. Check the ADFS logs for more information.

Error: 5214 could not locate lc.properties file in single sign-on mode
Solution: Check that the lc.properties file is in the correct location (LiveContent\WEB-INF) and is readable.

Error: 5215 error occurred while associating user to database
Solution: The user is authenticated and authorized to Legacy Content Delivery. This error occurs when Legacy Content Delivery calls AuthFunctions to authorize the user to the Exist database. Check exist.log under Tomcat to see whether all five parameters are passed in correctly when AuthFunctions is called.

Error: 5216 user is not authorized to the Content Delivery application (may appear as 401 Permission Denied)
Solution: The user is authenticated but does not have permission to use Legacy Content Delivery. Check Active Directory to make sure the user is a member of the LiveContent.UseApplication group.
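As an added illustration, not code from Tridion Docs or Legacy Content Delivery (whose actual checks are not published here), the following Python function reproduces the order of several checks in the table against a constructed SAML Response: base64 decoding (5201/5202), presence of the Assertion (5207), its ID (5212) and NameID (5213), and the Conditions window with a clock-skew allowance that stands in for sso.clock_skew (5210). Signature validation (5208) is deliberately left out: in a real deployment the XML signature must be verified with a proper XML-DSig library before any of the other fields are trusted.

```python
import base64
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta

SAML = "urn:oasis:names:tc:SAML:2.0:assertion"  # SAML 2.0 assertion namespace


def _saml_time(value):
    # SAML timestamps are ISO 8601 in UTC, e.g. 2024-05-01T12:00:00Z
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def check_saml_response(token_b64, now, clock_skew_seconds):
    """Return the first failing code from the table above (5201, 5202, 5207,
    5210, 5212, 5213) or None. Signature validation (5208) is not covered."""
    try:
        raw = base64.b64decode(token_b64, validate=True)
    except ValueError:
        return 5202  # not a base64 token at all
    if not raw.strip():
        return 5201  # empty after base64 decode
    try:
        root = ET.fromstring(raw)
    except ET.ParseError:
        return 5202  # Response object cannot be un-marshalled
    assertion = root.find(f"{{{SAML}}}Assertion")
    if assertion is None:
        return 5207
    if not assertion.get("ID"):
        return 5212
    name_id = assertion.find(f"{{{SAML}}}Subject/{{{SAML}}}NameID")
    if name_id is None or not (name_id.text or "").strip():
        return 5213
    cond = assertion.find(f"{{{SAML}}}Conditions")
    if cond is not None:
        skew = timedelta(seconds=clock_skew_seconds)  # stands in for sso.clock_skew
        not_before, not_after = cond.get("NotBefore"), cond.get("NotOnOrAfter")
        if not_before and now + skew < _saml_time(not_before):
            return 5210  # timestamp too far in the future
        if not_after and now - skew >= _saml_time(not_after):
            return 5210  # outdated timestamp
    return None


SAMPLE_XML = (  # constructed, unsigned sample Response used only for illustration
    '<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    f'xmlns:saml="{SAML}"><saml:Assertion ID="_abc123"><saml:Subject>'
    '<saml:NameID>jdoe</saml:NameID></saml:Subject><saml:Conditions '
    'NotBefore="2024-05-01T12:00:00Z" NotOnOrAfter="2024-05-01T12:05:00Z"/>'
    '</saml:Assertion></samlp:Response>'
)
SAMPLE_TOKEN = base64.b64encode(SAMPLE_XML.encode()).decode()
```

Running the sample with a clock one minute before NotBefore returns 5210 with a zero skew and None once the skew allowance covers the difference, which is the situation the 5209/5210 entries describe.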