SSO Error codes

There are a number of places where you might see temporary or permanent errors when trying set up or to use Single Sign On within SmartSurvey. 

Setup Page

On the setup page, there is an option to test the discovery endpoint. If this fails, an error code is displayed which is the HTTP status code of the response.

  • 0: An error meant that the attempted connection was not made to the destination server. This might be because there is no public Domain Name Server (DNS) entry for your Identity Provider (IdP), so the lookup failed, it might also be because Cross-Origin Resource Sharing (CORs) does not permit the smartsurvey domain (app.smartsurvey.co.uk) to use your identity provider.
  • 401: This means that the endpoint is setup to require authorisation but none was provided. It is not standard for the discovery endpoint to require authorisation and we do not support any mechanism to pass credentials to the discovery endpoint to do this. You will need to disable authorisation on the discovery endpoint.
  • 403: This should never be returned but implies that credentials were supplied but do not have permission to access the endpoint. It is possible that this response is hard-coded for some reason in the identity provider application. If this happens, it is most likely that the IdP needs configuration to allow Discovery to be made.
  • 404: The host server was correctly looked up with DNS but a request did not then reach a valid endpoint and so the destination server returned "not found (404)". This might be because your system does not use discovery (it should be at a well-known location: www.yourdomain.com/.well-known/openid-configuration). If you cannot access this internally, then you will need to contact your IdP support team to help you set it up. It is also possible that the origin url is incorrect, for example, you might have put www.yourdomain.com where you needed to put accounts.yourdomain.com.
  • 500: Internal server error. We were able to call an endpoint but your system generated an error. This is unexpected in normal usage, even if we were not permitted to access the endpoint. This means that there is probably a problem on the IdP. Details about exactly what will usually be found in the IdP server logs for that system.
  • 503: This is usually returned by your server when it has been switched off temporarily, e.g. for maintenance, and it should succeed once the server is switched back on.

Other Setup Errors

Other errors that might cause an error to appear if the endpoint cannot be contacted and which will need to be resolved include:

  • A firewall might be blocking the call, which will usually drop the packet. This could cause a timeout, or will return some kind of error.
  • If you have rate limiting enabled, a 429 might be returned, although we wouldn't expect to call the IdP often enough to see this.
  • If the document returned is not correctly formed, you might see an error like "Could not find 'issuer' property in response".
  • The issuer in the returned document must match the origin URL.

Was this guide helpful?