General Errors

Error Message: CSIAC6274E Authentication failed due to a configured policy.

Problem: Federated users are getting the error "CSIAC6274E Authentication failed due to a configured policy." during the IBMid login process and are unable to land on the target IBM application.

Cause: CSIAC6274E indicates a problem with the policy configured for the user. The company’s identity provider (IdP) admin needs to review and configure the SAML claims for user attributes to meet the IBMid Enterprise Federation support requirements found here: https://www.ibm.com/docs/en/ief?topic=welcome-requirements-sso

Resolution: To debug the issue, capture the SAMLResponse value during the login process by generating a HAR file in the browser, following these steps: https://help.salesforce.com/s/articleView?id=000385988&type=1

Open the captured HAR file in a text editor and search for "SAMLResponse" and its value. Decode the value with a Base64 tool.

Review user attributes that are included with the SAMLResponse. Example:

<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
                Destination="https://login.ibm.com/saml/sps/saml20sp/saml20/login" ... >
       ....
        <saml:AttributeStatement>
            <saml:Attribute Name="country"
                            NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
                <saml:AttributeValue xsi:type="xs:string">ca</saml:AttributeValue>
            </saml:Attribute>
            <saml:Attribute Name="emailAddress"
                            NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
                <saml:AttributeValue xsi:type="xs:string">user@company_email</saml:AttributeValue>
            </saml:Attribute>
            <saml:Attribute Name="firstName"
                            NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
                <saml:AttributeValue xsi:type="xs:string">FirstName</saml:AttributeValue>
            </saml:Attribute>
            <saml:Attribute Name="lastName"
                            NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
                <saml:AttributeValue xsi:type="xs:string">LastName</saml:AttributeValue>
            </saml:Attribute>
            .....
         </saml:AttributeStatement>
    </saml:Assertion>
</samlp:Response>

Make sure the required SAML attributes are configured as follows:
  • A) NameID Format as emailAddress (your organization's identity provider (IdP) must set the NameID to the organizational user's valid email address).
  • B) Required attributes with the exact names as follows (case sensitive):
    • firstName
    • lastName
    • emailAddress
    • country
    Note: For country, the expectation is to receive 2 characters per the ISO Alpha-2 standard (for example: US for United States, AU for Australia, GB for United Kingdom).

Error Message: CSIAC4572E Authentication failed at the identity provider.

Problem: Federated users are getting the error “CSIAC4572E Authentication failed at the identity provider.” during the IBMid login process and are unable to land on the target IBM application.

Cause: The SAML status included in the authentication response message indicates that authentication failed at the identity provider.

Resolution: Examine the trace logs on the identity provider that issued the response message to see why the authentication operation failed.

Error Message: CSIAC4566E The assertion issued by partnerProvider could not be validated or decrypted.

Problem: Federated users are getting the error “CSIAC4566E The assertion issued by partnerProvider could not be validated or decrypted.” during the IBMid login process and are unable to land on the target IBM application.

Cause: The assertion could not be validated or decrypted. Typically, there is either a mismatch on the SAML SSO Signing or Encryption Certificate on IBM’s or the identity provider (IdP) side due to invalid or expired certificates.

Resolution: Make sure that the validation keys, decryption keys and decryption parameters are configured properly for the provider that issued the assertion. The trace log will indicate which operation failed, validation or decryption. Validate the SAML SSO Signing or Encryption Certificates used by IBM and your identity provider (IdP).

Error Message: CSIAQ0287E The system cannot process your request because the transaction has been idle for too long

Problem: Users are getting the error “CSIAQ0287E The system cannot process your request because the transaction has been idle for too long” during the IBMid login process and are unable to land on the target IBM application.

Cause: This error message usually results from one of the following:
  • The target URL is invalid.
  • The login webpage is idle for an extended time.
  • The IBMid user is accessing a saved bookmark that has expired cookies.

Resolution: To correct this error message, try using the valid application URL instead of the one that appears on the login webpage. Try authenticating with your IBMid account in a new browser session.

Error Message: CSIAC4568E The SAML message signature could not be validated.

Problem: Users are getting the error “CSIAC4568E The SAML message signature could not be validated.” during the IBMid login process and are unable to land on the target IBM application.

Cause: The SAML message signature could not be validated. This error occurs when IBMid or App ID cannot verify the signature sent with the SAML message.

Resolution: Make sure that the validation key is configured properly for the provider that sent the message. In App ID, verify that you have Inbound Signature set to None in your configuration.

Error Message: CSIAC5140E You are not authorized to access this protected resource.

Problem: Users are getting the error “CSIAC5140E You are not authorized to access this protected resource.” during the IBMid login process and are unable to land on the target IBM application.

Cause: This resource can only be accessed by an authorized user.

Resolution: Ensure that the authorization endpoint is properly configured and secured.

Error Message: CSIAC6276E User account is disabled.

Problem: Users are getting the error “CSIAC6276E User account is disabled.” during the IBMid login process and are unable to land on the target IBM application.

Cause: The existing IBMid user account is disabled.

Resolution: Please contact the IBMid Worldwide Helpdesk support team for assistance via: https://www.ibm.com/docs/en/ibmid?topic=welcome-contact-support.