SAML token validation failed. Please contact your system administrator. | X | | | Generic message that displays in the UI regardless of the underlying failure or error. | Check the logs for more information about the underlying reason for the failure. |
SAML Response cannot be found | | X | | The response from the IdP is not empty or null. UKG Workforce Central cannot proceed without SAML response. | Contact the IdP administrator to validate the IdP configuration. |
Signature can not be found in SAML Response! | | X | | The response from the IdP does not contain a signature, or the assertion was not signed. UKG Workforce Central cannot proceed without correctly signed assertions in the SAML response. | Contact the IdP administrator to validate the IdP configuration. Note that this error message only appears in v8.1.0 and v8.1.1. It will not appear in v8.1.2 and later. |
Signature validation exception | | X | X | The signature in the SAML response cannot be validated against the certificate information retrieved from the certificate or metadata file. This happens when the signature information in the SAML response is not in sync with the certificate read from the files. | Contact the IdP administrator to get the latest certificate and metadata files. Make sure that the files are in the paths identified in the Security tab of Setup and restart UKG Workforce Central. |
No AttributeStatement found in SAML response. | | X | | (Optional) The SAML response can contain the principal in the Attribute field. The site.security.sso.saml.attribute.name system setting must be set only if you use the Attribute field. The error is generated if this system setting is set, but the response does not use the Attribute field. | Log on to UKG Workforce Central, select Setup, click the Security tab, and remove the value for: site.security.sso.saml.attribute.name |
No Attribute found in SAML response. | | X | |
<<Attribute Name>> contains WFC logon is empty! | | X | |
<<Attribute Name>>, can not be found! | | X | |
Subject can not be found! | | X | | The subject is not available in the assertion of the SAML response. | Contact the IdP administrator. |
NameId can not be found! | | X | | The response contains the subject, but the NameId is missing. |
Subject NameID is empty! | | X | | The principal from the NameId is not available in the SAML response. |
Certificate source is not set, Cannot retrieve certificate for signature verification. Certificate Not found. Cannot create Signature Validator. So, returning error | | X | | The SAML module cannot create the Signature Validator because the certificate is not available from either the certificate file or the metadata file. | Contact the IdP administrator for the correct certificate and/or metadata file. |
IDP Metadata file Path is not set correctly: METADATA_FILE_PATH= <<metadata file path>> LIB_PATH = <<library path>> | | X | | The metadata file path is not configured in System Settings. | Log on to UKG Workforce Central, select Setup, click the Security tab, and enter the correct path in site.security.sso.saml.IdPmetadata.file.path. |
Cannot create Filesystem Metadata Provider: <<metadata file path>> | | X | X | The SAML module attempts to read the signature validation information from either the certificate file or the metadata file. These errors occur when all of the following are true: (1) the site.security.sso.saml.IdPmetadata.file.path setting contains the location of the metadata file; (2) the site.security.sso.saml.certificate.file.path setting is empty; (3) the metadata file is corrupt or invalid. | If the certificate file is available, try using it to create the Signature Validator by setting the value for site.security.sso.saml.certificate.file.path. If the certificate file is not available, contact the IdP administrator to obtain the valid metadata file or certificate file. |
Cannot retrieve Entity Descriptor from FilesystemMetadataProvider | | X | X |
EntityDescriptor cannot be found | | X | |
IDPSSODescriptor can not be found! | | X | |
KeyDescriptor for can not be found! | | X | |
KeyDescriptor for signing can not be found! | | X | |
X509Data can not be found | | X | |
X509Certificate can not be found! | | X | |
Certificate file Path is not set correctly: CERT_FILE_PATH= <<certificate file path>> LIB_PATH = <<library path>> | | X | | The certificate file path is not configured in the site.security.sso.saml.certificate.file.path setting and the metadata file path is not configured in the site.security.sso.saml.IdPmetadata.file.path setting. | Log on to UKG Workforce Central, select Setup, click the Security tab, and enter the correct path in site.security.sso.saml.certificate.file.path. |
Certificate file Not found: <<certificate file path>> | | X | X | The system setting site.security.sso.saml.certificate.file.path points to a location that does not contain the required file. |
Certificate file cannot be parsed: <<certificate file path>> | | X | X | The certificate file specified by the site.security.sso.saml.certificate.file.path system setting is corrupt or invalid. | Contact the IdP administrator to obtain the correct certificate file or log on to UKG Workforce Central, select Setup, click the Security tab, and enter the correct path in site.security.sso.saml.certificate.file.path. |
time validity failed | | X | | The time window provided in the assertion and the assertion subject is validated against the current date and time. This check is performed to prevent a replay attack. | Contact the IdP administrator. |
spEndPoint Property Missing, whereas Destination is present in assertion XML! | | X | | Warning: Prints in the UKG Workforce Central logs only. The site.security.sso.saml.spendpoint system setting is left blank in UKG Workforce Central but the destination attribute is present in the assertion XML. | Log on to UKG Workforce Central, select Setup, click the Security tab, and enter the correct path in the site.security.sso.saml.spendpoint system setting. |
Destination <<Attribute Name>>, does not match the expected destination of site.security.sso.saml.mobile.spendpoint. | | X | | The site.security.sso.saml.mobile.spendpoint system setting does not match the destination attribute coming in the SAML assertion. This is for mobile only. | Contact the IdP administrator. |
Destination <<Attribute Name>> does not match the expected destination of site.security.sso.saml.spendpoint. | | X | | The site.security.sso.saml.mobile.spendpoint system setting does not match the destination attribute coming in the SAML assertion. | Contact the IdP administrator. |
spEndPoint Property Missing, whereas Recipient is present in assertion XML! | | | | Warning: Prints in the UKG Workforce Central logs only. The site.security.sso.saml.spendpoint system setting is left blank in UKG Workforce Central but the recipient attribute is present in the assertion XML. | Log on to UKG Workforce Central, select Setup, click the Security tab, and enter the correct path in the site.security.sso.saml.spendpoint system setting. |
Recipient <<Attribute Name>> does not match the expected destination of site.security.sso.saml.mobile.spendpoint. | | X | | The site.security.sso.saml.mobile.spendpoint system setting does not match the recipient attribute in the SAML assertion. This is for mobile only. | Contact the IdP administrator. |
Recipient <<Attribute Name>> does not match the expected destination of site.security.sso.saml.spendpoint. | | X | | The site.security.sso.saml.mobile.spendpoint system setting does not match the recipient attribute in the SAML Assertion. | Contact the IdP administrator. |
Issuer in Assertion is not present, setting Issuer from response! | | X | | The issuer is included in the saml:Assertion tag. Only use the one outside of the saml:Assertion if it does not exist within the saml:Assertion tag. | Nothing to do, just logging. |
IDPIssuer Property Missing, whereas IDPIssuer is present in assertion XML! | | X | | Warning: Prints in the UKG Workforce Central logs only. The site.security.sso.saml.IDPissuer system setting is left blank in UKG Workforce Central but the destination attribute is present in the assertion XML. | Log on to UKG Workforce Central, select Setup, click the Security tab, and enter the correct path in the site.security.sso.saml.IDPissuer system setting. |
Issuer <<Attribute Name>> does not match the expected issuer for site.security.sso.saml.IDPissuer | | X | | The site.security.sso.saml.IDPissuer system setting does not match the issuer attribute in the SAML assertion. | Contact the IdP administrator. |
Signature can not be found for SAML response! | | X | | The SAML response was not signed. | Contact the IdP administrator. |
SAML Response signature is not valid | | X | X | The SAML response was improperly signed by the IdP. | Contact the IdP administrator. |
Signature can not be found for SAML assertion! | | X | | The SAML assertion was not signed. | Contact the IdP administrator. |
SAML Assertion signature is not valid | | X | X | The SAML assertion was improperly signed by the IdP. | Contact the IdP administrator. |
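
When a log entry points at one of the structural rows above (missing signature element, Subject/NameID, Issuer, Destination, Recipient, time window), a captured SAML response can be triaged offline before contacting the IdP administrator. The following is an added example, not UKG code: the function `triage`, its parameters (standing in for the `spendpoint` and `IDPissuer` settings), the shortened mismatch labels and the sample hostnames are assumptions, and it performs no cryptographic signature verification.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"a": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
# Constructed sample: unsigned assertion, wrong Destination, five-minute window.
SAMPLE = """<p:Response xmlns:p="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:a="urn:oasis:names:tc:SAML:2.0:assertion" Destination="https://wfc.example.test/other">
 <a:Assertion><a:Issuer>https://idp.example.test</a:Issuer>
  <a:Subject><a:NameID>jdoe</a:NameID><a:SubjectConfirmation>
   <a:SubjectConfirmationData Recipient="https://wfc.example.test/sso"/>
  </a:SubjectConfirmation></a:Subject>
  <a:Conditions NotBefore="2024-01-01T12:00:00Z" NotOnOrAfter="2024-01-01T12:05:00Z"/>
 </a:Assertion></p:Response>"""

def _ts(value):  # SAML instants are UTC, e.g. 2024-01-01T12:00:00Z (fractions dropped)
    return datetime.strptime(value[:19], "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)

def triage(xml_text, spendpoint, idp_issuer, now):
    """List the table rows a response would hit; signatures are not verified."""
    resp, hits = ET.fromstring(xml_text), []
    asr = resp.find("a:Assertion", NS)
    if asr is None:
        return ["no Assertion element"]
    if asr.find("ds:Signature", NS) is None:
        hits.append("Signature can not be found for SAML assertion!")
    subject = asr.find("a:Subject", NS)
    name_id = asr.find("a:Subject/a:NameID", NS)
    if subject is None:
        hits.append("Subject can not be found!")
    elif name_id is None:
        hits.append("NameId can not be found!")
    elif not (name_id.text or "").strip():
        hits.append("Subject NameID is empty!")
    issuer = asr.find("a:Issuer", NS)
    if issuer is None:
        issuer = resp.find("a:Issuer", NS)  # fall back to the response-level Issuer
    if issuer is not None and (issuer.text or "").strip() != idp_issuer:
        hits.append("Issuer does not match")        # shortened label (assumption)
    if resp.get("Destination") not in (None, spendpoint):
        hits.append("Destination does not match")   # shortened label (assumption)
    scd = asr.find("a:Subject/a:SubjectConfirmation/a:SubjectConfirmationData", NS)
    if scd is not None and scd.get("Recipient") not in (None, spendpoint):
        hits.append("Recipient does not match")     # shortened label (assumption)
    cond = asr.find("a:Conditions", NS)
    nb, noa = (cond.get("NotBefore"), cond.get("NotOnOrAfter")) if cond is not None else (None, None)
    if (nb and now < _ts(nb)) or (noa and now >= _ts(noa)):
        hits.append("time validity failed")
    return hits
```

Run it only on responses you captured yourself for troubleshooting; a clean result here says nothing about whether the signature itself validates against the configured certificate.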