          Resolve Marketing Cloud Engagement Single Sign-On Errors

          Marketing Cloud Engagement returns an error message if an incorrect SAML assertion is received. Errors can occur during initial integration configuration or when you make modifications.

          This table describes resolution recommendations for SAML authentication errors.

          Error Message | Description

          Incoming SAML assertion or response from an issuer for which the service provider has no metadata loaded or is wrong

          The SAML message that was received from the identity provider contains an unknown entity ID. Confirm that the identity provider metadata configuration for your account includes the same entity ID that’s included with the SAML messages from your identity provider.

          Incoming SAML message is not properly formatted, is missing elements, or includes invalid elements

          The system couldn’t process the message that it received from the identity provider because the message didn’t include all the required information in the correct format. This error can also occur because the system determined that some of the message elements were invalid. This message can include additional details.

          • Message was signed but signature could not be verified—The system couldn’t validate the signature contained in the message from the identity provider. Make sure that Engagement uses the correct certificate from the identity provider.
          • Assertion contains an unacceptable Audience Restriction—The message didn’t contain the expected Audience Restriction value of https://sp.exacttarget.com/shibboleth-sp.
          • Assertion is no longer valid or Message expired, was issued too long ago—Both of these reasons indicate issues with the message timestamp. These issues can occur if the system clock for the server that generates the SAML messages is set to a time outside of the acceptable clock skew range. To correct this error, ensure that the server’s system clock provides an accurate value.
          • SAML response contained an error—The SAML message from the identity provider contained an error status code. Make sure that the identity provider is properly configured and that it returns the expected successful SAML message status codes.

          Incoming SAML message has security elements which are missing or invalid

          The message received from the identity provider includes one or more invalid security elements. This error message can include additional details.

          • Message was signed but signature could not be verified—The system couldn’t validate the signature contained in the message from the identity provider. Make sure that Engagement is configured to use the correct certificate from the identity provider.
          • Message expired, was issued too long ago—There’s an issue with the message timestamp. This issue can occur if the system clock for the server that generates the SAML messages is outside of the acceptable clock skew range. Ensure that the server’s system clock provides an accurate value.
          • Rejecting replayed message ID (<message-id>)—The system already received a SAML message with the provided ID. Ensure that your identity provider provides unique message IDs for all SAML messages that it generates.

          Incoming SAML assertion or response does not use an allowed NameIDFormat

          The message contains a NameIDFormat value that isn’t allowed. Confirm that the NameIDFormat used in SAML messages is one of these supported formats.

          • urn:oasis:names:tc:SAML:2.0:nameid-format:persistent
          • urn:oasis:names:tc:SAML:2.0:nameid-format:entity
          • urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified
          • urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress

          Provided federation ID could not be found, or the account or user is not properly configured for SSO

          Either the user or the account security settings are configured incorrectly. Make sure that SSO is activated in the account security settings. Also, make sure that a user is configured in the account that has SSO enabled and has a Federation ID value that matches the Federation ID value contained in the SAML message.

          Your IP address (###.##.###.###) doesn't match the address recorded when the session was established.

          Turn off IP tunneling and cycling IPs for your VPN and try again.
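
The following added example, which is not Salesforce code, checks a SAML response from your identity provider against the conditions in the table above: status code, issuer entity ID, NameIDFormat, Audience Restriction, and validity window. The sample response, the issuer URL, the function names, and the 180-second clock skew are assumptions; signature verification and replay detection are not covered.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {"p": "urn:oasis:names:tc:SAML:2.0:protocol", "a": "urn:oasis:names:tc:SAML:2.0:assertion"}
AUDIENCE = "https://sp.exacttarget.com/shibboleth-sp"  # expected value per the article
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
NAMEID_FORMATS = {"urn:oasis:names:tc:SAML:" + s for s in (
    "2.0:nameid-format:persistent", "2.0:nameid-format:entity",
    "1.1:nameid-format:unspecified", "1.1:nameid-format:emailAddress")}
# Constructed sample response (trimmed, unsigned, not captured from a real identity provider).
SAMPLE = """<p:Response xmlns:p="urn:oasis:names:tc:SAML:2.0:protocol"
 xmlns:a="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1">
 <p:Status><p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></p:Status>
 <a:Assertion ID="_a1"><a:Issuer>https://idp.example.test/metadata</a:Issuer>
  <a:Subject><a:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient">fed-123</a:NameID></a:Subject>
  <a:Conditions NotBefore="2024-05-01T12:00:00Z" NotOnOrAfter="2024-05-01T12:05:00Z">
   <a:AudienceRestriction><a:Audience>https://sp.example.test/wrong</a:Audience></a:AudienceRestriction>
  </a:Conditions></a:Assertion></p:Response>"""

def _ts(value):  # SAML xs:dateTime in UTC, with or without fractional seconds
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def preflight(xml_text, expected_issuer, now, skew_seconds=180):  # skew value is an assumption
    """Return the article's error conditions that this response would trigger."""
    root, problems = ET.fromstring(xml_text), []
    status = root.find("p:Status/p:StatusCode", NS)
    if status is None or status.get("Value") != SUCCESS:
        problems.append("SAML response contained an error")
    assertion = root.find("a:Assertion", NS)
    if assertion is None:
        return problems + ["missing elements: no Assertion"]
    if (assertion.findtext("a:Issuer", "", NS) or "").strip() != expected_issuer:
        problems.append("issuer entity ID differs from loaded metadata")
    name_id = assertion.find("a:Subject/a:NameID", NS)
    if name_id is None or name_id.get("Format") not in NAMEID_FORMATS:
        problems.append("NameIDFormat not allowed")  # a missing Format attribute is flagged too
    cond = assertion.find("a:Conditions", NS)
    if cond is None or not (cond.get("NotBefore") and cond.get("NotOnOrAfter")):
        return problems + ["missing elements: Conditions validity window"]
    audiences = [(e.text or "").strip() for e in cond.iterfind("a:AudienceRestriction/a:Audience", NS)]
    if AUDIENCE not in audiences:
        problems.append("unacceptable Audience Restriction")
    skew = timedelta(seconds=skew_seconds)
    if now + skew < _ts(cond.get("NotBefore")) or now - skew >= _ts(cond.get("NotOnOrAfter")):
        problems.append("Assertion is no longer valid")
    return problems

if __name__ == "__main__":
    print(preflight(SAMPLE, "https://idp.example.test/metadata", datetime(2024, 5, 1, 12, 1, tzinfo=timezone.utc)))
```

Pass `now` as a timezone-aware UTC datetime; an empty list means none of the checked conditions would trigger.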
           