Workiva can record short SAML-related messages when sign-in or configuration steps fail. Use the message wording as shown in the tables below to search your org’s SAML activity log or support tickets. Messages may include your SAML configuration name, user name, or other values, which are represented by placeholders, like {name}.
Then refer to the message's common causes while working with your IT team or Workiva Support to resolve the errors.
Note: If the message includes "SAML Consumer" or "Saml Logout", that text comes from the SAML processing step – the underlying issue is usually with the certificates, response shape, or Workiva configuration.
Users, accounts, and mapping
| Message | What it means | Common causes |
| --- | --- | --- |
| SAML authentication failed for user {user} (SAML ID {samlId}). User is suspended. | The IdP authenticated the user, but the Workiva account is suspended. | Admin suspended user; compliance hold. |
| SAML authentication failed due to Assertion validation failure ({detail}). | Assertion failed validation; detail may name the rule (varies). | Audience/Recipient mismatch; condition failed; custom validator failure. |
| SAML authentication failed for user {user} (SAML ID {samlId}). User IP is not in allowlist. | IP allowlisting blocked this sign-in. | VPN off; new office IP; allowlist not updated. |
| Unauthenticated user {username} cannot be mapped to SAML ID {samlId} outside of their primary account/organization. | A user exists elsewhere but cannot be tied to this org via SAML in this context. | Wrong org URL; user’s home org differs; cross-org login attempt. (Contact Support to help you resolve this.) |
| SAML association failed for user {displayName} | Linking the Workiva user to the SAML ID failed validation. | Duplicate SAML ID; invalid characters; business rules on the mapping. |
| Login attempt from unassociated SAML ID {samlId}. Consider configuring this SAML ID for the corresponding Wdesk user. | SSO is required for the org, but this NameID is not mapped to a user. | New hire not provisioned; SAML ID typo; wrong IdP directory for this org. (See the section below for steps to resolve this error.) |
| New SAML user for SAML ID {samlId} - redirecting to login to complete SAML initialization | First-time SAML user flow: user must finish setup after IdP sign-in. | Expected on first SAML login when SSO is not required; user completing mapping. |
Resolve SSO login failures
When a user can't log in with SSO, the cause may be incorrect user mapping. To fix this:
- Obtain the date and time of the failed SSO attempt.
- In the activity log, scroll through the table to the entries logged at the date and time of the failed attempt.
- Look for the message "Login attempt from unassociated SAML ID {samlId}. Consider configuring this SAML ID for the corresponding Wdesk user." ("{samlId}" is a placeholder for the user's specific SAML ID.)
- Copy the value of {samlId} and navigate to the User mapping section of your SSO configuration.
- Search for the user's username under the Username column in the table.
- In the table, double-click the SSO ID field next to the user and enter the value of {samlId} that you obtained from the activity log.
- Click Save configuration.
- Ask the user to try logging in with SSO again.
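If the activity log can be exported as text, the lookup in the steps above can be scripted. The following is an added example, not Workiva code: it scans constructed log lines for the exact "unassociated SAML ID" message and returns the {samlId} values logged near the reported failure time. The leading ISO-8601 timestamp on each line is an assumption about the export format.

```python
import re
from datetime import datetime, timedelta

# Constructed sample activity-log lines (not real Workiva output). The leading
# ISO-8601 timestamp is an assumption; adjust parse_ts() to your export format.
SAMPLE_LOG = """\
2024-03-04T09:58:12Z SAML authentication failed for user alice (SAML ID alice@corp.example). User IP is not in allowlist.
2024-03-04T10:01:45Z Login attempt from unassociated SAML ID bob.smith@corp.example. Consider configuring this SAML ID for the corresponding Wdesk user.
2024-03-04T10:02:03Z New SAML user for SAML ID carol@corp.example - redirecting to login to complete SAML initialization
2024-03-04T13:30:00Z Login attempt from unassociated SAML ID dave@corp.example. Consider configuring this SAML ID for the corresponding Wdesk user.
"""

# Exact wording from the message table; {samlId} becomes a capture group.
UNASSOCIATED = re.compile(
    r"^(?P<ts>\S+) Login attempt from unassociated SAML ID (?P<saml_id>\S+)\. "
    r"Consider configuring this SAML ID for the corresponding Wdesk user\.$"
)

def parse_ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")

def find_unassociated_ids(log_text, failed_at, window_minutes=5):
    """Return the SAML IDs from 'unassociated SAML ID' messages logged within
    window_minutes of the failure time the user reported (ISO-8601 string).
    Each returned value is what goes into the SSO ID field in User mapping."""
    center = parse_ts(failed_at)
    lo, hi = center - timedelta(minutes=window_minutes), center + timedelta(minutes=window_minutes)
    hits = []
    for line in log_text.splitlines():
        m = UNASSOCIATED.match(line.strip())
        if m and lo <= parse_ts(m.group("ts")) <= hi:
            hits.append(m.group("saml_id"))
    return hits
```

Other messages in the same window (such as the IP allowlist failure above) are ignored on purpose; only the unassociated-ID message carries the value to map.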
Sign-in and SAML response processing
| Message | What it means | Common causes |
| --- | --- | --- |
| Failed to deserialize authentication request. | The browser or IdP sent data the service could not read as a valid SAML request. | Truncated or corrupted request; proxy stripping POST body; very old or non‑SAML POST to the login URL. |
| An invalid XML object was received. Response data malformed or incomplete. | The SAML Response XML could not be parsed or was cut off. | IdP misconfiguration; load balancer or proxy altering the response; network interruption; pasted/edited XML in tests. |
| SAML assertion is not valid. | The assertion failed structural or policy checks before user mapping. | Clock skew; wrong audience; assertion expired; malformed assertion content. |
| (Text varies — often includes technical details from invalid_response / invalid_destination) | Something in the SAML Response did not match what Workiva expects (destination, structure, etc.). | ACS URL mismatch; wrong entity ID; Response sent to wrong environment; IdP sending an error Status with no usable assertion. |
| The signature of response or assertion was invalid… X.509 certificate(s) configured in Wdesk matches your IdP's certificate | Cryptographic signature verification failed. | IdP rotated signing cert but Workiva still has the old cert; wrong cert pasted in Workiva; signing on wrong element; multiple certs and IdP not using the one you expect. |
| Missing or empty SAML name identifier | The NameID (or equivalent subject) was missing or blank. | IdP not releasing NameID; mapping sends empty value; wrong NameID format selected on IdP. |
| Failed to decrypt an assertion or nameID. | Encrypted SAML content could not be decrypted with your SP settings. | Encryption cert mismatch; IdP encrypting with a cert Workiva does not have; corrupted ciphertext. |
| Assertion's Issuer does not match the configured Issuer in Wdesk | The Issuer in the SAML message does not match your SAML configuration. | Typo in Issuer URL; IdP using alias issuer; staging vs production IdP. (Check this log for the request details to help you fix the SSO configuration.) |
| Could not find SAML configuration for request. | No SAML setup matched this request (registration not found). | Wrong URL path / SAML config ID; disabled or deleted configuration; bookmark to old URL. |
| An error occurred in SAML Consumer… (generic) | Sign-in failed in a way that is not mapped to a specific SAML code above. | Unusual IdP behavior; transient integration bug; best next step is a HAR or IdP sign-on log plus this message. |
| An error occurred in Saml Logout… (generic) | Logout request failed in a way not mapped to a specific code. | Same idea as consumer: collect IdP logout log and correlation time. |
Certificates (signing / validation)
| Message | What it means | Common causes |
| --- | --- | --- |
| X509 certificate is incorrectly formatted or has expired. If set, alt X509 certificate will be used. | Primary IdP signing cert in Workiva is invalid or expired; system may fall back to alternate cert. | Expired cert; PEM formatting error; extra spaces or missing headers. |
| Alt X509 certificate is incorrectly formatted or has expired. | Alternate cert is also bad or expired. | Both certs need renewal; copy/paste error on second cert. |
| No X509 certificates have been set for SAML Configuration. | Neither primary nor alternate signing cert is stored. | New config; certs cleared; metadata import did not populate cert. |
Response shape, assertions, and "wrapped" responses
| Message | What it means | Common causes |
| --- | --- | --- |
| Potential XSW Detected: Response element not found | The SAML payload did not contain a single, normal <Response> root as expected. | Malformed XML; unusual IdP packaging; tampering attempt; broken middleware. |
| Potential XSW Detected: Multiple Response elements found | More than one SAML Response in the payload. | Rare IdP bug; concatenated responses; proxy merging bodies incorrectly. |
| No Assertion element found... check the SAML Response for StatusCode authentication failures from your Identity Provider | There was no assertion to log the user in—often an IdP-side denial. | Wrong password; MFA failure; IdP policy denied user; user not licensed on IdP side. |
| Potential XSW Detected: Multiple Assertion and EncryptedAssertion elements detected | Both cleartext and encrypted assertions present (not allowed). | Unusual IdP configuration; customization sending duplicate content. |
| Potential XSW Detected: Multiple assertions detected - only one is allowed by Wdesk | More than one assertion in one Response. | IdP sending grouped assertions; federation aggregators. |
| Potential XSW Detected: Multiple encrypted assertions detected - only one is allowed by Wdesk | More than one encrypted assertion. | Same family of causes as multiple assertions. |
*“XSW” (XML Signature Wrapping) refers to suspicious response-wrapping patterns that the service blocks for security.
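The structural checks behind the messages in this table can be reproduced to triage a captured SAMLResponse offline. This is an added example, not Workiva's implementation: it counts Response, Assertion and EncryptedAssertion elements at any depth and reports the matching message wording; the two sample responses are constructed and carry no signatures.

```python
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"

# Constructed sample: one Response carrying exactly one Assertion (signatures omitted).
GOOD_RESPONSE = f"""<samlp:Response xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" ID="_r1">
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_a1"><saml:Subject><saml:NameID>alice@corp.example</saml:NameID></saml:Subject></saml:Assertion>
</samlp:Response>"""

# Constructed sample: the same Response with a second Assertion placed elsewhere
# in the document, the case the "Multiple assertions detected" message covers.
WRAPPED_RESPONSE = GOOD_RESPONSE.replace(
    "<samlp:Status>",
    '<samlp:Extensions><saml:Assertion ID="_a2"/></samlp:Extensions><samlp:Status>',
)

def check_response_shape(xml_text):
    """Return the shape problems found, in the page's message wording; an empty
    list means one Response with exactly one Assertion or EncryptedAssertion.
    This is only the structural pre-check: signature verification over that
    single assertion still has to follow."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError:
        return ["An invalid XML object was received. Response data malformed or incomplete."]
    response_tag = f"{{{SAMLP}}}Response"
    responses = ([root] if root.tag == response_tag else []) + root.findall(f".//{response_tag}")
    if not responses:
        return ["Potential XSW Detected: Response element not found"]
    problems = []
    if len(responses) > 1:
        problems.append("Potential XSW Detected: Multiple Response elements found")
    # Count every Assertion / EncryptedAssertion at any depth, not just direct
    # children of Response: a duplicate deeper in the tree must still count.
    plain = root.findall(f".//{{{SAML}}}Assertion")
    encrypted = root.findall(f".//{{{SAML}}}EncryptedAssertion")
    if plain and encrypted:
        problems.append("Potential XSW Detected: Multiple Assertion and EncryptedAssertion elements detected")
    if len(plain) > 1:
        problems.append("Potential XSW Detected: Multiple assertions detected - only one is allowed by Wdesk")
    if len(encrypted) > 1:
        problems.append("Potential XSW Detected: Multiple encrypted assertions detected - only one is allowed by Wdesk")
    if not plain and not encrypted:
        problems.append("No Assertion element found... check the SAML Response for StatusCode authentication failures from your Identity Provider")
    return problems
```

A clean result from this check says nothing about whether the signature is valid or the Issuer, Audience and Destination match; those are the separate checks covered in the sign-in table above.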
Workiva configuration and URLs
| Message | What it means | Common causes |
| --- | --- | --- |
| Unable to find a SAML Configuration for id {id} / Unable to find SAML Configuration for {id} | No SAML record exists for that identifier. | Wrong {id} in the URL; config deleted; typo in link or integration. |
| SAML Configuration {name} is not currently enabled and cannot be used for authentication | SAML exists but is turned off for that org. | Admin disabled SAML; change freeze; testing another IdP. |
| SAML Configuration {name} is not minimally configured and cannot be used for authentication | Required fields (for example IdP URL, binding, or certificates) are incomplete. | Setup not finished; metadata import incomplete; draft configuration. |
| Unable to find Organization associated with this SAML Configuration {id} | Internal link between SAML config and org is missing. | Data inconsistency; support usually needs to investigate. |
| SAML configuration matching provided id does not have a logout response URL | Logout URL is not set where the app expects it. | Logout not configured on SAML config; metadata missing Single Logout URL. |
Subject / NameID and attributes
| Message | What it means | Common causes |
| --- | --- | --- |
| Unable to find the SAML Subject in the Attribute Name={name} element... | Workiva is configured to read the SAML ID from a specific attribute, but that attribute or statement is missing. | Attribute not sent; wrong attribute name; attribute in assertion but wrong namespace/format. |
Logout
| Message | What it means | Common causes |
| --- | --- | --- |
| Missing SAMLRequest parameter | IdP or browser hit the logout endpoint without a SAML logout request. | Misconfigured IdP logout URL; manual URL visit; broken deep link. |
| Unable to find a saml configuration matching provided id | Logout referenced an unknown SAML configuration. | Wrong samlConfig in path or parameter. |
Completing SAML user setup (after first IdP sign-in)
| Message | What it means | Common causes |
| --- | --- | --- |
| SAML user initialization failed - security token validation error | The one-time setup token was missing, wrong, or expired. | Bookmarked old link; took too long to finish; cookie blocked; opened link in different browser. |
| An error occurred in the SAML Initialization handler... (generic) | Setup failed for an unexpected reason. | Retry; if repeated, capture time and URL for Support. |
| (Various validation messages) | Shown when creating the SAML user record fails (exact text depends on validation). | Example: SAML ID already used by another user in the org. |
Admin: SAML metadata import (API / admin flows)
| Message | What it means | Common causes |
| --- | --- | --- |
| Unable to parse the metadata XML | File is not valid XML. | Wrong file downloaded; HTML error page saved as .xml. |
| Unable to find IDPSSODescriptor in the metadata XML | Not IdP metadata (or wrong profile). | SP metadata uploaded by mistake; trimmed file. |
| Unable to find a signing X.509 certificate | No signing cert in metadata where expected. | Metadata without <KeyDescriptor use="signing">; encrypted-only metadata. |
| Unable to find a SingleSignOnService in the metadata XML | No SSO endpoint declared. | Incomplete export from IdP. |
| No supported SingleSignOnService binding found | SSO URL exists but binding is not one Workiva supports for import. | Unusual binding only; old IdP template. |
| WARNING: Your metadata file contains {n} signing certificates... | Multiple signing certs detected; you may need to pick the correct one manually. | IdP rotation period with several active certs. |
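The metadata import checks above can be run locally on the file exported from the IdP before uploading it. The following is an added example, not Workiva's importer: it parses the metadata with the standard library and reports the messages from this table. The constructed sample contains placeholder certificate values, and the set of bindings treated as supported (HTTP-Redirect and HTTP-POST) is an assumption, since the page does not list them.

```python
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
DS = "http://www.w3.org/2000/09/xmldsig#"
# Assumption: the page does not list the bindings Workiva accepts on import;
# HTTP-Redirect and HTTP-POST are used here as the common pair.
SUPPORTED_BINDINGS = {
    "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect",
    "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST",
}

# Constructed IdP metadata with two active signing certificates (placeholder values).
SAMPLE_METADATA = f"""<md:EntityDescriptor xmlns:md="{MD}" xmlns:ds="{DS}" entityID="https://idp.example.test/saml">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Certificate>MIIB-PLACEHOLDER-1</ds:X509Certificate></ds:KeyInfo></md:KeyDescriptor>
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Certificate>MIIB-PLACEHOLDER-2</ds:X509Certificate></ds:KeyInfo></md:KeyDescriptor>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://idp.example.test/sso"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

def check_idp_metadata(xml_text):
    """Return (errors, warnings) for an IdP metadata file, in the wording of the
    import messages above, so a bad export is caught before it is uploaded."""
    errors, warnings = [], []
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError:
        return ["Unable to parse the metadata XML"], warnings
    idp_tag = f"{{{MD}}}IDPSSODescriptor"
    idp = root if root.tag == idp_tag else root.find(f".//{idp_tag}")
    if idp is None:
        return ["Unable to find IDPSSODescriptor in the metadata XML"], warnings
    # A KeyDescriptor with no 'use' attribute is valid for both signing and encryption.
    signing = [kd for kd in idp.findall(f"{{{MD}}}KeyDescriptor")
               if kd.get("use", "signing") == "signing"
               and kd.find(f".//{{{DS}}}X509Certificate") is not None]
    if not signing:
        errors.append("Unable to find a signing X.509 certificate")
    elif len(signing) > 1:
        warnings.append(f"WARNING: Your metadata file contains {len(signing)} signing certificates...")
    sso = idp.findall(f"{{{MD}}}SingleSignOnService")
    if not sso:
        errors.append("Unable to find a SingleSignOnService in the metadata XML")
    elif not any(s.get("Binding") in SUPPORTED_BINDINGS for s in sso):
        errors.append("No supported SingleSignOnService binding found")
    return errors, warnings
```

When the warning fires during an IdP certificate rotation, compare each X509Certificate value against the certificate the IdP's sign-on log reports as current and paste that one as the primary certificate.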
Admin: Bulk SAML ID file import
| Message | What it means | Common causes |
| --- | --- | --- |
| Skipping row {n} because SAML ID and/or Wdesk Username are missing | Empty cells in that row. | CSV edited in Excel; trailing empty rows. |
| Skipping row {n} due to duplicate username in csv | Same Workiva username appears twice. | Spreadsheet copy/paste error. |
| Username {name} was not found or is not a member of this account | No matching user in the org for that row. | Typo in username; user in different org. |
| Skipping user {name} because the user's primary organization does not match. | User’s home org is not this realm. | Wrong realm chosen for import; contractor account. |
Security and account controls
| Message | What it means | Common causes |
| --- | --- | --- |
| SAML request blocked due to account security validation rules | Logout or SAML request failed an internal security check for that org/config. | Policy engine block; suspicious pattern; support may need internal logs. |
Technical diagnostics (support-oriented)
| Message | What it means | Common causes |
| --- | --- | --- |
| SAMLResponse: followed by encoded data | A raw SAML Response was logged when SAML authentication failed, for troubleshooting with Support. | Captured automatically on certain failures; not an “error sentence” by itself. |