Error codes

    Description of error codes related to authorizing an application and working with tokens.

    Problems with application authorization

    Code  Error               Description
    0     NoError
    1     Revoked             Application's access to the tenant has been revoked
    2     InvalidRedirectUrl  The redirect URL you used is not registered in SuperOffice operation center on the app; you need to whitelist the redirect URL on your app registration.
                              This is usually shown in an error message: Authorization error: InvalidRedirectUrl (2)
    3     Expired             The application authorization on this tenant has expired
    4     Denied              The application's access to this tenant has been denied
    5     NeedsReapproval     Authorization needs to be re-approved
    6     InvalidTimestamp    The supplied timestamp is invalid
    7     InvalidSignature    Calculated signature is invalid

    Problems with tokens and certificate

    Error: ID4037

    The key needed to verify the signature could not be resolved from the following security key identifier 'SecurityKeyIdentifier'


    The certificate is not found:

    • the certificates are not installed on the local machine, or
    • the token handler is not configured to load the SuperOfficeFederatedLogin.crt certificate by using the CertificateFileCertificateStoreTokenResolver class


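    1. Check that the online certificates are installed on the local machine.
    2. Use the CertificateFileCertificateStoreTokenResolver to point to the location of the SuperOfficeFederatedLogin.crt certificate. Set the CertificateValidator to X509CertificateValidator.None.

    var tokenHandler = new SuperIdTokenHandler();
    // Resolve the signing certificate from the certificate file instead of the local certificate store.
    tokenHandler.IssuerTokenResolver =
        new SuperOffice.SuperID.Client.Tokens.CertificateFileCertificateStoreTokenResolver(
            certificateLocation); // placeholder: the argument is cut off on this page; per step 2 it is the location of SuperOfficeFederatedLogin.crt
    // Disable the PeerTrust lookup for the certificate.
    tokenHandler.CertificateValidator = System.IdentityModel.Selectors.X509CertificateValidator.None;
    return tokenHandler.ValidateToken(returnedToken, TokenType.Saml);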

    Error: ID4175

    The issuer of the security token was not recognized by the IssuerNameRegistry.


    The SuperIdCertificate appSetting value doesn't correlate to an installed certificate.


    1. Install the correct certificates for the correct environment (SOD, Stage, Production) into the local certificate store.
    2. Make sure the thumbprint is correct: use the arrow keys or Backspace to verify that there is no hidden character before the thumbprint value. 

    Alternatively, override the IssuerTokenResolver and set the CertificateValidator to X509CertificateValidator.None.
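
    The hidden-character check from step 2, as an added example (not SuperOffice code): it reports non-hex characters in a configured thumbprint, normalizes the value, and lists the local machine stores that contain a matching certificate. ThumbprintCheck and its members are hypothetical names, and the thumbprint in Main is a constructed sample.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

// Added example; ThumbprintCheck and its members are hypothetical names.
public static class ThumbprintCheck
{
    // Lists characters that are neither hex digits nor spaces, such as an invisible U+200E.
    public static List<string> HiddenCharacters(string configured) => configured
        .Select((c, i) => new { c, i })
        .Where(x => !Uri.IsHexDigit(x.c) && x.c != ' ')
        .Select(x => string.Format("U+{0:X4} at index {1}", (int)x.c, x.i))
        .ToList();

    // Keeps only the hex digits, upper-cased; a SHA-1 thumbprint is 40 of them.
    public static string Normalize(string configured) =>
        new string(configured.Where(Uri.IsHexDigit).ToArray()).ToUpperInvariant();

    // Names the LocalMachine stores that hold a certificate with this thumbprint.
    public static List<StoreName> StoresContaining(string thumbprint)
    {
        var hits = new List<StoreName>();
        foreach (StoreName name in Enum.GetValues(typeof(StoreName)))
        {
            try
            {
                using (var store = new X509Store(name, StoreLocation.LocalMachine))
                {
                    store.Open(OpenFlags.ReadOnly | OpenFlags.OpenExistingOnly);
                    if (store.Certificates.Find(X509FindType.FindByThumbprint, thumbprint, false).Count > 0)
                        hits.Add(name);
                }
            }
            catch (CryptographicException) { /* store absent or unreadable: skip it */ }
        }
        return hits;
    }

    public static void Main()
    {
        // Constructed sample: a made-up thumbprint preceded by an invisible U+200E.
        string configured = "\u200E0123456789ABCDEF0123456789ABCDEF01234567";
        HiddenCharacters(configured).ForEach(Console.WriteLine);
        string clean = Normalize(configured);
        Console.WriteLine("{0} found in: {1}", clean, string.Join(", ", StoresContaining(clean)));
    }
}
```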

    Error: ID4148

    The Saml2SecurityToken is rejected because the SAML2:Assertion's NotOnOrAfter condition is not satisfied.


    Too much time has elapsed since the system user token was signed and sent to exchange for a system user ticket. The returned token containing the system user ticket has expired.


    Tokens must be validated immediately after they are returned by SuperID.

    Error: Data at the root level is invalid. Line 1, position 1


    TokenHandler attempted to validate a JWT token with the SAML token enumeration.


    Change the enumeration from SAML to JWT.

    tokenHandler.ValidateToken(token, SuperOffice.SuperID.Contracts.SystemUser.V1.TokenType.Jwt);


    Error: IDX10708

    'System.IdentityModel.Tokens.JwtSecurityTokenHandler' cannot read this string: 'PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0idXRmLTgiPz48QXNzZXJ0aW9uIElEPSJfZWQ4OTVmMzktZjc4Yi00NDFkLWFiY2QtYjllZWMzOGUyZDNhIiBJc3N1ZUluc3RhbnQ9IjIwMTUtMTAtMDZUMjA6NTg6NDMuNzI5WiIgVmVyc2lvbj0iMi4wIiB4bWxucz0idXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOmFzc2VydGlvbiI


    TokenHandler attempted to validate a SAML token with the Jwt token enumeration.


    • Don't set the tokenHandler.JwtIssuerSigningCertificate property if you use locally installed certificates.
    • Don't set tokenHandler.IssuerTokenResolver to a new CertificateFileCertificateStoreTokenResolver instance if you use a relative certificate file.
    • Change the TokenType enumeration from Jwt to SAML in the Validate method.

    // Disable looking up the certificate in PeerTrust when using CertificateFileCertificateStoreTokenResolver or JWT tokens.
    tokenHandler.CertificateValidator = System.IdentityModel.Selectors.X509CertificateValidator.None;
    // Determine which class will look up the certificates for validation.
    tokenHandler.IssuerTokenResolver = new SuperOffice.SuperID.Client.Tokens.CertificateFileCertificateStoreTokenResolver(
        certificateLocation); // placeholder: the argument is cut off on this page
    tokenHandler.ValidateToken(token, SuperOffice.SuperID.Contracts.SystemUser.V1.TokenType.Saml);
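
    Both enumeration mismatches (a JWT validated as SAML, and a SAML token validated as Jwt, which also causes problem 1 of the next error) can be caught before calling ValidateToken by inspecting the token's shape. This is an added example, not SuperOffice code: TokenKind and TokenSniffer are hypothetical names, and it assumes SAML tokens arrive as XML or base64-encoded XML, as the string in the IDX10708 message suggests.

```csharp
using System;
using System.Text;

// Added example; TokenKind and TokenSniffer are hypothetical names, not SuperOffice.SuperID types.
public enum TokenKind { Unknown, Jwt, Saml }

public static class TokenSniffer
{
    const string SamlAssertionNs = "urn:oasis:names:tc:SAML:2.0:assertion";

    public static TokenKind Detect(string token)
    {
        if (string.IsNullOrWhiteSpace(token)) return TokenKind.Unknown;
        token = token.Trim();
        // Compact JWT: three dot-separated base64url segments, the first a JSON header.
        string[] parts = token.Split('.');
        string header;
        if (parts.Length == 3 && TryDecode(parts[0], out header)
            && header.TrimStart().StartsWith("{", StringComparison.Ordinal))
            return TokenKind.Jwt;

        // SAML: XML, either raw or base64-encoded as in the IDX10708 message.
        string xml;
        if (token.StartsWith("<", StringComparison.Ordinal)) xml = token;
        else if (!TryDecode(token, out xml)) return TokenKind.Unknown;
        return xml.Contains(SamlAssertionNs) ? TokenKind.Saml : TokenKind.Unknown;
    }

    // Decodes base64 or base64url text to UTF-8; returns false when the input is neither.
    static bool TryDecode(string text, out string decoded)
    {
        decoded = null;
        string b64 = text.Replace('-', '+').Replace('_', '/');
        b64 = b64.PadRight(b64.Length + (4 - b64.Length % 4) % 4, '=');
        try { decoded = Encoding.UTF8.GetString(Convert.FromBase64String(b64)); return true; }
        catch (FormatException) { return false; }
    }

    public static void Main()
    {
        // Constructed samples: a JWT-shaped string with a dummy signature, and a base64 SAML stub.
        string jwt = "eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.e30.c2ln";
        string saml = Convert.ToBase64String(Encoding.UTF8.GetBytes(
            "<?xml version=\"1.0\" encoding=\"utf-8\"?><Assertion xmlns=\"" + SamlAssertionNs + "\" />"));
        foreach (string t in new[] { jwt, saml, "not a token" })
            Console.WriteLine(Detect(t));
        // Detection only selects TokenType.Jwt or TokenType.Saml; ValidateToken still verifies the signature.
    }
}
```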

    Error: Value cannot be null. Parameter name: certificate

    Possible problem 1:

    TokenHandler attempted to validate a SAML token with the Jwt token enumeration.

    Resolution 1:

    Change the enumeration from Jwt to SAML.

    tokenHandler.ValidateToken(token, SuperOffice.SuperID.Contracts.SystemUser.V1.TokenType.Saml);

    Possible problem 2:

    Certificates have not been installed on the partner's server. When setting up a database mirroring service, an email with the following error will be sent to the technical contact:

    Failed validating token at at SuperOffice.SuperID.Client.Tokens.SuperIdTokenHandler.ValidateJwtToken(String token, ClaimsPrincipal& claimsPrincipal) in ...
    at SuperOffice.Online.Mirroring.MirroringClientService.ValidateSuperOfficeSignedToken(String token) in ...
    at SuperOffice.Online.Mirroring.MirroringClientService.Authenticate(AuthenticateRequest request) in ...
    Value cannot be null. Parameter name: certificate at at Microsoft.IdentityModel.Tokens.X509SecurityKey..ctor(X509Certificate2 certificate) in ...


    Install the public SuperOffice certificates.

    Error: Cannot locate PartnerHttpContext


    The web application web.config file declared a session mode equal to PartnerHttpContext, but that class is not included in the project or in an assembly located in the website's bin folder.


    Ensure your web project contains the following files from the sample project SuperOffice.DevNet.Online.Login:

    • ContextInitializer.cs
    • ContextResolver.cs
    • PartnerHttpContext.cs