OpenID API Error Handling

HTTP Status Codes

The following are the generic HTTP statuses for the HID Authentication Service OpenID API when an error is returned.

| Code | Label | Applicability | Description |
|------|-------|---------------|-------------|
| 400 | BAD REQUEST | GET, POST, PUT, DELETE | Request cannot be parsed, is syntactically incorrect, or violates schema |
| 401 | UNAUTHORIZED | GET, POST, PUT, DELETE | Authorization failure. The authorization header is invalid or missing |
| 403 | FORBIDDEN | GET, POST, PUT, DELETE | Operation is not allowed based on the supplied authorization |
| 404 | NOT FOUND | GET, POST, PUT, DELETE | Specified resource (such as user) or endpoint does not exist |
| 409 | CONFLICT | POST, PUT, DELETE | The specified version number does not match the resource's latest version number or HID Authentication Service refused to create a new, duplicate resource |
| 500 | INTERNAL SERVER ERROR | GET, POST, PUT, DELETE | An internal server error has occurred |

HID Error Reason Codes

These reason codes for hid_error correspond to the error codes of the API's ErrorConstants object.

Code Description

0

A technical error has occurred

100

A technical error has occurred in an authentication or authentication manager adapter

1000

A parameter was null

1001

An authenticator status parameter is not one of the allowed values

1002

A parameter value greater than zero was not provided

1003

A parameter value greater than or equal to zero was not provided

1005

During UP Authentication, either the username or usercode should be specified, but not both

1006

A parameter was of an invalid format

1007

Date parameters are in an invalid order (for example, start date after end date)

1008

A parameter is too long

1009

A value has been specified for a parameter that is not supported

1010

A parameter representing a numeric value is too large (positive or negative) to be converted into a number

1011

Either a specific channel, or all channels should be specified, but not both

1012

A parameter cannot be both audited and not-audited

1013

When adding a device, either the expiry date or "never expires" should be specified, but not both

1014

When requesting manual synchronization of a device, either the clock or the counter must be specified

1015

A device issuance request status parameter is not one of the allowed values

1016

The device authentication request should have a usercode or device search criteria

1017

Illegal authentication mode

1018

The security domain is invalid

1019

The adapter type is invalid

1020

The adapter type is invalid

1021

The adapter type is invalid

1022

Either a specific Asset set, or all Asset sets should be specified, but not both

1023

Either a specific AuthenticationTypeCode, or all AuthenticationTypes should be specified, but not both

1024

Invalid LDAP mapping

1025

Either a specific AssetGroupCode, or allAssetGroupCode should be specified, but not both

1026

User status is invalid

1027

Transaction Type is invalid

1028

Resource Type is invalid

1029

Device import failed due to invalid parameter

1030

STM device activation failed due to invalid parameter

1031

Manual Synchronization failed because the device counter was set to a value lower than the current one

1032

Manual Synchronization failed because the device counter delta is greater than the maximum delta

1033

Adapter creation failed because an adapter already exists with this name and code for the specified type

1034

An invalid algorithm was found

1036

Error while reading the import device file due to a wrong parameter:

  • The file is wrong (bad format, corrupted file, ...)
  • The chosen adapter does not correspond to the chosen file (for example, PSKC adapter for an .sds file)
  • The encryption key is wrong

1100

An authentication type with this code already exists

1101

A channel with this code already exists

1102

A UP authenticator of this authentication type, with this usercode (external reference), already exists

1103

A UP authenticator of this authentication type, with this username (login), already exists

1104

An MD prompt with this code already exists

1105

An MD authenticator of this authentication type, with this usercode (external reference), already exists

1106

An asset with this code already exists

1107

An asset group with this code already exists

1108

An asset set with this code already exists

1109

A function set with this code already exists

1110

A transaction with this code already exists

1111

A transaction set with this code already exists

1112

An attribute type with this code already exists

1113

A user (sub)group with this code already exists

1114

A user with this code already exists

1115

A user group transaction set privilege with this user subgroup and transaction set already exists

1116

A transaction set item with this transaction already exists in the transaction set

1117

A function set item with this function already exists in the function set

1118

A user group function set privilege with this user subgroup and function set already exists

1119

A user group asset set transaction set privilege with this user subgroup, asset set and transaction set, already exists

1120

A user group asset group function set privilege with this user subgroup, asset group and function set, already exists

1160

A device with this device type and serial number already exists

1161

A credential with this credential code already exists

1166

Defines the error code for a duplicate datasource entity

1167

Defines the error code for a duplicate radiusServer entity

1168

Defines the error code for a duplicate RealmProxy Policy entity

1169

Defines the error code for a duplicate RequestFailurePolicy entity

1170

A device type with this code already exists

1171

Defines the error code for a duplicate AuthProfile entity

1172

AssetGroup already assigned to the Transaction set

Defines the error code for a duplicate assigning of AssetGroup to transactionSet

1173

Defines the error code for a duplicate ChannelAuthProfile entity

1174

Defines the error code for an overlapping datasource

1175

Defines the error code for overlapping client addresses of the gate policy

1180

A role with this code already exists

1190

DEPRECATED Defined the error code for a duplicate user role

1191

A role function set privilege with this role and function set already exists

1192

A role transaction set privilege with this role and transaction set already exists

1193

An authenticator with this usercode and authentication type already exists

1200

A user with the specified code (external reference) could not be found

1201

A user (sub)group with the specified code could not be found

1202

An asset with the specified code could not be found

1203

An asset group with the specified code could not be found

1204

An authentication type with the specified code could not be found

1205

A UP authenticator with the specified code could not be found

1206

An MD authenticator with the specified code could not be found

1207

An MD Group with the specified code could not be found

1208

An MD answer with the specified code could not be found

1209

A channel with the specified code could not be found

1210

An MD prompt with the specified code could not be found

1211

An asset set with the specified code could not be found

1212

An authenticator manager adapter with the specified code could not be found

1213

An audit record with the specified ID could not be found

1260

A device type with the specified code could not be found

1261

A device with the specified ID could not be found

1263

A session transfer type with the specified code could not be found

1270

An authenticator could not be found

1280

A reset password batch with the specified ID could not be found

1281

A transaction set with the specified code could not be found

1282

A transaction (item) with the specified code could not be found

1283

A function set with the specified code could not be found

1284

A function with the specified code could not be found

1285

A function set item with the specified code could not be found

1286

A transaction set item with the specified code could not be found

1287

A user group transaction set privilege with the specified ID could not be found

1288

A user group asset set transaction set privilege with the specified ID could not be found

1289

A user group asset group function set privilege with the specified ID could not be found

1290

A role function set privilege with the specified code ID could not be found

1291

A role transaction set privilege with the specified ID could not be found

1292

A role with the specified code could not be found

1293

A user role assignment could not be found

1294

A user transaction privilege with the specified ID could not be found

1295

A credential with the specified ID could not be found

1296

A credential type with the specified ID could not be found

1297

A status category with specified search criteria could not be found

1298

A status with specified search criteria could not be found

1299

A status transition with specified search criteria could not be found

1300

An asset cannot be added to an asset set because they have different asset groups

1301

RADIUS Server could not be found

1302

RealmProxy Policy could not be found

1303

RequestFailurePolicy could not be found

1304

ChannelAuthorizationPolicy could not be found

1305

ChannelAuthorizationPolicy could not be found

1306

Dictionary Code could not be found

1307

AssetGroup to Transaction set mapping could not be found

1308

Datasource could not be found

1309

An Asset set item could not be found

1310

Email Address or template could not be found

1311

Device issuance request could not be found

1312

Organization could not be found

1313

No Organization adapter could be found

1314

Pseudonymization Token could not be found

1400

No function privilege to call this method

1500

Insufficient MD answers were provided to create the MD authenticator

1501

The MD answer provided is not associated with the MD authenticator (MD group)

1600

The authentication type only allows seeded authentication

1601

The authentication type only allows unseeded authentication

1602

The number of password/answer seed characters provided does not match the number of seed positions provided

1603

The number of password/answer seed characters provided is insufficient for authentication

1604

The seed positions provided are not unique

1605

The number of seed positions requested is greater than the minimum length constraint

1700

An invalid channel was found during authentication

1701

An invalid channel was found for this authentication type

1900

The session is invalid

1901

The session does not exist

1902

The session has timed out

1903

The session has expired

1904

The session has an invalid user associated with it

1905

An authentication of the specified authentication type does not exist within the session

1906

The session contains too many authentication occurrences

200

A technical error has occurred in the Activ Kernel

2000

The number of allowed (failed) attempts to change the password has been exceeded

2001

An expired password change was attempted on a password that had not expired

2100

A constraint violation has occurred (for example, when creating an authenticator with an invalid password or MD answer)

2200

No longer used

2201

The configurer card was not present

2202

The configurer card is faulty

2203

No longer used

2204

The card is not a configurer card

2205

No longer used

2206

The card label is not in the form config.username

2207

No longer used

2208

The card was not recognized

2209

No longer used

300

A technical error has occurred within Core Security

3000

The user subgroup cannot be deleted, because it contains child user subgroup(s)

3001

The user subgroup cannot be deleted, because it contains users

3002

The user subgroup cannot be moved, because the target parent group is a child of the subgroup

3003

The parent of the user subgroup cannot be updated

3004

The user group cannot be moved because it is a root group

3006

The user subgroup cannot be moved because the target parent group does not belong to the subgroup's root group hierarchy

3007

Cannot change user attribute types for a subgroup

3200

An attribute type with the specified code could not be found

3201

A credential could not be found

3202

An adapter could not be found

3203

A delivery provider could not be found

400

A technical error has occurred while getting the CheckBefore Attributes for RADIUS

4000

The asset group or asset set contains assets

4001

The asset group contains an asset set

500

A technical error has occurred while validating the profile attribute type for RADIUS

5000

The form is missing one or more required MD answers

5001

A form with status ISSUED of this form type, already exists for this user

5003

There were one or more problems with a user's authenticators when submitting a form

5100

The user does not have any attributes

5101

The user does not have a mandatory attribute

5106

The user for a password reset request could not be found

5107

A password cannot be generated because a minimum or maximum length constraint of an authentication type has not been set

5108

Unable to reset password, the specified authentication type is not username password

5109

Unable to reset password, the specified authentication type does not specify a valid two-way key

5150

Mandatory encryption parameters for the specified authentication type are missing

5151

The specified authentication type is not of class UP

5200

A base authentication type cannot be dependent on itself

5201

The session does not contain an authentication for the required base authentication type

5202

Authentication type code is used by system, user cannot create an authentication type with same code

5203

Direct User does not have valid authentication type to perform this indirect authentication

5204

Trying to do direct authentication with authentication type that supports only indirect authentication

5300

A cloned authenticator cannot be of the same authentication type

5301

A cloned authenticator cannot be of an authentication type with a different adapter code

5400

The specified session transfer code length is outside the minimum and maximum limits for the specified session transfer type code

5401

The specified session transfer 'from' datetime is in the past

5402

The specified session transfer code is not yet valid

5403

The specified session transfer code has expired

5404

The specified session transfer code has already been received

5405

No unique session transfer code could be generated

5406

The specified session transfer code does not exist

5407

The specified session transfer code is linked to a session with too high a risk score

600

A technical error has occurred in the LDAP

6001

When creating an authentication type, the number of prompts required for creation, was greater than the actual number of prompts in the MD group

6002

The number of prompts required for display does not match the supplied prompts or the prompts required for creation/authentication

6003

When creating an authentication type, the number of prompts required for authentication, was greater than the actual number of prompts in the MD group

6004

The password has expired but can be reset

6005

The authenticator status is invalid

6006

The AuthenticationType class type is incompatible

6007

The old password is invalid

6008

User group not authorized

601

LDAP return size limit exception occurred

602

LDAP lookthrough size limit exception occurred

6050

The device search criteria do not uniquely identify a device

6051

The device is bound to a different user than the one specified

6052

The automatic synchronization method is not supported

6054

The start date is not before the expiry date

6055

The manual synchronization method is not supported

6056

The create unlock code method is not supported

6057

The synchronization request contains incompatible information

6058

There was no active device on the authenticator

6059

Device does not support soft PIN

6060

Soft PIN is too short

6061

Soft PIN is too long

6062

Soft PIN position is invalid

6063

Status value is invalid

6064

Status value is not a valid initial status

6065

Device assignment failed

6066

Request Device failed

6067

Device Activation failed

6068

Reached maximum number of SoftTokens for this device type

6069

Reached maximum number of SoftTokens for this device type

6070

Certificate has expired

6071

Certificate is not yet valid

6072

Unsupported certificate

6073

Unable to verify certificate

6074

Unable to download CRL

6075

Unsupported CRL

6076

Unable to verify CRL

6077

Invalid certificate path

6078

Certificate is revoked

6100

The device does not support asynchronous authentication

6101

The device does not support synchronous authentication

6102

A challenge has not previously been issued for this device

6104

The counter (ATC) on the device has reached its max value

6105

A user defined challenge is expected, but has not been provided

6200

No active Authenticator was found for dynamic Authenticator Selection get Challenge Request

6201

No active Authenticator was found for dynamic Authenticator Selection Device Authentication Request

6202

No active Authenticator was found for dynamic Authenticator Selection UP Authentication Request

6203

For dynamic Authenticator Selection, the usercode should be specified; it cannot be NULL

7000

A circular transaction dependency cannot be configured

7001

A self dependent transaction cannot be configured

7002

The transaction is a dependent transaction for another transaction(s)

7003

The number of authorizations required must be zero or greater

7004

The secondary transaction code must be specified

7400

The specified user already has the specified role

7500

Unable to delete the transaction set as a role transaction set privilege refers to it

7501

Unable to delete the function set as a role function set privilege refers to it

7502

Unable to delete the asset set as a role transaction set privilege refers to it

7503

Unable to delete the asset group as a role function set privilege refers to it

7504

Unable to delete the function set as a function set privilege refers to it

7505

Unable to delete the function set as an asset group function set privilege refers to it

7506

Unable to delete the transaction set as a user subgroup transaction set privilege refers to it

7507

Unable to delete the transaction set as a user subgroup asset set transaction set privilege refers to it

7508

Unable to delete the transaction set as a user transaction set privilege refers to it

7509

Unable to delete the role as a user refers to it

7510

Unable to delete the channel as an authentication type refers to it

7511

Unable to delete channel as there is an unspecified constraint violation because a privilege may refer to it

7512

Unable to delete the attribute type as a user attribute refers to it

7513

Unable to delete the device type as a device refers to it

7514

Unable to delete the device as it is assigned to a user

7516

Unable to delete RequestFailurePolicy as it is used by one or more channels

7517

Unable to delete the datasource as a user refers to it

7518

Unable to delete Authorization Profile due to an existing ChannelAuthorizationProfile reference to it

7519

Unable to delete a user attribute due to an existing LDAP attribute reference to it

7520

Unable to delete an authentication type as something refers to it

7521

The specified user does not have the specified role

7522

Unable to delete a user attribute due to existing user type reference to it

7523

Unable to delete role as it is bound to one or more user repositories

8000

The user already has the maximum number of roles allowed

8800

EntityId or EntityType is null in the exterAuditRequest

900

A technical error has occurred in STM Integration

9000

No license was found for the feature

9001

License for feature has expired, please contact your vendor to purchase new licenses

9002

Invalid license

9003

Audit Tokenization is not enabled

9004

User is not deleted so it cannot be forgotten

9005

Adapter cannot be deleted as it is referenced by a channel

9006

Configured function set to update does not exist

9007

Configured function set to update is not set up correctly

9008

Maximum number of roles has been reached

9009

UserType is SCIM_FED but there is no datasource with matching provisioningAgent

9010

OCSP or CRL internal error

9011

User is bound to a datasource that does not match this session

9012

Security Group is bound to a datasource that does not match this session

9013

Security Group is not bound to a datasource

9014

Cannot add a non SCIM_FED User to a security group bound to a datasource

9015

Client is bound to a datasource

910

Invalid serial number

920

Soft token activation failed

930

The Soft token activation failed

940

The Soft token activation failed

950

The authentication failed

951

A technical error has occurred while activating a push-based HID Approve device

HID Failure Reason Codes

These reason codes for hid_failure correspond to the error codes of the API's AuthenticationResponseConstants object.

Code Description

31

It is required to provide amount and currency for asynchronous EMV cap authentication of EMV cards with IAF=1

12

The authentication code length does not match the requested authentication length of characters

1

The authenticator is disabled

0

The authenticator could not be found

7

The authenticator is not yet valid

22

The challenge has expired

17

The challenge does not match that issued for the token

30

It is required to provide a challenge for asynchronous authentication

4

There is a primary block for this channel

6

There is a primary and secondary block for this channel

5

There is a secondary block for this channel

20

The device is not valid

33

The conversion of EMV SDB to EMV NVP format failed

36

The credential type does not support asynchronous authentication

35

The credential type does not support synchronous authentication

40

Unsupported LDAP authentication mode

LDAP authentication only supports synchronous authentication mode

34

Failed to provide the required PKI_CHALLENGE_SIGNATURE parameter for Asynchronous PKI Certificate authentication

18

An incorrect response was provided

26

The amount value for EMV cap verification is invalid

It must not have a decimal character and it should be a numeric value

27

The currency code for EMV cap verification is invalid

32

The Cryptogram Version Number (CVN) for EMV card is invalid

Supported CVN values are [0xC8, 0xC9, 0x0A, 0x0E]

25

The EMV card data is invalid

28

The Master Key Label for EMV card is invalid

2

The successive failed authentication count reached the disable threshold

3

The maximum number of usages has been reached

29

The maximum value of ATC is reached

9

An MD answer does not match

14

Insufficient MD answers were provided

23

No valid credentials were found

19

The password's maximum usage has been reached

13

The password does not match

45

The user is disabled

15

The user was not found

24

The software PIN was wrong

-1

The value is not defined (available)

46

The Activation Code has expired

47

The Activation Code has reached its threshold

54

The score has not been retrieved

55

The authentication code is not allowed by configuration

49

The challenge has not been found

59

The check before action failed

48

The user already has an open session

50

The OOB secret generation has failed

58

Specific RMS parameters are missing

41

The OTP matched

42

The OTP did not match

43

The PIN matched

44

The PIN did not match

56

For the second step authentication, no session transfer has been found

57

The second step authentication user does not match

53

The block threshold has been reached

52

The reject threshold has been reached

51

The step-up threshold has been reached

39

Hashed password authentication is unsuccessful

HID Response Codes

These response codes correspond to the codes of the API's AuthenticationResponseConstants object.

Code Description

2

The authentication failed

1

The authentication succeeded