SCIM API Error Handling
Error responses are defined in the released RFC version of the SCIM specification [SCIM-Core].
The standard format of the JSON payload is:
- detail – a short description of the error
- status – the HTTP Status Code
- scimType – the SCIM Error Type
- errorCode – the Error Reason Code
Sample Error in response to a read-only update request (the media type is the one the 415 row below requires, application/scim+json):
```http
HTTP/1.1 400 BAD REQUEST
Content-Type: application/scim+json
{
  "schemas": ["urn:ietf:params:scim:api:messages:2.0:Error"],
  "detail": "'roleId' specified does not exist.",
  "status": "400",
  "scimType": "invalidValue",
  "errorCode": 1292
}
```
HTTP Status Codes
The following are the generic HTTP statuses for the HID Authentication Service SCIM API when an error is returned.
Code | Label | Applicability | Description |
---|---|---|---|
307 | TEMPORARY REDIRECT | GET, POST, PUT, PATCH, DELETE | The client is directed to repeat the same HTTP request at the location identified. The client SHOULD NOT use the location provided in the response as a permanent reference to the resource and SHOULD continue to use the original request URI. |
308 | PERMANENT REDIRECT | GET, POST, PUT, PATCH, DELETE | The client is directed to repeat the same HTTP request at the location identified. The client SHOULD use the location provided in the response as the permanent reference to the resource. |
400 | BAD REQUEST | GET, POST, PUT, PATCH, DELETE | Request is unparsable, syntactically incorrect, or violates the schema. |
401 | UNAUTHORIZED | GET, POST, PUT, PATCH, DELETE | Authorization failure. The authorization header is invalid or missing. |
403 | FORBIDDEN | GET, POST, PUT, PATCH, DELETE | Operation is not permitted based on the supplied authorization. |
404 | NOT FOUND | GET, POST, PUT, PATCH, DELETE | Specified resource (for example, User) or endpoint does not exist. |
409 | CONFLICT | POST, PUT, PATCH, DELETE | The specified version number does not match the resource's latest version number, or the service provider refused to create a new, duplicate resource. |
412 | PRECONDITION FAILED | PUT, PATCH, DELETE | Failed to update as resource {id} changed on the server since it was last retrieved. |
413 | REQUEST ENTITY TOO LARGE | POST | The response body reports the bulk limits, for example `{"maxOperations": 1000, "maxPayload": 1048576}`. |
415 | UNSUPPORTED MEDIA TYPE | GET, POST, PUT, PATCH, DELETE | Media type is incorrect. Use: application/scim+json |
500 | INTERNAL SERVER ERROR | GET, POST, PUT, PATCH, DELETE | An internal error. Implementers SHOULD provide descriptive debugging advice. |
501 | NOT IMPLEMENTED | GET, POST, PUT, PATCH, DELETE | Service Provider does not support the requested operation (for example, PATCH). |
Source: SCIM Protocol specification RFC7644 - section 3.12
SCIM Error Types
For HTTP Status 400 (Bad Request) responses, the following detail error types (scimType) are defined:
Label | Applicability | Description |
---|---|---|
invalidFilter | GET, POST, PATCH | The specified filter syntax was invalid or the specified attribute and filter comparison combination is not supported. |
tooMany | GET, POST | The specified filter yields many more results than the server is willing to calculate or process. For example, a filter such as by itself would return all entries with a username and MAY not be acceptable to the service provider. |
uniqueness | GET, POST, PATCH | One or more of the attribute values is already in use or is reserved. |
mutability | PUT, PATCH | The attempted modification is not compatible with the target attribute's mutability or current state (for example, modification of an immutable attribute with an existing value). |
invalidSyntax | POST, PUT | The request body message structure was invalid or did not conform to the request schema. |
invalidPath | PATCH | The path attribute was invalid or malformed. |
noTarget | PATCH | The specified path did not yield an attribute or attribute value that could be operated on. This occurs when the specified path value contains a filter that yields no match. |
invalidValue | GET, POST, PUT, PATCH | A required value was missing, or the value specified was not compatible with the operation, the attribute type, or the resource schema. |
invalidVers | GET, POST (ALL), PUT, PATCH, DELETE | The specified SCIM protocol version is not supported. |
sensitive | GET | The specified request cannot be completed because sensitive (for example, personal) information was passed in a request URI. Personal information SHALL NOT be transmitted in request URIs. |
Source: SCIM Protocol specification RFC7644 - section 3.12
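As an added example (not code from the HID documentation), the following client-side handler parses an error body such as the sample above, rejects anything that is not a SCIM Error message, cross-checks the string `status` field against the HTTP status line, and maps the HTTP status and `scimType` to a next action. The function names, the action labels and the media-type check (which assumes the `application/scim+json` value from the 415 row) are this example's own choices; the `fits_bulk_limits` helper assumes a 413 body shaped like the one in the table.

```python
"""Client-side handling of SCIM error responses (added example, not HID's code)."""
import json
from dataclasses import dataclass
from typing import Optional

SCIM_ERROR_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:Error"
SCIM_MEDIA_TYPE = "application/scim+json"   # per the 415 row of the status table


@dataclass(frozen=True)
class ScimError:
    status: int
    detail: str
    scim_type: Optional[str]
    error_code: Optional[int]


def parse_scim_error(http_status: int, content_type: str, body: str) -> ScimError:
    """Parse an error body, refusing anything that is not a SCIM Error message."""
    # A proxy error page or an HTML login form must not be mistaken for an API error.
    if content_type.split(";")[0].strip().lower() != SCIM_MEDIA_TYPE:
        raise ValueError(f"unexpected media type {content_type!r}")
    data = json.loads(body)
    if SCIM_ERROR_SCHEMA not in data.get("schemas", []):
        raise ValueError("body does not carry the SCIM Error schema URN")
    # "status" is a JSON string ("400"); coerce it and check it against the status line.
    status = int(data["status"])
    if status != http_status:
        raise ValueError(f"body status {status} does not match HTTP status {http_status}")
    code = data.get("errorCode")
    return ScimError(status=status, detail=str(data.get("detail", "")),
                     scim_type=data.get("scimType"),
                     error_code=int(code) if code is not None else None)


def classify(err: ScimError) -> str:
    """Map an error to the caller's next action (labels are this example's own)."""
    if err.status in (307, 308):
        return "follow_redirect"
    if err.status == 401:
        return "reauthenticate"            # Authorization header invalid or missing
    if err.status == 403:
        return "not_permitted"             # authenticated, but operation forbidden
    if err.status == 404:
        return "resource_missing"
    if err.status in (409, 412):
        return "refetch_and_retry"         # version mismatch or duplicate resource
    if err.status == 413:
        return "split_request"             # exceeded maxOperations / maxPayload
    if err.status == 415:
        return "use_scim_media_type"
    if err.status == 400:
        if err.scim_type == "sensitive":
            return "move_data_out_of_uri"  # personal data must not travel in the URI
        if err.scim_type in ("uniqueness", "mutability"):
            return "conflicts_with_existing_state"
        if err.scim_type == "tooMany":
            return "narrow_filter"
        return "fix_request"               # invalidFilter/Syntax/Path/Value/Vers, noTarget
    if err.status in (500, 501):
        return "server_side"
    return "unknown"


def fits_bulk_limits(limits: dict, n_operations: int, payload_bytes: int) -> bool:
    """Check a bulk request against the limits a 413 body reports."""
    return (n_operations <= limits["maxOperations"]
            and payload_bytes <= limits["maxPayload"])


# The sample error shown on this page, embedded here as test input.
SAMPLE_BODY = """{
 "schemas": ["urn:ietf:params:scim:api:messages:2.0:Error"],
 "detail": "'roleId' specified does not exist.",
 "status": "400",
 "scimType": "invalidValue",
 "errorCode": 1292
}"""
```

`errorCode` is kept on the parsed object so a caller can look it up in the Error Reason Codes table below (1292 in the sample is "A role with the specified code could not be found").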
Error Reason Codes
These reason codes correspond to the error codes of the API's ErrorConstants object.
Code | Description |
---|---|
0 | A technical error has occurred |
100 | A technical error has occurred in an authentication or authentication manager adapter |
1000 | A parameter was null |
1001 | An authenticator status parameter is not one of the allowed values |
1002 | A parameter value greater than zero was not provided |
1003 | A parameter value greater than or equal to zero was not provided |
1005 | During UP Authentication, either the username or the usercode should be specified, but not both |
1006 | A parameter was of an invalid format |
1007 | Date parameters are in an invalid order (for example, start date after end date) |
1008 | A parameter is too long |
1009 | A value has been specified for a parameter that is not supported |
1010 | A parameter representing a numeric value is too large (positive or negative) to be converted into a number |
1011 | Either a specific channel, or all channels should be specified, but not both |
1012 | A parameter cannot be both audited and not-audited |
1013 | When adding a device, either the expiry date or never expires should be specified, but not both |
1014 | When requesting manual synchronization of a device, either the clock or the counter must be specified |
1015 | A device issuance request status parameter is not one of the allowed values |
1016 | The device authentication request should have a usercode or device search criteria |
1017 | Illegal authentication mode |
1018 | The security domain is invalid |
1019 | The adapter type is invalid |
1020 | The adapter type is invalid |
1021 | The adapter type is invalid |
1022 | Either a specific Asset set, or all Asset sets should be specified, but not both |
1023 | Either a specific AuthenticationTypeCode, or all AuthenticationTypes should be specified, but not both |
1024 | Invalid LDAP mapping |
1025 | Either a specific AssetGroupCode, or all AssetGroupCodes should be specified, but not both |
1026 | User status is invalid |
1027 | Transaction Type is invalid |
1028 | Resource Type is invalid |
1029 | Device import failed due to an invalid parameter |
1030 | STM device activation failed due to an invalid parameter |
1031 | Manual Synchronization failed because the device counter was set to a value lower than the current one |
1032 | Manual Synchronization failed because the device counter delta is greater than the maximum delta |
1033 | Adapter creation failed because an adapter already exists with this name and code for the specified type |
1034 | An invalid algorithm was found |
1036 | Error while reading the import device file due to a wrong parameter: |
1100 | An authentication type with this code already exists |
1101 | A channel with this code already exists |
1102 | A UP authenticator of this authentication type, with this usercode (external reference), already exists |
1103 | A UP authenticator of this authentication type, with this username (login), already exists |
1104 | An MD prompt with this code already exists |
1105 | An MD authenticator of this authentication type, with this usercode (external reference), already exists |
1106 | An asset with this code already exists |
1107 | An asset group with this code already exists |
1108 | An asset set with this code already exists |
1109 | A function set with this code already exists |
1110 | A transaction with this code already exists |
1111 | A transaction set with this code already exists |
1112 | An attribute type with this code already exists |
1113 | A user (sub)group with this code already exists |
1114 | A user with this code already exists |
1115 | A user group transaction set privilege with this user subgroup and transaction set already exists |
1116 | A transaction set item with this transaction already exists in the transaction set |
1117 | A function set item with this function already exists in the function set |
1118 | A user group function set privilege with this user subgroup and function set already exists |
1119 | A user group asset set transaction set privilege with this user subgroup, asset set and transaction set already exists |
1120 | A user group asset group function set privilege with this user subgroup, asset group and function set already exists |
1160 | A device with this device type and serial number already exists |
1161 | A credential with this credential code already exists |
1166 | Defines the error code for a duplicate datasource entity |
1167 | Defines the error code for a duplicate radiusServer entity |
1168 | Defines the error code for a duplicate RealmProxy Policy entity |
1169 | Defines the error code for a duplicate RequestFailurePolicy entity |
1170 | A device type with this code already exists |
1171 | Defines the error code for a duplicate AuthProfile entity |
1172 | AssetGroup already assigned to the Transaction set. Defines the error code for a duplicate assignment of an AssetGroup to a transactionSet |
1173 | Defines the error code for a duplicate ChannelAuthProfile entity |
1174 | Defines the error code for an overlapping datasource |
1175 | Defines the error code for overlapping client addresses of the gate policy |
1180 | A role with this code already exists |
1190 | DEPRECATED. Defines the error code for a duplicate user role |
1191 | A role function set privilege with this role and function set already exists |
1192 | A role transaction set privilege with this role and transaction set already exists |
1193 | An authenticator with this usercode and authentication type already exists |
1200 | A user with the specified code (external reference) could not be found |
1201 | A user (sub)group with the specified code could not be found |
1202 | An asset with the specified code could not be found |
1203 | An asset group with the specified code could not be found |
1204 | An authentication type with the specified code could not be found |
1205 | A UP authenticator with the specified code could not be found |
1206 | An MD authenticator with the specified code could not be found |
1207 | An MD Group with the specified code could not be found |
1208 | An MD answer with the specified code could not be found |
1209 | A channel with the specified code could not be found |
1210 | An MD prompt with the specified code could not be found |
1211 | An asset set with the specified code could not be found |
1212 | An authenticator manager adapter with the specified code could not be found |
1213 | An audit record with the specified ID could not be found |
1260 | A device type with the specified code could not be found |
1261 | A device with the specified ID could not be found |
1263 | A session transfer type with the specified code could not be found |
1270 | An authenticator could not be found |
1280 | A reset password batch with the specified ID could not be found |
1281 | A transaction set with the specified code could not be found |
1282 | A transaction (item) with the specified code could not be found |
1283 | A function set with the specified code could not be found |
1284 | A function with the specified code could not be found |
1285 | A function set item with the specified code could not be found |
1286 | A transaction set item with the specified code could not be found |
1287 | A user group transaction set privilege with the specified ID could not be found |
1288 | A user group asset set transaction set privilege with the specified ID could not be found |
1289 | A user group asset group function set privilege with the specified ID could not be found |
1290 | A role function set privilege with the specified ID could not be found |
1291 | A role transaction set privilege with the specified ID could not be found |
1292 | A role with the specified code could not be found |
1293 | A user role assignment could not be found |
1294 | A user transaction privilege with the specified ID could not be found |
1295 | A credential with the specified ID could not be found |
1296 | A credential type with the specified ID could not be found |
1297 | A status category with the specified search criteria could not be found |
1298 | A status with the specified search criteria could not be found |
1299 | A status transition with the specified search criteria could not be found |
1300 | An asset cannot be added to an asset set because they have different asset groups |
1301 | RADIUS Server could not be found |
1302 | RealmProxy Policy could not be found |
1303 | RequestFailurePolicy could not be found |
1304 | ChannelAuthorizationPolicy could not be found |
1305 | ChannelAuthorizationPolicy could not be found |
1306 | Dictionary Code could not be found |
1307 | AssetGroup to Transaction set mapping could not be found |
1308 | Datasource could not be found |
1309 | An Asset set item could not be found |
1310 | Email Address or template could not be found |
1311 | Device issuance request could not be found |
1312 | Organization could not be found |
1313 | No Organization adapter could be found |
1314 | Pseudonymization Token could not be found |
1400 | No function privilege to call this method |
1500 | Insufficient MD answers were provided to create the MD authenticator |
1501 | The MD answer provided is not associated with the MD authenticator (MD group) |
1600 | The authentication type only allows seeded authentication |
1601 | The authentication type only allows unseeded authentication |
1602 | The number of password/answer seed characters provided does not match the number of seed positions provided |
1603 | The number of password/answer seed characters provided is insufficient for authentication |
1604 | The seed positions provided are not unique |
1605 | The number of seed positions requested is greater than the minimum length constraint |
1700 | An invalid channel was found during authentication |
1701 | An invalid channel was found for this authentication type |
1900 | The session is invalid |
1901 | The session does not exist |
1902 | The session has timed out |
1903 | The session has expired |
1904 | The session has an invalid user associated with it |
1905 | An authentication of the specified authentication type does not exist within the session |
1906 | The session contains too many authentication occurrences |
200 | A technical error has occurred in the Activ Kernel |
2000 | The number of allowed (failed) attempts to change the password has been exceeded |
2001 | An expired password change was attempted on a password that had not expired |
2100 | A constraint violation has occurred (for example, when creating an authenticator with an invalid password or MD answer) |
2200 | No longer used |
2201 | The configurer card was not present |
2202 | The configurer card is faulty |
2203 | No longer used |
2204 | The card is not a configurer card |
2205 | No longer used |
2206 | The card label is not in the form config.username |
2207 | No longer used |
2208 | The card was not recognized |
2209 | No longer used |
300 | A technical error has occurred within Core Security |
3000 | The user subgroup cannot be deleted, because it contains child user subgroup(s) |
3001 | The user subgroup cannot be deleted, because it contains users |
3002 | The user subgroup cannot be moved, because the target parent group is a child of the subgroup |
3003 | The parent of the user subgroup cannot be updated |
3004 | The user group cannot be moved because it is a root group |
3006 | The user subgroup cannot be moved because the target parent group does not belong to the subgroup's root group hierarchy |
3007 | Cannot change user attribute types for a subgroup |
3200 | An attribute type with the specified code could not be found |
3201 | A credential could not be found |
3202 | An adapter could not be found |
3203 | A delivery provider could not be found |
400 | A technical error has occurred while getting the CheckBefore Attributes for RADIUS |
4000 | The asset group or asset set contains assets |
4001 | The asset group contains an asset set |
500 | A technical error has occurred while validating the profile attribute type for RADIUS |
5000 | The form is missing one or more required MD answers |
5001 | A form with status ISSUED of this form type already exists for this user |
5003 | There were one or more problems with a user's authenticators when submitting a form |
5100 | The user does not have any attributes |
5101 | The user does not have a mandatory attribute |
5106 | The user for a password reset request could not be found |
5107 | A password cannot be generated because a minimum or maximum length constraint of an authentication type has not been set |
5108 | Unable to reset password, the specified authentication type is not username password |
5109 | Unable to reset password, the specified authentication type does not specify a valid two-way key |
5150 | Mandatory encryption parameters for the specified authentication type are missing |
5151 | The specified authentication type is not of class UP |
5200 | A base authentication type cannot be dependent on itself |
5201 | The session does not contain an authentication for the required base authentication type |
5202 | The authentication type code is used by the system; a user cannot create an authentication type with the same code |
5203 | The Direct User does not have a valid authentication type to perform this indirect authentication |
5204 | Trying to do direct authentication with an authentication type that supports only indirect authentication |
5300 | A cloned authenticator cannot be of the same authentication type |
5301 | A cloned authenticator cannot be of an authentication type with a different adapter code |
5400 | The specified session transfer code length is outside the minimum and maximum limits for the specified session transfer type code |
5401 | The specified session transfer 'from' datetime is in the past |
5402 | The specified session transfer code is not yet valid |
5403 | The specified session transfer code has expired |
5404 | The specified session transfer code has already been received |
5405 | No unique session transfer code could be generated |
5406 | The specified session transfer code does not exist |
5407 | The specified session transfer code is linked to a session with too high a risk score |
600 | A technical error has occurred in the LDAP |
6001 | When creating an authentication type, the number of prompts required for creation was greater than the actual number of prompts in the MD group |
6002 | The number of prompts required for display does not match the supplied prompts or the prompts required for creation/authentication |
6003 | When creating an authentication type, the number of prompts required for authentication was greater than the actual number of prompts in the MD group |
6004 | The password has expired but can be reset |
6005 | The authenticator status is invalid |
6006 | The AuthenticationType class type is incompatible |
6007 | The old password is invalid |
6008 | User group not authorized |
601 | LDAP return size limit exception occurred |
602 | LDAP lookthrough size limit exception occurred |
6050 | The device search criteria do not uniquely identify the device |
6051 | The device is bound to a different user than the one specified |
6052 | The automatic synchronization method is not supported |
6054 | The start date is not before the expiry date |
6055 | The manual synchronization method is not supported |
6056 | The create unlock code method is not supported |
6057 | The synchronization request contains incompatible information |
6058 | There was no active device on the authenticator |
6059 | Device does not support soft PIN |
6060 | Soft PIN is too short |
6061 | Soft PIN is too long |
6062 | Soft PIN position is invalid |
6063 | Status value is invalid |
6064 | Status value is not a valid initial status |
6065 | Device assignment failed |
6066 | Request Device failed |
6067 | Device Activation failed |
6068 | Reached maximum number of SoftTokens for this device type |
6069 | Reached maximum number of SoftTokens for this device type |
6070 | Certificate has expired |
6071 | Certificate is not yet valid |
6072 | Unsupported certificate |
6073 | Unable to verify certificate |
6074 | Unable to download CRL |
6075 | Unsupported CRL |
6076 | Unable to verify CRL |
6077 | Invalid certificate path |
6078 | Certificate is revoked |
6100 | The device does not support asynchronous authentication |
6101 | The device does not support synchronous authentication |
6102 | A challenge has not previously been issued for this device |
6104 | The counter (ATC) on the device has reached its maximum value |
6105 | A user-defined challenge is expected, but has not been provided |
6200 | No active Authenticator was found for a dynamic Authenticator Selection get Challenge Request |
6201 | No active Authenticator was found for a dynamic Authenticator Selection Device Authentication Request |
6202 | No active Authenticator was found for a dynamic Authenticator Selection UP Authentication Request |
6203 | For dynamic Authenticator Selection, the usercode should be specified; it cannot be NULL |
7000 | A circular transaction dependency cannot be configured |
7001 | A self-dependent transaction cannot be configured |
7002 | The transaction is a dependent transaction for another transaction(s) |
7003 | The number of authorizations required must be zero or greater |
7004 | The secondary transaction code must be specified |
7400 | The specified user already has the specified role |
7500 | Unable to delete the transaction set as a role transaction set privilege refers to it |
7501 | Unable to delete the function set as a role function set privilege refers to it |
7502 | Unable to delete the asset set as a role transaction set privilege refers to it |
7503 | Unable to delete the asset group as a role function set privilege refers to it |
7504 | Unable to delete the function set as a function set privilege refers to it |
7505 | Unable to delete the function set as an asset group function set privilege refers to it |
7506 | Unable to delete the transaction set as a user subgroup transaction set privilege refers to it |
7507 | Unable to delete the transaction set as a user subgroup asset set transaction set privilege refers to it |
7508 | Unable to delete the transaction set as a user transaction set privilege refers to it |
7509 | Unable to delete the role as a user refers to it |
7510 | Unable to delete the channel as an authentication type refers to it |
7511 | Unable to delete the channel as there is an unspecified constraint violation because a privilege may refer to it |
7512 | Unable to delete the attribute type as a user attribute refers to it |
7513 | Unable to delete the device type as a device refers to it |
7514 | Unable to delete the device as it is assigned to a user |
7516 | Unable to delete RequestFailurePolicy as it is used by one or more channels |
7517 | Unable to delete the datasource as a user refers to it |
7518 | Unable to delete Authorization Profile due to an existing ChannelAuthorizationProfile reference to it |
7519 | Unable to delete a user attribute due to an existing LDAP attribute reference to it |
7520 | Unable to delete an authentication type as something refers to it |
7521 | The specified user does not have the specified role |
7522 | Unable to delete a user attribute due to an existing user type reference to it |
7523 | Unable to delete the role as it is bound to one or more user repositories |
8000 | The user already has the maximum number of roles allowed |
8800 | EntityId or EntityType is null in the exterAuditRequest |
900 | A technical error has occurred in STM Integration |
9000 | No license was found for the feature |
9001 | License for the feature has expired; please contact your vendor to purchase new licenses |
9002 | Invalid license |
9003 | Audit Tokenization is not enabled |
9004 | User is not deleted so it cannot be forgotten |
9005 | Adapter cannot be deleted as it is referenced by a channel |
9006 | Configured function set to update does not exist |
9007 | Configured function set to update is not set up correctly |
9008 | Maximum number of roles has been reached |
9009 | UserType is SCIM_FED but there is no datasource with a matching provisioningAgent |
9010 | OCSP or CRL internal error |
9011 | User is bound to a datasource that does not match this session |
9012 | Security Group is bound to a datasource that does not match this session |
9013 | Security Group is not bound to a datasource |
9014 | Cannot add a non-SCIM_FED User to a security group bound to a datasource |
9015 | Client is bound to a datasource |
910 | Invalid serial number |
920 | Soft token activation failed |
930 | The Soft token activation failed |
940 | The Soft token activation failed |
950 | The authentication failed |
951 | A technical error has occurred while activating a push-based HID Approve device |