Identify*STS Improved Error Handling

Identify*STS is now able to handle most of the errors that occur while processing a security token issuing request. With this improvement, the client no longer receives a generic FaultException with the message “The server was unable to process the request due to an internal error”. When an exception is thrown, Identify*STS ensures the following:

  • All errors are logged with a detailed message, an error code and the full stack trace.
  • The FaultException returned to the client carries a specific message together with its fault code.
  • All uncaught exceptions are handled.

Below is an overview of the Event IDs that are logged to the Windows Event Viewer.

Error Message | Event Id | Type | Possible cases
STSConfigurationLoadingError | 5001 | Warning/Error | Warning: the value of the “Received Security Token Encryption certificate” setting on the wstrust connection is invalid or empty. Error: the value of “Bootstrap token trusted issuers” is invalid or empty when ActAs requests are used on the wstrust connection; the audience restriction configured on the wstrust connection is invalid; the authentication connection chosen for the wstrust connection is disabled.
STSInvalidProtocolConnectionFoundError | 5003 | Error | The wstrust connection doesn’t exist or is disabled; more than one wstrust connection matches the AppliesTo.
STSClientCertificateSecurityTokenValidationFailedError | 5004 | Error | The presented certificate doesn’t map to any user in the Identify store/ADFS store.
STSUserNamePasswordValidationFailedError | 5005 | Error | The supplied user credential doesn’t exist in the Identify store/ADFS store.
STSAuthenticationFailedError | 5010 | Error | The supplied user credential doesn’t exist in the Identify store/ADFS store (Note: the authentication connection of the wstrust connection is None).
STSAuthorizationFailedError | 5011 | Error | The ActAs user is not authorized for the wstrust connection.
STSActAsTokenValidationFailedError | 5012 | Error | The ActAs element in the RST is invalid (not SAML2, not a certificate, invalid issuer…).
STSLogEvent | 5020 | Info | Logs all STS debug log events.
StsUnknownError | 5050 | Error | An unknown error, e.g. the RP expects a SAML 1.1 token but the IdP contains a claim type that doesn’t suit the format rule.
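As an added example (not part of Identify*STS or its documentation), the following script triages events exported from the Event Viewer using the Event IDs in the table above: it counts each documented event, separates out 5050 unknown errors for manual review, reports IDs the table doesn’t cover, and flags a burst of credential failures (5004/5005/5010). The (event_id, message) export shape and the sample records are assumptions constructed for the example.

```python
# Added example, not part of Identify*STS: triage exported STS events by the
# Event IDs in the table above and flag what an operator should act on.
from collections import Counter

# Event ID -> event name, as documented in the table above.
STS_EVENTS = {
    5001: "STSConfigurationLoadingError",
    5003: "STSInvalidProtocolConnectionFoundError",
    5004: "STSClientCertificateSecurityTokenValidationFailedError",
    5005: "STSUserNamePasswordValidationFailedError",
    5010: "STSAuthenticationFailedError",
    5011: "STSAuthorizationFailedError",
    5012: "STSActAsTokenValidationFailedError",
    5020: "STSLogEvent",
    5050: "StsUnknownError",
}
CREDENTIAL_FAILURE_IDS = {5004, 5005, 5010}  # a burst of these deserves a look

def triage(events, failure_threshold=5):
    """events: (event_id, message) pairs exported from the Event Viewer
    (the export shape is an assumption). Returns a dict of findings."""
    counts = Counter()
    unknown_ids = set()     # IDs not in the documented table
    unknown_errors = []     # 5050 messages that need a human look
    for event_id, message in events:
        name = STS_EVENTS.get(event_id)
        if name is None:
            unknown_ids.add(event_id)
            continue
        counts[name] += 1
        if event_id == 5050:
            unknown_errors.append(message)
    credential_failures = sum(counts[STS_EVENTS[i]] for i in CREDENTIAL_FAILURE_IDS)
    return {
        "counts": dict(counts),
        "unknown_ids": sorted(unknown_ids),
        "unknown_errors": unknown_errors,
        "credential_failure_burst": credential_failures >= failure_threshold,
    }

# Constructed sample records, not real Identify*STS log output.
SAMPLE_EVENTS = [
    (5005, "User 'alice' not found in Identify store (constructed)"),
    (5005, "User 'bob' not found in Identify store (constructed)"),
    (5005, "User 'carol' not found in Identify store (constructed)"),
    (5010, "Authentication failed for 'dave' (constructed)"),
    (5004, "Certificate does not map to a user (constructed)"),
    (5050, "Claim type does not suit the SAML 1.1 format rule (constructed)"),
    (4999, "Not an STS event (constructed)"),
]
```

Running `triage(SAMPLE_EVENTS)` on the constructed records reports five credential failures (so the burst flag is set), one 5050 message for review, and 4999 as an undocumented ID.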