Press "Enter" to skip to content
< Back

Enterprise SSO Error Codes

Error Code Detail:

Note – this feature is in beta so due care needs to be taken when using this feature and please report any issues/feedback to  

 

extauth-appaccess_expr-error extauth-requiredtype-okta
extauth-appaccesstoken-error
extauth-requiredtype-azure
extauth-disabled-error extauth-token-error
extauth-invalidtype-error extauth-token-expired
extauth-login-retry extauth-tokenreq-error
extauth-nonce-error extauth-unknowncompany-error
extauth-noconfig-error extauth-unknowntype-error
extauth-reg-failed extauth-update-error
extauth-requiredtype-error extauth-usernotfound-error

extauth-reg-failed

    • End user error text
      Authorization by <IDP> succeeded but registration with WhenToWork failed.

    • Error Detail
      This is an unlikely catch-all error code which can be raised during the registration of identity service providers such as Google, Facebook or Microsoft.
      This error could occur if WhenToWork’s software encounters an unplanned error condition from the IDP, such as the IDP’s endpoint is not responding or is responding with unexpected content. The this error code occur if the target IDP has changed their public facing API in a way which is no longer compatible with WhenToWork’s implementation.

    • What to do
      If the problem persists, feel free to email WhenToWork’s tech support staff with a description of the problem.
  •  

extauth-token-expired

    • End user error text
      Authorization by <IDP> has expired. Login again or try clearing cookies and force a hard refresh of your internet browser. If the problem persists, contact your local system administrator.

    • Error Detail
      The exp claim provided by the id or access token provided by the IDP has expired. Token expiration time is typically one hour, but the IDP’s browser-based software is responsible for keeping tokens current, such that this issue should be uncommon.

    • What to do
      If your browser supports multiple user profiles/identities. Make sure that the desired identity is the one that’s active/selected. Retry your login.
      Clear your browser’s data cache (Ctrl-Shift-Delete, in some browsers), and retry the login.
      If available, try to login using your browser’s “new incognito/private window” option.
      Try to login using a different browser.
      Contact your local system administrator.
      If the problem persists, contact WhenToWork tech support.

extauth-tokenreq-error

    • End user error text
      Authorization by <IDP> failed unexpectedly. Try logging in again and if the problem persists, contact your local system administrator.

    • Error Detail
      This issue can only occur during WhenToWork’s processing of the OAuth2 code flow for IAM’s such as Okta and Azure. The error indicates that IAM user authentication succeeded, but failed to receive an access token for the endpoint found at <OAuthBaseURI>/token. This could be due to a system outage at that endpoint. It could also be caused an incorrect Application Id/Client Id or an incorrect or expired Client Secret in your WhenToWork SSO settings.

    • What to do
      After a while, retry your login.
      Contact your local system administrator.
      If the problem persists, contact WhenToWork tech support.

extauth-nonce-error

    • End user error text
      Authorization by <IDP> included an unexpected verification value. If the problem persists, contact your local system administrator.

    • Error Detail
      This error indicates that WhenToWork has intercepted an attempted replay attack.

    • What to do
      Contact WhenToWork tech support.

extauth-token-error

    • End user error text
      Login via IDP Authorization by <IDP> failed. Please try again or use WhenToWork login id and password.
      Login via IAM Authorization by <IDP/IAM> failed. Please try again, or if the problem persists, contact your local system administrator.

    • Error Detail
      This is an unlikely catch-all error code which indicates a non-specific or unexpected condition occurred while validating an id or access token.

    • What to do
      If the problem persists, feel free to email WhenToWork’s tech support staff with a description of the problem.

extauth-update-error

    • End user error text
      Authorization by <IDP> succeeded but update of authentication data failed unexpectedly. Please try again.

    • Error Detail
      Indicates that the attempt to record the antecedent error failed. This could happen if WhenToWork’s main server is experiencing an outage.

    • What to do
      If the problem persists, feel free to email WhenToWork’s tech support staff with a description of the problem.

extauth-disabled-error

    • End user error text
      Authorization by <IDP> is either not configured or disabled. Check WhenToWork SSO settings.

    • Error Detail
      This is an IAM-only error wherein a user is attempting to login using and IAM type (e.g. Okta/Azure) which is currently disabled.

    • What to do
      Contact your local system administrator.

extauth-invalidtype-error
extauth-requiredtype-error
extauth-requiredtype-okta
extauth-requiredtype-azure

    • End user error text
      Your WhenToWork account requires authorization using <IDP>.

    • Error Detail
      A user is attempting to login using a different IAM than the one which is currently enabled and “Required”.
      This error is most likely to be the result of changing from one type of IAM configuration to another, e.g. changing from Azure to Okta.
      Although these error codes mean essentially the same thing, the unique error codes may be useful to WhenToWork technical staff in diagnosing an unexpected root cause.

    • What to do
      Contact your local system administrator.
      If the problem persists, feel free to email WhenToWork’s tech support staff with a description of the problem.

extauth-unknowntype-error

    • End user error text
      SSO type <IDP> is unknown. Please check with your manager or system administrator.

    • Error Detail
      This error can only occur as a result of an invalid value for the IAM code flow launch url param “codeflow=”. Supported values for the codeflow param are “azure” and “okta”.

    • For Azure, see “Initiate login URI”.
    • For Okta, see “Home Page URL”.
    • What to do
      Contact your local system administrator.

extauth-unknowncompany-error

    • End user error text
      Company id <company id> is unknown. Please check with your manager or system administrator.

    • Error Detail
      This error can only occur as a result of an invalid value for the IAM code flow launch url param “companyid=”.

    • For Azure, see “Initiate login URI”.
    • For Okta, see “Home Page URL”.
      In this case, the specified company id does not exist.
    • What to do
      Contact your local system administrator.

extauth-noconfig-error

    • End user error text
      Configuration for company id <company id> is not found. Please check with your manager or system administrator.

    • Error Detail
      This error can only occur as a result of an invalid value for the IAM code flow launch url param “companyid=”.

    • For Azure, see “Initiate login URI”.
    • For Okta, see “Home Page URL”.
      In this case, the specified company id does not have any IAM configuration data at WhenToWork SETTINGS → Pro → Enterprise SSO / Configure
    • What to do
      Contact your local system administrator.

extauth-usernotfound-error

    • End user error text
      <IDP> user not found. Please check with your manager or <IDP> system administrator.

    • Error Detail
      User attempted to login to WhenToWork with and external IDP/IAM id or email address that is not linked/provisioned in WhenToWork.
      This error can only occur for IAM access attempts. Conversely, standard IDP access wherein no user link is found will automatically guide the user to set up a persistent link to the IDP.

    • What to do
      Contact your manager.

extauth-appaccesstoken-error

    • End user error text
      An unexpected <IDP> app access token error occurred. Please contact your <IDP> administrator.

    • Error Detail
      This error is specific to Azure AD, and indicates that AppResourceName is defined through configuration, but the user who is attempting to login does not have permissions to query the app list.

    • What to do
      Contact your manager or local system administrator.

extauth-appaccess_expr-error

    • End user error text
      User is not authorized to access the WhenToWork application. Please contact your <IDP> administrator.

    • Error Detail
      This error indicates that a configured test expression did not resolve to true, and thus prevented user access.

    • What to do
      Contact your manager or local system administrator.
      To diagnose which expression failed, open WhenToWork SSO configuration page and locate Test Expressions. Click on Run to popup the Test Expressions diagnostic tool. Find the employee by name and double-click to execute the defined expressions against the most recently received auth tokens. Note the results at the bottom of the popup window.

extauth-appaccess_userqry-error

    • End user error text
      User is not authorized to access the WhenToWork application. Please contact your <IDP> administrator.

    • Error Detail
      This error is specific to Okta, wherein if ApiKey is defined and no custom scope values are defined, WhenToWork will attempt to query Okta to determine if the user who is attempting to access WhenToWork is ACTIVE in Okta and has been assigned to the WhenToWork app.

    • What to do
      Contact your manager or local system administrator.