This topic provides some insights into various error scenarios that you might encounter.

Also see OAuth2 error responses


Unit4 Identity Services (U4IDS) uses Serilog for application-wide logging. This is configured in the web.config file. Learning how to investigate the log is a great way to diagnose issues encountered.

Invalid scope

Possible causes

For more details on the difference between ID scope and resource scope, see Scope.

Invalid response type

Possible causes

If the response type is not valid the request will not reach the authentication middleware, therefore this will not produce any logging information. Check the listed parameters and see which one is wrong.

Invalid token

This typical happens if you only copy a part of your access token or reference token or if you by an accident has a typo. If you have an jwt token you can use to check if your token is valid.

Possible causes

Invalid request

This often happens when you are missing a required parameter in the request. Note: Different required parameters for different authentication flow see flows

Possible causes

Invalid client

You will get error message invalid_client from the token endpoint (not authorize endpoint) or revocation endpoint if you request clientId or secret property is invalid.

Possible causes

The client application is not known or is not authorized

You will get an unauthorized client when the client configuration does not match the authorize request.

Possible causes

Please contact your system administrator

You should open the log on your U4IDS to see more information.

Possible causes

The requests base path will be used as cookie path value. The cookie path value is treated as case sensitive by the browser. If the request to U4IDS is different from the redirect url to the Identity Provider this will cause that the cookies are not transferred back to U4IDS.

*Make sure U4IDS base path from the request matches the case on the U4IDS server. *

Certificate issue

The certificate must be uploaded to Azure for Azure deployment.

Could not find certificate with thumbprint XXX, store name XXX and location XXX




The certificate thumbprint copied from MMC snapin has an invisible extra space at the beginning of the string. It must be removed. See this article for details.

No signing certificate configured


Requires a certificate to be installed on the server certificate store.


No signin id

Possible causes

Missing parameters in callback

After a sucessful login, the IdP should call the U4IDS callback endpoint. The user is able to login but the callback to IDS is showing Please contact your system administrator.

Verify that your callback has a SigninMessage cookie and a state in the form post.

From IDS log

[Information] Callback invoked from external identity provider
[Information] No signin id passed

ADFS Deep-Dive: Comparing WS-Fed, SAML, and OAuth

WS-federation: wctx parameter missing

No identifier claim from external identity provider

After authenticating the external identity provider calls the U4IDS callback with the authentication token. The token needs to contain identifier claims. There are two claim types:

From IDS log

[Error] no subject or unique identifier claims from external identity provider. Claims provided: