If the SSO provider returns any type of error, the error string will be available to the enclosing policy in the local variable named error.do-set-sso-passphraseand will be the form: <4-Digit Number>:<Text Description>. Otherwise that local variable will be unavailable.