diff --git a/app/controllers/session_controller.rb b/app/controllers/session_controller.rb
index 00dbbe1d74b..7588125bbaa 100644
--- a/app/controllers/session_controller.rb
+++ b/app/controllers/session_controller.rb
@@ -57,7 +57,7 @@ class SessionController < ApplicationController
 
     sso = DiscourseSingleSignOn.parse(request.query_string)
     if !sso.nonce_valid?
-      return render(text: I18n.t("sso.timeout_expired"), status: 500)
+      return render(text: I18n.t("sso.timeout_expired"), status: 400)
     end
 
     if ScreenedIpAddress.should_block?(request.remote_ip)