Use the Identity Provider Event Log
When you're using Salesforce as an identity provider, use the identity provider event log to see information about login attempts. For example, see why login attempts failed so you can troubleshoot problems with your single sign-on (SSO) configuration. The log shows you the 50 most recent login attempts. To view more, create a custom report.
Required Editions
Available in: both Salesforce Classic and Lightning Experience
Available in: Developer, Enterprise, Performance, Unlimited, and Database.com Editions
| User Permissions Needed | |
|---|---|
| Define and modify identity providers and service providers: | Customize Application |
- From Setup, in the Quick Find box, enter Identity Provider Event Log, then select Identity Provider Event Log.
- By default, the log shows you all login attempts. To see errors or successes only, click the dropdown arrow and choose Show errors only or Show successes only.

To see all login attempts, create a custom report. For more information, see Set Up a Custom Report Type.

The log displays information in these fields.

Username: The username of the user who attempted to log in.

Usage Type: The login flow used for the attempt.
- Identity provider-initiated SAML
- OAuth authorization
- OAuth token exchange
- Service provider-initiated SAML

Timestamp: The date and time of the login attempt. For example, 7/20/2025, 12:15:30 PM PDT.

Entity ID: The entity ID of the connected app.

Status: The status of the login attempt.
- Error: App access denied—The user isn't permitted to use the OAuth-enabled connected app. For example, they don't have the right permission set or profile.
- Error: App blocked—An admin blocked access to the connected app.
- Error: Custom field not found—Salesforce couldn't find the field for the subject custom attribute used to identify the user.
- Error: Expired authorization code
- Error: IdP certificate is invalid or does not exist
- Error: Internal Error—An unidentified error occurred within Salesforce.
- Error: Invalid authorization code
- Error: Invalid client credentials
- Error: Invalid device ID
- Error: Invalid grant—There was a problem with the OAuth flow. This error also displays a specific reason for the problem, such as an expired token.
- Error: Invalid Identity Provider Endpoint URL
- Error: Invalid Issuer
- Error: Invalid scope(s)
- Error: Invalid session level—The session policy for the connected app is invalid or wasn't satisfied.
- Error: Invalid Signature—Something is wrong with the signature in the SAML assertion.
- Error: Invalid spoke SP settings—In the Environment Hub, the service provider orgs aren't configured properly for the identity provider org.
- Error: Invalid user credentials
- Error: Misconfigured or invalid service provider
- Error: No Spoke ID found—For Environment Hub orgs, the identity provider org couldn't find the ID of the service provider org.
- Error: Unable to parse AuthnRequest from service provider
- Error: User does not have access to this service provider—The user isn't permitted to use the SAML-enabled connected app. For example, they don't have the right permission set or profile.
- Error: User does not have a Federation Identifier selected
- Error: User does not have a value for the subject custom attribute
- Error: Unable to resolve request into a Service Provider
- OAuth Error—A problem occurred with the OAuth flow, but Salesforce couldn't identify the cause.
- Success
- Unknown Error—An unidentified error unrelated to Salesforce occurred. For example, the user lost internet connection.
- User logged out due to forced authentication request

Service Provider: The connected app the user tried to access.
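
For troubleshooting beyond the 50 attempts the log shows, this added example (not Salesforce code) groups failed attempts from a custom report exported as CSV by likely cause, per service provider. The column names, the sample rows, and the triage grouping are assumptions of the example; statuses outside the groups are reported as other.

```python
import csv
import io
from collections import Counter

# Constructed sample export; column names and the "(expired token)" suffix are assumed.
SAMPLE_CSV = """Username,Usage Type,Timestamp,Entity ID,Status,Service Provider
ana@example.com,Service provider-initiated SAML,"7/20/2025, 12:15:30 PM PDT",https://sp.example.com,Error: Invalid Signature,Example App
ben@example.com,Service provider-initiated SAML,"7/20/2025, 12:16:02 PM PDT",https://sp.example.com,Error: Invalid Signature,Example App
cy@example.com,Identity provider-initiated SAML,"7/20/2025, 12:20:41 PM PDT",https://hr.example.com,Error: User does not have a Federation Identifier selected,HR Portal
cy@example.com,OAuth token exchange,"7/20/2025, 12:21:10 PM PDT",https://api.example.com,Error: Invalid grant (expired token),API Client
ana@example.com,Identity provider-initiated SAML,"7/20/2025, 12:30:00 PM PDT",https://hr.example.com,Success,HR Portal
"""

# Assumed triage grouping (this example's own, not a Salesforce classification).
GROUPS = {
    "success": ("Success",),
    "sso_config": ("Error: Custom field not found", "Error: Invalid Issuer",
        "Error: Invalid Signature", "Error: Invalid spoke SP settings", "Error: No Spoke ID found",
        "Error: IdP certificate is invalid or does not exist", "Error: Invalid Identity Provider Endpoint URL",
        "Error: Misconfigured or invalid service provider",
        "Error: Unable to parse AuthnRequest from service provider",
        "Error: Unable to resolve request into a Service Provider"),
    "user_setup": ("Error: App access denied", "Error: App blocked",
        "Error: User does not have access to this service provider",
        "Error: User does not have a Federation Identifier selected",
        "Error: User does not have a value for the subject custom attribute"),
    "auth_request": ("Error: Expired authorization code", "Error: Invalid grant",
        "Error: Invalid authorization code", "Error: Invalid client credentials",
        "Error: Invalid user credentials", "Error: Invalid device ID",
        "Error: Invalid scope(s)", "Error: Invalid session level"),
}

def group_for(status):
    """Prefix match, since some statuses carry an appended reason."""
    for group, prefixes in GROUPS.items():
        if status.startswith(prefixes):
            return group
    return "other"

def summarize(csv_text):
    """Count failed attempts per (Service Provider, group, Status)."""
    counts = Counter()
    for row in csv.DictReader(io.StringIO(csv_text)):
        status = row["Status"].strip()
        if group_for(status) != "success":
            counts[(row["Service Provider"], group_for(status), status)] += 1
    return counts

if __name__ == "__main__":
    print(*summarize(SAMPLE_CSV).most_common(), sep="\n")
```

Several users failing with the same sso_config status against one service provider points at the connected app or SAML settings rather than at individual accounts.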

