Review the Login History
When users fail to log in to your org with single sign-on (SSO), search the login history to find out why. For example, see if a login failure is related to the SAML assertion or to your Salesforce configuration.
Required Editions
| Available in: both Salesforce Classic and Lightning Experience |
Federated Authentication is available in: All Editions Delegated Authentication is available in: Professional, Enterprise, Performance, Unlimited, Developer, and Database.com Editions Authentication Providers are available in: Professional, Enterprise, Performance, Unlimited, and Developer Editions |
| User Permissions Needed | |
|---|---|
| To view the settings: | View Setup and Configuration |
| To edit the settings: | Customize Application AND Modify All Data |
When a user logs in to your org from an external SAML identity provider, like Okta, the identity provider sends SAML assertions with user information to Salesforce. Salesforce validates the SAML assertion and its user claims with information from your SSO configuration and the users in your org. If the SAML assertion is invalid or something is wrong with your SAML configuration, the user fails to log in. To see why the login failed, view the login history.
Use the login history to determine whether an error is related the SAML assertion or to your Salesforce configuration. If the error is related to the SAML assertion, use the SAML Assertion Validator to locate specific errors in the assertion.
For example, you configure SSO into your org from Okta, your identity provider, and ask a few users to test it by logging in. All test users fail to log in. You go to Setup, review the login history, and find the failed attempts. Under Status, you see the same error message for all test users: Assertion Invalid. It’s a SAML assertion problem, so you go to the SAML Assertion Validator, which contains the assertion from the most recent failed attempt. You run the validator, locate the error, and work with Okta to fix it.
Or, consider the same scenario with a different error message indicating a problem with your Salesforce configuration: Issuer Mismatched. This error message tells you that the issuer specified in Okta’s assertion is different than the issuer you specified in your Salesforce configuration. You obtain the correct issuer from Okta, edit your SSO settings, and fix the error.
For a list of reasons for login failures, see SAML Login Errors.
To view the login history:
- From Setup, enter Login History in the Quick Find box, then select Login History. You can view and download your org’s login history for the last 6 months.
- To customize the information the login history shows, from the Login History page, click Create New View. For more information on creating login history views, see Monitor Login History.
- Troubleshoot SAML Assertion Errors
Use the SAML Assertion Validator to troubleshoot single sign-on (SSO) login problems and identify errors in SAML assertions sent by your identity provider. - SAML Login Errors
If users have trouble accessing your org with single sign-on (SSO), use the login history to determine whether it’s a SAML assertion error or a configuration problem. If it’s an assertion-related error, identify specific assertion problems with the SAML Assertion Validator. Work with your identity provider to ensure that the SAML assertion and your SSO configuration are valid.
