Troubleshoot SAML Assertion Errors
Use the SAML Assertion Validator to troubleshoot single sign-on (SSO) login problems and identify errors in SAML assertions sent by your identity provider.
Required Editions
| Available in: both Salesforce Classic and Lightning Experience |
Federated Authentication is available in: All Editions Delegated Authentication is available in: Professional, Enterprise, Performance, Unlimited, Developer, and Database.com Editions Authentication Providers are available in: Professional, Enterprise, Performance, Unlimited, and Developer Editions |
| User Permissions Needed | |
|---|---|
| To view the settings: | View Setup and Configuration |
| To edit the settings: | Customize Application AND Modify All Data |
If users have difficulty logging in after you configure Salesforce as a SAML service provider, use the SAML Assertion Validator to find assertion errors.
- Obtain a SAML assertion in plain XML, base-64 encoded, or deflated and base-64 encoded
format from your identity provider.
If a user can’t log in to Salesforce, the invalid SAML assertion is automatically entered into the SAML Assertion Validator, if possible. Some errors prevent the assertion from being entered automatically.
- From Setup, enter Single Sign-On Settings in the Quick Find box, select Single Sign-On Settings, then click SAML Assertion Validator.
- Enter the SAML assertion into the text box, and click Validate.
Note If your org has multiple SAML SSO configurations, the validator tries to detect the right one. You can also select a configuration by clicking the dropdown arrow next to Auto detect config.
- Share the results of the validation errors with your identity provider.
The validator only detects errors related to the SAML assertion. To troubleshoot errors unrelated to the assertion, view the login history.
