          SAML Login Errors

          If users have trouble accessing your org with single sign-on (SSO), use the login history to determine whether it’s a SAML assertion error or a configuration problem. If it’s an assertion-related error, identify specific assertion problems with the SAML Assertion Validator. Work with your identity provider to ensure that the SAML assertion and your SSO configuration are valid.

          Required Editions

          Available in: both Salesforce Classic and Lightning Experience

          Federated Authentication is available in: All Editions

          Delegated Authentication is available in: Professional, Enterprise, Performance, Unlimited, Developer, and Database.com Editions

          Authentication Providers are available in: Professional, Enterprise, Performance, Unlimited, and Developer Editions

          User Permissions Needed
          To view the settings: View Setup and Configuration
          To edit the settings: Customize Application AND Modify All Data

          Login History

          Use the login history to determine whether a login error is related to the SAML assertion or to your SSO configuration.

          If you see any of these errors in the login history, use the SAML Assertion Validator to find the specific error in the assertion.

          Assertion Expired
          The timestamp on the assertion is too old.
          Assertion Invalid
          Something is wrong with the assertion, like a missing <Subject> element.
          Audience Invalid
          The value specified in <Audience> doesn’t match the Entity ID that you specified during SSO configuration.

          If you see any of these errors in the login history, check your SSO settings for a configuration problem. From Setup, in the Quick Find box, enter Single Sign-On Settings, and then select Single Sign-On Settings. Get a sample SAML assertion from your identity provider, and confirm that you have the right information in your configuration. If your configuration is correct, run the sample assertion through the SAML Assertion Validator.

          Configuration Error/Perm Disabled
          Something is wrong with your SAML configuration in Salesforce. For example, the certificate that you uploaded is corrupt, or you disabled SAML in your org’s Single Sign-On Settings.
          Issuer Mismatched
          Check that the issuer specified in your configuration matches the issuer in the assertion.
          Recipient Mismatched
          Check that the recipient specified in your configuration matches the recipient in the assertion.
          Replay Detected
          Every assertion has a unique ID. This error means that Salesforce detected a repeat assertion ID.
          Signature Invalid
          The certificate that you uploaded during configuration failed to validate the signature in the assertion. Work with your identity provider to confirm that you have the right certificate.
          Subject Confirmation Error
          Check that the <Subject> specified in your configuration matches the <Subject> in the assertion.

          SAML Assertion Validator

          When you run the SAML Assertion Validator, it checks the assertion against Salesforce’s validity requirements and tells you whether the assertion met each requirement. Salesforce imposes these validity requirements on assertions, shown here in the order that they appear on the results page.

          Status
          The status field in the SAML response must indicate success.
          Authentication Statement
          The identity provider must include an <AuthenticationStatement> in the assertion.
          Conditions Statement
          Some assertions use a <Conditions> statement to constrain the time period when the assertion is valid, called the validity period. If the assertion contains a <Conditions> statement with a timestamp, the timestamp must be valid.
          Timestamps
          The identity provider generates a timestamp to indicate when it sent the assertion. Salesforce must receive the assertion from your identity provider within 5 minutes of the timestamp, plus or minus 3 minutes. In practice, this constraint means Salesforce can receive the assertion up to 8 minutes after the timestamp or 3 minutes before it. If the assertion specifies a shorter validity period, the validator checks this requirement too. The NotBefore and NotOnOrAfter constraints must also be defined and valid.
          Attribute
          If you set your Salesforce configuration to Identity is in an Attribute element, the assertion from the identity provider must contain an <AttributeStatement>.
          Only <AttributeName> is required.
          Format
          The Format attribute of an <Issuer> statement must be set to "urn:oasis:names:tc:SAML:2.0:nameid-format:entity" or not set at all.

          For example:

          <saml:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">https://www.salesforce.com</saml:Issuer>

          This example is also valid:

          <saml:Issuer>https://www.salesforce.com</saml:Issuer>
          Issuer
          The issuer specified in the assertion must match the issuer you specified when you configured Salesforce.
          Subject
          The subject of the assertion must be either the Salesforce username or the Federation ID of the user.
          Audience
          The assertion must contain an <Audience> value that matches the Entity ID you specified in your configuration. The default value is https://saml.salesforce.com.
          Recipient
          The assertion must contain a recipient that matches either the Salesforce login URL you specified in the Salesforce configuration or the OAuth 2.0 token endpoint.
          Signature
          The assertion must include a valid signature. The signature must be created using the private key associated with the certificate you uploaded when you configured SSO. We recommend that your identity provider signs the response body and the assertion. During SSO, when Salesforce receives the SAML response, it first looks for a signature in the response body. If the response body has a valid signature, the assertion is considered to have a valid signature. If the signature in the response body is missing or invalid, Salesforce looks for a signature in the assertion itself.
          Site URL Attribute
          Valid values are:
          • Not Provided
          • Checked
          • Site URL is invalid
          • HTTPS is required for Site URL
          • The specified Site is inactive or has exceeded its page limit
          Portal and Organization ID
          Optional. For SAML login into a portal, the recipient and organization ID in the assertion must match the recipient and organization ID specified in your SSO configuration.
          Session Security Level
          Optional. Session security level describes how secure a user session is. If you configured session security settings, the session security level in the assertion must match your configuration.
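The following is an added example and is not Salesforce's code or the SAML Assertion Validator itself. It applies the checks described in the two lists above (the login-history errors and the validator's requirements) to a constructed SAML response and labels each failure with the article's error name: Replay Detected, Assertion Expired, Audience Invalid, Issuer Mismatched, Recipient Mismatched, and Assertion Invalid for a missing <Subject> or missing NotBefore/NotOnOrAfter. The identity provider entity ID https://idp.example.com, the recipient https://login.salesforce.com, the sample response, and the class and function names are all assumptions. Signature verification is left out on purpose: reproducing the Signature Invalid check faithfully needs an XML-DSig implementation and the identity provider's certificate, so that part is not shown here.

```python
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "samlp": "urn:oasis:names:tc:SAML:2.0:protocol"}
ENTITY_FORMAT = "urn:oasis:names:tc:SAML:2.0:nameid-format:entity"
# Timing rule from the article: within 5 minutes of the timestamp, plus or minus
# 3 minutes of clock skew, so at most 8 minutes after it and 3 minutes before it.
MAX_AGE, SKEW = timedelta(minutes=5), timedelta(minutes=3)


def parse_time(value):
    """SAML timestamps are xs:dateTime in UTC, e.g. 2024-05-01T10:00:00Z."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


class SamlChecker:
    """Hypothetical checker: applies the article's rules, reports its error names."""

    def __init__(self, issuer, audience, recipients):
        self.issuer, self.audience = issuer, audience
        self.recipients = set(recipients)
        self.seen_ids = set()  # replay cache; a real SP needs a shared, expiring store

    def check(self, response_xml, now):
        errors = []

        def add(e):  # keep each error name once
            if e not in errors:
                errors.append(e)

        root = ET.fromstring(response_xml)
        code = root.find("samlp:Status/samlp:StatusCode", NS)
        if code is None or not code.get("Value", "").endswith(":Success"):
            add("Status not Success")
        a = root.find("saml:Assertion", NS)
        if a is None:
            return ["Assertion Invalid"]
        # Replay Detected: every assertion ID may be accepted exactly once.
        aid = a.get("ID")
        if not aid or aid in self.seen_ids:
            add("Replay Detected")
        else:
            self.seen_ids.add(aid)
        # Assertion Expired: IssueInstant window, then the Conditions validity period.
        issued = parse_time(a.get("IssueInstant"))
        if now > issued + MAX_AGE + SKEW or now < issued - SKEW:
            add("Assertion Expired")
        cond = a.find("saml:Conditions", NS)
        if cond is None or not (cond.get("NotBefore") and cond.get("NotOnOrAfter")):
            add("Assertion Invalid")  # NotBefore and NotOnOrAfter must be defined
        else:
            if not parse_time(cond.get("NotBefore")) <= now < parse_time(cond.get("NotOnOrAfter")):
                add("Assertion Expired")
            aud = cond.find("saml:AudienceRestriction/saml:Audience", NS)
            if aud is None or aud.text != self.audience:
                add("Audience Invalid")
        # Issuer Mismatched, plus the Format attribute rule for <Issuer>.
        issuer = a.find("saml:Issuer", NS)
        if issuer is None or issuer.text != self.issuer:
            add("Issuer Mismatched")
        elif issuer.get("Format") not in (None, ENTITY_FORMAT):
            add("Issuer Format invalid")
        # <Subject> must exist; its Recipient must match a configured login URL.
        subject = a.find("saml:Subject", NS)
        if subject is None:
            add("Assertion Invalid")
        else:
            scd = subject.find("saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
            if scd is None or scd.get("Recipient") not in self.recipients:
                add("Recipient Mismatched")
        if a.find("saml:AuthnStatement", NS) is None:
            add("Authentication Statement missing")
        return errors


# Constructed sample response (not captured from any real identity provider).
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_resp1" Version="2.0"
    IssueInstant="2024-05-01T10:00:00Z">
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-05-01T10:00:00Z">
    <saml:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">https://idp.example.com</saml:Issuer>
    <saml:Subject>
      <saml:NameID>jdoe@example.com</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData Recipient="https://login.salesforce.com" NotOnOrAfter="2024-05-01T10:05:00Z"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions NotBefore="2024-05-01T09:57:00Z" NotOnOrAfter="2024-05-01T10:05:00Z">
      <saml:AudienceRestriction><saml:Audience>https://saml.salesforce.com</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AuthnStatement AuthnInstant="2024-05-01T10:00:00Z"/>
  </saml:Assertion>
</samlp:Response>"""


def run_demo():
    """Returns (fresh, replayed, late, wrong_audience) results for SAMPLE_RESPONSE."""
    cfg = dict(issuer="https://idp.example.com", audience="https://saml.salesforce.com",
               recipients=["https://login.salesforce.com"])
    now = datetime(2024, 5, 1, 10, 1, tzinfo=timezone.utc)
    checker = SamlChecker(**cfg)
    fresh = checker.check(SAMPLE_RESPONSE, now)        # accepted: no errors
    replayed = checker.check(SAMPLE_RESPONSE, now)     # same ID presented twice
    late = SamlChecker(**cfg).check(SAMPLE_RESPONSE, now + timedelta(minutes=20))
    wrong_aud = SamlChecker(**{**cfg, "audience": "https://example.com"}).check(SAMPLE_RESPONSE, now)
    return fresh, replayed, late, wrong_aud


if __name__ == "__main__":
    print(run_demo())
```

The replay cache is the part most worth getting right in a real service provider: it has to be shared across all nodes that accept logins and must keep IDs at least as long as the assertion's NotOnOrAfter, otherwise a reused assertion can slip through on a different node or after a restart. When the checker flags Assertion Expired, compare the identity provider's clock against the service provider's before touching the SSO configuration, since the 8-minute/3-minute window in the article already allows for a few minutes of skew.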