
SSO Authentication Error Scenarios for Salesforce Voice

Publish Date: Apr 14, 2026
Description

NOTE: This article is only applicable to Salesforce Voice (formerly Service Cloud Voice) with Amazon Connect or Salesforce Voice with Partner Telephony using Amazon Connect contact centers.

When a contact center user opens a console-app page with Omni-Channel present, Salesforce initiates the user's SSO authentication to Amazon Connect in the background.
If the background SSO authentication fails, the user continues to see a grayed-out Dial-Pad in the Omni-Channel widget despite being in an Available/Busy status.

This SSO authentication process can be tested manually, with visible progress, to identify & resolve any configuration-level issue for such a user and allow them to authenticate successfully to Amazon Connect.

 

Pre-requisites :-

  1. As a Contact Center / Salesforce Admin, navigate to Salesforce Setup & search 'Contact Centers' in Quick Find
  2. Click on 'Amazon Contact Centers' or 'Partner Telephony Contact Centers' (based on your configured Telephony Model for Salesforce Voice)
  3. Identify your Contact Center in the list, right click on its 'Telephony Provider Settings' link and click on 'Copy Link Address'
  4. Save the copied link in a notepad & share the link with the affected user

 

Steps to follow for the affected User :-

Open the 'Telephony Provider Settings' link shared by your admin in a new browser tab & observe the screen for any error page as mentioned below :-

    • Error Message #1
      • Message : Insufficient Privileges

      • Cause : This could happen due to the user lacking access to the Contact Center's SSO Connected App with either of the following :

        • User’s Salesforce Profile is not added to the SSO Connected App's 'Manage' page

        • No permission set (like 'Salesforce Voice Permission Set') is assigned to the user that allows them access to the SSO Connected App

      • Resolution : Perform either of the following steps to resolve this problem :

        • Add the user’s Salesforce Profile to the SSO Connected App’s access on its ‘Manage’ page

        • Assign a permission set (like 'Salesforce Voice Permission Set') to the user that allows access to the SSO Connected App

     

    • Error Message #2
      • Message : Data Not Available - The data you were trying to access could not be found. It may be due to another user deleting the data or a system error. If you know the data is not deleted but cannot access it, please look at our support page.

      • Cause : This could happen due to deletion of the self-signed certificate that is selected in the Contact Center's SSO Connected App, leading to a bad reference while SAML XML is being generated by the connected app for the user. To validate this:

        • Navigate to "{contact_center_internal_name} Connected App" and Edit it
        • If 'Idp Certificate' field shows a "0P1......" Id instead of the certificate's name/label, the linked certificate was deleted by a user
      • Resolution : Create / identify another self-signed certificate in [Setup --> Certificate and Key Management] & update it as the chosen certificate in 'Idp Certificate' field of your "{contact_center_internal_name} Connected App".

     

    • Error Message #3
      • Message : Response signature invalid (Service: AWSSecurityTokenV20111201; Status Code: 400; Error Code: InvalidIdentityToken; Request ID: ********-****-****-****-************; Proxy: null). Please try again.

     

      • Cause : Certificate mismatch between Salesforce Connected App & AWS-side SAML metadata

      • Resolution :

        • Check if the certificate has expired

        • If the certificate has not expired,

          • First ensure that both Salesforce Identity Provider & Contact Center's SSO Connected App are using the same self-signed certificate

          • Download SAML metadata XML from Salesforce Identity Provider page & replace SAML metadata in [AWS Management Console → IAM → Identity Provider → SalesforceServiceVoiceIdp → "Replace Metadata"]

     

    • Error Message #4
      • Message : Issuer not present in specified provider (Service: AWSOpenIdDiscoveryService; Status Code: 400; Error Code: AuthSamlInvalidSamlResponseException; Request ID: ********-****-****-****-************; Proxy: null) (Service: AWSSecurityTokenV20111201; Status Code: 400; Error Code: InvalidIdentityToken; Request ID: ********-****-****-****-************; Proxy: null). Please try again.

     

      • Cause : SAML metadata has a mismatch between Salesforce Connected App & AWS-side Identity Provider: the "Issuer" passed by the Connected App does not match the "Issuer" (EntityId XML attribute) present in the AWS-side Identity Provider's SAML metadata

      • Resolution :

        • Navigate to the SSO Connected App 'View' page and ensure that "Issuer" field is blank — this will force the connected app to use Org MyDomain as the issuer value
          • Additionally, verify if the "Issuer" field on 'Manage' page for SSO Connected App is also the Org’s MyDomain value
        • Verify that the Salesforce Identity Provider’s Issuer field is set to Org MyDomain (this is to avoid this problem in future due to any Contact Center create/update operation)
        • Download SAML metadata XML from Salesforce Identity Provider page & replace SAML metadata in [AWS Management Console → IAM → Identity Provider → SalesforceServiceVoiceIdp → "Replace Metadata"]

     

    • Error Message #5
      • Message : Access denied
        Your account has been authenticated, but has not been onboarded to this application. Contact your Administrator to onboard to Amazon Connect and try again.

     

      • Cause : User is not added to the Contact Center (as per Amazon Connect configuration)

      • Resolution :

        • Ensure that user has the correct Contact Center Admin/Agent permission-set assigned and is successfully added to the Contact Center under “Contact Center Users” section

        • If the user is already part of the Salesforce Contact Center and still observes this issue, try removing & re-adding the user to the contact center to sync Amazon Connect's user configuration
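
A check for the two metadata mismatches behind Error Message #3 and Error Message #4, as an added example that is not part of the original article or Salesforce/AWS tooling: it compares the issuer (entityID) and the signing-certificate fingerprints of the metadata downloaded from the Salesforce Identity Provider page against the AWS-side copy. The function names, the sample URLs and the stand-in certificate bytes are constructed for illustration.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

def summarize(metadata_xml):
    """Return (entityID, set of SHA-256 fingerprints of the signing certs)."""
    root = ET.fromstring(metadata_xml)
    if root.tag != "{%s}EntityDescriptor" % NS["md"]:
        root = root.find("md:EntityDescriptor", NS)  # EntitiesDescriptor wrapper
        if root is None:
            raise ValueError("no EntityDescriptor in metadata")
    prints = set()
    for kd in root.iterfind(".//md:KeyDescriptor", NS):
        if kd.get("use", "signing") != "signing":
            continue  # encryption-only key, not used to verify the response
        for cert in kd.iterfind(".//ds:X509Certificate", NS):
            der = base64.b64decode("".join((cert.text or "").split()))
            prints.add(hashlib.sha256(der).hexdigest())
    return root.get("entityID"), prints

def compare(salesforce_xml, aws_xml):
    """List the mismatches that map to Error Message #3 and #4."""
    sf_issuer, sf_certs = summarize(salesforce_xml)
    aws_issuer, aws_certs = summarize(aws_xml)
    findings = []
    if not sf_certs or not sf_certs <= aws_certs:
        findings.append("Error #3: Salesforce signing certificate is not in the AWS-side metadata")
    if sf_issuer != aws_issuer:
        findings.append("Error #4: issuer %r does not match AWS-side entityID %r" % (sf_issuer, aws_issuer))
    return findings

def sample_metadata(entity_id, cert_bytes):
    """Constructed metadata; cert_bytes stands in for a DER certificate."""
    return ('<md:EntityDescriptor xmlns:md="%s" xmlns:ds="%s" entityID="%s">'
            '<md:IDPSSODescriptor protocolSupportEnumeration='
            '"urn:oasis:names:tc:SAML:2.0:protocol">'
            '<md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>'
            '<ds:X509Certificate>%s</ds:X509Certificate></ds:X509Data>'
            '</ds:KeyInfo></md:KeyDescriptor></md:IDPSSODescriptor>'
            '</md:EntityDescriptor>'
            % (NS["md"], NS["ds"], entity_id, base64.b64encode(cert_bytes).decode()))

if __name__ == "__main__":
    aws = sample_metadata("https://example.my.salesforce.com", b"constructed cert A")
    sf = sample_metadata("https://other.example.com", b"constructed cert B")
    for line in compare(sf, aws) or ["metadata matches"]:
        print(line)
```

An empty result from `compare` means both copies agree on issuer and signing certificate; certificate expiry is not checked here and still needs to be confirmed in Certificate and Key Management.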

     

    Resolution

    After all resolution steps are taken as per the error scenarios listed above, the user can open the 'Telephony Provider Settings' link again and it should take them to the Amazon Connect Home Page.

     

    Note: Make sure to click on your Amazon Connect username in the top-right corner to log out of Amazon Connect, and then perform the following steps before attempting to log in again in Omni-Channel :-

    1. Open the Console App page with Omni-Channel added & open Browser Developer Tools
    2. Right-click on the Browser's refresh button beside the URL bar & choose 'Empty cache & hard reload'
    3. Let the Console App page load fully and then change your status in Omni-Channel to Busy/Available for Voice Calls

     

    Is your Omni-Channel dial-pad still grayed-out despite successful manual SSO Authentication test for your user?
    Check the following Knowledge Article to validate if your contact center has a metadata-level problem restricting the loading of Amazon's CCP panel in the background:
    Salesforce Voice: Amazon Connect CCP loading issue with "net::ERR_NAME_NOT_RESOLVED" error

    Knowledge Article Number

    005316458

     
    Salesforce Help | Article