Troubleshoot Login Issues with Salesforce Identity for Enablement
If you configure your enablement site to use Salesforce Identity for Enablement authentication, users can sometimes encounter issues when they try to log in. Help resolve any issues your users encounter when they visit your site’s login URL and enter their credentials.
Required Editions
| Available in: Enterprise, Performance, and Unlimited Editions |
| User Roles | |
|---|---|
| This topic supports these enablement site roles: | Salesforce Admins |
Incorrect Salesforce Identity for Enablement Setup
If you know that you entered an incorrect login URL, connected app Consumer Secret, or connected app Consumer Key when you configured Salesforce Identity for Enablement, submit a Salesforce Customer Support case. Provide the corrected details that you want to use for updating your enablement site’s configuration.
Infinite Redirect after Logging In
If a user is caught in an endless redirect loop after logging in, the login URL references the trailhead domain instead of the salesforce domain. For example, the specified login URL is https://subdomain.my.trailhead.com instead of https://subdomain.my.salesforce.com.
To fix the login URL to use the correct domain, submit a Salesforce Customer Support case.
Redirect URI Mismatch
If a user sees a mostly blank page with only the error message redirect_uri_mismatch or similar after logging in, the connected app’s callback URL is incorrect.
To fix the callback URL:
- Create another connected app in your org, and be sure to specify the correct callback URL.
- Submit a Salesforce Customer Support case. Request an update to your enablement site’s Salesforce Identity for Enablement configuration so that it uses the Consumer Secret and Consumer Key values from your new connected app.

Note: Updating your previous connected app with new values doesn’t necessarily solve this issue.
This error can also appear if your org’s list of allowed IP addresses excludes the Sales Enablement outbound IP addresses. Try adding the list of enablement site outbound IP addresses to the org’s allowed addresses. To learn more, check out the Salesforce Knowledge article, Salesforce IP Addresses and Domains to Allow.
Redirect to Trailhead
If a user navigates to Trailhead instead of your enablement site after logging in, no error appears. But the user most likely doesn’t have the correct permissions to access your enablement site.
To resolve this issue, add the user to a permission set that meets these criteria:
- Uses the Enablement Sites (myTrailhead) permission set license.
- Enables access to at least one content collection.
For more information, check out Allow Learners to Access Enablement Site Content Collections.
403 Error
If a user encounters a 403 error code after logging in, a security setting in your org is preventing the user from successfully receiving an OAuth token. This error can occur even when the user entered the correct credentials.
To verify the specific cause, copy the error message shown on the page into a search engine. Some known error messages that can cause this issue include:
- IP allowlist violation
  The user is logging in from an IP address that’s outside of the org’s allowed addresses. To resolve this issue:
  - Verify whether the user can log in from your enablement site’s login URL through a web browser. If they still can’t log in through a browser, continue to the next step.
  - Add the list of enablement site outbound IP addresses to the org’s allowed addresses. To learn more, check out the Salesforce Knowledge article, Salesforce IP Addresses and Domains to Allow.
- User isn’t admin-approved to access this app
  The user doesn’t belong to a profile or permission set that the connected app authorizes.
  To resolve this issue, add the user to a profile or permission set that you selected from the Permitted Users dropdown in the connected app’s OAuth access policies.
If you’re certain that the connected app is configured correctly but users are seeing this error, complete these steps:
- Create another connected app in your org.
- Submit a Salesforce Customer Support case. Request an update to your site’s Salesforce Identity for Enablement configuration so that it uses the Consumer Secret and Consumer Key values from your new connected app.
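The allowlist fix described under Redirect URI Mismatch and 403 Error depends on knowing which enablement site outbound addresses the org’s allowed addresses currently leave out. The following check is an added example, not Salesforce code. It assumes the allowed ranges are recorded as start/end pairs, and every address in it is constructed from documentation ranges; substitute the values from the Salesforce IP Addresses and Domains to Allow article.

```python
import ipaddress

# Constructed sample data (documentation ranges), not real Salesforce addresses.
# ALLOWED: the org's allowed ranges, assumed here to be (start, end) pairs.
ALLOWED = [
    ("192.0.2.0", "192.0.2.127"),
    ("192.0.2.128", "192.0.2.255"),
    ("198.51.100.10", "198.51.100.20"),
]
# OUTBOUND: enablement site outbound addresses, as single IPs or CIDR blocks.
OUTBOUND = ["192.0.2.0/24", "198.51.100.15", "198.51.100.16/29", "203.0.113.7"]


def to_networks(entry):
    """Turn an address, a CIDR block, or a (start, end) pair into networks."""
    if isinstance(entry, tuple):
        start, end = (ipaddress.ip_address(a) for a in entry)
        return list(ipaddress.summarize_address_range(start, end))
    return [ipaddress.ip_network(entry, strict=False)]


def collapse(nets):
    """Merge adjacent and overlapping networks, keeping IPv4 and IPv6 apart."""
    merged = []
    for version in (4, 6):
        merged += ipaddress.collapse_addresses(n for n in nets if n.version == version)
    return merged


def uncovered(outbound, allowed):
    """Return the outbound entries that are not fully inside the allowed ranges."""
    allowed_nets = collapse([n for e in allowed for n in to_networks(e)])
    missing = []
    for entry in outbound:
        for net in to_networks(entry):
            inside = any(
                net.version == a.version and net.subnet_of(a) for a in allowed_nets
            )
            if not inside:
                missing.append(str(net))
    return missing


if __name__ == "__main__":
    for net in uncovered(OUTBOUND, ALLOWED):
        print("not covered by the org's allowed addresses:", net)
```

A block that is only partly inside the allowed ranges, such as the constructed 198.51.100.16/29, is reported as uncovered, because requests from its remaining addresses would still be rejected.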
Invalid Page with an Experience Cloud Site
If your enablement site’s login URL is an Experience Cloud site URL and a user receives an invalid page error after logging in, there’s likely an incomplete SSL certificate chain.
To confirm that an incomplete SSL certificate chain is the cause of the issue, analyze your Experience Cloud site URL at SSL Labs.
To resolve this issue:
- Generate the missing intermediate certificates at https://whatsmychaincert.com, and download the .crt files locally.
- In Salesforce, from Setup, enter certificate in the Quick Find box, and then select Certificate and Key Management.
- Upload the .crt files.

