Li Lin 7

Random SSO Issues with SAML Assertion Validator Error

We have seen the SSO errors with Salesforce happen sporadically. Any advice?  Here is the error I get:

Single Sign-On Error
We can't log you in. Check for an invalid assertion in the SAML Assertion Validator (available in Single Sign-On Settings) or check the login history for failed logins.

The logins will work in subsequent attempts. Here's what I've found in the login history. As you can see, the logins succeed and fail randomly:

| Username | Login Time (Eastern Daylight Time) | Source IP | Login Type | Status | Browser | Platform | Application | Client Version | API Type | API Version | Login URL | TLS Protocol | TLS Cipher Suite | Country Code | Country | Subdivision | City | PostalCode | Latitude | Longitude |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| abc@abc.com | 1/19/2017 9:30 | 209.36.16.130 | SAML Sfdc Initiated SSO | Success | Chrome 55 | Windows 7 | Browser | N/A | N/A | N/A | abc.my.salesforce.com | TLS 1.2 | ECDHE-RSA-AES256-GCM-SHA384 | US | United States | Rhode Island | West Warwick | 2893 | 41.697 | -71.5254 |
| abc@abc.com | 1/19/2017 9:05 | 209.36.16.130 | SAML Sfdc Initiated SSO | Failed: InResponseTo Invalid | Chrome 55 | Windows 7 | Browser | N/A | N/A | N/A | abc.my.salesforce.com | TLS 1.2 | ECDHE-RSA-AES256-GCM-SHA384 | | | | | | | |
| abc@abc.com | 1/19/2017 9:05 | 209.36.16.130 | SAML Sfdc Initiated SSO | Failed: InResponseTo Invalid | Chrome 55 | Windows 7 | Browser | N/A | N/A | N/A | abc.my.salesforce.com | TLS 1.2 | ECDHE-RSA-AES256-GCM-SHA384 | | | | | | | |
| abc@abc.com | 1/19/2017 9:02 | 209.36.16.130 | SAML Sfdc Initiated SSO | Success | Chrome 55 | Windows 7 | Browser | N/A | N/A | N/A | abc.my.salesforce.com | TLS 1.2 | ECDHE-RSA-AES256-GCM-SHA384 | US | United States | Rhode Island | West Warwick | 2893 | 41.697 | -71.5254 |
| abc@abc.com | 1/19/2017 8:56 | 209.36.16.130 | SAML Sfdc Initiated SSO | Failed: InResponseTo Invalid | Chrome 55 | Windows 7 | Browser | N/A | N/A | N/A | abc.my.salesforce.com | TLS 1.2 | ECDHE-RSA-AES256-GCM-SHA384 | | | | | | | |
Andy Shelton 19
Any luck getting to the bottom of this? We have also been getting random "SAML Sfdc Initiated SSO" login errors with some of our users.

 
Michael Davis 15
Just started seeing this 'Failed: InResponseTo Invalid' error today with a single user. User can turn around and sign on successfully 20 seconds later. Any ideas on what is causing this or how to correct/fix it?
Thomas Hoeger

What's the lifetime of your SAML assertions?

What's the time sync of your SAML server and your client? 

I have observed these errors when the platform treats the SAML assertion as expired... if anything else is indeed valid.

Michael Davis 15
How would I find the answers to those questions?  
Thomas Hoeger
You need to capture the SAML assertion on the user's browser, e.g. using a Chrome plugin.
Alongside that, also check the time of the client and the server for differences.

In the SAML assertion you will find a tag like this:
<saml:Assertion ID="idS65Ce0_q_UenJP4MWmrMhhirwzQ"
                  IssueInstant="2018-10-22T08:32:09Z"
                  Version="2.0">
giving you the time when it was issued,
and as well, usually a bit further down in it, a tag with
<saml:Conditions NotBefore="2018-10-22T08:27:09Z"
                     NotOnOrAfter="2018-10-22T08:37:09Z">
showing the time slot of validity for this assertion.

In the above example it is the time of issuing the assertion +/- 5 minutes. This time interval is adjusted on the server - as e.g. mentioned here: https://ping.force.com/Support/PingFederate/Administration/Accounting-for-Time-Drift-Between-SAML-Endpoints50907
See also:
https://stackoverflow.com/questions/29508906/notonorafter-in-subjectconfirmationdata-and-conditions-and-sessionnotonorafter

So - in your case check the validity slot, potential network runtimes and see if this helps you understand the behavior.
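An added example (not code from this thread, from Salesforce or from PingFederate) that puts the two checks discussed above into code: it parses a constructed SAML response built around the assertion ID and timestamps quoted in the post, and reports whether a service provider would reject it for an InResponseTo it has no record of or for falling outside the Conditions window once a clock-skew tolerance is applied. The request ID `_req_42`, the response ID, the subject data and the `skew_seconds` parameter are assumptions.

```python
"""Check a SAML 2.0 response for the two failure causes discussed in this thread:
an unknown InResponseTo and an assertion outside its NotBefore/NotOnOrAfter window."""
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"

# Constructed sample response: request/response IDs and subject data are made up;
# the assertion ID and timestamps are the ones quoted in the thread.
SAMPLE_RESPONSE = f"""<samlp:Response xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" ID="_resp_1"
    InResponseTo="_req_42" IssueInstant="2018-10-22T08:32:09Z" Version="2.0">
  <saml:Assertion ID="idS65Ce0_q_UenJP4MWmrMhhirwzQ" IssueInstant="2018-10-22T08:32:09Z" Version="2.0">
    <saml:Subject>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData InResponseTo="_req_42" NotOnOrAfter="2018-10-22T08:37:09Z"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions NotBefore="2018-10-22T08:27:09Z" NotOnOrAfter="2018-10-22T08:37:09Z"/>
  </saml:Assertion>
</samlp:Response>"""


def parse_time(value):
    """SAML timestamps are xs:dateTime in UTC with a trailing Z."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def validate(response_xml, outstanding_request_ids, now, skew_seconds=0):
    """Return a list of problems; an empty list means both checks pass.

    outstanding_request_ids: AuthnRequest IDs the SP issued and has not yet consumed.
    now: the SP's clock; skew_seconds: tolerated drift, widening the window on both ends.
    """
    skew = timedelta(seconds=skew_seconds)
    assertion = ET.fromstring(response_xml).find(f"{{{SAML}}}Assertion")
    problems = []
    # SP-initiated SSO: the assertion must answer a request the SP still remembers.
    scd = assertion.find(f".//{{{SAML}}}SubjectConfirmationData")
    in_response_to = scd.get("InResponseTo")
    if in_response_to not in outstanding_request_ids:
        problems.append(f"InResponseTo Invalid: no outstanding request {in_response_to!r}")
    # Conditions window: NotBefore is inclusive, NotOnOrAfter is exclusive.
    cond = assertion.find(f"{{{SAML}}}Conditions")
    not_before = parse_time(cond.get("NotBefore"))
    not_on_or_after = parse_time(cond.get("NotOnOrAfter"))
    if now + skew < not_before:
        problems.append(f"not yet valid: SP clock {now:%H:%M:%S} is before NotBefore {not_before:%H:%M:%S}")
    if now - skew >= not_on_or_after:
        problems.append(f"expired: SP clock {now:%H:%M:%S} is at/after NotOnOrAfter {not_on_or_after:%H:%M:%S}")
    return problems
```

Running the same assertion against a clock set a minute too early or too late, once with `skew_seconds=0` and once with a two-minute tolerance, shows how a small drift between IdP and SP turns into intermittent failures.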