ramanareddy p
InResponseTo must be empty for Idp-init Browser POST Profile
Hello,
We are getting an SSO login error: the timestamp error #4 (sometimes) and the Miscellaneous format confirmations error #6 (always). Do you have any resolution for this?
Last recorded SAML login failure: 2017-11-17T10:29:53.769Z
Unexpected Exceptions
Ok
1. Validating the Status
Ok
2. Looking for an Authentication Statement
Ok
3. Looking for a Conditions statement
Ok
4. Checking that the timestamps in the assertion are valid (Sometimes)
Current time is after notOnOrAfter in Conditions
Current time is: 2017-11-17T11:26:37.887Z
Time limit in Conditions, adjusted for skew, is: 2017-11-17T10:36:54.207Z
Timestamp of the response is outside of allowed time window
Current time is: 2017-11-17T11:26:37.887Z
Timestamp is: 2017-11-17T10:28:54.207Z
Allowed skew in milliseconds is 480000
Timestamp of the assertion is outside of allowed time window
Current time is: 2017-11-17T11:26:37.887Z
Timestamp is: 2017-11-17T10:28:54.207Z
Allowed skew in milliseconds is 480000
5. Checking that the Attribute namespace matches, if provided
Not Provided
6. Miscellaneous format confirmations
InResponseTo must be empty for Idp-init Browser POST Profile
7. Confirming Issuer matches
Ok
8. Confirming a Subject Confirmation was provided and contains valid timestamps
Ok
9. Checking that the Audience matches
Ok
10. Checking the Recipient
Ok
Organization Id that we expected: 00D4D0000008j6x
Organization Id that we found based on your assertion: 00D4D0000008j6x
11. Validating the Signature
Is the response signed? false
Is the assertion signed? true
Is the correct certificate supplied in the keyinfo? true
Ok
12. Checking that the Site URL Attribute contains a valid site url, if provided
Not Provided
13. Looking for portal and organization id, if provided
Ok
14. Checking if session security level is valid, if provided
Ok
Thank you.
Ramana.
The resolution for this is -
i.e. for example, if the email ID is like Ramana.Reddy@XXXXX.com, then the Federation ID on Single Sign-On should be set up as the same Ramana.Reddy@XXXXX.com
Thank you.
Ramana.
While it's true that FederationID is case sensitive, that's not what causes the errors you showed above for sections 4 and 6. If the FedID can't be matched, you'll see an error message below #14 that says something like "failed to match subject". Instead, if it says "Subject: salesforce.user@domain.name" then the FedID is matching the user.
The time error in #4 is misleading and I wish Salesforce would fix it. It shows the difference between the request time and the time when you're viewing that page. So if you view that page more than 8 minutes (480000 milliseconds) after the user attempted to log in, it will show an error that the timestamp is outside the allowed time window. That's an incorrect error.
For item #6, there are a couple causes and I don't know how to narrow them down. The most common is that the user had the login page open for more than 60 seconds before entering their credentials. Could also be stale browser credential cache. I wish there were better diagnostics that could explain exactly what's wrong here.
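A small diagnostic for the two failing checks in this thread, added here as an example and not part of any post or of Salesforce's validator: it lists which elements of a response carry InResponseTo (an unsolicited, IdP-initiated response must not carry one) and evaluates the timestamp window at a chosen reference time. The SAML document is constructed and its request ID is a placeholder; the timestamps and the 480000 ms skew are the values from the validator output above.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

SKEW = timedelta(milliseconds=480000)  # "Allowed skew" from the validator output

# Constructed sample (not from the thread): an IdP-initiated response that
# wrongly carries InResponseTo. The request ID is a placeholder.
SAMPLE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    IssueInstant="2017-11-17T10:28:54.207Z" InResponseTo="_constructed-request-id">
  <saml:Assertion IssueInstant="2017-11-17T10:28:54.207Z">
    <saml:Subject><saml:SubjectConfirmation>
      <saml:SubjectConfirmationData InResponseTo="_constructed-request-id"/>
    </saml:SubjectConfirmation></saml:Subject>
  </saml:Assertion>
</samlp:Response>"""

def parse_ts(value):
    """Parse a SAML UTC timestamp such as 2017-11-17T10:28:54.207Z."""
    parsed = datetime.strptime(value, "%Y-%m-%dT%H:%M:%S.%fZ")
    return parsed.replace(tzinfo=timezone.utc)

def in_response_to_locations(xml_text):
    """Return local names of elements with a non-empty InResponseTo attribute."""
    root = ET.fromstring(xml_text)
    return [el.tag.split("}")[-1] for el in root.iter() if el.get("InResponseTo")]

def within_window(xml_text, now):
    """True if the Response IssueInstant is within SKEW of the reference time."""
    issued = parse_ts(ET.fromstring(xml_text).get("IssueInstant"))
    return abs(now - issued) <= SKEW

if __name__ == "__main__":
    print("InResponseTo found on:", in_response_to_locations(SAMPLE))
    for label, ts in [("login failure", "2017-11-17T10:29:53.769Z"),
                      ("page viewed", "2017-11-17T11:26:37.887Z")]:
        print(label, ts, "within window:", within_window(SAMPLE, parse_ts(ts)))
```

Evaluated at the recorded login failure time (10:29:53.769Z) the response falls inside the 480000 ms window; evaluated at the 11:26:37.887Z "Current time" from the report it does not.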