reeti bibhuti

JIT Not working for Internal Users

Hello,
I set up the JIT SSO configuration for communities and am passing these attributes:
Contact.Email
Contact.LastName
User.Email
User.FederationIdentifier
User.LastName
User.ProfileId
User.Username
eduPersonPrincipalName
email
givenName
surname
uid
External users can log in and it also creates a new community user, but for existing internal users I am getting errors:
https://abc.my.salesforce.com/_nc_external/identity/saml/SamlError?ErrorCode=5&ErrorDescription=Unable+to+create+user&ErrorDetails=Changing+User+Type+from+Standard+to+MSSC+Community+Portal+Login+User+is+not+allowed.+Select+a+different+profile.
Anudeep (Salesforce Developers)
reeti bibhuti
Thank you Andrew, I do have the SAML tracker, but my issue is how I can prevent JIT from updating the existing users?
Shalu Gangwar 15
I think, Reeti, you are trying to create a new standard user; however, in order to use JIT for the internal users you need to pass only the user information.
They can use the same credentials for logging in to the org as well as to the community, so there is no need to pass contact and account information.

Below are the user details which you need to pass in order to create a standard user using JIT; if you want to update more fields of the user then just add them:-
User.Username=test2@test.com;
User.Email=test2@salesforce.com;
User.LastName=test2last;
User.ProfileId=Standard User
reeti bibhuti
Thank you Shalu. No, I want to create a community user through JIT, but at the same time I want an internal user to be able to log in to the Community through SSO. I am not getting any error for new users; JIT is creating new users, but it doesn't allow existing users to log in whose profile is not a community profile.
Shalu Gangwar 15
What parameters are you passing for the standard user? Are you using federation ID or username for authentication purposes?
reeti bibhuti
Federation id
Shalu Gangwar 15
What parameters are you passing for the standard user?
reeti bibhuti
Hello Shalu, I didn't understand the questions. Do you think we can pass different parameters for internal users and community users?
Shalu Gangwar 15
Yes, you need to pass different parameters for internal users and community users.

Thanks
reeti bibhuti
Can you please tell me how? Or is there any help document whose steps I can follow? I am not following what you are suggesting. And where can I pass the attributes? Do I need to write any Apex class for this?
Shalu Gangwar 15
You can refer to the article below for internal users:-
https://developer.salesforce.com/docs/atlas.en-us.sso.meta/sso/sso_jit_requirements.htm

You can refer to the article below for portal users:-
https://developer.salesforce.com/docs/atlas.en-us.sso.meta/sso/sso_jit_portal_requirements.htm

For a Standard User, below are the fields which you need to pass; if you want to add more then refer to the article above:-

User.Username=test2@test.com;
User.Email=test2@salesforce.com;
User.LastName=test2last;
User.ProfileId=Standard User

For a Portal User, below are the fields which you need to pass; if you want to add more then refer to the article above:-
Contact.Account=001U0000004Pqwau200Bt;
Contact.LastName=user8;
Contact.Email=customeruser8@cmort.org;
User.LastName=user8;
User.Email=customeruser8@cmort.org;
User.Username=customeruser8@cmort.org;
User.ProfileId=00eU0000000MKc9;
User.PortalRole=Worker

Which third party are you using as an IdP, and how are you testing the scenario for the community user?

reeti bibhuti
You mean to set up two SSOs for one community? We are using Shibboleth. Can we please schedule a meeting to find the solution?
Shalu Gangwar 15
No, you can use the same SSO; however, the parameters which are sent from Shibboleth will be different for the standard user and the community user.
reeti bibhuti
Hello Shalu, how can the IdP distinguish between two usernames, two emails, two profiles, and the user's LastName?
Shalu Gangwar 15
The IdP can distinguish on the basis of federation id and then through profile, so that they can make an update call.

I think the best option will be to reach out to your IdP to help you further, as every IdP has a different setup.
Shalu Gangwar 15
Hi Reeti, if you got the answer then mark my answer as the best answer so that it helps others.
reeti bibhuti
Hello Shalu, please see the answer from my IDP:
Unless you have separate SPs set up for employees and students, Shibboleth will return both sets of attributes for all users since it has no way of knowing who is who or to withhold any attributes. Is this what you really want?
Students: Community profile users
Employees: Salesforce Standard profiles
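As an added illustration (not code from the thread or from Salesforce), the check below models the rule the thread arrives at: an existing internal (Standard) user must not be sent the portal attribute set (Contact.*, User.PortalRole) that Shalu lists, which is exactly what happens when Shibboleth releases both sets for every user as the IdP explains. It parses a constructed SAML assertion's AttributeStatement and reports the conflict that would surface as the "Changing User Type from Standard..." error; the federation ids, profile id and user directory are made-up placeholders, and Salesforce's own JIT logic is not reproduced.

```python
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Attribute names from the thread: the portal-user JIT set contains Contact.* and
# User.PortalRole, which an existing standard (internal) user must never receive.
PORTAL_ONLY_ATTRS = {"Contact.Account", "Contact.LastName", "Contact.Email", "User.PortalRole"}
STANDARD_REQUIRED = {"User.Username", "User.Email", "User.LastName", "User.ProfileId"}

# Constructed directory of users already in the org, keyed by federation id (placeholder values).
EXISTING_USERS = {"emp1": "standard", "stu1": "community"}

def parse_attributes(assertion_xml):
    """Return {attribute Name: first value} from a SAML 2.0 AttributeStatement."""
    root = ET.fromstring(assertion_xml)
    attrs = {}
    for attr in root.findall(".//saml:AttributeStatement/saml:Attribute", SAML_NS):
        value = attr.find("saml:AttributeValue", SAML_NS)
        attrs[attr.get("Name")] = (value.text or "").strip() if value is not None else ""
    return attrs

def jit_problems(attrs, existing_users=EXISTING_USERS):
    """List why JIT would reject this assertion, per the thread's findings."""
    problems = []
    present = set(attrs)
    missing = STANDARD_REQUIRED - present
    if missing:
        problems.append("missing required user attributes: " + ", ".join(sorted(missing)))
    existing = existing_users.get(attrs.get("User.FederationIdentifier"))
    portal_attrs = PORTAL_ONLY_ATTRS & present
    if existing == "standard" and portal_attrs:
        # The ErrorCode=5 case: JIT would try to turn a Standard user into a portal user.
        problems.append("existing standard user sent portal attributes: " + ", ".join(sorted(portal_attrs)))
    return problems

# Constructed assertion: the IdP releasing BOTH attribute sets for an employee,
# which is what happens without separate SPs for employees and students.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
 <saml:AttributeStatement>
  <saml:Attribute Name="User.FederationIdentifier"><saml:AttributeValue>emp1</saml:AttributeValue></saml:Attribute>
  <saml:Attribute Name="User.Username"><saml:AttributeValue>emp1@example.edu</saml:AttributeValue></saml:Attribute>
  <saml:Attribute Name="User.Email"><saml:AttributeValue>emp1@example.edu</saml:AttributeValue></saml:Attribute>
  <saml:Attribute Name="User.LastName"><saml:AttributeValue>Doe</saml:AttributeValue></saml:Attribute>
  <saml:Attribute Name="User.ProfileId"><saml:AttributeValue>00ePLACEHOLDER</saml:AttributeValue></saml:Attribute>
  <saml:Attribute Name="Contact.LastName"><saml:AttributeValue>Doe</saml:AttributeValue></saml:Attribute>
  <saml:Attribute Name="User.PortalRole"><saml:AttributeValue>Worker</saml:AttributeValue></saml:Attribute>
 </saml:AttributeStatement>
</saml:Assertion>"""
```

Running `jit_problems(parse_attributes(SAMPLE_ASSERTION))` flags the employee assertion, while the same attributes for the community user `stu1` pass, which is the split the thread says the IdP must produce.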