saarikogmail

Unable to map the subject to a Salesforce.com user - Error with Google as IdP

I have enabled SSO login.
When I log in, I get the error:

Setup is correct.
The SAML Validator results are OK
Last recorded SAML login failure: 2020-05-05T16:43:31.001Z
Unexpected Exceptions
  Ok
1. Validating the Status
  Ok
2. Looking for an Authentication Statement
  Ok
3. Looking for a Conditions statement
  Ok
4. Checking that the timestamps in the assertion are valid
  Ok
5. Checking that the Attribute namespace matches, if provided
  Not Provided
6. Miscellaneous format confirmations
  Ok
7. Confirming Issuer matches
  Ok
8. Confirming a Subject Confirmation was provided and contains valid timestamps
  Ok
9. Checking that the Audience matches
  Ok
10. Checking the Recipient
  Ok
11. Validating the Signature
  Is the response signed? false
  Is the assertion signed? true
  Is the correct certificate supplied in the keyinfo? true
  Ok
12. Checking that the Site URL Attribute contains a valid site url, if provided
  Not Provided
13. Looking for portal and organization id, if provided
  Ok
14. Checking if session security level is valid, if provided
  Ok

But, last row shows:
Subject: masked@hidden.com
Unable to map the subject to a Salesforce.com user
AssertionId: _961716652b448f70e502193d01f1dd0f

The subject is a correct user name. I put the same value in the 'Federation ID' field on the User object.

Any ideas what the issue can be?

It feels like SF is not completing the action. Or have I missed a step?
Vinay (Salesforce Developers)
Hi,

Can you re-check the Federation ID? It is case sensitive.

Review the link below.

https://success.salesforce.com/answers?id=90630000000gpzrAAA

Hope the above information was helpful.

Please mark as Best Answer so that it can help others in the future.

Thanks,
Vinay Kumar
Anudeep (Salesforce Developers)
Hi, 

"Unable to map the subject to a Salesforce.com user" is mostly a case sensitivity issue. Can you check the SAML response? What subject do you see?

Check user in your org and compare it with the Subject: masked@hidden.com

I have experienced such issues in the past. For example abc.xyz@test.co.uk was being used instead of Abc.Xyz@test.co.uk

Your IdP username should always match your Salesforce username.

If you find this information helpful, please mark this as solved by selecting this answer as best. It may help others in the community.

Anudeep 
saarikogmail
Thank you both @Anudeep and @Vinay for the suggestions.
  1. I am not sure how to check the SAML response, besides using the SAML validator.
    1. I use Google IdP, if this can help get the answer.
  2. My email and user name are all lower case in the Google admin console, the same as my SF username.
  3. I took the email from the subject error message and pasted that into the Federation ID field. Still got the same error.
thank you for looking into this further.
saarikogmail
Eureka!!!
Your answers made me read the settings again.
In the SAML settings, there are 3 options:
  • Assertion contains the User's Salesforce username
  • Assertion contains the Federation ID from the User object
  • Assertion contains the User ID from the User object
Initially, #3 was selected. I replaced that with #2 and it works.
#3 needs the 15/18-character ID of the User object.
#1 might not be the same.

thank you
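The two threads of advice above, Anudeep's "check the SAML response and compare the Subject case-sensitively" and the OP's finding that the chosen SAML Identity Type must match what the IdP actually sends, can be walked through offline. The script below is an added example, not Salesforce or Google code: it decodes a constructed SAMLResponse value, pulls out the Assertion ID and Subject NameID, and checks that NameID against an invented User record under each of the three identity-type settings. Comparisons are exact and case-sensitive; a match that differs only by case is reported as a hint rather than as success. The 15-to-18 character Id expansion is the standard Salesforce checksum suffix; treating the two forms as interchangeable for the User ID option is an assumption drawn from the "15/18" remark above, and the Id value itself is hypothetical.

```python
"""Emulate how a SAML Subject maps to a Salesforce User under each identity type.

Added example, not Salesforce or Google code. The SAML Response and the User
record are constructed for illustration; element paths follow the SAML 2.0
assertion schema.
"""
from __future__ import annotations

import base64
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Constructed, unsigned minimal Response, base64-encoded the way it arrives
# in the SAMLResponse POST field. Signature validation is out of scope here.
_SAMPLE_XML = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_resp1" Version="2.0">
  <saml:Assertion ID="_961716652b448f70e502193d01f1dd0f" Version="2.0">
    <saml:Issuer>https://accounts.google.com/o/saml2?idpid=EXAMPLE</saml:Issuer>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">masked@hidden.com</saml:NameID>
    </saml:Subject>
  </saml:Assertion>
</samlp:Response>"""
SAMPLE_SAML_RESPONSE = base64.b64encode(_SAMPLE_XML.encode()).decode()

# Constructed Salesforce User record; the Id is a hypothetical 18-character value.
SAMPLE_USER = {
    "Username": "masked@hidden.com",
    "FederationIdentifier": "masked@hidden.com",
    "Id": "005xx000001SvogAAC",
}


def extract_subject(saml_response_b64: str) -> tuple[str, str]:
    """Decode a SAMLResponse value and return (Assertion ID, Subject NameID)."""
    root = ET.fromstring(base64.b64decode(saml_response_b64))
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        raise ValueError("no saml:Assertion in response")
    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    if name_id is None or not (name_id.text or "").strip():
        raise ValueError("assertion has no Subject/NameID")
    return assertion.get("ID", ""), name_id.text.strip()


def to_18_char_id(sf_id: str) -> str:
    """Expand a 15-character Salesforce Id to its 18-character form.

    The suffix encodes which characters of each 5-character chunk are upper
    case (bit 0 = first character), so the long form is case-insensitive safe.
    An 18-character input is returned unchanged.
    """
    if len(sf_id) == 18:
        return sf_id
    if len(sf_id) != 15:
        raise ValueError("Salesforce Ids are 15 or 18 characters")
    alphabet = "ABCDEFGHIJKLMNOPQRSTUVWXYZ012345"
    suffix = ""
    for chunk in (sf_id[0:5], sf_id[5:10], sf_id[10:15]):
        bits = sum(1 << j for j, c in enumerate(chunk) if c.isupper())
        suffix += alphabet[bits]
    return sf_id + suffix


def map_subject(name_id: str, user: dict, identity_type: str) -> tuple[bool, str]:
    """Return (mapped, reason) for one of: username, federation_id, user_id."""
    if identity_type == "username":
        expected = user["Username"]
    elif identity_type == "federation_id":
        expected = user["FederationIdentifier"]
    elif identity_type == "user_id":
        try:  # assumption: 15- and 18-character forms are both acceptable
            same = to_18_char_id(name_id) == to_18_char_id(user["Id"])
            return same, "compared as 18-character Ids"
        except ValueError as exc:
            return False, f"Subject is not a Salesforce Id: {exc}"
    else:
        raise ValueError(f"unknown identity type {identity_type!r}")
    if name_id == expected:
        return True, f"exact match on {identity_type}"
    if name_id.lower() == expected.lower():
        return False, f"case mismatch: assertion {name_id!r} vs user {expected!r}"
    return False, f"no user with {identity_type} {name_id!r}"


def diagnose(saml_response_b64: str, user: dict, identity_type: str) -> str:
    """Produce a login-history style summary for the given identity type."""
    assertion_id, subject = extract_subject(saml_response_b64)
    ok, reason = map_subject(subject, user, identity_type)
    status = "mapped" if ok else "Unable to map the subject to a Salesforce.com user"
    return f"Subject: {subject}\n{status} ({reason})\nAssertionId: {assertion_id}"


if __name__ == "__main__":
    for kind in ("username", "federation_id", "user_id"):
        print(f"--- SAML Identity Type: {kind}")
        print(diagnose(SAMPLE_SAML_RESPONSE, SAMPLE_USER, kind))
```

Run against the sample, the email-style Subject maps under the username and Federation ID settings and fails under the User ID setting, which is the OP's original misconfiguration; feeding a Subject that differs only in case reproduces the situation Anudeep describes. To check a real login, take the SAMLResponse form value from the browser's network tab (or a SAML tracer extension), pass it to `extract_subject`, and compare the NameID against the User field that the configured identity type reads.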
Vinay (Salesforce Developers)
Hi,

Do you still see issue?

You can use the link below to validate a SAML response.

https://www.samltool.com/validate_response.php

Thanks,
Vinay Kumar