saarikogmail
Unable to map the subject to a Salesforce.com user - Error with Google as IdP
I have enabled SSO login.
When I log in, I get the error:
Setup is correct.
The SAML Validator results are OK
Last recorded SAML login failure: 2020-05-05T16:43:31.001Z
Unexpected Exceptions
Ok
1. Validating the Status
Ok
2. Looking for an Authentication Statement
Ok
3. Looking for a Conditions statement
Ok
4. Checking that the timestamps in the assertion are valid
Ok
5. Checking that the Attribute namespace matches, if provided
Not Provided
6. Miscellaneous format confirmations
Ok
7. Confirming Issuer matches
Ok
8. Confirming a Subject Confirmation was provided and contains valid timestamps
Ok
9. Checking that the Audience matches
Ok
10. Checking the Recipient
Ok
11. Validating the Signature
Is the response signed? false
Is the assertion signed? true
Is the correct certificate supplied in the keyinfo? true
Ok
12. Checking that the Site URL Attribute contains a valid site url, if provided
Not Provided
13. Looking for portal and organization id, if provided
Ok
14. Checking if session security level is valid, if provided
Ok
But, last row shows:
Subject: masked@hidden.com
Unable to map the subject to a Salesforce.com user
AssertionId: _961716652b448f70e502193d01f1dd0f
The subject is a correct user name. I put the same value on the 'Federation ID' value on the User object.
Any ideas what can the issue be?
It feels like SF are not completing the action. Or have I missed a step?
Can you re-check the Federation ID? It is case sensitive.
Review the link below.
https://success.salesforce.com/answers?id=90630000000gpzrAAA
Hope above information was helpful.
Please mark as Best Answer so that it can help others in the future.
Thanks,
Vinay Kumar
Unable to map the subject to a Salesforce.com user is mostly a case sensitivity issue. Can you check the SAML response? What subject do you see?
Check user in your org and compare it with the Subject: masked@hidden.com
I have experienced such issues in the past. For example abc.xyz@test.co.uk was being used instead of Abc.Xyz@test.co.uk
Your IDP username should always match Salesforce username
If you find this information helpful, please mark this as solved by selecting this answer as best. It may help others in the community.
Anudeep
- I am not sure how to check the SAML response, besides using the SAML validator.
- I use Google IdP, if this can help get the answer.
- My email and user name are all lower case in the Google admin console, same as my SF username.
- I took the email from the subject error message and pasted that into the Federation ID field. Still got the same error.
Thank you for looking into this further. Your answers made me read the settings again.
In the SAML setting, there are 3 options:
- Assertion contains the User's Salesforce username
- Assertion contains the Federation ID from the User object
- Assertion contains the User ID from the User object
Initially, #3 was selected. I replaced that with #2 and it works. #3 needs the 15/18 id of the user object.
#1 might not be the same
thank you
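The fix above comes down to which User field the assertion's Subject is compared against. As an added example (not from the thread and not Salesforce code), this Python script pulls the NameID out of a constructed assertion and reports which of the three SAML Identity Type options would map it to a constructed user record; the dictionary keys, sample values and exact-match comparison are assumptions.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed assertion fragment (not from the thread); only the Subject matters here.
ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">jane.doe@example.com</saml:NameID>
  </saml:Subject>
</saml:Assertion>"""

# Constructed user record; the keys are hypothetical labels for the three
# fields the SAML Identity Type setting can point at.
USER = {
    "username": "jane.doe@example.com.prod",
    "federation_id": "jane.doe@example.com",
    "user_id": "005000000000001AAA",  # constructed 18-character id
}
IDENTITY_TYPES = ("username", "federation_id", "user_id")

def subject_name_id(assertion_xml):
    """Return the Subject NameID text, or raise if the assertion has none."""
    node = ET.fromstring(assertion_xml).find("saml:Subject/saml:NameID", NS)
    if node is None or not (node.text or "").strip():
        raise ValueError("assertion has no Subject NameID")
    return node.text.strip()

def candidates(user, identity_type):
    """Values the Subject may equal under one identity type."""
    if identity_type == "user_id":
        uid = user["user_id"]
        return {uid, uid[:15]}  # 18-character id or its 15-character prefix
    return {user[identity_type]}

def mapping_report(assertion_xml, user):
    """Map each identity type to True if the Subject matches exactly."""
    subject = subject_name_id(assertion_xml)
    return {t: subject in candidates(user, t) for t in IDENTITY_TYPES}

def case_only_mismatch(assertion_xml, user, identity_type):
    """True if the Subject differs from the stored value only by letter case."""
    subject = subject_name_id(assertion_xml)
    return any(subject != v and subject.casefold() == v.casefold()
               for v in candidates(user, identity_type))

if __name__ == "__main__":
    for identity_type, ok in mapping_report(ASSERTION, USER).items():
        print(f"{identity_type:14} {'maps' if ok else 'unable to map'}")
```

With the identity type set to the User ID, an e-mail style Subject can never match, which is the situation the thread ended up diagnosing.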
Do you still see the issue?
You can use the link below to validate the SAML response.
https://www.samltool.com/validate_response.php
Thanks,
Vinay Kumar