SAML SSO Failing
Hello,
I am trying to perform SSO between our web portal (IdP) and Salesforce (SP). The SAML Response looks good, since we have integrations with other third parties using the same response and it works fine. However, with the Salesforce SSO POC I am getting an issue and it shows me the error below:
"Login Error
Your login attempt using single sign-on with an identity provider certificate has failed. Please contact your salesforce.com administrator for more information"
I tried to validate the SAML Response in the SAML Validator; below is the output:
Last recorded SAML login failure: 2014-03-28T16:24:00.162Z
Unexpected Exceptions
Ok
1. Validating the Status
Ok
2. Looking for an Authentication Statement
Ok
3. Looking for a Conditions statement
Ok
4. Checking that the timestamps in the assertion are valid
Current time is after notOnOrAfter in Conditions
Current time is: 2014-03-28T16:29:30.895Z
Time limit in Conditions, adjusted for skew, is: 2014-03-28T16:28:22.901Z
5. Checking that the Attribute namespace matches, if provided
Ok
6. Miscellaneous format confirmations
Ok
7. Confirming Issuer matches
Ok
8. Confirming a Subject Confirmation was provided and contains valid timestamps
Ok
9. Checking that the Audience matches
Ok
10. Checking the Recipient
Ok
Organization Id that we expected: 00DJ00000036x7r
Organization Id that we found based on your assertion: 00DJ00000036x7r
11. Validating the Signature
Is the response signed? true
Is the assertion signed? false
Is the correct certificate supplied in the keyinfo? true
Ok
12. Checking that the Site URL Attribute contains a valid site url, if provided
Not Provided
13. Looking for portal and organization id, if provided
Not Provided
14. Checking if session security level is valid, if provided
Ok
Login History Shows Below Status:
Failed: Assertion Expired
I think the clocks between our portal server and the Salesforce server are not in sync, which might be causing this, but I am not sure. If anyone knows the resolution for such issues, please share it with me. Also, I wanted to know how to skew the clock in Salesforce.
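The validator output above (step 4) is an ordinary SAML Conditions check: the SP takes the assertion's NotBefore and NotOnOrAfter (UTC instants, trailing Z), widens them by its skew tolerance, and compares the result against its own clock. The following is an added example, not code from the original post or from Salesforce, that reproduces that step on a constructed assertion fragment. The 3-minute skew tolerance, the issuer and audience URLs, and the NotBefore/NotOnOrAfter values are all assumptions; NotOnOrAfter was chosen so that, with the assumed skew, the adjusted limit equals the 16:28:22.901Z printed by the validator, which makes the 16:29:30.895Z check fail exactly as on the page.

```python
# Added example (not from the original post): re-implements the "Checking that
# the timestamps in the assertion are valid" step of a SAML SP-side validator.
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Assumed skew tolerance in seconds. The page does not state the exact value
# the SP applies; it is only the parameter that drives the check.
ASSUMED_SKEW_SECONDS = 180

# Constructed sample assertion (issuer, audience and instants are made up).
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed-example" Version="2.0" IssueInstant="2014-03-28T16:23:22.901Z">
  <saml:Issuer>https://idp.example.com/saml</saml:Issuer>
  <saml:Conditions NotBefore="2014-03-28T16:23:22.901Z"
                   NotOnOrAfter="2014-03-28T16:25:22.901Z">
    <saml:AudienceRestriction>
      <saml:Audience>https://saml.salesforce.com</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
</saml:Assertion>"""


def parse_saml_instant(value: str) -> datetime:
    """Parse an xsd:dateTime as SAML uses it: UTC with a trailing 'Z'."""
    if not value.endswith("Z"):
        raise ValueError("SAML instants must be UTC with a trailing Z: %r" % value)
    fmt = "%Y-%m-%dT%H:%M:%S.%fZ" if "." in value else "%Y-%m-%dT%H:%M:%SZ"
    return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)


def check_conditions(assertion_xml: str, now: datetime, skew: timedelta) -> dict:
    """Apply the SP-side validity window check, widened by the skew tolerance.

    Returns a dict with 'ok', a validator-style 'reason', and the adjusted
    bounds so a defender can see how far outside the window the SP clock is.
    """
    root = ET.fromstring(assertion_xml)
    cond = root.find("saml:Conditions", SAML_NS)
    if cond is None:
        return {"ok": False, "reason": "Looking for a Conditions statement: none found"}

    result = {"ok": True, "reason": "Ok", "current_time": now}

    # Both attributes are optional in SAML 2.0; check whichever is present.
    not_before = cond.get("NotBefore")
    if not_before is not None:
        earliest = parse_saml_instant(not_before) - skew
        result["earliest_adjusted"] = earliest
        if now < earliest:
            result.update(ok=False, reason="Current time is before notBefore in Conditions")
            return result

    not_on_or_after = cond.get("NotOnOrAfter")
    if not_on_or_after is not None:
        latest = parse_saml_instant(not_on_or_after) + skew
        result["limit_adjusted"] = latest
        # NotOnOrAfter is exclusive: the instant itself is already invalid.
        if now >= latest:
            result.update(ok=False, reason="Current time is after notOnOrAfter in Conditions")
    return result


def validate_at(now_iso: str, skew_seconds: int = ASSUMED_SKEW_SECONDS,
                assertion_xml: str = SAMPLE_ASSERTION) -> dict:
    """Convenience wrapper: run the check as if the SP clock read now_iso."""
    return check_conditions(assertion_xml, parse_saml_instant(now_iso),
                            timedelta(seconds=skew_seconds))


if __name__ == "__main__":
    # The two SP clock readings that appear in the forum output.
    for sp_clock in ("2014-03-28T16:24:00.162Z", "2014-03-28T16:29:30.895Z"):
        r = validate_at(sp_clock)
        print(sp_clock, "->", r["reason"],
              "(limit adjusted for skew: %s)" % r.get("limit_adjusted"))
```

Running it prints "Ok" for the 16:24:00.162Z reading and "Current time is after notOnOrAfter in Conditions" for 16:29:30.895Z. The useful diagnostic is the gap between `current_time` and `limit_adjusted`: if the SP rejects assertions that the IdP minted seconds ago, that gap is the clock offset the IdP has to correct (NTP on the IdP host), since lengthening the assertion lifetime only hides drift up to whatever ceiling the SP enforces.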
#1: Make sure the webserver (hosting the IdP) timezone is the same as the Salesforce instance timezone. This issue will never occur.
#2: In the IdP, increase the AssertionLifeTime max to 10 min, if the difference between timestamps is less than 10 min. Note: Salesforce only allows a 10 min difference between the assertion timestamps.
I chose #1, to avoid any differences. Thanks
All Answers
This error is due to timestamp expiration. There can be a time mismatch at your IdP's end, so you would have to get in touch with your IdP to make changes to the time.
For your reference, please go through the links below, which will give you a clearer understanding of this error and of clock skew in Salesforce:
1. http://help.salesforce.com/HTViewHelpDoc?id=sso_saml_login_history.htm&language=en_US
2. https://support.symplified.com/entries/23702597-Salesforce-SAML-Access-Error-Your-single-sign-on-login-was-not-accepted-
Hope this helps to resolve the error.