Manoj Sonawane

SAML SSO Failing

Hello,

I am trying to perform SSO between our web portal (IdP) and Salesforce (SP). The SAML Response looks good, since we have integrations with other third parties using the same response and they work fine. However, with the Salesforce SSO PoC I am getting an issue, and it shows me the error below:

"Login Error
Your login attempt using single sign-on with an identity provider certificate has failed. Please contact your salesforce.com administrator for more information"


I tried to validate the SAML Response in the SAML Validator; below is the output:

Last recorded SAML login failure:  2014-03-28T16:24:00.162Z
Unexpected Exceptions
  Ok
1. Validating the Status
  Ok
2. Looking for an Authentication Statement
  Ok
3. Looking for a Conditions statement
  Ok
4. Checking that the timestamps in the assertion are valid
  Current time is after notOnOrAfter in Conditions
  Current time is: 2014-03-28T16:29:30.895Z
  Time limit in Conditions, adjusted for skew, is: 2014-03-28T16:28:22.901Z
5. Checking that the Attribute namespace matches, if provided
  Ok
6. Miscellaneous format confirmations
  Ok
7. Confirming Issuer matches
  Ok
8. Confirming a Subject Confirmation was provided and contains valid timestamps
  Ok
9. Checking that the Audience matches
  Ok
10. Checking the Recipient
  Ok
  Organization Id that we expected: 00DJ00000036x7r
  Organization Id that we found based on your assertion: 00DJ00000036x7r
11. Validating the Signature
  Is the response signed? true
  Is the assertion signed? false
  Is the correct certificate supplied in the keyinfo? true
  Ok
12. Checking that the Site URL Attribute contains a valid site url, if provided
  Not Provided
13. Looking for portal and organization id, if provided
  Not Provided
14. Checking if session security level is valid, if provided
  Ok


Login History Shows Below Status:
Failed: Assertion Expired

I think the clocks of our portal server and the Salesforce server are not in sync, which might be causing this, but I am not sure. If anyone knows the resolution for such issues, please share it with me. Also, I wanted to know how to set the clock skew in Salesforce?

Best Answer chosen by Manoj Sonawane
Manoj Sonawane
Here is the solution I applied to resolve this issue,

#1: Make sure the web server (hosting the IdP) timezone is the same as the Salesforce instance timezone. This issue will never occur.

#2: In the IdP, increase the AssertionLifeTime to a maximum of 10 min, if the difference between the timestamps is less than 10 min. Note: Salesforce only allows a 10 min difference between the assertion timestamps.

I chose #1, to avoid any differences. Thanks.
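
The failure in the validator output (check 4) and the two fixes in the accepted answer (clock alignment, assertion lifetime) both come down to how an SP compares its own clock with the assertion's NotBefore/NotOnOrAfter window after widening it by a skew allowance. The following is an added example, not code from the original post or from Salesforce: it parses a constructed SAML 2.0 assertion, applies an assumed 3-minute skew (chosen so the adjusted limit equals the 2014-03-28T16:28:22.901Z printed above), and reports the same kind of message the validator did. The function names, the sample assertion and the skew value are assumptions made for the example.

```python
# Added example (not from the original post): SP-side validation of the time
# window on a SAML 2.0 assertion, with a clock-skew allowance, reproducing the
# "Current time is after notOnOrAfter in Conditions" failure from the
# validator output above. Names, the sample assertion and the skew value are
# assumptions made for this example, not Salesforce's implementation.
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample assertion (not captured from the post). With the assumed
# 3-minute skew, its Conditions NotOnOrAfter yields the adjusted limit
# 2014-03-28T16:28:22.901Z that the validator printed.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_example" Version="2.0" IssueInstant="2014-03-28T16:23:22.901Z">
  <saml:Issuer>https://portal.example.com/idp</saml:Issuer>
  <saml:Subject>
    <saml:NameID>user@example.com</saml:NameID>
    <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
      <saml:SubjectConfirmationData NotOnOrAfter="2014-03-28T16:33:22.901Z"
          Recipient="https://login.salesforce.com"/>
    </saml:SubjectConfirmation>
  </saml:Subject>
  <saml:Conditions NotBefore="2014-03-28T16:23:22.901Z"
      NotOnOrAfter="2014-03-28T16:25:22.901Z">
    <saml:AudienceRestriction>
      <saml:Audience>https://saml.salesforce.com</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
</saml:Assertion>"""


def parse_saml_time(value):
    """Parse a SAML xs:dateTime in UTC (trailing 'Z'), with optional fraction."""
    if not value.endswith("Z"):
        raise ValueError("SAML timestamps must be UTC and end in 'Z': %r" % value)
    body = value[:-1]
    fmt = "%Y-%m-%dT%H:%M:%S.%f" if "." in body else "%Y-%m-%dT%H:%M:%S"
    return datetime.strptime(body, fmt).replace(tzinfo=timezone.utc)


def format_saml_time(dt):
    """Format back to the millisecond 'Z' form used in the validator output."""
    return dt.strftime("%Y-%m-%dT%H:%M:%S.") + "%03dZ" % (dt.microsecond // 1000)


def assertion_lifetime_seconds(assertion_xml):
    """NotOnOrAfter minus NotBefore of <Conditions>: the IdP's assertion lifetime."""
    cond = ET.fromstring(assertion_xml).find("saml:Conditions", NS)
    start = parse_saml_time(cond.get("NotBefore"))
    end = parse_saml_time(cond.get("NotOnOrAfter"))
    return int((end - start).total_seconds())


def check_assertion_times(assertion_xml, now_utc, skew_seconds=180):
    """Return (ok, messages) for the Conditions and SubjectConfirmationData
    windows, each widened by skew_seconds on both sides (checks 4 and 8 in
    the validator output). now_utc is an xs:dateTime string such as
    '2014-03-28T16:29:30.895Z'."""
    now = parse_saml_time(now_utc)
    skew = timedelta(seconds=skew_seconds)
    root = ET.fromstring(assertion_xml)
    messages = []

    cond = root.find("saml:Conditions", NS)
    if cond is None:
        return False, ["no Conditions element in assertion"]
    if cond.get("NotBefore") is not None:
        earliest = parse_saml_time(cond.get("NotBefore")) - skew
        if now < earliest:
            messages.append("Current time is before notBefore in Conditions; "
                            "limit adjusted for skew is: " + format_saml_time(earliest))
    if cond.get("NotOnOrAfter") is not None:
        latest = parse_saml_time(cond.get("NotOnOrAfter")) + skew
        if now >= latest:
            messages.append("Current time is after notOnOrAfter in Conditions; "
                            "limit adjusted for skew is: " + format_saml_time(latest))

    # Bearer confirmations carry their own NotOnOrAfter (SAML 2.0 Core 2.4.1.2).
    path = "saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData"
    for scd in root.findall(path, NS):
        if scd.get("NotOnOrAfter") is not None:
            latest = parse_saml_time(scd.get("NotOnOrAfter")) + skew
            if now >= latest:
                messages.append("Current time is after notOnOrAfter in "
                                "SubjectConfirmationData; limit adjusted for skew is: "
                                + format_saml_time(latest))
    return not messages, messages


if __name__ == "__main__":
    # The instant the validator reported as "Current time" in the post.
    ok, msgs = check_assertion_times(SAMPLE_ASSERTION, "2014-03-28T16:29:30.895Z")
    print("assertion lifetime:", assertion_lifetime_seconds(SAMPLE_ASSERTION), "s")
    print("ok" if ok else "FAILED:", msgs)
```

Because every timestamp is an absolute UTC instant, what the SP actually compares is its own UTC clock against the IdP's; the skew parameter is the only slack, so an IdP clock that runs more than (lifetime + skew) behind the SP produces exactly this failure. Lengthening the lifetime (the answer's #2) widens the window but also lengthens how long a captured assertion can be replayed, which is why syncing the clocks (the answer's #1) is the safer fix.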

All Answers

Nehal (Salesforce Developers)
Hi,

This error is due to timestamp expiration. There can be a time mismatch at your IdP's end, so you would have to get in touch with your IdP to make changes to the time.

For your reference, please go through the links below, which will give you a clearer understanding of this error and of clock skew in Salesforce:

1. http://help.salesforce.com/HTViewHelpDoc?id=sso_saml_login_history.htm&language=en_US

2. https://support.symplified.com/entries/23702597-Salesforce-SAML-Access-Error-Your-single-sign-on-login-was-not-accepted-

Hope this helps to resolve the error.