Imran Khan 151

The audience in the assertion did not match the allowed audiences

Last recorded SAML login failure:  2016-08-18T19:44:20.356Z
Unexpected Exceptions
  Ok
1. Validating the Status
  Ok
2. Looking for an Authentication Statement
  Ok
3. Looking for a Conditions statement
  Ok
4. Checking that the timestamps in the assertion are valid
  Current time is after notOnOrAfter in Conditions
  Current time is: 2016-08-18T20:23:24.287Z
  Time limit in Conditions, adjusted for skew, is: 2016-08-18T19:52:20.065Z
  Timestamp of the response is outside of allowed time window
  Current time is: 2016-08-18T20:23:24.287Z
  Timestamp is: 2016-08-18T19:44:20.065Z
  Allowed skew in milliseconds is 480000
  Timestamp of the assertion is outside of allowed time window
  Current time is: 2016-08-18T20:23:24.287Z
  Timestamp is: 2016-08-18T19:44:20.065Z
  Allowed skew in milliseconds is 480000
5. Checking that the Attribute namespace matches, if provided
  Not Provided
6. Miscellaneous format confirmations
  Ok
7. Confirming Issuer matches
  Ok
8. Confirming a Subject Confirmation was provided and contains valid timestamps
  Ok
9. Checking that the Audience matches
  Audience problems
  The audience in the assertion did not match the allowed audiences
  Allowed audiences: [https://hpeiamfedpractdev-dev-ed.my.salesforce.com]
10. Checking the Recipient
  Ok
  Organization Id that we expected: 00D41000000M1pP
  Organization Id that we found based on your assertion: 00D41000000M1pP
11. Validating the Signature
  Is the response signed? true
  Is the assertion signed? false
  Is the correct certificate supplied in the keyinfo? true
  Ok
12. Checking that the Site URL Attribute contains a valid site url, if provided
  Not Provided
13. Looking for portal and organization id, if provided
  Not Provided
14. Checking if session security level is valid, if provided
  Ok

I am federating to Okta (IdP). Any thoughts on why this fails? I created a Salesforce domain after the fact and all hell broke loose at that point.
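The validator output in this post is effectively a checklist. As an added example (not Salesforce or Okta code), the Python below re-implements two of those steps over a constructed SAML Response: step 4 (IssueInstant and Conditions timestamps, using the same 480000 ms skew the output reports) and step 9 (AudienceRestriction against the allowed audiences). The sample Response, its issuer and its IDs are constructed placeholders; the allowed audience is the entity ID the validator output prints. The sample's Audience carries a trailing slash on purpose, so the exact-string comparison reports the same "did not match the allowed audiences" result. Signature verification (step 11) is out of scope here.

```python
"""Audience and timestamp checks for a SAML 2.0 Response (added example, not Salesforce code)."""
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
# Same 8-minute skew the validator output reports ("Allowed skew in milliseconds is 480000").
ALLOWED_SKEW = timedelta(milliseconds=480_000)
# Entity ID printed as the allowed audience in the thread's validator output.
SF_ENTITY_ID = "https://hpeiamfedpractdev-dev-ed.my.salesforce.com"
# "Current time" as printed in the validator output, and a time inside the window.
NOW_FROM_VALIDATOR_OUTPUT = datetime(2016, 8, 18, 20, 23, 24, 287000, tzinfo=timezone.utc)
NOW_WITHIN_WINDOW = datetime(2016, 8, 18, 19, 46, 0, tzinfo=timezone.utc)

# Constructed sample: issuer, IDs and NameID are placeholders, not real Okta values.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_constructed-response"
    Version="2.0" IssueInstant="2016-08-18T19:44:20.065Z">
  <saml:Issuer>https://idp.example.test/constructed</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_constructed-assertion" Version="2.0" IssueInstant="2016-08-18T19:44:20.065Z">
    <saml:Issuer>https://idp.example.test/constructed</saml:Issuer>
    <saml:Subject><saml:NameID>user@example.test</saml:NameID></saml:Subject>
    <saml:Conditions NotBefore="2016-08-18T19:39:20.065Z" NotOnOrAfter="2016-08-18T19:49:20.065Z">
      <saml:AudienceRestriction>
        <saml:Audience>https://hpeiamfedpractdev-dev-ed.my.salesforce.com/</saml:Audience>
      </saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""


def parse_saml_time(value: str) -> datetime:
    """Parse an xs:dateTime such as 2016-08-18T19:44:20.065Z into an aware UTC datetime."""
    for fmt in ("%Y-%m-%dT%H:%M:%S.%fZ", "%Y-%m-%dT%H:%M:%SZ"):
        try:
            return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            continue
    raise ValueError(f"unsupported SAML timestamp: {value!r}")


def check_timestamps(root: ET.Element, now: datetime) -> list[str]:
    """Step 4: Response and Assertion IssueInstant within skew, Conditions window honoured."""
    problems = []
    assertion = root.find("saml:Assertion", NS)
    for label, element in (("response", root), ("assertion", assertion)):
        raw = element.get("IssueInstant") if element is not None else None
        if raw is None:
            problems.append(f"No IssueInstant on the {label}")
            continue
        issued = parse_saml_time(raw)
        if abs(now - issued) > ALLOWED_SKEW:
            problems.append(f"Timestamp of the {label} is outside of allowed time window "
                            f"(timestamp {issued.isoformat()}, now {now.isoformat()})")
    conditions = root.find("saml:Assertion/saml:Conditions", NS)
    if conditions is None:
        return problems + ["No Conditions statement in the assertion"]
    not_before, not_on_or_after = conditions.get("NotBefore"), conditions.get("NotOnOrAfter")
    if not_before and now < parse_saml_time(not_before) - ALLOWED_SKEW:
        problems.append("Current time is before NotBefore in Conditions")
    if not_on_or_after:
        limit = parse_saml_time(not_on_or_after) + ALLOWED_SKEW
        if now >= limit:
            problems.append("Current time is after NotOnOrAfter in Conditions "
                            f"(limit adjusted for skew {limit.isoformat()})")
    return problems


def check_audience(root: ET.Element, allowed_audiences: set[str]) -> list[str]:
    """Step 9: at least one Audience must equal an allowed audience, character for character."""
    path = "saml:Assertion/saml:Conditions/saml:AudienceRestriction/saml:Audience"
    audiences = [a.text.strip() for a in root.findall(path, NS) if a.text]
    if not audiences:
        return ["No AudienceRestriction in the assertion"]
    # Deliberately no normalisation: "https://x.my.salesforce.com/" and
    # "https://x.my.salesforce.com" are different audiences, as are the
    # production and sandbox hostnames.
    if not any(a in allowed_audiences for a in audiences):
        return ["The audience in the assertion did not match the allowed audiences: "
                f"assertion {audiences}, allowed {sorted(allowed_audiences)}"]
    return []


def validate_response(xml_text: str, allowed_audiences, now: datetime) -> list[str]:
    """Return the problems found; an empty list means both steps passed."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{NS['samlp']}}}Response":
        return ["Root element is not a samlp:Response"]
    return check_timestamps(root, now) + check_audience(root, set(allowed_audiences))


if __name__ == "__main__":
    for label, allowed, now in (
        ("no slash in allowed list, fresh login", [SF_ENTITY_ID], NOW_WITHIN_WINDOW),
        ("slash in allowed list, fresh login", [SF_ENTITY_ID + "/"], NOW_WITHIN_WINDOW),
        ("slash in allowed list, stale login", [SF_ENTITY_ID + "/"], NOW_FROM_VALIDATOR_OUTPUT),
    ):
        print(label, "->", validate_response(SAMPLE_RESPONSE, allowed, now) or "Ok")
```

The first run reproduces the audience failure from the post: the assertion says `https://…my.salesforce.com/`, the allowed list says `https://…my.salesforce.com`, and nothing is trimmed before comparing. Adding the slash to the allowed list makes it pass, and evaluating the same Response at the "Current time" printed in the validator output reproduces the three timestamp complaints from step 4. The same exact-match rule is what makes a production entity ID fail against an assertion issued for a sandbox hostname, or vice versa.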
Brian Wing
Did you get this figured out? I'm testing in my sandbox, trying to enforce login via SSO only. I recreated my SSO provider and app in Okta; I know they have a new cert and entity every time you set it up.
Radhashree Yarashi 4
Hi All,

May I know what the fix for this was?
We have org-to-org Salesforce SSO settings and are facing the same issue.

We would appreciate the help.

Regards,
Radha
Charleston Santos
Hi there.

I had the same problem, and in my case a backslash was just missing at the end of the configuration.

Regards
Oleksandr Valuiev

The SF site provides the Login URL without a backslash:

Login URL https://XXXX.my.salesforce.com

In my case I also added a backslash at the end in the Okta configuration (Okta/Application/Sign On):

ADVANCED SIGN-ON SETTINGS
These fields may be required for a Salesforce.com proprietary sign-on option or general setting.
Login URL
https://XXXX.my.salesforce.com/

DR SFDC Admin
The suggestion to correct this ERROR is wrong.
1. On the Okta site, if you add '/' at the end of the field, SSO will give an error specifically asking to remove it.
2. The lower part of the picture is from Salesforce SSO (not Okta), and it is not editable to add '/' in the Endpoints section.
Amit Patkar 16
If you are configuring this on a sandbox, the entity ID should be your production URL, i.e. "https://mydomain.my.salesforce.com" and not "https://mydomain--mysandbox.sandbox.my.salesforce.com".
On the Okta side, the domain should be "mydomain" and not "mydomain--mysandbox" or "mydomain--mysandbox.sandbox", as indicated by the help text there.
Laura Rieder-Mayring
Kept getting similar single sign-on errors, and none of the suggestions here worked:
  • as DR SFDC Admin noted, adding a backslash to the entity ID / custom domain leads to syntax errors;
  • using the production URL / domain name instead of the sandbox ones did not make a difference for me either.
What DID work for me was just ignoring all the custom domain stuff and using the default entity ID https://saml.salesforce.com for the Single Sign-On Setup in Salesforce; in Okta (Sign On > Settings > Credentials Details), I had to set the Application username format not to the Okta username but to a Custom format, String.append(user.login, ".mysandbox") for a sandbox at https://mydomain--mysandbox.sandbox.my.salesforce.com, to get the same format used when logging in directly with user/pw, which has a ".sandboxname" appended to the email.
Suren Ponnaganti
Hi Guys, I have a similar issue (The audience in the assertion did not match the allowed audiences) while setting up Okta in my sandbox environment.

While setting up Okta, the Okta admin needs a Custom domain.

Make sure to provide as below
domain--yoursandboxname
example: If your domain name is sfdev and sandbox is uat then sfdev--uat is the custom domain name.

And in Salesforce, please follow the guide below to set them up:

https://saml-doc.okta.com/SAML_Docs/How-to-Configure-SAML-2.0-in-Salesforce.html

Entity Id for sandbox should be: https://sfdev--uat.my.salesforce.com

sankar nair 5
Hi All, the above suggestion helped to fix the issue.

Problem: Users were getting a single sign-on error.

Solution done: I corrected the settings in the Okta dashboard; in the custom domain, ".sandbox" was missing, which was causing the issue. For a sandbox, always add ".sandbox", e.g. mydomain--environment.sandbox