• Laura Rieder-Mayring

We are getting stuck:

SAML Validator shows us the following error:

 "Subject: Unable to map the subject to a Salesforce user"

We tried using the standard usernames our userbase has in production and also the updated usernames as listed in the sandbox (where the '.sandboxname' is added as a suffix), and still get the above error.

As I understand it, if it works there should be the subject: username@domain.com Assertionid: randomlongstringofstuff.

Seems like we can't get the assertion to map correctly?

Any help super appreciated.

Last recorded SAML login failure:  2016-08-18T19:44:20.356Z
Unexpected Exceptions
  Ok
1. Validating the Status
  Ok
2. Looking for an Authentication Statement
  Ok
3. Looking for a Conditions statement
  Ok
4. Checking that the timestamps in the assertion are valid
  Current time is after notOnOrAfter in Conditions
  Current time is: 2016-08-18T20:23:24.287Z
  Time limit in Conditions, adjusted for skew, is: 2016-08-18T19:52:20.065Z
  Timestamp of the response is outside of allowed time window
  Current time is: 2016-08-18T20:23:24.287Z
  Timestamp is: 2016-08-18T19:44:20.065Z
  Allowed skew in milliseconds is 480000
  Timestamp of the assertion is outside of allowed time window
  Current time is: 2016-08-18T20:23:24.287Z
  Timestamp is: 2016-08-18T19:44:20.065Z
  Allowed skew in milliseconds is 480000
5. Checking that the Attribute namespace matches, if provided
  Not Provided
6. Miscellaneous format confirmations
  Ok
7. Confirming Issuer matches
  Ok
8. Confirming a Subject Confirmation was provided and contains valid timestamps
  Ok
9. Checking that the Audience matches
  Audience problems
  The audience in the assertion did not match the allowed audiences
  Allowed audiences: [https://hpeiamfedpractdev-dev-ed.my.salesforce.com]
10. Checking the Recipient
  Ok
  Organization Id that we expected: 00D41000000M1pP
  Organization Id that we found based on your assertion: 00D41000000M1pP
11. Validating the Signature
  Is the response signed? true
  Is the assertion signed? false
  Is the correct certificate supplied in the keyinfo? true
  Ok
12. Checking that the Site URL Attribute contains a valid site url, if provided
  Not Provided
13. Looking for portal and organization id, if provided
  Not Provided
14. Checking if session security level is valid, if provided
  Ok

I am federating to Okta (IdP) - Any thoughts on why this fails? I created a Salesforce domain after the fact and all hell broke loose at that point.
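
Checks 4 and 9 from the validator output above, modeled in Python as an added example (not part of the original posts and not Salesforce's code). The timestamps, skew and allowed audience are copied from the log; the function names and the `SENT_AUDIENCE` value are constructed, because the log does not show the audience the IdP actually sent.

```python
from datetime import datetime, timedelta, timezone


def parse_ts(value):
    """Parse the validator's UTC timestamps, e.g. 2016-08-18T19:44:20.065Z."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)


def check_conditions(issued, audience, allowed_audiences, now, skew_ms):
    """Return a list of failure strings; an empty list means both checks pass."""
    failures = []
    skew = timedelta(milliseconds=skew_ms)

    # Check 4 (assumed model): the timestamp must lie within +/- skew of "now".
    # A response captured earlier and pasted into a validator later fails here
    # even when the federation settings are otherwise correct.
    age = now - issued
    if abs(age) > skew:
        failures.append(
            f"timestamp outside window: off by {int(age.total_seconds())}s, "
            f"allowed {int(skew.total_seconds())}s"
        )

    # Check 9: the audience is compared as an exact string, so scheme, host
    # and a trailing slash all matter.
    if audience not in allowed_audiences:
        failures.append(
            f"audience mismatch: got {audience!r}, allowed {sorted(allowed_audiences)}"
        )
    return failures


# Values copied from the validator output on this page.
NOW = parse_ts("2016-08-18T20:23:24.287Z")
ISSUED = parse_ts("2016-08-18T19:44:20.065Z")
SKEW_MS = 480000
ALLOWED = {"https://hpeiamfedpractdev-dev-ed.my.salesforce.com"}
# Constructed placeholder: the audience the IdP sent is not shown in the log.
SENT_AUDIENCE = "https://idp-configured-audience.example"

if __name__ == "__main__":
    for line in check_conditions(ISSUED, SENT_AUDIENCE, ALLOWED, NOW, SKEW_MS):
        print(line)
```

Re-running the check with a current timestamp separates the two failures: the timestamp error disappears for a fresh response, while the audience error remains until the IdP sends a value that matches the allowed audience exactly.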