Common SSO Issues and Resolutions Flashcards
A user is unable to log in via Single Sign-On (SSO) from the generic Salesforce login page. The company is not using My Domain.
When My Domain has not been set up, SP-initiated SSO does not work. Salesforce does not know in advance which organization the user is trying to SSO into or which identity provider should be used. By contrast, when SSO starts at the IdP (IdP-initiated SSO), the identity information is sent to Salesforce along with SAML protocol information that identifies the organization and the IdP.
Users report intermittent logouts when trying to access Salesforce resources from an external identity provider through SSO based on OAuth 2.0.
If the access token issued for an authorized user during an OAuth flow is expired or revoked, the user is logged out and cannot access Salesforce resources. For the refresh token flow, the invalid_grant error is returned when the refresh or access token expires.
A user has reported that a connected app integrated with Salesforce is not visible in the App Launcher.
To ensure that a connected app is visible in the App Launcher, the Start URL must be defined for it, the user must be authorized to see it, and it must be marked as “Visible in App Launcher” on the “App Menu” page in Salesforce Setup.
A user has reported a “Signature Invalid” error while logging in to Salesforce through an external identity provider.
This error indicates that the certificate uploaded during SSO configuration in Salesforce failed to validate the signature in the SAML assertion. The correct certificate should be obtained from the identity provider and uploaded in Salesforce.
A Salesforce administrator has noticed “Assertion Expired” and “Assertion Invalid” errors on the Login History page in Salesforce Setup.
These errors are related to the SAML assertions sent by the external identity provider to Salesforce. The “Assertion Expired” error indicates that the timestamp on the assertion is too old. The “Assertion Invalid” error indicates an issue with the assertion, such as a missing <Subject> element.
Users are reporting a “REGISTRATION_HANDLER_ERROR” when trying to log in from an external identity provider that supports OAuth.
This error indicates a problem with the registration handler created for the authentication provider. The registration handler Apex class is selected while configuring an authentication provider, such as a custom external authentication provider for an external system that supports OAuth.