Troubleshooting (extra) Flashcards
Issuer Mismatched
Description: This error occurs when the Issuer value in the SAML assertion doesn’t match the Issuer configured in Salesforce.
Troubleshooting: Verify that the Issuer URL in your Identity Provider’s configuration exactly matches the Issuer value in Salesforce’s Single Sign-On Settings. Ensure there are no typos or discrepancies in the URL.
Audience Invalid
Description: This error indicates that the Audience value in the SAML assertion doesn’t match the Entity ID configured in Salesforce.
Troubleshooting: Confirm that the Entity ID in Salesforce matches the Audience value sent by the Identity Provider. The Entity ID is typically a URL like https://saml.salesforce.com. Ensure consistency between configurations.
Subject Confirmation Error
Description: This error arises when the Subject in the SAML assertion doesn’t match the expected value based on the configured SAML Identity Type.
Troubleshooting: Determine which field (Username, Federation ID, or User ID) Salesforce uses to identify users. Ensure the Identity Provider sends the correct value in the SAML assertion’s Subject.
Assertion Invalid
Description: This error occurs when there’s an issue with the SAML assertion, such as a missing <Subject> element.
Troubleshooting: If identity is expected in the NameIdentifier element, ensure the Identity Provider includes the <Subject> element with the correct NameID. If the identity is in an Attribute element, verify the Identity Provider includes the necessary <AttributeStatement>.
Assertion Expired
Description: The timestamp on the assertion is too old.
Troubleshooting: Ensure the system clocks of the Identity Provider and Salesforce are synchronized. Check that the assertion’s validity period is correctly configured.
Configuration Error/Perm Disabled
Description: Something is wrong with your SAML configuration in Salesforce.
Troubleshooting: Verify the uploaded certificate isn’t corrupt. Ensure SAML is enabled in the org’s Single Sign-On Settings.
Recipient Mismatched
Description: Salesforce detected a repeat assertion ID.
Troubleshooting: Ensure that every SAML assertion sent by the Identity Provider has a unique ID.
Signature Invalid
Description: The certificate uploaded during configuration failed to validate the signature.
Troubleshooting: Work with your Identity Provider to confirm the certificate is correct. Ensure the correct certificate is uploaded in Salesforce.
SAML Identity Type
Description: This setting determines which Salesforce user field is used to match the SAML assertion to a Salesforce user. The options include the Salesforce Username, Federation ID, or User ID.
Importance: The value in the SAML assertion must correspond to the selected field in Salesforce, as this is how user authentication is performed.
Assertion Contains the Salesforce Username
Description: If this option is selected, the SAML assertion must include the Salesforce username as the identifier for user authentication.
Example: The SAML assertion should include the <Subject> element containing the username, such as user@example.com.
SAML Identity Location
Description: This setting specifies where the identity information is located in the SAML assertion. It can either be in the NameIdentifier element of the Subject statement or in an Attribute element.
Importance: Salesforce needs this information to extract the user’s identifier from the SAML assertion. The configuration must match what the Identity Provider sends.
Identity in the NameIdentifier Element
Description: If the identity is in the NameIdentifier element, the Identity Provider must include the user identifier in the <Subject> element’s <NameID> field.
Troubleshooting: Ensure the <NameID> element contains the correct identifier, such as the Federation ID or username, as required by your Salesforce configuration.