I've got a problem with my SAML login. Anyone here who might be able to help?
if you're trying the "log in with Google" button on their auth page, that is an OAuth launcher, not SAML
SAML workflow should be enter primary email -> be redirected to Google Auth page -> auth to GSuite -> land on SF start page
I also use this chrome extension to troubleshoot SAML issues: https://chrome.google.com/webstore/detail/saml-message-decoder/mpabchoaimgbdbbjjieoaeiibojelbhm?hl=en
@jbradford so I definitely try to install and use the SAML workflow, as I also want to use auto provisioning. When I go to mydomain.my.salesforce.com I already get redirected to my G Suite login, where I then enter my email and PW, but rather than getting redirected to the homepage I get this error page:
Oh and no for some reason it doesn't generate an Assertion Validator nor do I see failed logins on SF's side.
@topher thanks. I'll check it out.
So this screenshot comes from the SAML Report out of the G Suite Admin Console. I don't understand the G Suite Help comment on this error:
A log entry for each time a user login failed because a request was denied. The user is not authorized. Check if the application is enabled for the user.
You have to enable SAML applications for those buttons to work. This is done in the SAML admin page for the specific application and is set at an OU level
the error typically means this is not done for the OU the user is in
oh, wait a minute. Monday morning reading comprehension issue... The log in with Google button on the Salesforce login page is an OAuth button and triggers an OAuth workflow. Typical relying party SAML login workflow is enter email address in the user/pass field, then it takes you to your SAML login page (in this case GSuite login) and then upon completion it takes you into the app. If you are switching from OAuth to SAML it gets confusing for the users. If you never had OAuth set up, then there is likely somewhere in the SFDC config to not allow it at which point you should not see the "user is not authorized" log entry. Once set up, it is security best practice to disable U/P login for users so they will quickly learn the proper way to get into the service. You can also solicit https://apps.google.com/user/hub to your users as a convenient app launch page.
@jbradford so this user is part of an OU with access to Salesforce.
@jbradford what you can see above in the screenshot is two login attempts:
1: is the way through https://apps.google.com/user/hub (which results in a success)
2: is the way through which then redirected me to Google and then to the error page
This is how my login flow looks right now via the domain.
hrm - any logs on the SF side? Not sure where to go with that other than open a support request with SF and see what they can offer