Question

I've got a problem with my SAML login. Anyone here who might be able to help?






13 replies

Badge

If you're trying the "log in with Google" button on their auth page, that is an OAuth launcher, not SAML.

Badge

SAML workflow should be enter primary email -> be redirected to Google Auth page -> auth to GSuite -> land on SF start page

Badge

I also use this chrome extension to troubleshoot SAML issues: https://chrome.google.com/webstore/detail/saml-message-decoder/mpabchoaimgbdbbjjieoaeiibojelbhm?hl=en
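An added example, not code from this thread or from the extension linked above: a small Python decoder that does the same job offline, recovering the XML from a SAMLResponse parameter (HTTP-POST or HTTP-Redirect binding) and pulling out the fields you compare against the service provider's SAML settings (status, issuer, NameID, Audience, Destination, validity). The sample response and its idp.example.com / sp.example.com URLs are constructed placeholders, and signature verification is out of scope here.

```python
import base64, zlib, xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"

def decode_saml_param(value, redirect_binding=False):
    """Recover the XML from a SAMLRequest/SAMLResponse parameter.
    HTTP-POST binding is base64 only; HTTP-Redirect binding is raw DEFLATE, then base64."""
    raw = base64.b64decode(value)
    if redirect_binding:
        raw = zlib.decompress(raw, -15)  # -15: raw DEFLATE stream, no zlib header
    return raw.decode("utf-8")

def summarize_response(xml_text):
    """Pull out the fields to compare against the SP's SAML settings when a login fails."""
    root = ET.fromstring(xml_text)
    code = root.find("samlp:Status/samlp:StatusCode", NS)
    cond = root.find("saml:Assertion/saml:Conditions", NS)
    text = lambda path: root.findtext(path, default="", namespaces=NS)
    return {"issuer": text("saml:Issuer"),
            "destination": root.get("Destination", ""),
            "status": code.get("Value", "") if code is not None else "",
            "name_id": text("saml:Assertion/saml:Subject/saml:NameID"),
            "audience": text("saml:Assertion/saml:Conditions/saml:AudienceRestriction/saml:Audience"),
            "not_on_or_after": cond.get("NotOnOrAfter", "") if cond is not None else ""}

def mismatches(summary, sp_entity_id, acs_url):
    """The usual reasons an SP rejects a well-formed, correctly signed response."""
    problems = []
    if summary["status"] != SUCCESS:
        problems.append("IdP status: " + summary["status"])
    if summary["audience"] != sp_entity_id:
        problems.append("Audience %r != SP entity ID %r" % (summary["audience"], sp_entity_id))
    if summary["destination"] != acs_url:
        problems.append("Destination %r != ACS URL %r" % (summary["destination"], acs_url))
    return problems

# Constructed, unsigned sample response with placeholder IdP/SP URLs (not a real deployment).
SAMPLE_XML = (
    '<samlp:Response xmlns:samlp="%s" xmlns:saml="%s" ID="_r1" Version="2.0" '
    'Destination="https://sp.example.com/saml/acs"><saml:Issuer>https://idp.example.com</saml:Issuer>'
    '<samlp:Status><samlp:StatusCode Value="%s"/></samlp:Status><saml:Assertion ID="_a1" Version="2.0">'
    '<saml:Subject><saml:NameID>user@example.com</saml:NameID></saml:Subject>'
    '<saml:Conditions NotOnOrAfter="2030-01-01T00:00:00Z"><saml:AudienceRestriction>'
    '<saml:Audience>https://sp.example.com</saml:Audience></saml:AudienceRestriction></saml:Conditions>'
    '</saml:Assertion></samlp:Response>' % (NS["samlp"], NS["saml"], SUCCESS))
SAMPLE_POST_PARAM = base64.b64encode(SAMPLE_XML.encode()).decode()
_z = zlib.compressobj(9, zlib.DEFLATED, -15)
SAMPLE_REDIRECT_PARAM = base64.b64encode(_z.compress(SAMPLE_XML.encode()) + _z.flush()).decode()
```

To use it on a real failed login, paste the SAMLResponse value from the browser's network tab into `decode_saml_param` and feed the result to `summarize_response` and `mismatches` with your SP's entity ID and ACS URL.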

Userlevel 3
Badge +2

@jbradford so I definitely try to install and use the SAML workflow as I also want to use auto provisioning.
When I go to mydomain.my.salesforce.com I already get redirected to my G Suite login, where I then enter my email and password, but rather than getting redirected to the homepage I get this error page:

Oh, and no, for some reason it doesn't generate an Assertion Validator, nor do I see failed logins on SF's side.

Userlevel 3
Badge +2

@topher thanks. I'll check it out.

Userlevel 3
Badge +2

So this screenshot comes from the SAML Report out of the G Suite Admin Console.
I don’t understand the G Suite Help Comment on this error:

A log entry for each time a user login failed because a request was denied. The user is not authorized. Check if the application is enabled for the user.


Badge

You have to enable SAML applications for those buttons to work. This is done in the SAML admin page for the specific application and is set at an OU level.

Badge

The error typically means this is not done for the OU the user is in.

Badge

Oh, wait a minute. Monday morning reading comprehension issue... The "log in with Google" button on the Salesforce login page is an OAuth button and triggers an OAuth workflow. The typical relying-party SAML login workflow is: enter your email address in the user/pass field, then it takes you to your SAML login page (in this case the GSuite login), and upon completion it takes you into the app. If you are switching from OAuth to SAML it gets confusing for the users. If you never had OAuth set up, then there is likely somewhere in the SFDC config to not allow it, at which point you should not see the "user is not authorized" log entry. Once set up, it is security best practice to disable U/P login for users so they will quickly learn the proper way to get into the service. You can also solicit https://apps.google.com/user/hub to your users as a convenient app launch page.

Userlevel 3
Badge +2

@jbradford so this user is part of an OU with access to Salesforce.

Userlevel 3
Badge +2

@jbradford what you can see above in the screenshot are two login attempts:

1: is the way through https://apps.google.com/user/hub (which results in a success)
2: is the way through which then redirected me to Google and then to the error page

Userlevel 3
Badge +2

This is what my login flow looks like right now via the domain.

Badge

Hrm, any logs on the SF side? Not sure where to go with that other than opening a support request with SF and seeing what they can offer.
