Delegated Authentication

  • If Delegated authentication is enabled and if there are login errors, details can be viewed under setup → Delegated Authentication Error History We can get details about the recent twenty one errors that can be filtered by username, login time and error.
  • If Salesforce and the third party system cannot connect or if the request takes longer than 10 seconds to process, login attempts fail and user gets an error message indicating that the corporate authentication service is down.
  • Webservice call passes username, password and sourceIP to the webservice. Webservice validates the passed information and returns a boolean value. If false is returned, user gets an error message that the username and password combination is invalid.

Federated Authentication

  • If you cant login with SAML Assertion, check the login history and note the error message. Use SAML Assertion validator on the Single Sign On Settings configuration page to troubleshoot.
  • Salesforce allows a maximum of 3 minutes for clock skew with your IDP server. Make sure that your server clock is up to date.
  • For SAML 1.1 and 2.0, provide an error page under SAML settings. Users will be redirected to this error page when there is a SAML login error. This URL can be absolute or relative.
  • Review SAML Login History for below errors under Login History.
    • Assertion Expired: An assertion’s timestamp is more than 5 minutes old. Salesforce does make an allowance of three minutes for clock skew. This means, in practice, that an assertion can be as much as eight minutes after the timestamp time, or three minutes before it. This amount of time may be less if the assertion’s validity period is less than five minutes.
    • Assertion Invalid: Invalid assertion, for example <subject> element of an assertion might be missing
    • Audience Invalid: Value specified in audience must be https://saml.salesforce.com
    • Configuration Error/Perm Disabled: Something is wrong with the SAML configuration in Salesforce. For example, the uploaded certificate might be corrupted, or the organization preference might have been turned off. To check your configuration, from Setup, enter Single Sign-On Settings in the Quick Find box, then select Single Sign-On Settings. Next, get a sample SAML assertion from your identity provider, and then click SAML Assertion Validator.
    • Issuer Mismatched: The issuer or entity ID specified in an assertion does not match the issuer specified in your Salesforce configuration.
    • Recipient Mismatched: The recipient specified in an assertion does not match the recipient specified in your Salesforce configuration.
    • Replay Detected: Same assertion ID was used more than once. Assertion IDs must be unique within an organization.
    • Signature Invalid: Signature of assertion cannot be validated by the certificate in your Salesforce configuration.
    • Subject Confirmation Error: Subject specified in the assertion does not match SAML configuration in Salesforce.
  • SAML Assertion Validation Errors
    • IDP must include <AuthenticationStatement>
    • Any <Conditions> statements, must contain valid timestamp
    • The validity period specified in an assertion is honored. In addition, an assertion’s timestamp must be less than five minutes old, plus or minus three minutes, regardless of the assertion’s validity period setting. This allows for differences between machines. The NotBefore and NotOnOrAfter constraints must also be defined and valid.
    • If you are using SAML 1.1, both <AttributeName> and <AttributeNamespace> are required as part of the <AttributeStatement>.
    • If you are using SAML 2.0, only <AttributeName> is required.
    • The Format attribute of an <Issuer> statement must be set to “urn:oasis:names:tc:SAML:2.0:nameid-format:entity” or not set at all.
    • The subject of the assertion must be resolved to be either the Salesforce username or the Federation ID of the user.
    • The recipient specified in an assertion must match either the Salesforce login URL specified in the Salesforce configuration or the OAuth 2.0 token endpoint. This is a required portion of the assertion and is always verified.
    • The issuer specified in an assertion must match the issuer specified in Salesforce.
    • A valid signature must be included in the assertion. The signature must be created using the private key associated with the certificate that was provided in the SAML configuration.
  • JIT Errors – Refer for JIT Errors

SSO for Portals/Sites

  • Only customer and partner portals are supported.
  • SP-Initated login is not supported
  • For Portals both portal_id and organization_id attributes are required. If only one is specified, user receives an error.
  • For Sites portal_id, organization_id and siteUrl attributes are required. If only one is specified, user receives an error.

OAuth

  • OAuth 1.0 A Error Codes
  • If an error occurs while processing SAML bearer assertion, server replies with a standard OAuth error response. The response includes the reasons why the token was considered invalid
  • In JWT Bearer token flow, if an error occurs while server is responding access token, response contains errror message with below information
    • error—Error code
    • error_description—Description of the error with additional information
      • invalid_client_id—Invalid client identifier
      • invalid_request—refresh_token scope is required. Install and preauthorize the app.
      • invalid_app_acess—User isn’t approved by an admin to access this app
      • invalid_grant—User hasn’t approved this consumer
      • invalid_grant—Invalid assertion
      • invalid_grant—Invalid audience
      • invalid_grant—Authentication failure
  • If an error occurs when processing the JWT bearer token, the server replies with a standard OAuth error response. The response includes the reasons why the token was considered invalid
  • If an error occurs when processing refresh token flow, response contains error message with the following information
    • error—Error code
    • error_description—Description of the error with additional information.
      • unsupported_response_type—Response type not supported
      • invalid_client_id—Client identifier invalid
      • invalid_request—HTTPS required
      • invalid_request—Must use HTTP POST
      • invalid_client_credentials—Client secret invalid
      • invalid_request—Secret type not supported
      • invalid_grant—Expired access or refresh token
      • invalid_grant—IP restricted or invalid login hours
      • inactive_user—User is inactive
      • inactive_org—Org is locked, closed, or suspended
      • rate_limit_exceeded—Number of logins exceeded
      • invalid_scope—Requested scope is invalid, unknown, or malformed
  • If an error occurs when processing Web Server flow, response contains error message with the following information
    • error—Error code.
    • error_description—Description of the error with the following information
      • unsupported_response_type—Response type not supported
      • invalid_client_id—Client identifier invalid
      • invalid_request—HTTPS required
      • invalid_request—Must use HTTP GET
      • invalid_request—Indicates that the code_challenge value was invalid (not base64url-encoded, for example)
      • invalid_request—Indicates that the flow doesn’t support and didn’t expect a code_challenge parameter
      • access_denied—User denied authorization
      • redirect_uri_missing—Redirect URI not provided
      • redirect_uri_mismatch—Redirect URI mismatch with connected app definition
      • immediate_unsuccessful—Immediately unsuccessful
      • invalid_scope—Requested scope is invalid, unknown, or malformed
  • If an error occurs when processing Username – Password flow, response contains error message with the following information
    • error—Error code
    • error_description—Description of the error with additional information
      • unsupported_response_type—Response type not supported
      • invalid_client_id—Client identifier invalid
      • invalid_request—HTTPS required
      • invalid_request—Must use HTTP POST
      • invalid_request—Scope parameter not supported
      • invalid_client_credentials—Client secret invalid
      • invalid_grant—Authentication failure (for example, user does not exist or invalid password)
      • invalid_grant—IP restricted or invalid login hours
      • inactive_user—User is inactive
      • inactive_org—Org is locked, closed, or suspended
      • rate_limit_exceeded—Number of logins exceeded
  • If an error occurs when processing User Agent flow, response contains error message with the following information
    • error—Error code
    • error_description—Description of the error with additional information
      • unsupported_response_type—Response type not supported
      • invalid_client_id—Client identifier invalid
      • invalid_request—HTTPS required
      • invalid_request—Must use HTTP GET
      • invalid_request—Out-of-band not supported
      • access_denied—User denied authorization
      • redirect_uri_missing—Redirect_uri not provided
      • redirect_uri_mismatch—Redirect_uri mismatch with connected app object
      • immediate_unsuccessful—Immediate unsuccessful
      • invalid_grant—Invalid user credentials
      • invalid_grant—IP restricted or invalid login hours
      • inactive_user—User is inactive
      • inactive_org—Org is locked, closed, or suspended
      • rate_limit_exceeded—Number of logins exceeded
      • invalid_scope—Requested scope is invalid, unknown, or malformed
  • If an error occurs when processing Device Authentication Flow, response contains error message with the following information
    • error—Error code
      • access_denied—The user has denied access
      • authorization_pending—The user has not yet approved the device for access
      • invalid_grant—Device flow is not enabled for your connected app or we were unable to grant an access token
      • invalid_request—The device code specified in the polling request is invalid
      • server_error—The number of authorization requests from the client application exceeds the hourly limit
      • slow_down—The client application is polling the authorization server more frequently than the recommended minimum interval
    • error_description—Description of the error with additional information
  • If an error occurs when processing SAML Assertion Flow response contains error message with the following information
    • error—Error code.
    • error_description—Description of the error with additional information.
      • unsupported_response_type—Response type not supported
      • invalid_request—HTTPS required
      • invalid_request—HTTP POST required
      • invalid_assertion_type—Specified assertion type not supported
      • invalid_grant—Invalid authorization code (make sure that the client sends a URL-encoded assertion and assertion_type)
      • invalid_grant—IP restricted or invalid login hours
      • inactive_user—User is inactive
      • inactive_org—Org is locked, closed, or suspended
      • rate_limit_exceeded—Number of logins exceeded
    • error_uri—Link to the SAML Assertion Validator, which contains more information about the failure. This error is returned only when Salesforce can parse the assertion.

Mock Questions

  • An architect is troubleshooting some SAML-based SSO errors during testing. The Architect confirmed that all of the Salesforce SSO settings are correct. Which two issues outside of the Salesforce SSO settings are most likely contributing to the SSO errors the Architect is encountering? Choose 2 Answers (2,3)
    • The Identity Provider is also used to SSO into five other applications.
    • The clock on the Identity Provider server is twenty minutes behind Salesforce.
    • The Issuer Certificate from the Identity Provider expired two weeks ago.
    • The default language for the Identity Provider and Salesforce are Different.
  • Universal Containers (UC) has implemented SAML-based SSO solution for use with their multi-org Salesforce implementation, utilizing one of the the orgs as the Identity Provider. One user is reporting that they can log in to the Identity Provider org but get a generic SAML error message when accessing the other orgs. Which two considerations should the architect review to troubleshoot the issue? Choose 2 answers (2,4)
    • The Federation ID must be a valid Salesforce Username
    • The Federation ID must is case sensitive
    • The Federation ID must be in the form of an email address.
    • The Federation ID must be populated on the user record.
  • An architect has successfully configured SAML-BASED SSO for universal containers. SSO has been working for 3 months when Universal containers manually adds a batch of new users to salesforce. The new users receive an error from salesforce when trying to use SSO. Existing users are still able to successfully use SSO to access salesforce. What is the probable cause of this behavior? (2)
    • The administrator forgot to reset the new user’s salesforce password.
    • The Federation ID field on the new user records is not correctly set
    • The my domain capability is not enabled on the new user’s profile.
    • The new users do not have the SSO permission enabled on their profiles.
  • A group of users try to access one of universal containers connected apps and receive the following error message : “Failed : Not approved for access”. what is most likely to cause of the issue? (2)
    • The use of high assurance sections are required for the connected App.
    • The users do not have the correct permission set assigned to them.
    • The connected App setting “All users may self-authorize” is enabled.
    • The salesforce administrators gave revoked the Oauth authorization.
  • An Architect has configured a SAML-based SSO integration between Salesforce and an external Identity provider and is ready to test it. When the Architect attempts to log in to Salesforce using SSO, the Architect receives a SAML error. Which two optimal actions should the Architect take to troubleshoot the issue? (2,3)
    • Ensure the Callback URL is correctly set in the Connected Apps settings.
    • Use a browser that has an add-on/extension that can inspect SAML.
    • Paste the SAML Assertion Validator in Salesforce.
    • Use the browser’s Development tools to view the Salesforce page’s markup.

Leave a Reply

Your email address will not be published. Required fields are marked *