Given a scenario, troubleshoot common points of failure that may be encountered in a Single Sign-on solution (SAML, OAuth, etc.).

Delegated Authentication

• If Delegated authentication is enabled and if there are login errors, details can be viewed under setup → Delegated Authentication Error History We can get details about the recent twenty one errors that can be filtered by username, login time and error.
• If Salesforce and the third party system cannot connect or if the request takes longer than 10 seconds to process, login attempts fail and user gets an error message indicating that the corporate authentication service is down.
• Webservice call passes username, password and sourceIP to the webservice. Webservice validates the passed information and returns a boolean value. If false is returned, user gets an error message that the username and password combination is invalid.

Federated Authentication

• If you cant login with SAML Assertion, check the login history and note the error message. Use SAML Assertion validator on the Single Sign On Settings configuration page to troubleshoot.
• Salesforce allows a maximum of 3 minutes for clock skew with your IDP server. Make sure that your server clock is up to date.
• For SAML 1.1 and 2.0, provide an error page under SAML settings. Users will be redirected to this error page when there is a SAML login error. This URL can be absolute or relative.
• Review SAML Login History for below errors under Login History.
  • Assertion Expired: An assertion’s timestamp is more than 5 minutes old. Salesforce does make an allowance of three minutes for clock skew. This means, in practice, that an assertion can be as much as eight minutes after the timestamp time, or three minutes before it. This amount of time may be less if the assertion’s validity period is less than five minutes.
  • Assertion Invalid: Invalid assertion, for example <subject> element of an assertion might be missing
  • Audience Invalid: Value specified in audience must be https://saml.salesforce.com
  • Configuration Error/Perm Disabled: Something is wrong with the SAML configuration in Salesforce. For example, the uploaded certificate might be corrupted, or the organization preference might have been turned off. To check your configuration, from Setup, enter Single Sign-On Settings in the Quick Find box, then select Single Sign-On Settings. Next, get a sample SAML assertion from your identity provider, and then click SAML Assertion Validator.
  • Issuer Mismatched: The issuer or entity ID specified in an assertion does not match the issuer specified in your Salesforce configuration.
  • Recipient Mismatched: The recipient specified in an assertion does not match the recipient specified in your Salesforce configuration.
  • Replay Detected: Same assertion ID was used more than once. Assertion IDs must be unique within an organization.
  • Signature Invalid: Signature of assertion cannot be validated by the certificate in your Salesforce configuration.
  • Subject Confirmation Error: Subject specified in the assertion does not match SAML configuration in Salesforce.
• SAML Assertion Validation Errors
  • IDP must include <AuthenticationStatement>
  • Any <Conditions> statements, must contain valid timestamp
  • The validity period specified in an assertion is honored. In addition, an assertion’s timestamp must be less than five minutes old, plus or minus three minutes, regardless of the assertion’s validity period setting. This allows for differences between machines. The NotBefore and NotOnOrAfter constraints must also be defined and valid.
  • If you are using SAML 1.1, both <AttributeName> and <AttributeNamespace> are required as part of the <AttributeStatement>.
  • If you are using SAML 2.0, only <AttributeName> is required.
  • The Format attribute of an <Issuer> statement must be set to “urn:oasis:names:tc:SAML:2.0:nameid-format:entity” or not set at all.
  • The subject of the assertion must be resolved to be either the Salesforce username or the Federation ID of the user.
  • The recipient specified in an assertion must match either the Salesforce login URL specified in the Salesforce configuration or the OAuth 2.0 token endpoint. This is a required portion of the assertion and is always verified.
  • The issuer specified in an assertion must match the issuer specified in Salesforce.
  • A valid signature must be included in the assertion. The signature must be created using the private key associated with the certificate that was provided in the SAML configuration.
• JIT Errors – Refer for JIT Errors

SSO for Portals/Sites

• Only customer and partner portals are supported.
• SP-Initated login is not supported
• For Portals both portal_id and organization_id attributes are required. If only one is specified, user receives an error.
• For Sites portal_id, organization_id and siteUrl attributes are required. If only one is specified, user receives an error.

OAuth

• OAuth 1.0 A Error Codes
• If an error occurs while processing SAML bearer assertion, server replies with a standard OAuth error response. The response includes the reasons why the token was considered invalid
• In JWT Bearer token flow, if an error occurs while server is responding access token, response contains errror message with below information
  • error—Error code
  • error_description—Description of the error with additional information
    • invalid_client_id—Invalid client identifier
    • invalid_request—refresh_token scope is required. Install and preauthorize the app.
    • invalid_app_acess—User isn’t approved by an admin to access this app
    • invalid_grant—User hasn’t approved this consumer
    • invalid_grant—Invalid assertion
    • invalid_grant—Invalid audience
    • invalid_grant—Authentication failure
• If an error occurs when processing the JWT bearer token, the server replies with a standard OAuth error response. The response includes the reasons why the token was considered invalid
• If an error occurs when processing refresh token flow, response contains error message with the following information
  • error—Error code
  • error_description—Description of the error with additional information.
    • unsupported_response_type—Response type not supported
    • invalid_client_id—Client identifier invalid
    • invalid_request—HTTPS required
    • invalid_request—Must use HTTP POST
    • invalid_client_credentials—Client secret invalid
    • invalid_request—Secret type not supported
    • invalid_grant—Expired access or refresh token
    • invalid_grant—IP restricted or invalid login hours
    • inactive_user—User is inactive
    • inactive_org—Org is locked, closed, or suspended
    • rate_limit_exceeded—Number of logins exceeded
    • invalid_scope—Requested scope is invalid, unknown, or malformed
• If an error occurs when processing Web Server flow, response contains error message with the following information
  • error—Error code.
  • error_description—Description of the error with the following information
    • unsupported_response_type—Response type not supported
    • invalid_client_id—Client identifier invalid
    • invalid_request—HTTPS required
    • invalid_request—Must use HTTP GET
    • invalid_request—Indicates that the code_challenge value was invalid (not base64url-encoded, for example)
    • invalid_request—Indicates that the flow doesn’t support and didn’t expect a code_challenge parameter
    • access_denied—User denied authorization
    • redirect_uri_missing—Redirect URI not provided
    • redirect_uri_mismatch—Redirect URI mismatch with connected app definition
    • immediate_unsuccessful—Immediately unsuccessful
    • invalid_scope—Requested scope is invalid, unknown, or malformed
• If an error occurs when processing Username – Password flow, response contains error message with the following information
  • error—Error code
  • error_description—Description of the error with additional information
    • unsupported_response_type—Response type not supported
    • invalid_client_id—Client identifier invalid
    • invalid_request—HTTPS required
    • invalid_request—Must use HTTP POST
    • invalid_request—Scope parameter not supported
    • invalid_client_credentials—Client secret invalid
    • invalid_grant—Authentication failure (for example, user does not exist or invalid password)
    • invalid_grant—IP restricted or invalid login hours
    • inactive_user—User is inactive
    • inactive_org—Org is locked, closed, or suspended
    • rate_limit_exceeded—Number of logins exceeded
• If an error occurs when processing User Agent flow, response contains error message with the following information
  • error—Error code
  • error_description—Description of the error with additional information
    • unsupported_response_type—Response type not supported
    • invalid_client_id—Client identifier invalid
    • invalid_request—HTTPS required
    • invalid_request—Must use HTTP GET
    • invalid_request—Out-of-band not supported
    • access_denied—User denied authorization
    • redirect_uri_missing—Redirect_uri not provided
    • redirect_uri_mismatch—Redirect_uri mismatch with connected app object
    • immediate_unsuccessful—Immediate unsuccessful
    • invalid_grant—Invalid user credentials
    • invalid_grant—IP restricted or invalid login hours
    • inactive_user—User is inactive
    • inactive_org—Org is locked, closed, or suspended
    • rate_limit_exceeded—Number of logins exceeded
    • invalid_scope—Requested scope is invalid, unknown, or malformed
• If an error occurs when processing Device Authentication Flow, response contains error message with the following information
  • error—Error code
    • access_denied—The user has denied access
    • authorization_pending—The user has not yet approved the device for access
    • invalid_grant—Device flow is not enabled for your connected app or we were unable to grant an access token
    • invalid_request—The device code specified in the polling request is invalid
    • server_error—The number of authorization requests from the client application exceeds the hourly limit
    • slow_down—The client application is polling the authorization server more frequently than the recommended minimum interval
  • error_description—Description of the error with additional information
• If an error occurs when processing SAML Assertion Flow response contains error message with the following information
  • error—Error code.
  • error_description—Description of the error with additional information.
    • unsupported_response_type—Response type not supported
    • invalid_request—HTTPS required
    • invalid_request—HTTP POST required
    • invalid_assertion_type—Specified assertion type not supported
    • invalid_grant—Invalid authorization code (make sure that the client sends a URL-encoded assertion and assertion_type)
    • invalid_grant—IP restricted or invalid login hours
    • inactive_user—User is inactive
    • inactive_org—Org is locked, closed, or suspended
    • rate_limit_exceeded—Number of logins exceeded
  • error_uri—Link to the SAML Assertion Validator, which contains more information about the failure. This error is returned only when Salesforce can parse the assertion.