Can't make SSO integration to Salesforce Community

Hi,

I have tried to set up an SSO integration to a Salesforce community following the steps in the tutorial and in the setup.

Whenever I try to log in with Auth0 I get the following error at login:

“We can’t log you in. Check for an invalid assertion in the SAML Assertion Validator (available in Single Sign-On Settings) or check the login history for failed logins.”

…and in the SAML Assertion Validator I get:

Results

Last recorded SAML login failure: 2019-10-16T14:17:52.537Z
Unexpected Exceptions
Ok
1. Validating the Status
Ok
2. Looking for an Authentication Statement
Ok
3. Looking for a Conditions statement
Ok
4. Checking that the timestamps in the assertion are valid
Ok
5. Checking that the Attribute namespace matches, if provided
Not Provided
6. Miscellaneous format confirmations
Ok
7. Confirming Issuer matches
Ok
8. Confirming a Subject Confirmation was provided and contains valid timestamps
Ok
9. Checking that the Audience matches
Ok
10. Checking the Recipient
Ok
11. Validating the Signature
Is the response signed? false
Is the assertion signed? true
Is the correct certificate supplied in the keyinfo? true
Ok
12. Checking that the Site URL Attribute contains a valid site url, if provided
Not Provided
13. Looking for portal and organization id, if provided
Not Provided
14. Checking if session security level is valid, if provided
Ok

Subject: auth0|xxxx
Unable to map the subject to a Salesforce.com user

AssertionId: xxxx

I’ve also tried creating a rule to set email as the nameidentifier instead, but it’s still the above error that occurs.

Is anyone able to see what I am doing wrong? Am I not supposed to set the subdomain to the community as “Salesforce Domain” in the SSO settings in Auth0?

There has to be someone that has successfully set up SSO for a Salesforce Community! Hope this someone can help me :)

Having the same issue, did you manage to solve this?

Hi, fortunately I wrote these instructions for my colleagues when I had managed to fix the assertion with a rule in Auth0. Hope it’s helpful even if you are not setting up SSO with Swedish BankID or Federation ID / ssn.

See below:
Before setting up the SSO, make sure that you have created ADFS enterprise connections for BankID.

  1. In the Auth0 dashboard, go to “SSO integrations”, click “Create SSO integration” and then select “Salesforce” as provider

  2. Choose a name that describes what the integration will do and then click “Create”

  3. Before you start following the instructions provided by Auth0, go to the settings tab and:

  4. Keep or modify the name of the integration

  5. Set the community subdomain with “/login” appended as “Salesforce Domain”, for example: “demo.force.com/login”. The subdomain can be found under “Domains” in Salesforce Setup

  6. Set the “Entity ID” to the subdomain URL, for example “https://demo.force.com”. Setting it to this is better practice than using something arbitrary as suggested by Auth0

  7. Save the settings and go back to the “Tutorial” tab, follow the instructions there and make sure to copy the settings directly to the designated fields in the “SAML Single Sign-On Setting” you are creating

  8. If you disregard the second screenshot in the instructions you can see some additional settings under it. The “Request Signature Method” should already be set to “RSA-SHA256”. For “SAML Identity Type”, we will be using “Federation ID”, which is the option “Assertion contains the Federation ID from the User object” under “SAML Identity Type” in the SAML Single Sign-On Setting. We choose this since we are going to map the “ssn” (Social Security Number) on the BankID test user in Auth0 with “Federation ID” on the user object in Salesforce

  9. Save the SAML Single Sign-On Setting in Salesforce and navigate to “Rules” in the Auth0 dashboard

  10. We are going to create a new rule to modify the mapping between the ADFS test user profile in Auth0 and user object in Salesforce. By default the “user_id” is given as name identifier by Auth0 and mapped against the Federation ID. By creating a new rule we can change it to ssn instead

  11. Click “Create rule” and select the template “SAML Attributes Mapping”, change the example code to the below snippet and save
    function (user, context, callback) {
      // Only remap for users coming from the ADFS (BankID) connection
      if (context.connectionStrategy === "adfs") {
        context.samlConfiguration.mappings = {
          // NameID (the SAML Subject) is taken from the "ssn" profile attribute
          "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier": "ssn",
          "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress": "email",
          "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name": "name"
        };
      }
      callback(null, user, context);
    }

  12. To allow access to users no matter their email domain we have to create another rule. This time you can choose the template “Whitelist”. Change the code to the below and save
    function (user, context, callback) {
      // Let the user through when the profile has an email or is marked verified
      if (user.email || user.email_verified) {
        return callback(null, user, context);
      }
      callback(new UnauthorizedError('Access denied.'));
    }

  13. Now the Auth0 configuration is ready! To be able to test it, the Auth0 login option has to be enabled for the community. Go to the “Workspaces” for the community, then Administration → Login & Registration and check the Auth0 SSO under “Login Page Setup”. Save this configuration and go to the login url for the community

  14. Login!

Troubleshooting

If it’s not working, go to the SAML Assertion Validator in the Single Sign-On Settings and check the error log. Keep in mind that the “Subject” will be the test user’s ssn in our case.

You can also whitelist your email with a new Whitelist rule in the Auth0 dashboard if you experience verification issues when trying to log in.
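
The mapping rule from step 11 can be dry-run locally before it is saved in the dashboard. This is an added example, not part of the original post and not Auth0 code: `resolveSubject`, `dryRun` and the sample users are hypothetical, and the way the Subject is chosen is a simplified model of what the post describes (the `user_id` by default, the mapped attribute once the rule has run).

```javascript
const NAMEID = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier";

// The rule from step 11, given a name so it can be called outside Auth0.
function mapSamlAttributes(user, context, callback) {
  if (context.connectionStrategy === "adfs") {
    context.samlConfiguration.mappings = {
      [NAMEID]: "ssn",
      "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress": "email",
      "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name": "name"
    };
  }
  callback(null, user, context);
}

// Assumption (simplified model): the Subject is the profile attribute mapped
// to nameidentifier, or user_id when the rule left the mappings untouched.
function resolveSubject(user, context) {
  const mappings = context.samlConfiguration.mappings || {};
  return user[mappings[NAMEID] || "user_id"];
}

// Run the rule for one user and compare the Subject with known Federation IDs.
function dryRun(user, connectionStrategy, federationIds) {
  const context = { connectionStrategy, samlConfiguration: {} };
  let result = null;
  mapSamlAttributes(user, context, (err, u, ctx) => {
    const subject = resolveSubject(u, ctx);
    if (subject === undefined || subject === "") {
      result = { subject: null, ok: false, reason: "mapped attribute missing on profile" };
    } else if (!federationIds.has(String(subject))) {
      result = { subject, ok: false, reason: "no Salesforce user with this Federation ID" };
    } else {
      result = { subject, ok: true, reason: "match" };
    }
  });
  return result;
}

// Constructed sample data (not real identifiers).
const federationIds = new Set(["SSN-TEST-0001"]);
const adfsUser = { user_id: "adfs|bankid|abc", ssn: "SSN-TEST-0001", email: "a@example.com" };
const dbUser = { user_id: "auth0|0123456789", email: "b@example.com" };
const adfsNoSsn = { user_id: "adfs|bankid|def", email: "c@example.com" };

console.log(dryRun(adfsUser, "adfs", federationIds));   // Subject is the ssn: match
console.log(dryRun(dbUser, "auth0", federationIds));    // rule skipped: Subject stays user_id
console.log(dryRun(adfsNoSsn, "adfs", federationIds));  // ssn absent on the profile
```

The second case reproduces the validator message from the first post: a user from a non-ADFS connection keeps an `auth0|…` Subject, which matches no Federation ID.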


Thanks a lot for sharing this, managed to get it to work :)
