Overview
This article explains the cause and provides a solution for an “Unable to create user” error encountered during Single Sign-On (SSO) integration with Salesforce. This issue can occur when following the tutorial available in the Auth0 Dashboard by navigating to Applications > SSO Integrations, selecting the relevant SSO Integration, and then accessing the Tutorial tab.
A generic Salesforce error message may first appear:
We can’t log you in because of an issue with single sign-on. Contact your Salesforce admin for help.
Upon inspecting the network request, a more detailed error is displayed:
Unable to create user
Applies To
- Single Sign-On (SSO) integration with Salesforce
- Security Assertion Markup Language (SAML)
Cause
The error occurs because Salesforce cannot automatically create a user within its organization during the SSO authentication process. This typically happens when the SAML assertion sent by the identity provider (Auth0) is missing required user attributes for Just-in-Time (JIT) provisioning.
According to Salesforce documentation regarding Just-in-Time Provisioning for SAML, the identity provider must send user information to the Salesforce organization in an Attribute statement within the SAML assertion. Salesforce uses this data to create a new User object.
The following User object fields are required in the SAML assertion for the JIT provisioning process:
- LastName
- ProfileId (This is specific to the profile intended for user assignment in Salesforce)
- Username (required for insert operations only)
Solution
A potential workaround involves creating a Post-Login Action in Auth0 to set the attributes required by Salesforce in the SAML assertion. The following JavaScript code provides a starting point:
```javascript
exports.onExecutePostLogin = async (event, api) => {
  // Attributes Salesforce reads from the SAML assertion during JIT provisioning
  api.samlResponse.setAttribute('User.Email', event.user.email);
  // Must match an existing profile ID or name in the Salesforce organization
  api.samlResponse.setAttribute('User.ProfileId', 'Standard User');
  api.samlResponse.setAttribute('User.Username', event.user.email);
  // LastName is a required field; the Auth0 nickname is used as its source here
  api.samlResponse.setAttribute('User.LastName', event.user.nickname);
  api.samlResponse.setAttribute('User.Alias', event.user.name);
};
```
NOTE:
- For this Action to function correctly, the user profiles in Auth0 must already contain values for the necessary fields (e.g., `email`, `nickname`, `name`).
- Ensure the value assigned to `User.ProfileId` (e.g., “Standard User” in the example) corresponds to an existing profile ID or name in the Salesforce organization. To assign a different profile, replace “Standard User” with the desired profile identifier from Salesforce.
- The `User.Username` field is set to the email address in this example; however, this may require adjustment based on specific Salesforce organization requirements.
- The `User.Alias` field is also included in the example and may be adjusted or removed as needed.
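As an added example (not the article's or Auth0's own code), the same Action extended to check the three fields Salesforce requires for JIT provisioning before the assertion is sent, so a user profile missing a value produces an explicit Auth0 denial instead of Salesforce's “Unable to create user”. The secret name `SF_PROFILE_ID` and the `family_name` to `nickname` fallback for `User.LastName` are assumptions for illustration.

```javascript
// Added example, not the article's code. Validates the JIT attributes that
// Salesforce requires (LastName, ProfileId, Username) before setting them.
// Assumptions: the Salesforce profile identifier is kept in an Action secret
// named SF_PROFILE_ID (hypothetical name), with the article's 'Standard User'
// value as the fallback; LastName falls back from family_name to nickname.

const REQUIRED = ['User.LastName', 'User.ProfileId', 'User.Username'];

// Builds the attribute map from an Auth0 user profile and reports which
// required attributes have no value.
function buildSalesforceAttributes(user, profileId) {
  const attrs = {
    'User.Email': user.email,
    'User.Username': user.email,
    'User.ProfileId': profileId,
    'User.LastName': user.family_name || user.nickname,
    'User.Alias': user.name,
  };
  const missing = REQUIRED.filter((key) => !attrs[key]);
  return { attrs, missing };
}

async function onExecutePostLogin(event, api) {
  const profileId = (event.secrets && event.secrets.SF_PROFILE_ID) || 'Standard User';
  const { attrs, missing } = buildSalesforceAttributes(event.user || {}, profileId);

  // Fail closed with a readable reason instead of sending an assertion that
  // Salesforce will reject with "Unable to create user".
  if (missing.length > 0) {
    api.access.deny(`Salesforce JIT provisioning requires: ${missing.join(', ')}`);
    return;
  }

  // Only emit attributes that have a value; optional ones (Alias) may be absent.
  for (const [name, value] of Object.entries(attrs)) {
    if (value) {
      api.samlResponse.setAttribute(name, value);
    }
  }
}

exports.onExecutePostLogin = onExecutePostLogin;
```

The denial reason appears in the Auth0 tenant logs, which is where to look when a login fails before Salesforce is ever involved.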