Salesforce SSO SAML Integration Error: "Unable to create user"

auth0.knowledge2 · May 7, 2025, 8:07pm

Overview

This article explains the cause and provides a solution for an “Unable to create user” error encountered during Single Sign-On (SSO) integration with Salesforce. This issue can occur when following the tutorial available in the Auth0 Dashboard by navigating to Applications > SSO Integrations, selecting the relevant SSO Integration, and then accessing the Tutorial tab.

A generic Salesforce error message may first appear:

We can’t log you in because of an issue with single sign-on. Contact your Salesforce admin for help.

Upon inspecting the network request, a more detailed error is displayed:

Unable to create user

Applies To

Single Sign-On (SSO) integration with Salesforce
Security Assertion Markup Language (SAML)

Cause

The error occurs because Salesforce cannot automatically create a user within its organization during the SSO authentication process. This typically happens when the SAML assertion sent by the identity provider (Auth0) is missing required user attributes for Just-in-Time (JIT) provisioning.

According to Salesforce documentation regarding Just-in-Time Provisioning for SAML, the identity provider must send user information to the Salesforce organization in an Attribute statement within the SAML assertion. Salesforce uses this data to create a new User object.

The following User object fields are required in the SAML assertion for the JIT provisioning process:

Email
LastName
ProfileId (This is specific to the profile intended for user assignment in Salesforce)
Username (required for insert operations only)

Solution

A potential workaround involves creating a Post-Login Action in Auth0 to set the attributes required by Salesforce in the SAML assertion. The following JavaScript code provides a starting point:

JavaScript
exports.onExecutePostLogin = async (event, api) => {
  api.samlResponse.setAttribute('User.Email', event.user.email);
  api.samlResponse.setAttribute('User.ProfileId','Standard User');
  api.samlResponse.setAttribute('User.Username', event.user.email);
  api.samlResponse.setAttribute('User.LastName', event.user.nickname);
  api.samlResponse.setAttribute('User.Alias', event.user.name);
};

NOTE:

For this Action to function correctly, the user profiles in Auth0 must already contain values for the necessary fields (e.g., email, nickname, name).
Ensure the value assigned to User.ProfileId (e.g., “Standard User” in the example) corresponds to an existing profile ID or name in the Salesforce organization. To assign a different profile, replace “Standard User” with the desired profile identifier from Salesforce.
The User.Username field is set to the email address in this example; however, this may require adjustment based on specific Salesforce organization requirements.
The User.Alias field is also included in the example and may be adjusted or removed as needed.

Topic		Replies	Views
Can't make SSO integration to Salesforce Community Get Help auth0 , sso , rules , login , salesforce	4	9381	February 19, 2020
The error message occurs while logging to Salesforce: Unable to map an unique profile id for the given profile name Get Help profile , unique-property	2	7149	March 2, 2018
Pre Registation Flow with SAML User Get Help login-experience , signup-prompt-new-experience	4	748	October 27, 2023
Need to perform SSO with Salesforce Community using SAML Get Help saml , sso , salesforce	2	4289	August 12, 2021
AssertionConsumerServiceURL is invalid while logging from Salesforce Get Help sso , salesforce	2	4262	August 26, 2019

Salesforce SSO SAML Integration Error: "Unable to create user"

Overview

Applies To

Cause

Solution

Related topics