Salesforce SSO SAML Integration Error: "Unable to create user"

Overview

This article explains the cause of, and a solution for, an "Unable to create user" error encountered during Single Sign-On (SSO) integration with Salesforce. The issue can occur when following the tutorial available in the Auth0 Dashboard: navigate to Applications > SSO Integrations, select the Salesforce SSO Integration, and open the Tutorial tab.

A generic Salesforce error message may first appear:

We can’t log you in because of an issue with single sign-on. Contact your Salesforce admin for help.

Upon inspecting the network request, a more detailed error is displayed:

Unable to create user

Applies To

  • Single Sign-On (SSO) integration with Salesforce
  • Security Assertion Markup Language (SAML)

Cause

The error occurs because Salesforce cannot automatically create a user in its organization during the SSO login. This typically happens when the SAML assertion sent by the identity provider (Auth0) lacks one or more of the user attributes Salesforce requires for Just-in-Time (JIT) provisioning, or carries an empty value for one of them.

According to the Salesforce documentation on Just-in-Time Provisioning for SAML, the identity provider must send the user information to the Salesforce organization in an Attribute statement within the SAML assertion. Salesforce uses this data to create a new User object. Each attribute is named after the Salesforce object and field it populates, joined with a dot (for example, User.Email).

The following User object fields are required in the SAML assertion for JIT provisioning:

  • Email
  • LastName
  • ProfileId (the ID, or name, of the Salesforce profile the new user should be assigned to)
  • Username (required for insert operations only, i.e. when Salesforce creates the user; an update of an existing user does not need it)

Solution

A potential workaround is to create a Post-Login Action in Auth0 that sets the attributes Salesforce requires in the SAML assertion. The following JavaScript code provides a starting point:

JavaScript
exports.onExecutePostLogin = async (event, api) => {
  // Each attribute name is the Salesforce object and field, joined with a dot.
  // Salesforce requires Email, LastName, ProfileId and (for inserts) Username.
  api.samlResponse.setAttribute('User.Email', event.user.email);
  // Profile to assign to the newly created user: a profile ID or profile name
  // that exists in the Salesforce organization.
  api.samlResponse.setAttribute('User.ProfileId', 'Standard User');
  // Salesforce usernames must be unique and formatted as an email address.
  api.samlResponse.setAttribute('User.Username', event.user.email);
  // Salesforce rejects the assertion if LastName is empty, so the Auth0
  // profile must carry a value for the field used here.
  api.samlResponse.setAttribute('User.LastName', event.user.nickname);
  // Alias is optional.
  api.samlResponse.setAttribute('User.Alias', event.user.name);
};

NOTE:

  • For this Action to function correctly, the user profiles in Auth0 must already contain values for the fields it reads (e.g., email, nickname, name). An attribute that is sent with an empty value does not satisfy Salesforce, so the error persists for users with incomplete profiles.
  • A Post-Login Action runs on every login in the tenant. In production, guard the attribute-setting code (for example, by checking event.client.client_id) so that these attributes are only added to the SAML response for the Salesforce integration.
  • Ensure the value assigned to User.ProfileId (e.g., "Standard User" in the example) corresponds to an existing profile ID or profile name in the Salesforce organization. To assign a different profile, replace "Standard User" with the desired profile identifier from Salesforce.
  • The User.Username field is set to the email address in this example. Salesforce usernames must be unique across all Salesforce organizations and formatted as an email address, so this value may require adjustment based on the organization's requirements.
  • The User.Alias field is optional; it is included in the example and may be adjusted or removed as needed.
  • If the error persists, the SAML Assertion Validator (Setup > Single Sign-On Settings in Salesforce) shows why Salesforce rejected the last assertion and is the quickest way to confirm which attribute is missing or invalid.
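The following is an added example that is not code from this article, from Auth0, or from Salesforce. It shows the required-attribute list from the Cause section and the Action from the Solution section combined into one Post-Login Action that only runs for the Salesforce client, prefers family_name over nickname for User.LastName, and denies the login with a descriptive reason (api.access.deny) when a required attribute would be empty, instead of letting Salesforce answer with the generic "Unable to create user". The SALESFORCE_CLIENT_ID constant and the profile name are placeholders you must replace; the runLocally harness and the SAMPLE_USERS objects are constructed here so the mapping can be checked offline before deploying the Action.

```javascript
// Added example (not from the article, Auth0 or Salesforce).
// Placeholders (assumptions): replace with the client_id of the Salesforce SSO
// Integration in Auth0 and the profile to assign to JIT-created users.
const SALESFORCE_CLIENT_ID = 'REPLACE_WITH_SALESFORCE_CLIENT_ID';
const SALESFORCE_PROFILE = 'Standard User';

// Attributes Salesforce requires before it will JIT-create a User
// (User.Username is required for inserts, which is what "create user" is).
const REQUIRED_JIT_ATTRIBUTES = [
  'User.Email', 'User.LastName', 'User.ProfileId', 'User.Username',
];

// Map an Auth0 user profile onto Salesforce User fields.
// LastName prefers family_name and falls back to nickname; if neither exists
// the value is left empty so the check below reports it instead of sending
// an assertion Salesforce will reject.
function buildJitAttributes(user, profileId) {
  const email = user.email || '';
  const lastName = user.family_name || user.nickname || '';
  return {
    'User.Email': email,
    'User.LastName': lastName,
    'User.ProfileId': profileId,
    // Salesforce usernames must be unique and email-shaped; the login email
    // is the usual choice.
    'User.Username': email,
    // Alias is optional and limited to 8 characters in Salesforce.
    'User.Alias': (user.name || lastName).slice(0, 8),
  };
}

// Names of required attributes that are missing or blank.
function missingJitAttributes(attrs) {
  return REQUIRED_JIT_ATTRIBUTES.filter(
    (name) => attrs[name] === undefined || String(attrs[name]).trim() === '',
  );
}

// Synchronous core so it can be exercised offline; the Action wrapper below
// keeps the async signature Auth0 expects.
function applyJitAttributes(event, api) {
  // Only touch the SAML response for the Salesforce integration.
  if (event.client.client_id !== SALESFORCE_CLIENT_ID) return;

  const attrs = buildJitAttributes(event.user, SALESFORCE_PROFILE);
  const missing = missingJitAttributes(attrs);
  if (missing.length > 0) {
    // Fail with an actionable reason instead of Salesforce's generic error.
    api.access.deny(`Salesforce JIT provisioning needs: ${missing.join(', ')}`);
    return;
  }
  for (const [name, value] of Object.entries(attrs)) {
    if (value) api.samlResponse.setAttribute(name, value);
  }
}

const onExecutePostLogin = async (event, api) => {
  applyJitAttributes(event, api);
};
// Export in the shape Auth0 Actions expect when loaded as CommonJS.
if (typeof exports !== 'undefined') exports.onExecutePostLogin = onExecutePostLogin;

// Constructed sample profiles for offline testing (not real users).
const SAMPLE_USERS = {
  complete: { email: 'jane.doe@example.com', family_name: 'Doe', name: 'Jane Doe' },
  noLastName: { email: 'bob@example.com', name: 'Bob' },
};

// Offline harness: a fake api that records setAttribute calls and deny reasons.
function runLocally(user, clientId = SALESFORCE_CLIENT_ID) {
  const attributes = {};
  let denied = null;
  const api = {
    samlResponse: { setAttribute: (name, value) => { attributes[name] = value; } },
    access: { deny: (reason) => { denied = reason; } },
  };
  applyJitAttributes({ user, client: { client_id: clientId } }, api);
  return { attributes, denied };
}

console.log(runLocally(SAMPLE_USERS.complete));
console.log(runLocally(SAMPLE_USERS.noLastName));
```

Running the block prints the attributes that would be added for the complete profile and the deny reason ("Salesforce JIT provisioning needs: User.LastName") for the profile without a last name; a login for any client other than the Salesforce integration leaves the SAML response untouched.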