Robin Barnwell

Single Sign-on Set-up - aaaarrrggghhhh!!!!!

I just can't work this out.  I've read and re-read the Salesforce documentation.  All I want to do is connect my Community to the internal Identity Provider.

1. I have a Salesforce Org with a Community, nothing special - community is active and published, standard template, no customization

2. I set-up My Domain and this automatically creates a SAML identity provider for the new domain.  It included a self-signed certificate plus metadata end-points for the Domain and the Community Domain.

3. I set-up both domains as Remote Sites so I can then set them up for SSO

4. I enable Single Sign-on and set-up the Community as per the instructions:  https://developer.salesforce.com/docs/atlas.en-us.sso.meta/sso/sso_examples_sf2sf.htm
"To set up a community as a service provider, use the community URL under SAML Metadata Discovery Endpoints on the Identity Provider page. Upload the SAML metadata from this URL. Using the metadata populates the service provider’s SAML SSO settings, including the Login URL that points to the community. When you define a connected app on the identity provider, specify this Login URL as the ACS URL."

5. I set-up the community as a connected app and use the Entity ID and HTTPRedirect URL specified

6. I update the community to enable access to this SSO login.  I get it showing on the login screen, but it doesn't work.  What can I do to debug this??

Community Login Page

SSO Page - no login
Robin Barnwell
I've got a SAML assertion validator trace if that helps
Unexpected Exceptions
1. Validating the Status
2. Looking for an Authentication Statement
3. Looking for a Conditions statement
4. Checking that the timestamps in the assertion are valid
5. Checking that the Attribute namespace matches, if provided
  Not Provided
6. Miscellaneous format confirmations
7. Confirming Issuer matches
8. Confirming a Subject Confirmation was provided and contains valid timestamps
9. Checking that the Audience matches
10. Checking the Recipient
  Incorrect recipient
  Recipient that we found in the assertion: https://ssotest-comm.cs85.force.com/community/idp/endpoint/HttpRedirect
  Recipients that we expected based on the Single Sign-On Settings page:
  Regular flow: https://test.salesforce.com?so=00D6E0000008z9w
  OAuth2 flow: https://test.salesforce.com/services/oauth2/token?so=00D6E0000008z9w
  MyDomain Regular flow: https://20180618--SSOTest.cs85.my.salesforce.com?so=00D6E0000008z9w
  MyDomain OAuth2 flow: https://20180618--SSOTest.cs85.my.salesforce.com?so=00D6E0000008z9w%2Fservices%2Foauth2%2Ftoken&so=00D6E0000008z9w
  Warning: Salesforce custom domains (such as those created using My Domain) must be all lowercase.
  Organization Id that we expected: 00D6E0000008z9w
  Organization Id that we found based on your assertion: null
11. Validating the Signature
  Is the response signed? true
  Is the assertion signed? true
  The reference in the response signature is valid
  The signature in the assertion is not valid
  The reference in the assertion signature is valid
  Is the correct certificate supplied in the keyinfo? true
  Signature or certificate problems
  The signature in the response is not valid
12. Checking that the Site URL Attribute contains a valid site url, if provided
  Not Provided
13. Looking for portal and organization id, if provided
  Not Provided
14. Checking if session security level is valid, if provided

Vijay Gurusamy
How did you resolve this issue and set up SSO for communities?
Robin Barnwell
I had a long call with the Product Manager at Salesforce.  It turns out there is no such thing as SSO between a Salesforce Community and the Org that it is part of.  So there is no set-up required.