Dr. Thomas Miller

Defect in SAML Single Sign-On settings

There seems to be a defect in SAML Single Sign-On settings, at least in conjunction with JIT.
We had a SAML integration working with two IDP providers and using JIT, retrieving the federation id from the subject.
To avoid duplicates between these two providers we changed this to retrieve the federation id from an extra attribute (whose value was designed to differentiate the two IDPs).
-> SAML validator throws an error "Unable to map the subject to a Salesforce.com user" - note that it talks about "subject"
-> no debug logs are created for the JIT handler, so it seems that the JIT handler is not even called
Sandhya (Salesforce Developers)
Hi Thomas Miller,

Federation ID is case sensitive. Once I get the nameID in the subject to match the case of the Federation ID set in Salesforce it works.

From below link

Please refer to the link below; you may get some information on this.

Hope this helps you!

Please mark it as Best Answer if my reply was helpful. It will make it available for others as the proper solution.
Thanks and Regards

Dr. Thomas Miller
Hello Sandhya,
Case sensitivity is checked and not the cause of the problem. Also note that we are using JIT and the JIT handler would create a new user if the federationid isn't matching an existing one. However, the JIT handler isn't even called.
It really seems that "get id from attribute" doesn't work together with JIT (although specified). As soon as we moved the federationid into the name field the solution started working again.
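
A way to check what the IdP actually sends in each location discussed in this thread (subject NameID versus an extra attribute), as an added example that is not part of the original posts and not Salesforce code. The attribute name `federationId`, the sample assertion and the known Federation IDs are constructed assumptions, and the comparison only mirrors the case-sensitive matching described above.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample assertion (not captured from a real IdP). Diagnostic use
# only: the signature is not verified here, and for XML from an untrusted
# source a hardened parser such as defusedxml should replace ElementTree.
SAMPLE = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Subject><saml:NameID>jdoe</saml:NameID></saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="federationId">
      <saml:AttributeValue>IdpA:JDoe</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

def identifier_candidates(assertion_xml, attribute_name):
    """Return the identifier found in the Subject NameID and in the named attribute."""
    root = ET.fromstring(assertion_xml)
    name_id = root.find("./saml:Subject/saml:NameID", NS)
    found = {
        "subject": name_id.text.strip() if name_id is not None and name_id.text else None,
        "attribute": None,
    }
    for attr in root.iterfind("./saml:AttributeStatement/saml:Attribute", NS):
        if attr.get("Name") == attribute_name:  # attribute names are compared exactly
            value = attr.find("saml:AttributeValue", NS)
            if value is not None and value.text:
                found["attribute"] = value.text.strip()
    return found

def diagnose(assertion_xml, attribute_name, known_federation_ids):
    """Classify each candidate: exact match, case mismatch, no match, or missing."""
    lowered = {fid.lower() for fid in known_federation_ids}
    report = {}
    for source, value in identifier_candidates(assertion_xml, attribute_name).items():
        if value is None:
            report[source] = "missing"
        elif value in known_federation_ids:
            report[source] = "exact match"
        elif value.lower() in lowered:
            report[source] = "case mismatch"  # would fail a case-sensitive lookup
        else:
            report[source] = "no match"
    return report

if __name__ == "__main__":
    print(diagnose(SAMPLE, "federationId", {"IdpA:jdoe"}))
```
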