+ Start a Discussion
Jared FowkesJared Fowkes 

SAML Login with Office 365 Fails for Single User

Our whole company logs into Salesforce using SSO hosted by Office 365.  However, one employee gets an error message stating "Single Sign-On Error: We can't log you in because of an issue with single sign-on.  Contact your Salesforce admin for help."

This user appears to be set up like everyone else.  I have even removed them from the integration and re-added them.  The logs in Azure AD show that the login attemp is successful, but Salesforce only show regular browser logins, no SAML logins like everyone elses do - I assume these are when he tries to log into the portal using his login and password rather than clicking on "Office 365 Login" and yes, I have watched him attempt to log in and know that he has clicked on the proper button.

Since there is no record of the failure in Salesforce, Azure AD says the authentication was successful, and everyone else is able to log in easily, I'm currently at a loss and appreciate any help.

Thank you,

AbhishekAbhishek (Salesforce Developers) 

When the "Single Sign-On: Delegated Authentication" feature is enabled in a Sandbox environment as well as at the profile level, the customer may get the error: "To login, contact Salesforce Customer Support to disable this feature.

To request disablement of 'Single Sign-On: Delegated Authentication'.

1. Ask a System Administrator to create a case with Salesforce Support.
2. Include the Organization ID and business need for this request.
3. Salesforce Support will review and action as needed.

Even with standards, you can raise a case for it.

Let me know if it helps you and close your query by marking it as solved so that it can help others in the future.

Lorena Sergent 9Lorena Sergent 9
Did you ever resolve this? We are having the exact same issue and we can't get any help from SF?? 
Jared FowkesJared Fowkes
We gave up and that user is using his own username and password instead of SSO.

What I'm most upset about regarding this is that there are no longs on the Saleforce side whatsoever and they refuse to look into that.  At least if there was a log for the authentication attempt I might be able to get somewhere with it.  My guess is that the user is bugged.
Steven FischerSteven Fischer

We had this issue last week. Microsoft Office logs said the SSO attempt was successful which makes sense since the user was able to successfully enter their correct email and password after clicking the Office365 SSO button. After doing so, SF couldn't authenticate the email to a user since the email was misspelled when the user was created... The domain was simply misspelled. Such a silly mistake to cause so much fuss.

Hope this helps someone. :)

Jared FowkesJared Fowkes
We were finally able to resolve the issue.  The problem was that the capitalization of the domain was different between Salesforce and Azure AD.  The resolution was to enable Make Federation ID case-insensitive in the Single Sign-On Settings and now everything works as expected.