daustin

SAML JIT Issues

I'm having issues with the SAML SSO's Just In Time setup.

 

The SAML login works fine until I enable JIT. After I enable JIT, I receive the error "Unable to map an unique profile id for the given profile name" (Error Code: 16).

 

The documentation does not seem to have any information about this error... Also, what should I be passing in for profile id? I hardcoded my user's profile id on salesforce, but I won't have this in a real world scenario with dynamic users. (Hence the JIT setup)... Ideas?

 

 

<?xml version="1.0"?>
<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="pfx766d4df1-1929-1d78-9b19-71d1b84296fe" Version="2.0" IssueInstant="2012-04-11T21:26:57Z" Destination="https://login.salesforce.com/?saml=02HKiPoin4qyAn.NYkIUhJDYI0BT_TbEY0rXygRfivhnkIXjjdBH54OvHd" InResponseTo="_2JxOJfTkGTgItVu3EbyxlErXVdt74BLUUCq_wkVVR80YIP60D_qeBAf4QClp4BJt7ryoZ9_YGyeTrtNdhtW30KMjAVwJ7tZabLuHVozctle78mdu1lSl.nPORoi7kYd.1Sk7xp31CA306.riHFBhm7tizQArvJgtWcivaOIDv24wy3cIfeX7JeDdTblcrA82f3aL3DEihSkJm01B_VbJdGwCwNbTrYQ">
  <saml:Issuer>ONEsite</saml:Issuer>
  <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
  <ds:SignedInfo><ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
    <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
  <ds:Reference URI="#pfx766d4df1-1929-1d78-9b19-71d1b84296fe"><ds:Transforms><ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/><ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/></ds:Transforms><ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/><ds:DigestValue>fGizXC/YYdUxw6buGR+CgZ49tn8=</ds:DigestValue></ds:Reference></ds:SignedInfo><ds:SignatureValue>1AQREJhC81C2Za2ph7uX6W438fs6R+UUCARN3eedJmwXwtn8HdyPKsIh+0gjZ+JsaQJ++anbrvZQ041dA+IdRxrdcDVwwDbzKoD01tDUyWiBQMptC7jn6yN8eLgEi6Cm++P0Yki2SFeylLHz8H2ZXUq9B1t04SapNDbSSfMYZhw=</ds:SignatureValue>
<ds:KeyInfo><ds:X509Data><ds:X509Certificate>MIICeTCCAeICCQD/DLLXx9QfOzANBgkqhkiG9w0BAQUFADCBgDELMAkGA1UEBhMCVVMxETAPBgNVBAgTCE9rbGFob21hMRYwFAYDVQQHEw1Pa2xhaG9tYSBDaXR5MRAwDgYDVQQKEwdPTkVzaXRlMRAwDgYDVQQDEwdvbmVzaXRlMSIwIAYJKoZIhvcNAQkBFhNkZXJyaWNrQG9uZXNpdGUuY29tMB4XDTEyMDMyOTIyMTgxOVoXDTM5MDgxNDIyMTgxOVowgYAxCzAJBgNVBAYTAlVTMREwDwYDVQQIEwhPa2xhaG9tYTEWMBQGA1UEBxMNT2tsYWhvbWEgQ2l0eTEQMA4GA1UEChMHT05Fc2l0ZTEQMA4GA1UEAxMHb25lc2l0ZTEiMCAGCSqGSIb3DQEJARYTZGVycmlja0BvbmVzaXRlLmNvbTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEA5bzDaISNuXT0UFOQlCUrdFrqg1VFC73+4LzNC4lfIsRKJjNLmTXtMsrgxs8xmBwRViY/h59lExC3tLc5nY1441Ye1ZGOq22E5ZoKBx5R8vaUvgDUa9d1CapCBLqCGI+dQoiuFwBOTk/RN9kBcHN6d5M7MX9ozzgiaBRiSQIczTUCAwEAATANBgkqhkiG9w0BAQUFAAOBgQBjLwDo4rlqSg6KNKLjtf91+YXDENhU+uip4a0CWKVIHgeLAzQXvXjP4Ht8+xQHuP7lNRth+OlaK1AU+W7j7jAMy1TJEOVVY4JuGjOenS1PhsKMyZRA2IaBl315dNmm3gHExAbtIqF/kmSH7IHXcYIdJNNzWZYWiZ7zU9aLnjhMyQ==</ds:X509Certificate></ds:X509Data></ds:KeyInfo></ds:Signature>
  <samlp:Status>
    <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
  </samlp:Status>
  <saml:Assertion xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xs="http://www.w3.org/2001/XMLSchema" ID="pfxc755b00c-a5de-87e6-d1bf-6726a094d9ca" Version="2.0" IssueInstant="2012-04-11T21:26:57Z">
    <saml:Issuer>ONEsite</saml:Issuer>
    <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
  <ds:SignedInfo><ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
    <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
  <ds:Reference URI="#pfxc755b00c-a5de-87e6-d1bf-6726a094d9ca"><ds:Transforms><ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/><ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/></ds:Transforms><ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/><ds:DigestValue>877uX4K4I6Q/wJoeFkDTYHer+6w=</ds:DigestValue></ds:Reference></ds:SignedInfo><ds:SignatureValue>zlzoLhtOPdgHSkDNfj2NjedDB1Pp2hgzSe4rgXj8vSqBHptTM1VcI3AhjlRyGOHWh8qBIGBNxMOBteVJcWyP7HC8yA5t3a0f4aGr6BLHaXSuy9cUg7zhbA7b0GMFi2RBffAY2Fruj7MhDzxeOn6vx/V0uKLlec4FXd/Ky3Kczm0=</ds:SignatureValue>
<ds:KeyInfo><ds:X509Data><ds:X509Certificate><!-- certificate elided: duplicate of the ONEsite certificate in the Response-level Signature above --></ds:X509Certificate></ds:X509Data></ds:KeyInfo></ds:Signature>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">squared3</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData NotOnOrAfter="2012-04-11T21:31:57Z" Recipient="https://login.salesforce.com/?saml=02HKiPoin4qyAn.NYkIUhJDYI0BT_TbEY0rXygRfivhnkIXjjdBH54OvHd" InResponseTo="_2JxOJfTkGTgItVu3EbyxlErXVdt74BLUUCq_wkVVR80YIP60D_qeBAf4QClp4BJt7ryoZ9_YGyeTrtNdhtW30KMjAVwJ7tZabLuHVozctle78mdu1lSl.nPORoi7kYd.1Sk7xp31CA306.riHFBhm7tizQArvJgtWcivaOIDv24wy3cIfeX7JeDdTblcrA82f3aL3DEihSkJm01B_VbJdGwCwNbTrYQ"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions NotBefore="2012-04-11T21:26:27Z" NotOnOrAfter="2012-04-11T21:31:57Z">
      <saml:AudienceRestriction>
        <saml:Audience>https://saml.salesforce.com</saml:Audience>
      </saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AuthnStatement AuthnInstant="2012-04-11T21:26:57Z" SessionNotOnOrAfter="2012-04-12T05:26:57Z" SessionIndex="_b6c9e3c74e52b2a7ab0745fe54c039e52658cf57aa">
      <saml:AuthnContext>
        <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</saml:AuthnContextClassRef>
      </saml:AuthnContext>
    </saml:AuthnStatement>
    <saml:AttributeStatement>
      <saml:Attribute Name="ProvisionVersion">
        <saml:AttributeValue xsi:type="xs:string">1.0</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="User.Username">
        <saml:AttributeValue xsi:type="xs:string">user@example.com</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="User.Phone">
        <saml:AttributeValue xsi:type="xs:string"/>
      </saml:Attribute>
      <saml:Attribute Name="User.FirstName">
        <saml:AttributeValue xsi:type="xs:string">FirstName</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="User.LanguageLocaleKey">
        <saml:AttributeValue xsi:type="xs:string">en_US</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="User.Alias">
        <saml:AttributeValue xsi:type="xs:string">Alias</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="User.LastName">
        <saml:AttributeValue xsi:type="xs:string">LastName</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="User.Email">
        <saml:AttributeValue xsi:type="xs:string">user@example.com</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="User.FederationIdentifier">
        <saml:AttributeValue xsi:type="xs:string">squared3</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="User.ProfileId">
        <saml:AttributeValue xsi:type="xs:string">005d00000019aXk</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="User.IsActive">
        <saml:AttributeValue xsi:type="xs:integer">1</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="User.EmailEncodingKey">
        <saml:AttributeValue xsi:type="xs:string">UTF-8</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="federationId">
        <saml:AttributeValue xsi:type="xs:string">squared3</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>
Best Answer chosen by Admin (Salesforce Developers) 
BrendanOC

You are putting the user's UserID in the ProfileID field. User IDs always start with the prefix 005.  Profile IDs always start with the prefix 00e.

You need to specify which Profile (by ID) that you want the JIT User to have.  Users must have a profile, so you cannot create a user (through the UI, API, or JIT SAML) without specifying the profile ID.

 

Try this:  select a user in your org that you want to mimic.  Let's call him Bob and say his username is bob@company.com.  Open the apex developer console (Top right of the screen next to Setup) and type the following apex code:

// Query Bob by username; the debug output shows his User Id (005...) and Profile Id (00e...)
User u = [SELECT Id, Username, ProfileId FROM User WHERE Username = 'bob@company.com'];

System.debug(u);

 

You should see 3 values in your debug log:

Bob's username = bob@company.com

Bob's User ID = 005xxxxxxxxxxxx

Bob's Profile ID = 00exxxxxxxxxxx

 

You now have Bob's profile ID.  Put this ID in your JIT SAML and it should work.

 

Hope that helps!

 

 

 

All Answers

daustin

Thanks Brendan, that explains the ProfileID much better. :)

UniqueG.

Hi daustin--

 

How do you differentiate your user profiles from one another? Are your profiles correlating to a security group of some sort i.e. AD or are you using an API to query against SF existing users?

 

We're using JIT with ADFS 2.0 and attempting to dynamically generate new users using JIT SAML and log in existing users using NameID.

 

Is the API a requirement for JIT?

 

Any guidance is appreciated.

 

Regards,

 

uglover

daustin

The "federationID" is used to distinguish between users. Depending on your setup you can either pass this in as an attribute or nameID.

 

      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">squared3</saml:NameID>
UniqueG.

SAML User ID Type: Assertion contains the Federation ID from the User object

SAML User Location: User ID is in the NameIdentifier element of the Subject statement

 

Are you hard-coding your Profile ID's for JIT?

 

<Subject>
  <NameID>am222222</NameID>
  <SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
    <SubjectConfirmationData NotOnOrAfter="2012-04-04T01:22:04.803Z" Recipient="https://test.salesforce.com/?saml=" />
  </SubjectConfirmation>
</Subject>
<Conditions NotBefore="2012-04-04T01:17:04.688Z" NotOnOrAfter="2012-04-04T02:17:04.688Z">
  <AudienceRestriction>
    <Audience>https://xxx.xxx.my.salesforce.com</Audience>
  </AudienceRestriction>
</Conditions>
<AttributeStatement>
  <Attribute Name="User.Email"><AttributeValue>Abbey.Mattey@xxx.com</AttributeValue></Attribute>
  <Attribute Name="User.LastName"><AttributeValue>Mattey</AttributeValue></Attribute>
  <Attribute Name="User.FederationIdentifier"><AttributeValue>am222222</AttributeValue></Attribute>
  <Attribute Name="User.Username"><AttributeValue>am222222@xxx.com.chatter</AttributeValue></Attribute>
  <Attribute Name="User.ProfileID"><AttributeValue>00eQ0000000DtWv</AttributeValue></Attribute>
</AttributeStatement>
<AuthnStatement AuthnInstant="2012-04-04T00:24:39.300Z" SessionIndex="_c8bfacee-adbd-41f5-98e5-eabf1377fb16">
  <AuthnContext>
    <AuthnContextClassRef>urn:federation:authentication:windows</AuthnContextClassRef>
  </AuthnContext>
</AuthnStatement>
</Assertion></samlp:Response>

UniqueG.

I guess what I am failing to understand is how can I log existing users in without modifying their profile type. I am sending over a "Chatter Free Profile" using JIT (user.profileID) but the assertion seems to be trying to update existing user profiles -- changing their profile type from system administrator to Chatter free (for example)

 

This leads me to believe there needs to be some logic to differentiate between a new user and existing user. Also, my existing users already have their Federation ID field inserted with the ID coming across from the NameID subject.

 

Thanks,

 

UniqueG.

jboveda

I'm very sad to see this as an issue that's over a year old. It's a huge hole in JIT provisioning. To reiterate:

 

JIT provisioning requires a hardcoded Profile to create users. You can use either a ProfileID (recommended) or a ProfileName in its place which cannot resolve ambiguously (e.g. if you put in 'Custom: Basic User' you can't have profiles named 'Custom: Basic User' and 'Custom: Basic User Extended'). Since you're hardcoding the profile, when a user logs in, the JIT provisioner tries to change the profile to what's hardcoded.

 

This is a glaring ERROR in the functionality of this feature over a year old.

 

Profiles should NOT be UPDATED, only INSERTED.

 

Please fix! Thanks!

Surabhi Agrawal 8
Hello,
I am also working on JIT provisioning, and the existing users' profile is getting updated. (Big issue, as we don't want System Admin to change to Standard User.) Did using a custom SAML JIT Apex class help?
Aleksandar Spasov 10
Hello guys, 2021 one here. Is there any solution for this? Has anyone been able to somehow NOT update existing users' profileID?
Is there
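The fix Surabhi and Aleksandar are asking about (a custom SAML JIT handler that leaves an existing user's profile alone) looks roughly like the following. This is an added example, not code from this thread or from Salesforce: it implements the Auth.SamlJitHandler interface, which Salesforce calls as createUser when no User has the incoming Federation ID and as updateUser when one does. The attribute names (User.Username, User.Email, User.ProfileId / User.ProfileID, and so on) are the ones in the assertions posted above; the class name, the "Standard User" fallback profile and the default locale and time zone values are assumptions to replace for your org. It also turns Brendan's 005-versus-00e point into an explicit check rather than the opaque "Unable to map an unique profile id" error.

```apex
// Added example, not code from the thread. Implements Auth.SamlJitHandler so the
// profile is resolved only when a user is CREATED and never touched when an
// existing user logs in. Attribute keys follow the assertions posted above;
// values marked ASSUMED are placeholders for your org.
global class ProfilePreservingJitHandler implements Auth.SamlJitHandler {

    // Key prefixes from Brendan's answer: 005 = User, 00e = Profile.
    private static final String USER_PREFIX    = '005';
    private static final String PROFILE_PREFIX = '00e';
    // ASSUMED fallbacks used for a new user when the IdP sends nothing usable.
    private static final String DEFAULT_PROFILE_NAME = 'Standard User';
    private static final String DEFAULT_TIMEZONE     = 'America/New_York';
    private static final String DEFAULT_LOCALE       = 'en_US';

    // First non-blank value among the given attribute keys, else the default.
    private static String attr(Map<String, String> attributes, List<String> keys, String dflt) {
        for (String k : keys) {
            String v = attributes.get(k);
            if (String.isNotBlank(v)) return v.trim();
        }
        return dflt;
    }

    // Resolve the Profile Id for a NEW user. Accepts a Profile Id (00e...) or an
    // exact, unambiguous Profile Name; rejects a User Id (005...), which is the
    // mistake behind the error in the original post.
    @TestVisible
    private static Id resolveProfileId(Map<String, String> attributes) {
        // The thread shows both spellings of the attribute name.
        String raw = attr(attributes, new List<String>{ 'User.ProfileId', 'User.ProfileID' },
                          DEFAULT_PROFILE_NAME);
        if (raw.startsWith(USER_PREFIX)) {
            throw new Auth.JitException(
                'User.ProfileId carries a User Id (' + raw + '); a Profile Id (00e...) is required');
        }
        if (raw.startsWith(PROFILE_PREFIX)) {
            if (raw.length() != 15 && raw.length() != 18) {
                throw new Auth.JitException('Malformed Profile Id ' + raw);
            }
            List<Profile> byId = [SELECT Id FROM Profile WHERE Id = :raw LIMIT 1];
            if (byId.isEmpty()) throw new Auth.JitException('No Profile with Id ' + raw);
            return byId[0].Id;
        }
        // Anything else is treated as a name; LIMIT 2 lets us detect ambiguity.
        List<Profile> byName = [SELECT Id FROM Profile WHERE Name = :raw LIMIT 2];
        if (byName.size() != 1) {
            throw new Auth.JitException('Profile name "' + raw + '" is missing or ambiguous');
        }
        return byName[0].Id;
    }

    // Called by Salesforce when no User matches the Federation ID.
    global User createUser(Id samlSsoProviderId, Id communityId, Id portalId,
            String federationIdentifier, Map<String, String> attributes, String assertion) {
        String username = attr(attributes, new List<String>{ 'User.Username' }, null);
        String email    = attr(attributes, new List<String>{ 'User.Email' }, null);
        if (username == null || email == null) {
            throw new Auth.JitException('User.Username and User.Email are required for JIT creation');
        }
        User u = new User();
        u.FederationIdentifier = federationIdentifier;
        u.Username  = username;
        u.Email     = email;
        u.FirstName = attr(attributes, new List<String>{ 'User.FirstName' }, null);
        u.LastName  = attr(attributes, new List<String>{ 'User.LastName' }, federationIdentifier);
        // Alias is limited to 8 characters; derive it from the username if absent.
        String alias = attr(attributes, new List<String>{ 'User.Alias' }, username.substringBefore('@'));
        u.Alias = alias.length() > 8 ? alias.substring(0, 8) : alias;
        u.ProfileId         = resolveProfileId(attributes);
        u.LanguageLocaleKey = attr(attributes, new List<String>{ 'User.LanguageLocaleKey' }, DEFAULT_LOCALE);
        u.LocaleSidKey      = attr(attributes, new List<String>{ 'User.LocaleSidKey' }, DEFAULT_LOCALE);
        u.EmailEncodingKey  = attr(attributes, new List<String>{ 'User.EmailEncodingKey' }, 'UTF-8');
        u.TimeZoneSidKey    = attr(attributes, new List<String>{ 'User.TimeZoneSidKey' }, DEFAULT_TIMEZONE);
        insert u;
        return u;
    }

    // Called by Salesforce when a User already matches the Federation ID.
    // Only contact details are synced; ProfileId is deliberately never read from
    // the assertion here, so a System Administrator keeps that profile even when
    // the IdP hard-codes "Chatter Free" for everyone.
    global void updateUser(Id userId, Id samlSsoProviderId, Id communityId, Id portalId,
            String federationIdentifier, Map<String, String> attributes, String assertion) {
        User u = [SELECT Id, Email, FirstName, LastName FROM User WHERE Id = :userId];
        String email     = attr(attributes, new List<String>{ 'User.Email' }, null);
        String firstName = attr(attributes, new List<String>{ 'User.FirstName' }, null);
        String lastName  = attr(attributes, new List<String>{ 'User.LastName' }, null);
        Boolean changed = false;
        if (email != null && email != u.Email)             { u.Email = email;         changed = true; }
        if (firstName != null && firstName != u.FirstName) { u.FirstName = firstName; changed = true; }
        if (lastName != null && lastName != u.LastName)    { u.LastName = lastName;   changed = true; }
        if (changed) update u;
    }
}
```

To use it, open the SAML Single Sign-On Settings entry for your IdP, keep User Provisioning enabled, pick this class as the custom SAML JIT handler and choose the user it executes as. The key design choice is that updateUser simply has no code path that assigns ProfileId, so the hard-coded profile in the assertion only ever matters on first login; everything the standard JIT provisioner would otherwise overwrite is now under your control.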