Reshmi Smiju

Set up single sign-on for your Developer Edition

Hi,

While doing the challenge for the Set up single sign-on for your Developer Edition chapter, I got this message after trying to log in.

[screenshot: login error message]

[screenshot: My SFDC settings screen]

[screenshot: Heroku screen]

Please let me know what the error could be.
Thanks much in advance.
 
Vasani Parth
Reshmi,

You need to understand this error first as to why and how it occurs. Here's the detailed explanation,

Where can I find entries about login history for a failed SAML login attempt?

When Salesforce cannot find the user in your assertion or cannot associate the provided user ID with a user in Salesforce, an entry is inserted in the login history. To see the login history, from Setup, enter Login History in the Quick Find box, then select Login History.

Does single sign-on work outside my corporate firewall?

Yes, single sign-on can work outside your corporate firewall. When users are outside the corporate firewall, they can use their network passwords to log in to Salesforce. Alternately, you can require that users must first be connected to your corporate network in order to log in.

Can I validate the SAML response sent by my identity provider?

Yes. After you have configured single sign-on, you can access the SAML Validation page from Setup, by clicking SAML Validation on the Single Sign-On Settings page. If a user tries to log in to Salesforce and fails, the invalid SAML assertion is used to automatically populate the SAML Assertion Validator if possible. On the SAML Validation page, if the SAML assertion is not automatically populated, you can enter either an XML- or base64-encoded SAML response that you've received from your service provider. Salesforce validates the response against the values provided during single sign-on setup, and provides detailed information about the response.

Can I configure a start page and logout page that are specific to my company?

Yes. You can customize the start, error, login, and logout pages for single sign-on users using SAML 1.1 or 2.0. As part of your configuration, decide the following:

- If your identity provider uses SAML 1.1, the URL to direct the user to when single sign-on successfully completes (known as the start page). This URL can be absolute, such as https://na1.salesforce.com/001/o, or it can be relative, such as /001/o. This URL must be an endpoint that accepts SAML authentication requests.
- In SAML 2.0, the start page is the page the user attempted to access before they were authenticated. The SAML 2.0 start page must support SP-init single sign-on.
- If you are using SAML 2.0, you can also use the RelayState parameter to control where users get redirected after a successful login.
- The single sign-on start page where Salesforce sends a SAML request to start the login sequence. We recommend that if you specify a single sign-on start page, you also specify a logout page. When you specify a logout page, when a user clicks logout or a user's session expires, the user is redirected to that page. If you don't specify a logout page, the user is redirected to the general Salesforce login page.
- The URL to direct the user to when they click the Logout link in Salesforce (known as the logout page). The default is https://login.salesforce.com, unless My Domain is enabled. If My Domain is enabled, the default is https://customdomain.my.salesforce.com.
See Customize SAML Start, Error, Login, and Logout Pages.

Does Salesforce delegated authentication support SAML tokens?

Yes, SAML tokens can be used with the sample delegated authentication implementations using the listener validating the token.

Can delegated authentication single sign-on work with Connect Offline?

Yes, delegated authentication can work with Connect Offline if it is set up to work with both tokens and passwords. In this case, users should use their network password to access Connect Offline.

Please mark this as the best answer if this helps
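Added example, not code from this thread or from Salesforce: a small checker that mirrors the field comparisons the answer above describes for a failed SAML login (issuer, audience, validity window, and whether the NameID maps to a known user), so you can see which mismatch would send an entry to Login History before reaching for the SAML Assertion Validator. The IdP entity ID, the audience value and the set of Federation IDs are assumptions constructed for the example, the sample response is built inline, and XML signature verification is intentionally left out.

```python
import base64
from datetime import datetime, timezone
from xml.etree import ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# What the service-provider (Salesforce) side expects. Constructed for this example:
# the IdP entity ID and the Federation IDs are hypothetical, not values from the post.
EXPECTED = {"issuer": "https://idp.example.test",
            "audience": "https://saml.salesforce.com",
            "known_users": {"reshmi@example.test"}}
_ts = lambda v: datetime.fromisoformat(v.replace("Z", "+00:00"))  # SAML UTC 'Z' timestamps

def check_assertion(response_b64, expected=EXPECTED, now=None):
    """Decode a base64 SAML 2.0 response and list the reasons an SP would reject it.
    An empty list means every checked field agrees with the configured settings.
    The XML signature is deliberately NOT verified here; this mirrors field checks only."""
    now = now or datetime.now(timezone.utc)
    root = ET.fromstring(base64.b64decode(response_b64))
    a = root.find("saml:Assertion", NS)
    if a is None:
        return ["no <saml:Assertion> element in response"]
    problems = []
    issuer = a.findtext("saml:Issuer", default="", namespaces=NS).strip()
    if issuer != expected["issuer"]:
        problems.append(f"issuer {issuer!r} != configured {expected['issuer']!r}")
    aud = a.findtext("saml:Conditions/saml:AudienceRestriction/saml:Audience",
                     default="", namespaces=NS).strip()
    if aud != expected["audience"]:
        problems.append(f"audience {aud!r} != expected {expected['audience']!r}")
    cond = a.find("saml:Conditions", NS)
    if cond is not None:
        if cond.get("NotBefore") and now < _ts(cond.get("NotBefore")):
            problems.append("assertion not yet valid (NotBefore in the future)")
        if cond.get("NotOnOrAfter") and now >= _ts(cond.get("NotOnOrAfter")):
            problems.append("assertion expired (NotOnOrAfter has passed)")
    name_id = a.findtext("saml:Subject/saml:NameID", default="", namespaces=NS).strip()
    if name_id not in expected["known_users"]:
        problems.append(f"NameID {name_id!r} matches no user's Federation ID")
    return problems

def sample_response(name_id, issuer=EXPECTED["issuer"], not_on_or_after="2030-01-01T00:00:00Z"):
    """Build a constructed, unsigned base64 SAML response for exercising the checker."""
    xml = (f'<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
           f'xmlns:saml="{NS["saml"]}"><saml:Assertion><saml:Issuer>{issuer}</saml:Issuer>'
           f'<saml:Subject><saml:NameID>{name_id}</saml:NameID></saml:Subject>'
           f'<saml:Conditions NotBefore="2020-01-01T00:00:00Z" NotOnOrAfter="{not_on_or_after}">'
           f'<saml:AudienceRestriction><saml:Audience>{EXPECTED["audience"]}</saml:Audience>'
           f'</saml:AudienceRestriction></saml:Conditions></saml:Assertion></samlp:Response>')
    return base64.b64encode(xml.encode()).decode()
```

Feed `check_assertion` the base64 response copied from a real failed login and the list it returns is the same kind of mismatch the SAML Validation page reports; the usual Developer Edition culprit is a NameID that does not equal any user's Federation ID.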