IDP03 unsolicited sso support

Cantor, Scott cantor.2 at
Thu May 7 12:19:05 EDT 2015

On 5/7/15, 11:49 AM, "Alexander Galilov" <alexander.galilov at> wrote:
>Now I have another issue from Salesforce SAML validator:
>Subject: AAdzZWNyZXQxKb+vKRzExCggvlsBj11cPO1e4b8KwJYq42uI5hcOaLP04CqFfzHS3zmHQiOPqvg5F9kn9oKHG1Ec0g88Mt0QlgImEP3lwJ3tHK75bi9yE8S/2RFQIoEMAg1wNZmeA7DG2+HI
>Unable to map the subject to a user 

Because you're using a transient subject identifier. You have to start with a clear sense of the technical requirements of the SP, and then you know what to change on the IdP. That's true of every vendor.

I believe Salesforce handles either Attribute or NameID-based account linking, but you're providing it neither, I would imagine. You have to start by picking what you want to use and configuring Salesforce to look for that. I'm using eduPersonPrincipalName in an Attribute, so I didn't have to do anything unusual, but that requires appropriate configuration in Salesforce.

-- Scott

More information about the users mailing list