Single Sign-On | FAQ
How does SSO differ from MFA?
SSO is a login method enabling users to access multiple resources with a single username/password authentication. Multi-factor authentication (MFA) requires more than one factor to authenticate a user's identity before login, for example a username plus a verification code or a security token. While you can use MFA for a single application, systems frequently combine it with SSO.
Salesforce email reminder to update SSO certificate
Salesforce Dot Com (SFDC) certificates expire every year and you need to update them within the org. If you get an SFDC Expired Certificate Notification, resolution instructions are on the Sage People Community.
Ensure you upload the updated certificate to the single sign-on integration. Your IT support team will typically handle this.
Can I turn off case sensitivity for SSO logins?
Yes:
- Go to Setup and select Single Sign-On Settings.
- Select Edit.
- Select the checkbox for Make Federation ID case insensitive.
- Click Save.
A team member can't log in using SSO
The fix depends on the error message the team member receives:
- If the error references either Sage People or Salesforce, the issue is likely an incorrect Federation ID.
- If the error message doesn't reference Sage People or Salesforce, the cause is a local IT issue. It's likely you haven't provisioned the user in the SSO app in the cloud service. Refer to your organization's IT support team for resolution.
If one or more team members can't log in using single sign-on, and they receive a Sage People or Salesforce error message:
- Go to Single Sign-On Settings and select SAML Assertion Validator.
- There can be several errors on this page. Scroll to the bottom of the page to find the error "Unable to map the subject to a Salesforce.com user". Your SSO provider sends an identifier in the SAML request, usually the User Principal Name (UPN). The system compares this identifier to the user's identifier, usually the Federation ID. These two identifiers don't match, so the login fails.
  Note: The team member's User record doesn't display an error, because Salesforce can't identify which user is trying to log in.
- You can either:
  - Amend the UPN for the team member in the SSO service to match the value used in Salesforce. Refer to your organization's IT support team for resolution.
  - Modify the Federation ID (or Username, if used instead) to match the value shown in the SAML Assertion Validator. You do this from within the User record.
- Ensure the values match exactly, and remember that by default Salesforce Federation IDs are case-sensitive. You can switch off case sensitivity by enabling the Make Federation ID case insensitive option in Single Sign-On Settings.
No one can log in to the Sage People org using SSO
This usually relates to a certificate mismatch between the SSO certificate in your SSO service and the SAML Single Sign-On Settings in your org. Your IT team typically maintains the certificate of the SSO service. However, with system administrator access to your org, you can update the SAML settings in the org:
- Log in to the org using the login.salesforce.com page and your Salesforce username and password.
- Go to Setup and in Quick Find enter Sign-On Settings.
- On the Single Sign-On Settings page, select SAML Assertion Validator.
- This page typically displays several errors. Copy the value from the SAML Response field at the bottom. This is a long text string.
- Go to https://www.samltool.com/decode.php and paste the SAML Response into Deflated and Encoded XML.
- Select Decode and Inflate XML.
- In Deflated XML, the page displays a long string of characters between <ds:X509Certificate> and </ds:X509Certificate>. This is the identity provider's certificate.
- Save that string to a text file with a name you can easily identify, and change the file extension to .cer.
- Go back to the org and open the SSO setting presenting the problem.
- Select Edit and then Choose File next to Identity Provider Certificate.
- Upload the file you created above and select Save.
- Return to SAML Assertion Validator and ensure the errors are no longer present.
All users will now be able to log in using SSO.
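The two checks behind the fixes above, the subject-to-Federation-ID comparison (with the case-sensitivity option) and pulling the identity provider certificate out of a SAML Response so it can be saved as a .cer file, as an added Python example. This is not Salesforce or Sage People code: the sample response, its NameID and the certificate body are constructed placeholders, and the inflate path assumes the raw DEFLATE form used by the SAML redirect binding.

```python
import base64
import xml.etree.ElementTree as ET
import zlib

# XML namespaces used inside a SAML 2.0 Response.
NS = {
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed sample response: a NameID (the UPN the IdP sends) plus a signing
# certificate whose body is a placeholder string, not a real certificate.
SAMPLE_XML = (
    '<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    f'xmlns:saml="{NS["saml"]}" xmlns:ds="{NS["ds"]}">'
    "<saml:Assertion><ds:Signature><ds:KeyInfo><ds:X509Data>"
    "<ds:X509Certificate>MIIC PLACEHOLDER CERT BODY</ds:X509Certificate>"
    "</ds:X509Data></ds:KeyInfo></ds:Signature>"
    "<saml:Subject><saml:NameID>Jane.Doe@example.com</saml:NameID></saml:Subject>"
    "</saml:Assertion></samlp:Response>"
)
# What the SAML Assertion Validator's SAML Response field looks like: base64 text.
SAMPLE_RESPONSE = base64.b64encode(SAMPLE_XML.encode()).decode()

def decode_saml_response(encoded: str) -> str:
    """Base64-decode, then inflate only if the result is not already plain XML."""
    raw = base64.b64decode(encoded)
    if raw.lstrip().startswith(b"<"):
        return raw.decode()
    return zlib.decompress(raw, wbits=-15).decode()  # raw DEFLATE, no zlib header

def extract_certificate_pem(xml: str):
    """Return the IdP certificate as a PEM block, ready to save with a .cer extension."""
    node = ET.fromstring(xml).find(".//ds:X509Certificate", NS)
    if node is None or not node.text:
        return None
    body = "".join(node.text.split())  # drop any line wrapping the IdP inserted
    lines = [body[i:i + 64] for i in range(0, len(body), 64)]
    return "-----BEGIN CERTIFICATE-----\n" + "\n".join(lines) + "\n-----END CERTIFICATE-----\n"

def extract_name_id(xml: str):
    """The subject identifier Salesforce compares against the user's Federation ID."""
    node = ET.fromstring(xml).find(".//saml:NameID", NS)
    return node.text.strip() if node is not None and node.text else None

def subject_matches(name_id: str, federation_id: str, case_insensitive: bool = False) -> bool:
    """Federation IDs are case-sensitive unless the org option is switched on."""
    if case_insensitive:
        return name_id.casefold() == federation_id.casefold()
    return name_id == federation_id
```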
I can still log in to my org with Salesforce credentials. Can I disable this?
Sage People recommends retaining a working Salesforce username and password for:
- At least one system administrator, to retain system access if your single sign-on service fails.
- Pre-boarders who don't yet qualify for full access through SSO.
- API access to your org.
To control which users can use SSO and which retain Salesforce login access, use a setting in Profiles or Permission Sets together with a setting on the Single Sign-On Settings page:
- Go to Setup and in Quick Find enter Sign-On Settings.
- In the Delegated Authentication section, select Disable login with Salesforce credentials. Selecting this makes another SSO-related item, Is Single Sign-On Enabled, available in the profiles and permission sets for your org.
- In the profiles or permission sets assigned to users who need Salesforce login access, ensure Is Single Sign-On Enabled is unchecked.
- In the profiles or permission sets assigned to users who need SSO access and not Salesforce login access, ensure Is Single Sign-On Enabled is checked.
Does Federation ID automatically synchronize from Team Member to User?
Yes. You don't need to create a separate flow to synchronize the Federation ID.