[SalesForce] Single Sign On Login Type issue

I've implemented Single Sign On using ADFS as the Identity provider. We tested in sandbox, and again in production prior to release.
Now, in release we find that some users are able to login via SSO, while others using the same instructions are not.
Checking our login history, successful users' login type is "SAML SFDC Initiated SSO". Failing login attempts show "Application" as the login type and receive the error message: "The Single Sign-On Gateway Url is invalid".
What setting in Salesforce determines the login type and/or gateway url? How can I resolve this issue?
Thank you!

Best Answer

I'm not sure if you figured this out but we were experiencing a similar issue. 99% of our users logged in successfully and a couple received that same error.

Our issue was case sensitivity of the user lookup. We're using ADFS, which returns the user's email address after successful authentication; that value is then used to look up the user's Salesforce account by their Federation ID. What was confusing was that their email address in AD looked fine (all lower case), but upon closer inspection we realized their O365 account wasn't syncing (mixed case).

Navigating to Setup > Single Sign-On Settings you'll find a setting labeled

'Make Federation ID case insensitive'

Once we enabled that setting, our users were able to successfully sign in.

You can validate whether this is the issue by clicking the SAML Assertion Validator button on the Single Sign-On Settings page. You'll see something to the effect of "unable to find the user" in the results.

I hope this helps
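The failure mode described in this answer, reproduced as an added example (this is not code from the original post, from Salesforce, or from ADFS). It assumes a constructed SAML assertion whose NameID carries the email address in mixed case, and a constructed user table keyed on Federation ID in lower case; `lookup_user`, `simulate_login` and `find_case_collisions` are names chosen for this illustration. A case-sensitive lookup cannot find the user, a case-insensitive one can, and the collision check shows the one situation where turning on case-insensitive matching is unsafe: two accounts whose Federation IDs differ only by case.

```python
"""Added example (not from the original post): why a SAML login can fail on a
Federation ID case mismatch, and what a case-insensitive lookup changes."""
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample assertion fragment (no signature; only the NameID matters
# for this demonstration). The IdP sent the address in mixed case.
ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Issuer>http://adfs.example.com/adfs/services/trust</saml:Issuer>
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">Jane.Doe@Example.com</saml:NameID>
  </saml:Subject>
</saml:Assertion>"""

# Constructed service-provider user table: Federation ID -> username.
USERS = {
    "jane.doe@example.com": "jdoe@example.com.prod",
    "bob.smith@example.com": "bsmith@example.com.prod",
}


def extract_name_id(assertion_xml: str) -> str:
    """Return the Subject/NameID value the IdP asserted, verbatim."""
    root = ET.fromstring(assertion_xml)
    node = root.find("./saml:Subject/saml:NameID", SAML_NS)
    if node is None or not (node.text or "").strip():
        raise ValueError("assertion has no Subject/NameID")
    return node.text.strip()


def lookup_user(federation_id: str, users: dict, case_insensitive: bool = False):
    """Resolve a Federation ID to a username.

    case_insensitive=False mirrors an exact-match lookup: 'Jane.Doe@...' does
    not match 'jane.doe@...'. case_insensitive=True folds case on both sides,
    but refuses to pick one of several accounts that collide ignoring case.
    """
    if not case_insensitive:
        return users.get(federation_id)
    wanted = federation_id.casefold()
    matches = [user for fid, user in users.items() if fid.casefold() == wanted]
    if len(matches) > 1:
        raise ValueError(f"ambiguous Federation ID ignoring case: {federation_id}")
    return matches[0] if matches else None


def simulate_login(assertion_xml: str, users: dict, case_insensitive: bool):
    """Run the whole path: parse NameID, look up user, report the outcome."""
    name_id = extract_name_id(assertion_xml)
    user = lookup_user(name_id, users, case_insensitive)
    if user is None:
        # Hypothetical wording, modelled on the 'unable to find the user'
        # result the answer reports from the SAML Assertion Validator.
        return (False, f"unable to find the user for Federation ID {name_id!r}")
    return (True, user)


def find_case_collisions(users: dict):
    """List groups of Federation IDs that become identical once case is ignored.

    Any non-empty result means case-insensitive matching would make those
    logins ambiguous; fix the data before enabling the setting.
    """
    groups = {}
    for fid in users:
        groups.setdefault(fid.casefold(), []).append(fid)
    return [sorted(g) for g in groups.values() if len(g) > 1]


if __name__ == "__main__":
    print("case-sensitive:  ", simulate_login(ASSERTION, USERS, case_insensitive=False))
    print("case-insensitive:", simulate_login(ASSERTION, USERS, case_insensitive=True))
    print("collisions:      ", find_case_collisions(USERS))
```

Run it and the case-sensitive path fails with the "unable to find the user" outcome while the case-insensitive path resolves the same assertion to the user; running `find_case_collisions` over the real user list before enabling case-insensitive matching is the check worth doing first, since a collision turns one account's assertion into a lookup that could match another.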
