Okta Classic Engine | Integrations | Answered | 2024-04-15T10:13:45.000Z | 2020-07-23T16:48:20.000Z | 2020-07-27T15:03:16.000Z

26ne5 (26ne5) asked a question.

Okta SAML 2.0 Salesforce + Provisioning Tab Missing

Hello, I followed the steps for configuring SAML 2.0 on Salesforce for Okta listed here:

https://saml-doc.okta.com/SAML_Docs/How-to-Configure-SAML-2.0-in-Salesforce.html

However, at the end, when testing a login, it does not work.

I noticed the Provisioning tab is missing from applications. Could this be the reason? Does anyone have this Provisioning tab missing, and is it necessary to configure Okta for SSO SAML 2.0 for Salesforce?


  • 26ne5 (26ne5)

    So I receive the error "Single Sign-On Error

    We can't log you in because of an issue with single sign-on. Contact your Salesforce admin for help." I followed SAML instructions listed in the help article. Please advise.

  • User15851122134349081871 (North Central-Enterprise)

    If that Provisioning tab is missing then you probably don't have the Provisioning feature; it is optional.

    That shouldn't be required for SAML SSO to work from Okta, though, if you don't need those users to also be provisioned in Salesforce. Do those Salesforce users already exist? If so, then there may be some other config error somewhere.

  • MarkT.24215 (Employee)

    @26ne5 (26ne5) what Tim noted is correct. Provisioning is not required for SSO to work. Provisioning enables you to provision users and groups (if supported) from Okta to the App or perform provisioning from the App into Okta, such as an import and/or profile mastery. Normally, provisioning would be configured to push users from Okta into SFDC when they are assigned to the App, unless SFDC is acting as an identity store/profile master. So, if you don't have provisioning enabled as a SKU you purchased, I would check on what Tim mentioned to ensure the user is an active user, with a license, in SFDC and has the same application username as the user who is assigned to the app in Okta. You can validate the app username by clicking on the pencil for the assigned user in Okta and checking the username field. This field is populated based on your Application username format field, which is defined under the Sign on tab. There is also a test tool in SFDC, called SAML Validator, which inspects the last assertion received to show any mismatch of data or error. This is on the same page where you set up the SAML ACS endpoint in SFDC.

    Selected as Best
This question is closed.
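The checks described in the accepted answer (same username on both sides, user active and licensed, assertion data matching what the service provider expects) can also be run offline against a captured SAMLResponse. The following is an added example, not code from this thread, Okta or Salesforce; `summarize`, `diagnose`, `SP_CONFIG` and `SP_USERS` are hypothetical names, the hosts are placeholders, and the script only compares fields, it does not verify the assertion's signature.

```python
import base64
import xml.etree.ElementTree as ET  # fine for your own captures; not hardened for untrusted XML
NS = {"a": "urn:oasis:names:tc:SAML:2.0:assertion"}

def summarize(saml_response_b64):
    """Extract the fields that decide which SP user an assertion maps to."""
    root = ET.fromstring(base64.b64decode(saml_response_b64))
    a = root.find("a:Assertion", NS)
    if a is None:
        raise ValueError("no unencrypted Assertion in response")
    def text(path):
        el = a.find(path, NS)
        return el.text.strip() if el is not None and el.text else None
    scd = a.find("a:Subject/a:SubjectConfirmation/a:SubjectConfirmationData", NS)
    return {"issuer": text("a:Issuer"),
            "name_id": text("a:Subject/a:NameID"),
            "audience": text("a:Conditions/a:AudienceRestriction/a:Audience"),
            "recipient": scd.get("Recipient") if scd is not None else None}

def diagnose(fields, sp_config, sp_users):
    """Return mismatch descriptions; an empty list means the data lines up."""
    problems = [f"{k}: assertion={fields[k]!r} expected={sp_config[k]!r}"
                for k in ("issuer", "audience", "recipient") if fields[k] != sp_config[k]]
    name_id = fields["name_id"] or ""
    user = sp_users.get(name_id)  # exact string match is an assumption of this example
    if user is None:
        local = name_id.split("@")[0].lower()
        near = sorted(u for u in sp_users if u.split("@")[0].lower() == local)
        problems.append(f"no SP user named {name_id!r}; similar usernames: {near}")
    else:
        problems += [f"{name_id!r} is not {flag}" for flag in ("active", "licensed") if not user[flag]]
    return problems

# Constructed sample: unsigned, placeholder hosts, never sent by a real IdP.
SAMPLE_XML = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
 xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"><saml:Assertion>
 <saml:Issuer>https://idp.example.com/app1</saml:Issuer>
 <saml:Subject><saml:NameID>jdoe@example.com</saml:NameID>
  <saml:SubjectConfirmation><saml:SubjectConfirmationData
    Recipient="https://sp.example.com/acs"/></saml:SubjectConfirmation></saml:Subject>
 <saml:Conditions><saml:AudienceRestriction><saml:Audience>https://sp.example.com</saml:Audience>
 </saml:AudienceRestriction></saml:Conditions></saml:Assertion></samlp:Response>"""
SAMPLE_B64 = base64.b64encode(SAMPLE_XML.encode())
SP_CONFIG = {"issuer": "https://idp.example.com/app1",
             "audience": "https://sp.example.com", "recipient": "https://sp.example.com/acs"}
SP_USERS = {"jdoe@example.com.prod": {"active": True, "licensed": True}}  # constructed user list

if __name__ == "__main__":
    print(diagnose(summarize(SAMPLE_B64), SP_CONFIG, SP_USERS))
```

In the constructed sample the assertion carries `jdoe@example.com` while the only service-provider user is `jdoe@example.com.prod`, so the single finding is the username mismatch the answer tells you to look for.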
