How do you avoid an error like "unable to map the subject to a Salesforce user"?

Whenever I try to log in to the Okta applications page, I get an error that shows the problem is with single sign-on. I am using just plain old internal user Salesforce login via SSO. How do we solve this issue?

Answered by Danna sahi

If you get the error "unable to map the subject to a Salesforce user", I would suggest two points to remember. Firstly, if the SFDC Single Sign-On configuration SAML Identity type is Federation ID, the Federation ID configured in Okta must match the SFDC user with that Federation ID.

Secondly, if the SFDC Single Sign-On configuration SAML Identity type is Username, the Okta value passed to Salesforce must match the Salesforce Username.

Additional points to check:

Go to Setup | Single Sign-On Settings, select your SSO configuration, then click SAML Assertion Validator within 480 seconds of the error. If you still can't map the subject to a Salesforce user, there is a mismatch between the supplied Federation ID and the Federation ID configured on the user in SFDC.

I believe it's not an SFDC issue but an Okta setup issue. The Okta user must have a value for its Federation ID attribute; in this case, there was none. To avoid such a situation, we can keep the Create/Update checkboxes unchecked so that the Federation ID configuration does not force us to set this up, even if we don't need it.

Lastly, we can also map an Okta field to the Salesforce field Federation ID in the Okta Profile Editor, so that the Okta user gets a value to pass in the SAML assertion when the Service Provider requires it.
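The two identity types described in the answer above, and the empty-attribute case it diagnoses, can be modelled as a small subject-resolution routine. The following is an added illustration, not Okta or Salesforce code: the user table, the minimal SAML assertion and the `map_subject`/`extract_name_id` helpers are constructed here to show where the "unable to map the subject" outcome comes from (an exact string comparison of the NameID against the chosen user field is assumed).

```python
"""Illustration of how a SAML Service Provider resolves the assertion Subject
to a local user under two identity types: Federation ID or Username.
Added example; not Okta or Salesforce code. All data below is constructed."""
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed SFDC user table. The second user has no Federation ID set,
# mirroring the "there was none" situation in the answer.
SFDC_USERS = [
    {"username": "jane.doe@example.com", "federation_id": "jdoe"},
    {"username": "bob.lee@example.com", "federation_id": ""},
]


def build_assertion(name_id: str) -> str:
    """Constructed minimal SAML 2.0 assertion; only Subject/NameID matters here."""
    return (
        '<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">'
        "<saml:Issuer>http://www.okta.com/exampleIssuer</saml:Issuer>"  # constructed issuer
        "<saml:Subject>"
        '<saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">'
        f"{name_id}"
        "</saml:NameID></saml:Subject></saml:Assertion>"
    )


def extract_name_id(assertion_xml: str) -> str:
    """Return the Subject/NameID text ("" if the element is present but empty).

    The input here is constructed and trusted; for real IdP responses a
    signature check and a hardened parser (e.g. defusedxml) come first.
    """
    root = ET.fromstring(assertion_xml)
    node = root.find("saml:Subject/saml:NameID", NS)
    if node is None:
        raise ValueError("assertion has no Subject/NameID")
    return (node.text or "").strip()


def map_subject(assertion_xml: str, identity_type: str, users=SFDC_USERS):
    """Resolve the assertion subject to a Salesforce username.

    identity_type is "federation_id" or "username", matching the SAML Identity
    type setting. Returns (username, "ok") on success, or (None, reason).
    """
    subject = extract_name_id(assertion_xml)
    if not subject:
        # An IdP user with no value for the mapped attribute produces an empty
        # NameID; it must never match a user whose field is also empty.
        return None, "empty NameID: IdP user has no value for the mapped attribute"
    field = {"federation_id": "federation_id", "username": "username"}[identity_type]
    matches = [u for u in users if u[field] and u[field] == subject]
    if len(matches) == 1:
        return matches[0]["username"], "ok"
    if not matches:
        return None, f"unable to map the subject: no user with {identity_type} == {subject!r}"
    return None, f"ambiguous: {len(matches)} users share {identity_type} == {subject!r}"


if __name__ == "__main__":
    for name_id, identity_type in [
        ("jdoe", "federation_id"),            # matches via Federation ID
        ("jdoe", "username"),                 # wrong identity type for this value
        ("jane.doe@example.com", "username"), # matches via Username
        ("", "federation_id"),                # Okta user had no Federation ID
    ]:
        print(identity_type, repr(name_id), "->", map_subject(build_assertion(name_id), identity_type))
```

Running the block walks through the four cases the answer distinguishes: the same NameID value succeeds or fails depending solely on which identity type the SP is configured for, and an empty attribute on the IdP side is reported as such rather than silently matching a user that also has no Federation ID.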
