I'm testing Azure AD SSO with Salesforce (dev). Users are synchronized with AAD and AAD Connect w/ SSO Preview is working as expected for Microsoft sites, e.g. outlook.office365.com.
With Salesforce, I'm seeing:
We can't log you in. Check for an invalid assertion in the SAML Assertion Validator (available in Single Sign-On Settings) or check the login history for failed logins.
The username in Salesforce matches the UPN in AAD. Salesforce User Provisioning is working correctly. The Salesforce SAML validator passes. It does show the last login, which indicates no mapping occurred:
Subject: username@domain.com
Unable to map the subject to a Salesforce.com user
When I look at the specific user, the Salesforce username and email address both match the UPN/email address of the user from Azure AD. In Azure AD, the Salesforce connector is configured to use user:userprincipalname as the mapping. The sign on URL is the URL of the Salesforce dev tenant.
Any ideas on what I might be missing, or any other information that might be helpful?
Trevor Seward
Office Servers and Services MVP
Author, Deploying SharePoint 2016
This post is my own opinion and does not necessarily reflect the opinion or view of Microsoft, its employees, or other MVPs.
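An added Python example (not from the post, Salesforce or Microsoft) that does offline what the Salesforce SAML Assertion Validator reports: it decodes a constructed SAMLResponse, pulls out the Subject NameID that Salesforce tries to match, and explains why that value would not map against a constructed list of Salesforce users. The sample assertion, the user records and the identity_type parameter (mirroring Salesforce's "SAML Identity Type" setting) are assumptions.

```python
import base64
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed, unsigned, minimal SAMLResponse as it would be POSTed to Salesforce (assumption).
SAMPLE_XML = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
 xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0">
 <saml:Issuer>https://sts.windows.net/11111111-2222-3333-4444-555555555555/</saml:Issuer>
 <saml:Assertion ID="_a1" Version="2.0"><saml:Subject>
  <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">jdoe@corp.example</saml:NameID>
 </saml:Subject><saml:Conditions><saml:AudienceRestriction>
  <saml:Audience>https://saml.salesforce.com</saml:Audience>
 </saml:AudienceRestriction></saml:Conditions></saml:Assertion></samlp:Response>"""
SAMPLE_RESPONSE = base64.b64encode(SAMPLE_XML.encode()).decode()

# Constructed Salesforce user records; username, email and Federation ID are separate fields,
# and a dev/sandbox username often carries a suffix that the UPN does not.
SF_USERS = [
    {"username": "jdoe@corp.example.dev", "email": "jdoe@corp.example",
     "federation_id": "jdoe@corp.example"},
]

def parse_subject(saml_response_b64):
    """Extract the fields Salesforce matches on from a base64-encoded SAMLResponse."""
    root = ET.fromstring(base64.b64decode(saml_response_b64))
    nid = root.find("./saml:Assertion/saml:Subject/saml:NameID", NS)
    return {
        "issuer": (root.findtext("saml:Issuer", default="", namespaces=NS) or "").strip(),
        "name_id": (nid.text or "").strip() if nid is not None else "",
        "format": nid.get("Format", "") if nid is not None else "",
        "audience": (root.findtext(".//saml:Audience", default="", namespaces=NS) or "").strip(),
    }

def diagnose_mapping(subject, users, identity_type="username"):
    """Return findings explaining why the NameID did not map; empty list means it maps.
    identity_type is 'username' or 'federation_id', like Salesforce's SAML Identity Type."""
    name_id = subject["name_id"]
    if not name_id:
        return ["assertion has no Subject/NameID"]
    if any(u.get(identity_type) == name_id for u in users):
        return []
    findings = [f"no user has {identity_type} == '{name_id}'"]
    for u in users:
        for field in ("username", "federation_id", "email"):
            val = u.get(field, "")
            if field != identity_type and val == name_id:
                findings.append(f"'{name_id}' matches {field} of '{u['username']}' instead; "
                                "check SAML Identity Type / the AAD NameID attribute")
            elif val and val.lower() == name_id.lower() and val != name_id:
                findings.append(f"'{name_id}' differs from {field} '{val}' only by case")
    return findings
```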