How wrong can an error message be?
A customer tried using single sign-on with their federated service provider, Salesforce, today and received this error:
Login Error: Your login attempt using single sign-on with an identity provider certificate has failed. Please contact your salesforce.com administrator for more information.
We could believe this has to do with a faulty or outdated certificate, but as their Salesforce vendor didn't know, I was contacted to help solve the issue.
The solution was rather simple, but I believe the error message could have figured it out and returned a better description.
Salesforce mostly uses non-federated accounts, and when you add federation it is an option for the existing non-federated accounts. For this to work, each Salesforce user must be filled in with that user's Federated ID. In some cases it can be the same value, if it is the email address, but a lot of customers use different usernames in their identity provider, and therefore there is a separate field for the Federated ID.
In that case I would also recommend ADFS 3.0 with Server 2012 R2 Service Pack 1, so you can activate Alternate Login ID as well.
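To make the actual cause visible, here is an added diagnostic (not from the original post, and not Salesforce's own code) that pulls the NameID out of a constructed SAML response and checks it against a constructed list of Salesforce users and their Federation ID field. It assumes the IdP sends the on-premises username as NameID and that Salesforce matches it exactly against the user's Federation ID.

```python
"""Added example: does the NameID in a SAML response match any Salesforce
user's Federation ID?  The response and user list are constructed sample data."""
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Constructed SAML response: the IdP (ADFS, hypothetical issuer URL) asserts
# the domain username, not the e-mail address.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_1" Version="2.0">
  <saml:Issuer>http://adfs.example.local/adfs/services/trust</saml:Issuer>
  <saml:Assertion ID="_2" Version="2.0">
    <saml:Subject>
      <saml:NameID>EXAMPLE\\jdoe</saml:NameID>
    </saml:Subject>
  </saml:Assertion>
</samlp:Response>"""

# Constructed Salesforce users. FederationIdentifier is the Federation ID field;
# jdoe was migrated from a non-federated account and the field was never filled.
SAMPLE_USERS = [
    {"Username": "jdoe@example.com", "FederationIdentifier": None},
    {"Username": "asmith@example.com", "FederationIdentifier": "EXAMPLE\\asmith"},
]


def extract_name_id(response_xml):
    """Return (issuer, name_id) from a SAML 2.0 Response; raise if NameID is absent."""
    root = ET.fromstring(response_xml)
    issuer = root.findtext("saml:Issuer", namespaces=NS)
    name_id = root.findtext("saml:Assertion/saml:Subject/saml:NameID", namespaces=NS)
    if not name_id:
        raise ValueError("assertion carries no NameID")
    return issuer, name_id


def diagnose(response_xml, users):
    """Map the NameID onto a user by exact Federation ID match (assumed rule).

    When nothing matches, list the users whose Federation ID is still empty:
    that is the condition behind the 'identity provider certificate' error."""
    issuer, name_id = extract_name_id(response_xml)
    for u in users:
        if u["FederationIdentifier"] == name_id:
            return {"status": "ok", "issuer": issuer, "name_id": name_id,
                    "username": u["Username"], "users_without_federation_id": []}
    unset = [u["Username"] for u in users if not u["FederationIdentifier"]]
    return {"status": "no_match", "issuer": issuer, "name_id": name_id,
            "username": None, "users_without_federation_id": unset}
```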