SSO Best Practices While Sandbox Refresh

Why do the SSO settings of a Sandbox need to be reviewed every time the Sandbox is refreshed?

Sandboxes are created as a mirror of their production environment, so every Sandbox refresh copies all SSO settings and configurations from production into the sandbox. The sandbox's existing configuration is overwritten by the production configuration, and SSO stops working in the Sandbox because its settings no longer match the sandbox.


Things to Check After a Salesforce Sandbox Refresh: SSO Settings

  1. Disable Login with Salesforce Credentials
    • If the “Disable login with Salesforce credentials” option is checked, ensure that for the Admin Profile, the “Is Single Sign-On Enabled” permission is disabled.
    • If this permission is enabled after a refresh, you will not be able to log in via credentials, and SSO will break, affecting all users’ ability to log in.
  2. SAML Enabled Checkbox
    • The SAML Enabled checkbox gets disabled after a sandbox refresh, which will stop the SSO from functioning.
    • To enable it:
      • In Lightning Experience: Go to Setup > Identity > Single Sign-On Settings.
      • In Salesforce Classic: Under Administer, click Security Controls > Single Sign-On Settings.
      • Click Edit, then check the SAML Enabled box.
  3. Update Entity ID
    • Update the Entity ID with the sandbox My Domain URL or the IDP Entity ID used for the configuration.
  4. Check SAML Identity Type
    • Check and update the SAML Identity Type if necessary according to your configuration.
  5. Validate Settings with SAML Assertion Validator
    • Use the SAML Assertion Validator to validate all the settings.
    • If you get the error message:
      “Unable to map the subject to a Salesforce user”, it indicates an issue with the Entity ID or the SAML Identity Type.
  6. Org ID Changes
    • The Org ID of the sandbox changes every time you refresh, which can invalidate your SSO settings. Ensure everything is updated accordingly.
  7. Check Login, Logout, and Endpoint URLs
    • These URLs will also change after the sandbox refresh, so verify and update them.
  8. Admin Login with “Is Single Sign-On Enabled”
    • If the “Is Single Sign-On Enabled” option is checked for admins and no one can log in with their credentials, raise a Salesforce support case to get assistance in disabling the permission.
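The checklist above as an automated post-refresh audit, added here as an example and not code from the original article; the SsoConfig fields, the domain names and the org IDs are constructed placeholders, and reading the live values out of the sandbox (for example via the Metadata API) is assumed to happen before the check runs.

```python
from dataclasses import dataclass


@dataclass
class SsoConfig:
    """The SSO fields the checklist names, as read back from the sandbox."""
    saml_enabled: bool
    entity_id: str
    identity_type: str               # "Username", "FederationId", ...
    login_url: str
    logout_url: str
    org_id: str
    disable_credential_login: bool   # "Disable login with Salesforce credentials"
    admin_profile_sso_enabled: bool  # "Is Single Sign-On Enabled" on the admin profile


def audit_sandbox_sso(cfg, sandbox_domain, prod_domain, prod_org_id, expected_identity_type):
    """Return the checklist items that still fail; an empty list means the sandbox is ready."""
    findings = []
    # Items 1/8: with credential login disabled, an SSO-enabled admin profile has no fallback login.
    if cfg.disable_credential_login and cfg.admin_profile_sso_enabled:
        findings.append("lockout risk: credential login disabled while the admin profile has SSO enabled")
    # Item 2: the refresh clears the SAML Enabled checkbox.
    if not cfg.saml_enabled:
        findings.append("SAML Enabled is unchecked")
    # Items 3 and 7: values copied from production still name the production My Domain.
    for name, value in (("Entity ID", cfg.entity_id), ("Login URL", cfg.login_url), ("Logout URL", cfg.logout_url)):
        if prod_domain in value:
            findings.append(f"{name} still references production: {value}")
    # Item 4: the identity type must match what the IDP puts in the assertion subject.
    if cfg.identity_type != expected_identity_type:
        findings.append(f"SAML Identity Type is {cfg.identity_type}, expected {expected_identity_type}")
    # Item 6: the sandbox gets a new Org ID; a copied production ID invalidates the settings.
    if cfg.org_id == prod_org_id:
        findings.append("Org ID still matches production; settings were copied, not reconfigured")
    return findings


# Constructed sample values (placeholders, not real orgs or org IDs).
PROD_DOMAIN = "https://example.my.salesforce.com"
SANDBOX_DOMAIN = "https://example--dev.sandbox.my.salesforce.com"
PROD_ORG_ID = "00D000000000PRD"

# A sandbox straight after a refresh: production settings copied over unchanged.
JUST_REFRESHED = SsoConfig(
    saml_enabled=False, entity_id=PROD_DOMAIN, identity_type="Username",
    login_url=PROD_DOMAIN + "/login", logout_url=PROD_DOMAIN + "/logout",
    org_id=PROD_ORG_ID, disable_credential_login=True, admin_profile_sso_enabled=True,
)

if __name__ == "__main__":
    for finding in audit_sandbox_sso(JUST_REFRESHED, SANDBOX_DOMAIN, PROD_DOMAIN, PROD_ORG_ID, "FederationId"):
        print("-", finding)
```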

Important Considerations

  • If SSO is enabled in the Production environment and a custom profile has the SSO permission enabled, login will be blocked after the Sandbox refresh and you will need to check the permissions. This does not apply to users with a standard profile. (This is due to a sandbox refresh limitation.)
  • The org ID of the sandbox environment is changed every time you refresh the sandbox and will negate SSO settings, requiring that they be reconfigured.
  • Once the Recipient URL is updated, download the metadata, provide it to the IDP (Identity Provider), and have it updated at the IDP end.
  • After the Sandbox refresh, one of the system admin users of the Org may need to reach out to Salesforce support for a password reset email to bypass the security question prompt so that they can set up their password to access the Sandbox.
  • For more detailed information, see the Salesforce Help article.