Why do the SSO settings of a Sandbox need to be reviewed every time the Sandbox is refreshed?
Sandboxes are created as a mirror of their production environment, so every refresh copies all SSO settings and configurations from Production into the Sandbox. The Sandbox's existing SSO configuration is overwritten by the Production configuration, and because those settings (domain, Org ID, endpoints) no longer match the Sandbox, SSO stops working until they are corrected.
Things to Check After a Salesforce Sandbox Refresh: SSO Settings
- Disable Login with Salesforce Credentials
  - If the "Disable login with Salesforce credentials" option is checked, ensure that the "Is Single Sign-On Enabled" permission is disabled for the Admin profile.
  - If this permission is still enabled for admins after a refresh, no one will be able to log in with credentials, and because SSO is broken at that point, all users lose the ability to log in.
- SAML Enabled Checkbox
  - The SAML Enabled checkbox gets unchecked after a sandbox refresh, which stops SSO from functioning.
  - To enable it:
    - In Lightning Experience: Go to Setup → Identity → Single Sign-On Settings.
    - In Salesforce Classic: Under Administer, click Security Controls → Single Sign-On Settings.
    - Click Edit, then check the SAML Enabled box.
- Update Entity ID
  - Update the Entity ID with the sandbox My Domain URL or the IdP Entity ID used for the configuration.
- Check SAML Identity Type
  - Check the SAML Identity Type and update it if necessary to match your configuration.
- Validate Settings with SAML Assertion Validator
  - Use the SAML Assertion Validator to validate all the settings.
  - If you get the error message "Unable to map the subject to a Salesforce user", it indicates an issue with the Entity ID or the SAML Identity Type.
- Org ID Changes
  - The Org ID of the sandbox changes every time you refresh, which can invalidate your SSO settings. Ensure everything that references it is updated accordingly.
- Check Login, Logout, and Endpoint URLs
  - These URLs also change after the sandbox refresh, so verify and update them.
- Admin Login with "Is Single Sign-On Enabled"
  - If the "Is Single Sign-On Enabled" option is checked for admins and no one can log in with their credentials, raise a Salesforce support case to get assistance in disabling the permission.
Important Considerations:
- If SSO is enabled in the Production environment and a custom profile has the SSO permission enabled, login for users on that profile will be blocked after the Sandbox refresh, and you will need to check the permissions. This does not apply to users with standard profiles. (This is due to a sandbox refresh limitation.)
- The org ID of the sandbox environment is changed every time you refresh the sandbox and will negate SSO settings, requiring that they be reconfigured.
- Once the Recipient URL is updated, download the metadata, provide it to the IdP (Identity Provider), and have it updated at the IdP end.
- After the Sandbox refresh, one of the system admin users of the Org may need to reach out to Salesforce support for a password reset email to bypass the security question prompt so that they can set up their password to access the Sandbox.
- For more detailed information, see the Salesforce Help article on this topic.
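The Entity ID, endpoint URL and Org ID checks above, and the metadata hand-off to the IdP, can be sanity-checked before the file leaves your hands. The script below is an added example (not from this article or from Salesforce): it parses the SP metadata XML downloaded from the sandbox's Single Sign-On Settings page and flags any entityID or service endpoint still pointing at the production host, plus a stale org ID. The hostnames, the org IDs and the assumption that the org ID appears as an `so` query parameter on the Assertion Consumer Service URL are constructed for illustration.

```python
"""Added example (not from the article): sanity-check the SP metadata
downloaded from a sandbox's Single Sign-On Settings page before handing
it to the IdP. Hostnames, the org IDs and the assumption that Salesforce
puts the org ID in an ``so`` query parameter are illustrative."""
import xml.etree.ElementTree as ET
from typing import List, Optional
from urllib.parse import parse_qs, urlparse


def check_sp_metadata(xml_text: str, sandbox_host: str, production_host: str,
                      expected_org_id: Optional[str] = None) -> List[str]:
    """Return findings; an empty list means every endpoint is sandbox-scoped."""
    findings = []
    root = ET.fromstring(xml_text)
    ent_host = urlparse(root.get("entityID", "")).netloc
    if ent_host != sandbox_host:
        findings.append(f"entityID host {ent_host!r} is not the sandbox My Domain")
    # Each SSO/SLO endpoint must sit on the sandbox host: a production host
    # means the settings copied in by the refresh were never updated.
    for elem in root.iter():
        loc = elem.get("Location")
        if not loc:
            continue
        tag = elem.tag.split("}")[-1]  # strip the md: namespace
        parsed = urlparse(loc)
        if parsed.netloc == production_host:
            findings.append(f"{tag} still points at production: {loc}")
        elif parsed.netloc != sandbox_host:
            findings.append(f"{tag} on unexpected host: {loc}")
        # The org ID changes on every refresh; a stale one breaks the ACS.
        so = parse_qs(parsed.query).get("so", [None])[0]
        if expected_org_id and so and so != expected_org_id:
            findings.append(f"{tag} carries stale org ID {so}")
    return findings


# Constructed sample: entityID is right, but the logout URL and the org ID
# in the ACS URL were left over from production.
SAMPLE_METADATA = """<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://acme.sandbox.my.salesforce.com">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://acme.my.salesforce.com/services/auth/idp/saml2/logout"/>
    <md:AssertionConsumerService index="0" isDefault="true"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://acme.sandbox.my.salesforce.com?so=00DPRODUCTION001"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""
```

Run `check_sp_metadata(SAMPLE_METADATA, "acme.sandbox.my.salesforce.com", "acme.my.salesforce.com", "00DSANDBOX000001")` to see the two leftovers reported; an empty list means the metadata is safe to send to the IdP.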