Symptoms

SSO users fail to log in and are immediately redirected to the logout page.

Checking the logs in the instance (Syslog.list) with the following filters:

message > contains > not found
AND
source=SAML2

The following message is observed:

User: abc@test.com not found

Release

Applicable to any release.

Cause

The instance reads the value of the NameID element in the SAML response and looks for a matching record in the sys_user table, comparing that value against the column selected in the 'User Field' setting of the Identity Provider record. If a matching record is found, the user is logged in.

For example, if the following NameID is returned:

<NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">abc@test.com</NameID>

and in the Identity Provider record:

Advanced -> User Field is set to 'email'

then the instance queries the sys_user table where email=abc@test.com.

If no match is found, the user fails to log in and the 'User: ... not found' message above is written to the log.
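The lookup described above, as an added example that is not ServiceNow's own code: it extracts the NameID from a SAML response, compares it against the column named by the configured User Field in a constructed stand-in for the sys_user table, and reproduces the 'User: ... not found' outcome when the value does not match. The sample response and user records are constructed for this example; an exact string comparison is assumed.

```python
import xml.etree.ElementTree as ET

# Namespaces used by SAML 2.0 responses and assertions.
NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Constructed sample: a minimal SAML response carrying the NameID from the article.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Assertion>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">abc@test.com</saml:NameID>
    </saml:Subject>
  </saml:Assertion>
</samlp:Response>"""

# Constructed stand-in for the sys_user table (sample records, not real data).
SYS_USER = [
    {"user_name": "abc", "email": "abc@test.com"},
    {"user_name": "jdoe", "email": "jdoe@test.com"},
]


def extract_name_id(saml_response_xml):
    """Return the NameID text from a SAML response, or None if it is absent."""
    root = ET.fromstring(saml_response_xml)
    node = root.find(".//saml:Assertion/saml:Subject/saml:NameID", NS)
    if node is None or not node.text:
        return None
    return node.text.strip()


def match_user(name_id, user_field, users=SYS_USER):
    """Find the sys_user record whose `user_field` column equals the NameID.
    Returns the record, or None when nothing matches (the 'not found' case).
    Assumption: an exact string comparison, as this example models it."""
    for rec in users:
        if rec.get(user_field) == name_id:
            return rec
    return None


def sso_login(saml_response_xml, user_field):
    """Return a log-style message describing the outcome of the NameID lookup."""
    name_id = extract_name_id(saml_response_xml)
    if name_id is None:
        return "NameID missing from SAML response"
    rec = match_user(name_id, user_field)
    if rec is None:
        return "User: %s not found" % name_id
    return "User: %s logged in as %s" % (name_id, rec["user_name"])
```

Calling sso_login(SAMPLE_RESPONSE, "email") succeeds, while sso_login(SAMPLE_RESPONSE, "user_name") yields the same 'not found' message as the log entry in the Symptoms section, since the email address is compared against the wrong column.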


Resolution

  • Make sure the IdP returns the correct value in the NameID element of the SAML response.
  • If the IdP already returns the correct value, make sure that the 'User Field' under the Advanced properties of the Identity Provider record points to the correct sys_user column, and that a user record actually exists with that column set to the value returned in the SAML response.

Article Information

Last Updated: 2019-02-25 13:00:23
Published: 2019-02-25