Salesforce Summer ’19 issue with ADFS single sign on

This is a work related techie blog post for the benefit of others who may experience the same problem.

We have a production Salesforce Org and a number of sandbox Orgs, all set up with a Salesforce “My Domain” and configured to use Single Sign On authenticating against Microsoft ADFS. On the weekend, after our sandbox Orgs got upgraded to the Summer ’19 release, we were unable to login to any of our sandboxes using Single Sign On. We were just getting a very unhelpful “An error occurred” message on the sign-in screen.

Comparing the Single Sign On settings in our Production Org (which was still working), I noticed that where the “Login URL” SAML endpoint used to have an “so=OrgID” parameter, this was now gone in the updated sandboxes. Jumping on to our ADFS management console, and editing the relevant Relying Party Trust to remove the “so=OrgID” parameter from the Endpoint was all that was needed to fix the problem.

Curiously, when I checked the release notes for the Summer ’19 update (which is 480 pages long!), there appears to be no mention of this change in Single Sign In configuration.

Production (not yet updated to Summer ’19) had an “so=” parameter in the Login URL SAML endpoint
Sandboxes that had been updated to Summer ’19 release did not have the “so=” parameter in the Login URL SAML endpoint
Removing the “so=OrgID” parameter in the ADFS settings fixed the sign in problem.

1 thought on “Salesforce Summer ’19 issue with ADFS single sign on

  1. Our production Salesforce Org got updated to the Summer ’19 release over the weekend. Interestingly in the Production Org the Login URL still has the “so=” parameter. It seems that it’s only sandboxes that have this changed behaviour.

Leave a Reply

Your email address will not be published. Required fields are marked *