We’ve implemented SAML SSO for our partner portal, and while the authentication works (partners can log in successfully), the user mapping is completely broken. External users are being created in Salesforce, but they’re not being associated with the correct partner accounts, which means they can’t access any of their account-specific data.
The SAML assertion from our identity provider includes the partner’s company ID in a custom attribute, but Salesforce isn’t using this for account matching during Just-in-Time provisioning. Instead, new Contact records are created without any Account relationship, leaving users stranded on a blank portal homepage.
Our IdP sends these SAML assertions with partner account attributes:
- Company_ID (custom attribute): matches our Account.Partner_External_ID__c field
- Email: user’s email address
- FirstName and LastName: standard attributes
I’ve configured the SSO settings and enabled JIT provisioning, but I’m not clear on where to map the Company_ID attribute to link users to their accounts. The partner account attribute mapping seems to be missing or not working. Has anyone successfully implemented SAML assertion mapping for partner portals with account-based data access? Our partners are frustrated they can’t access their data after logging in.
One thing to watch out for with custom JIT handlers: make sure your handler includes proper error handling for cases where the Account lookup fails. If a partner sends an invalid Company_ID or the Account doesn’t exist in Salesforce, your handler should either reject the login or create an orphaned Contact with clear error messaging. Don’t let users log in successfully but have no data access. Also consider how you’ll handle users who belong to multiple partner accounts - that’s a common scenario that breaks simple lookup logic.
The issue is that standard SAML SSO configuration doesn’t automatically link Contacts to Accounts during JIT provisioning. You need to implement a custom SAML JIT handler class that processes your custom Company_ID attribute and performs the account lookup. The standard JIT handler only creates the Contact and User records, but doesn’t handle the Account relationship. Check if you have a custom Apex class implementing the Auth.SamlJitHandler interface. If not, that’s what you need.
Unfortunately, there’s no declarative way to map SAML attributes to Account relationships during JIT provisioning. You’ll need a custom JIT handler. The good news is it’s not too complex - you implement the createUser method to look up the Account using your Company_ID attribute, create the Contact with the Account relationship, then create the User. Salesforce provides sample code in the documentation. The key is querying for the Account using the Partner_External_ID__c field before creating the Contact record.
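Putting the last three replies together, here is an added example of such a handler (it is not code from the thread or from Salesforce’s documentation sample). It implements Auth.SamlJitHandler, resolves the partner Account from the Company_ID attribute via Partner_External_ID__c, creates the Contact under that Account, and refuses the login (by throwing) when the Account is missing, duplicated, not partner-enabled, or, on a later login, no longer matches the Contact’s Account, so a user is never provisioned without data access. The attribute key 'Company_ID', the profile name 'Partner Community User', the alias derivation and the locale values are assumptions you would adjust; users who legitimately belong to several partner Accounts are not handled here.

```apex
// Added example, not the thread's or Salesforce's own code. Registered under
// Setup > Single Sign-On Settings > "SAML JIT Handler" (with "Execute Handler As").
global class PartnerJitHandler implements Auth.SamlJitHandler {

    // Throwing from createUser/updateUser aborts the SSO login, which is the
    // safe failure mode: no stranded Contact, no User without account access.
    global class JitException extends Exception {}

    // Assumed attribute key: must match the assertion's AttributeStatement exactly
    // (attribute names are case-sensitive).
    private static final String COMPANY_ID_ATTR = 'Company_ID';
    // Placeholder partner profile name; replace with the org's real profile.
    private static final String PARTNER_PROFILE_NAME = 'Partner Community User';

    global User createUser(Id samlSsoProviderId, Id communityId, Id portalId,
                           String federationIdentifier, Map<String, String> attributes,
                           String assertion) {
        Account acct = findPartnerAccount(attributes);
        String email = requireAttr(attributes, 'Email');

        // Contact is created under the matched partner Account, which is what
        // gives the portal user visibility into account-specific data.
        Contact c = new Contact(
            AccountId = acct.Id,
            FirstName = attributes.get('FirstName'),
            LastName  = requireAttr(attributes, 'LastName'),
            Email     = email
        );
        insert c;

        Profile p = [SELECT Id FROM Profile WHERE Name = :PARTNER_PROFILE_NAME LIMIT 1];

        // Salesforce inserts the User returned from createUser; the handler
        // only populates it. Username must be unique across all orgs.
        return new User(
            ContactId            = c.Id,
            ProfileId            = p.Id,
            FederationIdentifier = federationIdentifier,
            Username             = email,
            Email                = email,
            FirstName            = c.FirstName,
            LastName             = c.LastName,
            Alias                = email.substringBefore('@').left(8), // assumed alias scheme
            EmailEncodingKey     = 'UTF-8',
            LanguageLocaleKey    = 'en_US',
            LocaleSidKey         = 'en_US',
            TimeZoneSidKey       = 'America/Los_Angeles'
        );
    }

    global void updateUser(Id userId, Id samlSsoProviderId, Id communityId, Id portalId,
                           String federationIdentifier, Map<String, String> attributes,
                           String assertion) {
        // Re-validate the Account on every login: a changed or wrong Company_ID
        // must not silently grant access to a different partner's data.
        Account acct = findPartnerAccount(attributes);
        User u = [SELECT Id, Email, FirstName, LastName, Contact.AccountId
                  FROM User WHERE Id = :userId];
        if (u.Contact.AccountId != acct.Id) {
            throw new JitException('Company_ID in assertion does not match the user\'s Account');
        }
        // Keep identity fields in sync with the IdP.
        u.Email     = requireAttr(attributes, 'Email');
        u.FirstName = attributes.get('FirstName');
        u.LastName  = requireAttr(attributes, 'LastName');
        update u;
    }

    // Exactly one partner-enabled Account may match the external ID.
    private Account findPartnerAccount(Map<String, String> attributes) {
        String companyId = requireAttr(attributes, COMPANY_ID_ATTR);
        List<Account> matches = [SELECT Id, IsPartner FROM Account
                                 WHERE Partner_External_ID__c = :companyId LIMIT 2];
        if (matches.isEmpty()) {
            throw new JitException('No Account with Partner_External_ID__c = ' + companyId);
        }
        if (matches.size() > 1) {
            throw new JitException('Ambiguous Company_ID ' + companyId + ': multiple Accounts match');
        }
        if (!matches[0].IsPartner) {
            throw new JitException('Account for ' + companyId + ' is not enabled as a partner');
        }
        return matches[0];
    }

    private static String requireAttr(Map<String, String> attributes, String key) {
        String v = attributes.get(key);
        if (String.isBlank(v)) {
            throw new JitException('SAML assertion is missing required attribute ' + key);
        }
        return v;
    }
}
```

Because every failure path throws, a misconfigured IdP or an unknown Company_ID shows up as a failed SSO login (visible in the login history and the SAML Assertion Validator) rather than as a partner who can log in but sees nothing. The LIMIT 2 query is what lets the handler distinguish "no match" from "duplicate external IDs", which is worth rejecting explicitly instead of picking the first row.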
Before writing custom code, verify your SAML assertion is actually sending the Company_ID attribute correctly. Use the SAML Assertion Validator in Salesforce (Setup > Single Sign-On Settings > SAML Assertion Validator) to inspect the raw assertion. Look for your custom attribute in the AttributeStatement section. If it’s not there, your IdP configuration is the problem, not Salesforce. Also check that the attribute name exactly matches what you’re expecting - SAML attribute names are case-sensitive.
I checked the SAML assertion and Company_ID is definitely there with the correct value. So the IdP is sending it properly. I don’t have any custom SAML JIT handler class - we’re using the standard Salesforce configuration. Does that mean I need to write custom Apex code just to map users to accounts? That seems like basic functionality for a partner portal. Is there no declarative way to configure this account mapping?