Are you currently working on an Single Sign On integration? Or trying to troubleshoot a Single Sign on setup? SAML traces are quite useful for this process.

Here is the instruction on how to do a SAML trace:

How to perform a SAML Trace

In your Settings in the Admin console (adminconsole.adobe.com) go to Identity and to the Directory and look to see what the User login setting is set to.

If it is set to Email that means in the SAML you should see: FirstName, LastName, Email as what we are looking to get. Also the Name ID should be showing up in Email format.

If the setting is set to Username then this means that the SAML response should have Name ID as Username, and you should be passing FirstName, LastName, Email in the SAML.

Please note that the variable names are camel case!

If you pass the variables in your IdP setup as firstname, lastname, email, username this will result in Okta 400 errors! Casing is important this does not mean that the payload i.e example: Bob_Martin@domain.com has be camel cased. SAML responses only need the variables as such. If you are setting up Single Sign on for Analytics, Target, Audience Manager, Launch, DTM, AEM then FirstName, LastName, Email are required. More importantly this is needed for Analytics so it will create an account. If you are setting this up for Creative Cloud then Email with blanks does work for SAML. Its important to understand this difference as the Cloud have different requirements.

Hope this helps!

If you have questions reach out to me!

Thanks,

Kerry Nelson