Below are some common issues you may encounter and possible resolutions when onboarding customers:
Federation ID is case-sensitive. If the federated identity is your organizational email address, be sure to enter it in the user's Federation ID field exactly as AD FS sends it; otherwise, Salesforce cannot find a matching user. Unfortunately, you cannot write a custom claim rule to normalize the case of the LDAP attribute before sending it, because the claims language offers only a basic regular expression replace and no case conversion.
Assertion has expired. Assertions with a time stamp more than 5 minutes old are rejected. Note: Salesforce does make an allowance of 3 minutes for clock skew. Therefore, an assertion can be accepted as much as 8 minutes after its time stamp or 3 minutes before it. This window is shorter if the assertion's validity period is less than 5 minutes. Ensure that your AD FS server's system clock is synchronized to a good internet time source using Network Time Protocol (NTP).
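The following checker models both rules above (the case-sensitive Federation ID match and the 5-minute validity window widened by 3 minutes of clock skew) so you can reproduce why a given assertion was rejected; it is an added example, not Salesforce or AD FS code, and it assumes the Conditions NotBefore attribute is the "time stamp" the rule refers to and that the assertion is a minimal unsigned fragment constructed for the demo.

```python
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

MAX_VALIDITY = timedelta(minutes=5)  # time stamps older than this are rejected
CLOCK_SKEW = timedelta(minutes=3)    # allowance for drift between IdP and SP clocks
SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
TIME_FMT = "%Y-%m-%dT%H:%M:%SZ"      # SAML xs:dateTime, always UTC


def make_assertion(name_id, not_before, validity):
    """Build a minimal, unsigned assertion fragment (constructed for the demo)."""
    return (
        '<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">'
        f"<saml:Subject><saml:NameID>{name_id}</saml:NameID></saml:Subject>"
        f'<saml:Conditions NotBefore="{not_before.strftime(TIME_FMT)}" '
        f'NotOnOrAfter="{(not_before + validity).strftime(TIME_FMT)}"/>'
        "</saml:Assertion>"
    )


def check_assertion(assertion_xml, federation_ids, now):
    """Return (accepted, reason) for an assertion received at time `now`.

    federation_ids: Federation ID values stored on the service provider's users.
    Assumption: Conditions/NotBefore is the assertion's time stamp.
    """
    root = ET.fromstring(assertion_xml)
    name_id = root.find("saml:Subject/saml:NameID", SAML_NS).text
    cond = root.find("saml:Conditions", SAML_NS)
    not_before = datetime.strptime(cond.get("NotBefore"), TIME_FMT).replace(tzinfo=timezone.utc)
    not_on_or_after = datetime.strptime(cond.get("NotOnOrAfter"), TIME_FMT).replace(tzinfo=timezone.utc)

    # Window = IdP validity period capped at 5 minutes, widened by skew on both
    # ends: at most 8 minutes after the time stamp and 3 minutes before it.
    validity = min(not_on_or_after - not_before, MAX_VALIDITY)
    if now < not_before - CLOCK_SKEW:
        return False, "assertion time stamp is further in the future than the skew allowance"
    if now > not_before + validity + CLOCK_SKEW:
        return False, "assertion has expired"

    # Federation ID match is case-sensitive (no casefold before comparing);
    # the hint tells the admin when only the letter case differs.
    if name_id not in federation_ids:
        case_only = name_id.casefold() in {f.casefold() for f in federation_ids}
        return False, "no matching user" + (" (Federation ID differs only in case)" if case_only else "")
    return True, "accepted"


if __name__ == "__main__":
    t0 = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)
    demo = make_assertion("jane.doe@example.com", t0, timedelta(minutes=5))
    print(check_assertion(demo, {"Jane.Doe@example.com"}, t0 + timedelta(minutes=1)))
```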