Single Sign-On (SSO) in Salesforce
Single Sign-On (SSO) lets users authenticate once with a trusted Identity Provider (IdP) and then access a Service Provider (SP), here Salesforce, without re-entering credentials. This guide walks through a SAML 2.0 setup in which a second Salesforce org acts as the IdP, and states for each step which org it is performed in. The SP-side steps are the same when the IdP is a third-party product such as Okta; only the IdP-side steps differ.
Step 1. Prerequisites
Before configuring SSO, ensure the following prerequisites are met:
- Salesforce org acting as Service Provider (SP):
  - Admin access to configure SSO in Salesforce.
  - My Domain enabled and deployed.
- Identity Provider (IdP), in this guide a second Salesforce org:
  - Admin access to configure the IdP.
  - Access to download the IdP's SAML metadata or signing certificate.
Step 2. Enable My Domain in Salesforce (SP org)
- Log in to your Salesforce org as an admin.
- Navigate to Setup → Quick Find → My Domain.
- Configure a unique domain name for your Salesforce org.
Example: `https://yourcompany.my.salesforce.com`.
- Follow the prompts to register and then deploy the domain to users.
- Confirm the domain is deployed. SAML SSO cannot be enabled without it, because the domain becomes the SP's Entity ID and the host of its Assertion Consumer Service (ACS) URL.
Step 3. Enable the Identity Provider (IdP org)
Perform this step in the org that will act as IdP.
- Navigate to Setup → Quick Find → Identity Provider → Enable Identity Provider.
- Create a new self-signed certificate (or select an existing one) and provide the following details:
  - Label: a descriptive label for the certificate (e.g., "MySSO_Certificate").
  - Unique Name: auto-populated from the label; customize it if needed.
- Click Save to generate the self-signed certificate.
This certificate signs every SAML assertion the IdP issues, and the SP will later trust exactly this certificate. Its private key never leaves the IdP org; only the public certificate is shared. When the certificate is rotated, the SP's SSO settings must be updated or logins will fail.
Step 4. Configure Remote Site Settings in Salesforce (SP org)
1. Navigate to Remote Site Settings:
  - Go to Setup in Salesforce.
  - In the Quick Find box, type Remote Site Settings and select it.
2. Create a new Remote Site:
  - Click New Remote Site.
  - Remote Site Name: a descriptive name for the Identity Provider (e.g., "IdP_Remote_Site").
  - Remote Site URL: the base URL of the Identity Provider (e.g., https://idp.example.com).
  - Optionally, add a description.
3. Click Save to add the new Remote Site.
Remote Site Settings authorize outbound HTTP callouts made by Apex code in your org. The browser-redirect SAML flow itself does not depend on them, so this step only matters if your org makes server-side calls to the IdP (for example from a custom login handler); it is harmless otherwise.
Step 5. Configure Single Sign-On Settings in Salesforce (SP org)
- Navigate to Setup → Quick Find → Single Sign-On Settings, click Edit, select SAML Enabled and save.
- Under SAML Single Sign-On Settings, click New to enter the IdP details manually. (The two sections that follow describe the alternatives: loading a metadata file, or loading a metadata URL.)
Provide the following details:
- Name: a descriptive name (e.g., "Okta SSO").
- SAML Version: 2.0.
- Issuer: the IdP's entity ID (Issuer URL), exactly as the IdP writes it into the assertion's Issuer element. A mismatch of even one character causes every login to be rejected.
- Entity ID: your Salesforce org's entity ID (pre-filled; with My Domain this is your My Domain URL).
- Identity Provider Login URL: the IdP's SAML login (SingleSignOnService) URL.
- Identity Provider Certificate: upload the IdP's signing certificate. Salesforce verifies the assertion signature against this certificate, so it must be the certificate created in Step 3 (or the IdP's published signing certificate), obtained over a trusted channel.
- Assertion Consumer Service (ACS) URL: Salesforce generates this; after saving, it appears on the record as the Login URL. Confirm that it points at your My Domain.
- Service Provider Initiated Request Binding: HTTP POST (select HTTP Redirect only if the IdP requires it).
- SAML Identity Location: Identity is in the NameIdentifier element of the Subject statement.
- SAML Identity Type: Username, Federation ID or User ID, matching what the IdP places in the NameID. This guide uses Federation ID.
- Save your configuration.
Configuring Single Sign-On (SSO) using a metadata file
- Download the metadata file:
  - Open the Identity Provider (IdP) configuration interface.
  - Download the IdP's SAML metadata file (an XML EntityDescriptor).
- Navigate to SAML Single Sign-On Settings in Salesforce (SP org):
  - Go to Setup in Salesforce.
  - In the Quick Find box, type Single Sign-On Settings and select it.
- Create the SAML Single Sign-On setting from the file:
  - Click New from Metadata File.
  - Click Choose File and upload the metadata file downloaded from the IdP, then click Create.
- Verify and save:
  - Salesforce populates the IdP-side fields from the file: Issuer (the metadata's entityID), Identity Provider Login URL (the SingleSignOnService location) and Identity Provider Certificate (the signing certificate in the KeyDescriptor). The SP-side values, Entity ID and ACS URL, come from your own org.
  - Verify the populated values, and compare the certificate fingerprint with what the IdP administrator reports. A metadata file obtained from an untrusted source is all an attacker needs to make your org trust a rogue IdP.
  - Click Save to complete the setup.
Configuring Single Sign-On (SSO) using the IdP's metadata URL
When the IdP is a Salesforce org, its metadata is published at a URL that the SP org can fetch directly.
- Copy the metadata URL from the IdP org:
  - Go to Setup in the IdP org.
  - In the Quick Find box, type Identity Provider and select it.
  - In the Identity Provider metadata section, copy the Metadata URL (Download Metadata yields the same document as a file).
- Load it in the SP org:
  - Go to Setup → Quick Find → Single Sign-On Settings.
  - Under SAML Single Sign-On Settings, click New from Metadata URL.
  - Paste the copied URL into the Metadata URL field and click Create.
- Automatic population:
  - Salesforce fetches the metadata and populates the SSO settings (Issuer, Identity Provider Login URL, Identity Provider Certificate).
  - The populated values are displayed for verification.
- Update the Identity Provider Certificate if required:
  - The certificate is attached to the SAML Single Sign-On Settings record in the SP org, in the Identity Provider Certificate field. If the IdP has rotated its certificate since the metadata was fetched, download the current certificate from the IdP org (Setup → Quick Find → Identity Provider → Download Certificate) and upload it there.
- Select the identity mapping:
  - In the SAML Single Sign-On Settings record, SAML Identity Type specifies how Salesforce maps the assertion's subject to a user:
    - Username: match on the Salesforce username.
    - User ID: match on the Salesforce user ID.
    - Federation ID: match on the Federation ID of the User record.
  - This guide uses Federation ID, which decouples the SP login from the IdP-side username.
- Save and verify:
  - Once all required fields are populated, click Save. This creates the SAML Single Sign-On Settings record in the SP org.
Review the saved record to confirm that Issuer, Login URL and certificate are correct; the Login URL on the record is the ACS URL the IdP will need in Step 6.
Step 6. Create a Connected App in the Identity Provider (IdP) org
- Navigate to App Manager:
  - Go to Setup in the IdP org.
  - In the Quick Find box, type App Manager and select it, then click New Connected App.
- Fill in the required basic fields:
  - Connected App Name: a descriptive name (e.g., "SSO_SAML_ConnectedApp").
  - API Name: auto-filled from the app name.
  - Contact Email: a valid email address for the app administrator.
- Enable SAML:
  - Under Web App Settings, check Enable SAML.
- Configure the SAML settings. The values come from the SP org's saved SAML Single Sign-On Settings record:
  - Entity ID: the SP org's Entity ID (SP org: Setup → Quick Find → Single Sign-On Settings → the SAML record → Entity ID).
  - ACS URL: the SP record's Login URL (SP org: same record → Login URL).
  - Subject Type: Federation ID. This selects which field of the IdP-side User record is written into the assertion's NameID, so it must agree with the SAML Identity Type chosen in Step 5.
  - IdP Certificate: the self-signed certificate created in Step 3.
- Save the connected app. Only users whose profile or permission set has been granted this connected app (Manage → Manage Profiles / Manage Permission Sets) can obtain an assertion for the SP, so grant it deliberately rather than to all profiles.
Step 7. Set the Federation ID on the user record in both the IdP and SP orgs
- In each org: Setup → Users → Users → select the user → Edit → Single Sign On Information → Federation ID (the same field is reachable from the user's own Advanced User Details page).
- The value must be identical for the same person in both orgs: the IdP org writes its copy into the assertion's NameID (Step 6, Subject Type), and the SP org looks up the user whose Federation ID equals that value (Step 5, SAML Identity Type). The comparison is case-sensitive.
- The Federation ID is the binding between the two identities: whoever can edit it on the SP side chooses which IdP account logs in as that user. Restrict the permission to manage users accordingly, and do not derive it from an attribute that can be reassigned to another person, such as a reusable email address.
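Before testing the login it is worth reconciling the two orgs' user lists, because a blank, duplicated or differently-cased Federation ID is the usual reason a correct SAML assertion still fails to map to a user. The following Python script is an added example, not Salesforce code: it reads two constructed exports of the User object (Username, FederationIdentifier, IsActive, the API names of the fields involved) and reports the mismatches. The user names and values are hypothetical.

```python
"""Reconcile Federation IDs between the IdP org and the SP org (added example)."""
import csv
import io
from collections import Counter

# Constructed sample exports (hypothetical users). In practice, export
# Username, FederationIdentifier and IsActive from the User object of each org.
IDP_USERS_CSV = """Username,FederationIdentifier,IsActive
jdoe@idp.example.com,jdoe@example.com,true
asmith@idp.example.com,ASmith@example.com,true
bshah@idp.example.com,,true
"""

SP_USERS_CSV = """Username,FederationIdentifier,IsActive
jdoe@sp.example.com,jdoe@example.com,true
asmith@sp.example.com,asmith@example.com,true
twin1@sp.example.com,dup@example.com,true
twin2@sp.example.com,dup@example.com,true
oldacct@sp.example.com,,false
"""


def load_active_users(csv_text: str) -> list[dict]:
    """Parse an export and keep only active users; inactive users cannot log in anyway."""
    rows = csv.DictReader(io.StringIO(csv_text))
    return [r for r in rows if r["IsActive"].strip().lower() == "true"]


def reconcile(idp_csv: str, sp_csv: str) -> dict:
    """Report everything that would stop an IdP user from being mapped to exactly one SP user."""
    idp = load_active_users(idp_csv)
    sp = load_active_users(sp_csv)

    sp_fed = Counter(r["FederationIdentifier"] for r in sp if r["FederationIdentifier"])
    # Lower-cased index only to *detect* case mismatches; Salesforce itself matches case-sensitively.
    sp_fed_ci = {fid.lower(): fid for fid in sp_fed}

    report = {
        "sp_missing_federation_id": [r["Username"] for r in sp if not r["FederationIdentifier"]],
        "sp_duplicate_federation_id": sorted(fid for fid, n in sp_fed.items() if n > 1),
        "idp_missing_federation_id": [r["Username"] for r in idp if not r["FederationIdentifier"]],
        "idp_unmatched": [],      # IdP users with no SP user carrying the same value
        "case_mismatch": [],      # (idp username, idp value, sp value) differing only in case
    }
    for r in idp:
        fid = r["FederationIdentifier"]
        if not fid or fid in sp_fed:
            continue
        if fid.lower() in sp_fed_ci:
            report["case_mismatch"].append((r["Username"], fid, sp_fed_ci[fid.lower()]))
        else:
            report["idp_unmatched"].append(r["Username"])
    return report


if __name__ == "__main__":
    for key, value in reconcile(IDP_USERS_CSV, SP_USERS_CSV).items():
        print(f"{key}: {value}")
```

Duplicates on the SP side matter because Salesforce must resolve the NameID to a single user; case mismatches are listed separately because they look correct to the eye but will not match.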
Step 8. Test the login from the connected app in the IdP org
- Navigate to Setup in the IdP org.
- Go to App Manager.
- Locate the connected app created in Step 6 and click Manage to review its settings.
- On the Manage page, find the IdP-Initiated Login URL.
- While logged in to the IdP org as a user who has a Federation ID (Step 7) and access to the connected app, open that URL. The IdP org issues a signed assertion and posts it to the SP org's ACS URL; if the mapping succeeds, you land in the SP org as the matching user.
This is the IdP-initiated flow: the SP accepts an assertion it never requested. It is convenient for testing and for an App Launcher tile, but the SP-initiated flow (the user starts at the SP's My Domain login page and is redirected to the IdP) gives the SP a request to tie the response to, so prefer it for day-to-day use where the IdP supports it. If the login is rejected, Salesforce's SAML Assertion Validator on the Single Sign-On Settings page shows which check of the last assertion failed.
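When the test login fails, the quickest way to see why is to capture the SAMLResponse form parameter from the browser (it is base64-encoded XML) and compare its fields with the SP record. The following Python script is an added example, not Salesforce code: it decodes a captured response and checks Status, Destination, Issuer, Audience, validity window, Recipient and NameID against the values on the SP's SAML Single Sign-On Settings record. It does not verify the XML signature; Salesforce does that with the Identity Provider Certificate, and a signature check needs an XML-DSig library. The response and the expected values are constructed for this example (hypothetical IdP, hypothetical SP org and ACS URL, hypothetical user).

```python
"""Decode a captured SAMLResponse and explain why Salesforce would reject it (added example)."""
import base64
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"

# Values copied from the SP org's SAML Single Sign-On Settings record (hypothetical here).
EXPECTED = {
    "issuer": "https://idp.example.com",                                   # Issuer field
    "entity_id": "https://yourcompany.my.salesforce.com",                  # Entity ID field
    "acs_url": "https://yourcompany.my.salesforce.com?so=00D000000000001", # Login URL on the record
}

# Constructed, unsigned response for a hypothetical user whose Federation ID is jdoe@example.com.
SAMPLE_RESPONSE_XML = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_resp1" Version="2.0"
    IssueInstant="2024-05-01T12:00:00Z" Destination="https://yourcompany.my.salesforce.com?so=00D000000000001">
  <saml:Issuer>https://idp.example.com</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-05-01T12:00:00Z">
    <saml:Issuer>https://idp.example.com</saml:Issuer>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">jdoe@example.com</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData NotOnOrAfter="2024-05-01T12:05:00Z"
            Recipient="https://yourcompany.my.salesforce.com?so=00D000000000001"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions NotBefore="2024-05-01T11:59:00Z" NotOnOrAfter="2024-05-01T12:05:00Z">
      <saml:AudienceRestriction><saml:Audience>https://yourcompany.my.salesforce.com</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""
SAMPLE_RESPONSE_B64 = base64.b64encode(SAMPLE_RESPONSE_XML.encode()).decode()

# Fixed clock values so the checks are reproducible: inside and after the validity window.
NOW_OK = datetime(2024, 5, 1, 12, 1, tzinfo=timezone.utc)
NOW_LATE = datetime(2024, 5, 1, 12, 10, tzinfo=timezone.utc)


def saml_timestamp(value: str) -> datetime:
    """SAML timestamps are ISO 8601 UTC with a trailing Z; normalize for fromisoformat."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def check_saml_response(b64_response: str, expected: dict, now: datetime) -> list[str]:
    """Return the problems Salesforce would reject this response for; empty means the fields line up."""
    problems = []
    root = ET.fromstring(base64.b64decode(b64_response))
    if root.tag != f"{{{NS['samlp']}}}Response":
        return ["top-level element is not samlp:Response"]

    status = root.find("samlp:Status/samlp:StatusCode", NS)
    if status is None or status.get("Value") != SUCCESS:
        problems.append("IdP did not return status Success")
    if root.get("Destination") != expected["acs_url"]:
        problems.append(f"Destination {root.get('Destination')!r} != ACS URL (Login URL on the SP record)")

    assertions = root.findall("saml:Assertion", NS)
    if len(assertions) != 1:
        problems.append(f"expected exactly one Assertion, found {len(assertions)}")
        return problems
    a = assertions[0]

    issuer = a.findtext("saml:Issuer", default="", namespaces=NS).strip()
    if issuer != expected["issuer"]:
        problems.append(f"Issuer {issuer!r} does not match the Issuer field")

    audiences = [e.text.strip() for e in a.findall("saml:Conditions/saml:AudienceRestriction/saml:Audience", NS) if e.text]
    if expected["entity_id"] not in audiences:
        problems.append(f"Audience {audiences} does not contain the Entity ID")

    cond = a.find("saml:Conditions", NS)
    if cond is None:
        problems.append("no Conditions element")
    else:
        if cond.get("NotBefore") and now < saml_timestamp(cond.get("NotBefore")):
            problems.append("assertion not yet valid (NotBefore in the future; check clock skew)")
        if cond.get("NotOnOrAfter") and now >= saml_timestamp(cond.get("NotOnOrAfter")):
            problems.append("assertion expired (NotOnOrAfter has passed)")

    if not a.findtext("saml:Subject/saml:NameID", default="", namespaces=NS).strip():
        problems.append("Subject has no NameID; Salesforce cannot map the user")
    scd = a.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd is not None:
        if scd.get("Recipient") not in (None, expected["acs_url"]):
            problems.append("SubjectConfirmationData Recipient != ACS URL")
        if scd.get("NotOnOrAfter") and now >= saml_timestamp(scd.get("NotOnOrAfter")):
            problems.append("bearer confirmation expired (SubjectConfirmationData NotOnOrAfter has passed)")
    return problems


def subject_name_id(b64_response: str) -> str:
    """The value Salesforce will look up in the user field selected as SAML Identity Type."""
    root = ET.fromstring(base64.b64decode(b64_response))
    return root.findtext("saml:Assertion/saml:Subject/saml:NameID", default="", namespaces=NS).strip()


if __name__ == "__main__":
    print("NameID:", subject_name_id(SAMPLE_RESPONSE_B64))
    print("problems now:", check_saml_response(SAMPLE_RESPONSE_B64, EXPECTED, NOW_OK))
    print("problems later:", check_saml_response(SAMPLE_RESPONSE_B64, EXPECTED, NOW_LATE))
```

Replace `SAMPLE_RESPONSE_B64` with the captured parameter (URL-decode it first if you copied it from a raw POST body) and `EXPECTED` with your record's values, and pass `datetime.now(timezone.utc)` as `now`. A NotBefore failure on a fresh assertion almost always means clock skew between the IdP and the SP rather than a configuration error.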
Steps to show the SP login in the App Launcher and configure the Start URL (IdP org)
- Configure the Start URL:
  - Go to Setup → App Manager.
  - Locate the connected app created in Step 6 and click Manage.
  - Select Edit Policies.
  - In the Start URL field, enter the IdP-Initiated Login URL and save.
- Make the app visible:
  - The connected app appears in the App Launcher only for users whose profile or permission set has been granted access to it (Manage → Manage Profiles / Manage Permission Sets).
- Log in to the SP org:
  - The app now appears in the IdP org's App Launcher.
  - Clicking it opens the configured Start URL and logs the user into the Service Provider (SP) org through the IdP-initiated flow.