Single Sign-On (SSO) in Salesforce

Single Sign-On (SSO) allows users to authenticate with a trusted Identity Provider (IdP) and gain access to a Service Provider (SP), in this case, Salesforce, without re-entering credentials. This guide explains the setup process and clarifies where each step is performed.

Step 1. Prerequisites

Before configuring SSO, ensure the following prerequisites are met:

  1. Salesforce Org (SP):
  • Admin access to configure SSO in Salesforce.
  • My Domain enabled and deployed.
  2. Identity Provider (IdP):
  • Admin access to configure the IdP.
  • Access to download SAML metadata or certificates.

Step 2. Enable My Domain in Salesforce (SP)

  • Log in to your Salesforce org as an admin.
  • Navigate to Setup → Quick Find → My Domain.
  • Configure a unique domain name for your Salesforce org.

Example: `https://yourcompany.my.salesforce.com`.

  • Follow the prompts to deploy the domain.
  • Ensure the domain is active. (Required for enabling SSO.)

Step 3. Configure the Identity Provider (IdP)

  • Navigate to Setup → Quick Find → Identity Provider → Enable Identity Provider.


  • Create a new self-signed certificate and provide the following details:
  • Label: Enter a descriptive label for the certificate (e.g., “MySSO_Certificate”).
  • Unique Name: This is auto-populated but can be customized if needed.

Click Save to generate the self-signed certificate.


Step 4. Configure Remote Site Settings in Salesforce (SP)

  1. Navigate to Remote Site Settings:
  • Go to Setup in Salesforce.
  • In the Quick Find box, type Remote Site Settings and select it.
  2. Create a New Remote Site:
  • Click New Remote Site.
  • Enter the details:
  • Remote Site Name: Enter a descriptive name for the Identity Provider (e.g., “IdP_Remote_Site”).
  • Remote Site URL: Enter the domain URL of the Identity Provider (IdP) (e.g., https://idp.example.com).
  • Optionally, provide a description for better clarity.
  3. Save the Configuration:
  • Click Save to add the new Remote Site.


Step 5. Configure Single Sign-On Settings in Salesforce (SP)

  1. Navigate to Setup → Quick Find → Single Sign-On Settings and check SAML Enabled.
  2. Configure SAML Settings in Salesforce (SP):

Navigate to Setup → Quick Find → Single Sign-On Settings → New. The user can configure Single Sign-On using the New button by providing the following details:

  • Name: Descriptive name (e.g., “Okta SSO”).
  • SAML Version: Select 2.0.
  • Issuer: Enter the Issuer URL provided by your IdP.
  • Entity ID: Use your Salesforce Org’s Entity ID (pre-filled in Salesforce).
  • Identity Provider Login URL: Enter the IdP login URL.
  • Identity Provider Certificate: Upload the certificate file from the IdP.
  • Assertion Consumer Service (ACS) URL: Ensure this pre-filled field matches your Salesforce instance.
  • Service Provider Initiated Request Binding: Select HTTP POST.
  • SAML Identity Location: Select Identity is in the NameIdentifier element of the Subject statement.
  • Subject Type: Use User ID or Federated ID as appropriate.
  • Save your configuration.

Configuring Single Sign-On (SSO) Using a New Metadata File

  1. Download the Metadata File:
  • Access the Identity Provider (IdP) configuration interface.
  • Download the metadata file (typically an XML file) provided by the IdP.
  2. Navigate to SAML Single Sign-On Settings in Salesforce:
  • Go to Setup in Salesforce.
  • In the Quick Find box, type Single Sign-On Settings and select it.
  3. Create a New SAML Single Sign-On Setting:
  • Click New to create a new SSO configuration.
  • Select SAML as the SSO type.
  4. Upload the Metadata File:
  • Locate the option to Upload Metadata File.
  • Click Choose File and upload the metadata file downloaded from the IdP.
  5. Verify and Save:
  • Salesforce will automatically populate the required SAML configuration fields (e.g., Entity ID, Assertion Consumer Service URL) based on the metadata file.
  • Verify the details to ensure correctness.
  • Click Save to complete the setup.


The user can configure Single Sign-On by using the Metadata URL from the Identity Provider (IdP) organization.

  1. Navigate to the Identity Provider Settings in Salesforce:
  • Go to Setup in Salesforce.
  • In the Quick Find box, type Identity Provider and select Salesforce Identity from the results.
  2. Copy the Metadata URL:
  • Locate the Identity Provider Metadata section.
  • Copy the provided Metadata URL.
  3. Paste the Metadata URL in the Service Provider (SP) Settings:
  • Go to the Service Provider (SP) settings in your Salesforce org.
  • Paste the copied Metadata URL into the field labeled Metadata URL.
  • Click Create.
  4. Automatic Data Population:
  • Once you click Create, Salesforce will automatically populate the SSO settings using the information from the Metadata URL.
  • The populated details will be displayed on the screen for verification.


  5. Update the Identity Provider Certificate:
  • Download the required certificate file from the Identity Provider (IdP) organization.
  • In Salesforce, navigate to Setup → Quick Find → Identity Provider.
  • Locate the section for uploading a certificate.
  • Upload the downloaded certificate file and save the changes.
  6. Select the Correct Identity Mapping:
  • In the SAML Single Sign-On Settings, specify how Salesforce should map users between the Identity Provider and Service Provider.
  • Options for identity mapping include:
  • Username: Match users based on their Salesforce username.
  • User ID: Match users based on their unique Salesforce user ID.
  • Federation ID: Match users based on their Federation ID.
  • In this case, select Federation ID as the identity mapping method.
  7. Save and Verify the Configuration:
  • Once all required fields are populated and the configuration is complete, click Save.
  • This will create the SAML Single Sign-On Settings record in Salesforce.

Review the settings to ensure that everything is configured correctly.
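The identity mapping chosen above decides which attribute of the incoming assertion's Subject is compared against which field on the User record. The following script is an added illustration of that SP-side step, not Salesforce's implementation: after signature verification (assumed to have already passed; it is not shown here), it checks that the assertion is addressed to this SP and is still valid, takes the NameID from the Subject, and resolves it to a local user with the configured mapping. The SAML Response, the org identifiers, the user table and the hosts yourcompany.my.salesforce.com and idp.example.com are all constructed placeholders.

```python
"""Model of the SP-side identity mapping step for a SAML Response.

Added example, not Salesforce code. Signature verification is assumed to have
happened before this point; this shows the audience/validity checks and the
NameID -> User lookup for the Username / User ID / Federation ID options.
"""
from datetime import datetime, timezone
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Constructed SP configuration; every value is a placeholder, not a real org.
SP_CONFIG = {
    "entity_id": "https://yourcompany.my.salesforce.com",
    "acs_url": "https://yourcompany.my.salesforce.com?so=00Dxx0000000000",
    "issuer": "https://idp.example.com",
    "identity_mapping": "federation_id",  # or "username" / "user_id"
}

# Constructed stand-in for the SP org's User records. Bob has no Federation ID set.
USERS = [
    {"user_id": "005xx000000001AAA", "username": "alice@yourcompany.com", "federation_id": "alice.idp"},
    {"user_id": "005xx000000002AAA", "username": "bob@yourcompany.com", "federation_id": ""},
]

# Constructed SAML Response as the IdP would POST it to the ACS URL.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed-response" Version="2.0"
    Destination="https://yourcompany.my.salesforce.com?so=00Dxx0000000000">
  <saml:Issuer>https://idp.example.com</saml:Issuer>
  <saml:Assertion ID="_constructed-assertion" Version="2.0">
    <saml:Issuer>https://idp.example.com</saml:Issuer>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">alice.idp</saml:NameID>
    </saml:Subject>
    <saml:Conditions NotBefore="2024-01-01T00:00:00Z" NotOnOrAfter="2099-01-01T00:00:00Z">
      <saml:AudienceRestriction>
        <saml:Audience>https://yourcompany.my.salesforce.com</saml:Audience>
      </saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>
"""


def _parse_time(value: str) -> datetime:
    # SAML timestamps are UTC; fractional seconds are not handled in this example.
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def extract_subject(response_xml: str, config: dict, now: datetime = None) -> str:
    """Return the Subject NameID after confirming the assertion is meant for this SP."""
    now = now or datetime.now(timezone.utc)
    root = ET.fromstring(response_xml)
    if root.get("Destination") != config["acs_url"]:
        raise ValueError("Destination does not match this SP's ACS URL")
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        raise ValueError("no Assertion in Response")
    if assertion.findtext("saml:Issuer", namespaces=NS) != config["issuer"]:
        raise ValueError("assertion Issuer does not match the configured IdP")
    cond = assertion.find("saml:Conditions", NS)
    if cond is None:
        raise ValueError("assertion has no Conditions")
    if now < _parse_time(cond.get("NotBefore")) or now >= _parse_time(cond.get("NotOnOrAfter")):
        raise ValueError("assertion is outside its validity window")
    audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if config["entity_id"] not in audiences:
        raise ValueError("Audience does not include this SP's Entity ID")
    name_id = assertion.findtext("saml:Subject/saml:NameID", namespaces=NS)
    if not name_id:
        raise ValueError("no NameID in Subject")
    return name_id


def resolve_user(name_id: str, config: dict, users: list) -> dict:
    """Map the NameID to exactly one local user using the configured field."""
    field = config["identity_mapping"]
    # Exact, case-sensitive match; an empty local field never matches anything,
    # so a user without a Federation ID cannot be logged in by accident.
    matches = [u for u in users if u[field] and u[field] == name_id]
    if len(matches) != 1:
        raise LookupError(f"{len(matches)} users match {field}={name_id!r}; expected exactly 1")
    return matches[0]


def login(response_xml: str, config: dict = SP_CONFIG, users: list = USERS, now: datetime = None) -> dict:
    return resolve_user(extract_subject(response_xml, config, now), config, users)


if __name__ == "__main__":
    print("logged in as", login(SAMPLE_RESPONSE)["username"])
```

The lookup requires exactly one matching user and ignores blank fields, which is the behaviour you want when Federation ID is the mapping: a user whose Federation ID was never filled in (Step 7 below covers that) should fail to log in rather than match an assertion with an empty NameID. Salesforce compares the Federation ID case-sensitively, so the value entered in the IdP and SP orgs must match exactly.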


Step 6. Create a Connected App in the Identity Provider (IdP) Org

  1. Navigate to App Manager:
  • Go to Setup in the IdP organization.
  • In the Quick Find box, type App Manager and select it.


  2. Create the Connected App and fill in the following required fields:
  • Connected App Name: Enter a descriptive name for your app (e.g., “SSO_SAML_ConnectedApp”).
  • API Name: This will be auto-filled based on the app name.
  • Contact Email: Provide a valid email address for the app administrator.
  3. Enable SAML Settings:
  • Check the Enable SAML box to configure SAML-based authentication for the app.


  4. Configure SAML-Specific Settings:
  • Enter the required fields under the SAML settings section:
  • Entity ID: Enter a unique identifier for the app (often matches the Service Provider’s Entity ID). In the SP org, this value is shown under Setup → Quick Find → Single Sign-On Settings → Entity ID.
  • ACS URL: Enter the ACS URL, which is taken from the SP org’s Single Sign-On Settings (Setup → Quick Find → Single Sign-On Settings → Login URL).
  • IdP Certificate: Select the newly created self-signed certificate.

Step 7. Enter the Federation ID on the user record in both the IdP and SP orgs

Navigate to Setup → User settings → Advanced User Details → Edit → Federation ID. The value must be identical in both orgs.

Step 8. Manage the Connected App in the IdP Organization

  1. Navigate to Setup in the Identity Provider (IdP) organization.
  2. Go to App Manager.
  3. Locate and select the SDP Connected App that was created.
  4. Click Manage to configure or review the connected app settings.

Log in to the Service Provider (SP) organization.

  • Navigate to Setup → App Manager.
  • Locate the SDP Connected App that was created and click Manage.
  • Find the IdP-Initiated Login URL in the connected app settings.

Click the URL to log in to the SP organization using the IdP-initiated flow.

Steps to Create an App on the App Launcher and Configure the Start URL:

  1. Create the App:
  • Navigate to App Launcher and create a new app.
  2. Configure the Start URL:
  • Go to Setup → App Manager.
  • Locate the SDP Connected App that was created and click Manage.
  • Select Edit Policies.
  • In the Start URL field, enter the IdP-Initiated Login URL.
  3. Log in to the SP Organization:
  • The app will now appear in the App Launcher.
  • Click the app to log in to the Service Provider (SP) organization using the configured start URL.
