Configuring SAML Settings for Single Sign-On

Federated Authentication is available in: All Editions

Delegated Authentication is available in: Professional, Enterprise, Performance, Unlimited, Developer, and Database.com Editions

Authentication Providers are available in: Professional, Enterprise, Performance, Unlimited, and Developer Editions


User Permissions Needed
To view the settings: “View Setup and Configuration”
To edit the settings: “Customize Application” AND “Modify All Data”

From this page, you can configure your organization to use single sign-on. You can also set up just-in-time provisioning. Work with your identity provider to properly configure these settings. For more information about single sign-on, see About Single Sign-On. For more information about just-in-time provisioning, see About Just-In-Time Provisioning.

Configuring Single Sign-On

To configure SAML settings for single sign-on from your corporate identity provider to Salesforce:

  1. Gather information from your identity provider.
  2. Provide information to your identity provider.
  3. In Salesforce, from Setup, click Security Controls | Single Sign-On Settings, and click Edit.
  4. Select SAML Enabled. You must enable SAML to view the SAML single sign-on settings.
  5. Specify the SAML version used by your identity provider.
  6. Click Save.
  7. In SAML Single Sign-On Settings, click New.
  8. Give this setting a Name for reference within your organization.

    Salesforce inserts the corresponding API Name value, which you can customize if necessary.

  9. If you are enabling just-in-time provisioning for security, check User Provisioning Enabled.
    Note
    • Just-in-time provisioning requires a Federation ID in the user type. In SAML User ID Type, select Assertion contains the Federation ID from the User object.
    • If your identity provider previously used the Salesforce username, communicate to them that they must use the Federation ID.
  10. Enter the Issuer. This is often referred to as the entity ID for the identity provider.
  11. If your Salesforce organization has domains deployed, specify whether you want to use the base domain (https://saml.salesforce.com) or the custom domain for the Entity ID. You must share this information with your identity provider.
    Tip
    Generally, use the custom domain as the entity ID. If you already have single sign-on configured before deploying a domain, the base domain is the entity ID. If you are providing Salesforce to Salesforce services, you must specify the custom domain.
  12. For the Identity Provider Certificate, use the Browse button to locate and upload the authentication certificate issued by your identity provider.
  13. For the Signing Certificate, select the certificate you want from the ones saved in your Certificate and Key Management settings.
  14. Optionally, if the identity provider encrypts SAML assertions, select the Assertion Decryption Certificate they’re using from the ones saved in your Certificate and Key Management settings. This field is available only if your organization supports multiple single sign-on configurations. For more information see Setting up an identity provider to encrypt SAML assertions.
  15. For the SAML Identity Type, SAML Identity Location, and other fields described in Identity Provider Values, specify the values provided by your identity provider as appropriate.
  16. For SAML 2.0, if your identity provider has specific login or logout pages, specify them in Identity Provider Login URL and Identity Provider Logout URL, respectively.
    Note
    These fields appear in Developer Edition and sandbox organizations by default and in production organizations only if My Domain is enabled. The fields do not appear in trial organizations or sandboxes linked to trial organizations.
  17. For the Custom Error URL, specify the URL of the page users should be directed to if there's an error during SAML login. It must be a publicly accessible page, such as a public site Visualforce page. The URL can be absolute or relative.
  18. For the Service Provider Initiated Request Binding, select the appropriate value based on the information provided by your identity provider.
  19. Click Save.

If your identity provider supports metadata, and if you've configured SAML using version 2.0, you can click Download Metadata to download an XML configuration file to send them, which they can then upload to automatically configure their settings for connecting to your Salesforce organization or community.

After you have configured and saved your SAML settings, test them by trying to access the identity provider's application. Your identity provider directs the user's browser to POST a form containing SAML assertions to the Salesforce login page. Each assertion is verified, and if successful, single sign-on is allowed.

If you have difficulty logging in with single sign-on after you have configured and saved your SAML settings, use the SAML Assertion Validator. You may have to obtain a SAML assertion from your identity provider first.
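The checks below mirror what the settings above pin down (Issuer, Entity ID as the audience, identity in the NameIdentifier of the Subject, and the validity window) and are the first things to compare when an assertion is rejected. This is an added example, not Salesforce code or the SAML Assertion Validator itself; the Response XML, hostnames and IDs are constructed placeholders, and signature verification against the Identity Provider Certificate is deliberately left out because it needs an XML-DSig library.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "samlp": "urn:oasis:names:tc:SAML:2.0:protocol"}

# Constructed, unsigned sample Response; hostnames and IDs are placeholders.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0"
    IssueInstant="2014-06-01T12:00:00Z">
  <saml:Issuer>https://idp.example.com/metadata</saml:Issuer>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2014-06-01T12:00:00Z">
    <saml:Issuer>https://idp.example.com/metadata</saml:Issuer>
    <saml:Subject><saml:NameID>jdoe-federation-id</saml:NameID></saml:Subject>
    <saml:Conditions NotBefore="2014-06-01T11:55:00Z" NotOnOrAfter="2014-06-01T12:05:00Z">
      <saml:AudienceRestriction>
        <saml:Audience>https://example.my.salesforce.com</saml:Audience>
      </saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""

def _ts(value):
    # SAML timestamps are UTC xs:dateTime values; the 'Z' suffix is required here.
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def check_assertion(xml_text, expected_issuer, expected_entity_id, now):
    """Return check name -> bool for the fields the SSO settings page configures.
    No XML signature check is performed (that needs an XML-DSig library)."""
    root = ET.fromstring(xml_text)
    a = root.find("saml:Assertion", NS)
    if a is None:
        return {"assertion_present": False}
    r = {"assertion_present": True}
    # Issuer must equal the Issuer (identity provider entity ID) in the SAML settings
    r["issuer_matches"] = a.findtext("saml:Issuer", "", NS).strip() == expected_issuer
    # SAML Identity Location: NameIdentifier element of the Subject statement
    r["subject_nameid_present"] = bool(a.findtext("saml:Subject/saml:NameID", "", NS).strip())
    # Audience must equal the Entity ID you chose (base domain vs custom domain)
    auds = [x.text.strip() for x in
            a.findall("saml:Conditions/saml:AudienceRestriction/saml:Audience", NS) if x.text]
    r["audience_matches"] = expected_entity_id in auds
    # Validity window; clock skew between IdP and Salesforce is a common cause of failures
    c = a.find("saml:Conditions", NS)
    nb = c.get("NotBefore") if c is not None else None
    na = c.get("NotOnOrAfter") if c is not None else None
    r["within_validity_window"] = ((nb is None or _ts(nb) <= now) and
                                   (na is None or now < _ts(na)))
    return r
```

Running it with the base domain (https://saml.salesforce.com) as the expected Entity ID against an assertion whose audience is the custom domain reproduces the mismatch described in the Tip above.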

If your users are having problems using SAML to log in, you can review the SAML login history to determine why they were not able to log in and share that information with your identity provider.

If you are using SAML version 2.0, after you've finished configuring SAML, the OAuth 2.0 Token Endpoint field is populated. Use this with the Web single sign-on authentication flow for OAuth 2.0.

Setting up an identity provider to encrypt SAML assertions

When Salesforce is the service provider for inbound SAML assertions, you can pick a saved certificate to decrypt inbound assertions from third party identity providers. You need to provide a copy of this certificate to the identity provider.

  1. In Security Controls | Single Sign-On Settings, add a new SAML configuration.
  2. In the Assertion Decryption Certificate field, specify the certificate for encryption from the ones saved in your Certificate and Key Management settings.
    Note
    If you don’t see the Assertion Decryption Certificate field, you need to enable multiple single sign-on configurations for your organization (this applies to organizations created before the Summer ’13 release that are not using SAML 1.1). To enable multiple single sign-on configurations, select Enable Multiple Configs on the Single Sign-On Settings page. If this setting has already been enabled, the field appears, and you won’t see the Enable Multiple Configs button.
  3. Set the SAML Identity Location to Identity is in the NameIdentifier element of the Subject statement.

    For a successful authentication, the user must be identified in the <Subject> statement of the assertion. For more information, see Identity Provider Values.

  4. When you save the new SAML configuration, your organization’s SAML settings value for the Salesforce Login URL (also known as the “Salesforce ACS URL”) changes. Get the new value in Security Controls | Single Sign-On Settings, and click the name of the new SAML configuration. The value is in the Salesforce Login URL field.
  5. The identity provider must use the Salesforce Login URL value.
  6. You also need to provide the identity provider with a copy of the certificate selected in the Assertion Decryption Certificate field to use for encrypting assertions.
© Copyright 2000–2014 salesforce.com, inc. All rights reserved.
Various trademarks held by their respective owners.