Configure Salesforce SAML Single Sign-On [2024]


Configuring Salesforce SAML Single Sign-On (SSO) is a critical step in improving both security and user experience within your organization. SAML (Security Assertion Markup Language) is an open standard for exchanging authentication and authorization data between an identity provider (IdP) and a service provider (SP) such as Salesforce. With SAML SSO, users access Salesforce and other integrated applications with a single set of credentials, which removes repeated logins and reduces password fatigue. It also strengthens security, because authentication is centralized in, and managed by, a trusted identity provider. In this blog, we go through the steps to configure Salesforce SAML Single Sign-On.

Introduction to SAML (Security Assertion Markup Language)

SAML is an open federation standard for authentication that allows an identity provider to authenticate users and pass the user's identity and security information to a service provider.

In other words, SAML is a protocol that acts as an authentication layer between the identity provider and the service provider. Trust between the two is established through a certificate that is generated on one side and shared with the other: the identity provider signs the SAML assertions it issues, and the service provider uses the identity provider's certificate to validate those signatures.

There are two flows in which authentication can be provided using SAML.

  1. Service Provider Initiated Flow
  2. Identity Provider Initiated Flow

SAML terminologies

SAML uses specific terminology that we must understand before implementing it in Salesforce. The terms below are the ones to know before jumping into the implementation.

  1. Identity Provider: A trusted service that authenticates a user. For example: Google, Facebook, Salesforce, etc.
  2. Service Provider: The service a user wants to access. For example: Salesforce, a web application, etc.
  3. SAML Request: When a user attempts to access the service provider, the service provider sends a SAML request asking the identity provider to authenticate the user.
  4. SAML Response: To authenticate the user, the identity provider sends a SAML response to the service provider. The response contains a signed SAML assertion with facts about the user.
  5. SAML Assertion: A SAML assertion, which is part of a SAML response, describes a user by asserting facts such as a username or email address. During authentication, the identity provider signs the SAML assertion and the service provider validates the signature.

SAML Flow

In Single Sign-On using SAML, the user login can be initiated either from the identity provider or from the service provider. The two flows are described below.

Identity Provider-Initiated SAML flow:

  1. The user logs in to the identity provider.
  2. The identity provider initiates login by sending a cryptographically signed SAML response to the service provider.
  3. The SAML response contains a SAML assertion that tells the service provider who the user is.
  4. The service provider validates the signature in the SAML response and identifies the user.
  5. The user is now logged in to the service provider.


Below is the information required from the Service Provider:

  1. Assertion Consumer Service (ACS) URL: The URL to which the identity provider sends SAML responses.
  2. Entity ID: The unique identifier of the service provider.
  3. Subject type: Specifies where the user identity information is carried in the assertion. Salesforce can send the user information in the subject of the assertion or in a custom attribute.
  4. Security certificate: Required when the service provider initiates login via Salesforce and signs its SAML requests.


Service Provider-Initiated SAML flow:

  1. The user tries to access the service provider.
  2. The service provider initiates login by sending a SAML request to the identity provider, asking it to authenticate the user.
  3. The identity provider sends the user to a login page.
  4. The user enters their identity provider login credentials and the identity provider authenticates the user.
  5. The identity provider now knows who the user is, so it sends a cryptographically signed SAML response to the service provider. The SAML response contains a SAML assertion that tells the service provider who the user is.
  6. The service provider validates the signature in the SAML response and identifies the user.
  7. The user is now logged in to the service provider and can access the protected resource. Because the login started at the service provider, this is called the service provider-initiated SAML flow.


Below is the information required from the Identity Provider:

  1. Issuer ID: The unique identifier of the identity provider, sent as the issuer of its SAML responses.
  2. Certificate: The certificate the service provider uses to validate the identity provider's signatures.
  3. Assertion Parameters: The following SAML assertion parameters, as appropriate:
    1. The SAML user ID type
    2. The SAML user ID location
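The issuer ID, certificate and user ID location above are exactly the inputs the service provider uses when it validates a SAML response (step 4 of the IdP-initiated flow and step 6 of the SP-initiated flow). The following is an added example, not code from the original post or from Salesforce, showing the checks an SP applies before trusting an assertion: signature verified, destination equals the ACS URL, status is Success, InResponseTo matches a request the SP actually issued (SP-initiated flow only), issuer matches the configured IdP, the NotBefore/NotOnOrAfter window holds, and the audience is this SP. The user identifier is read either from the subject NameID or from a named attribute, matching the two user ID locations. The XML-DSig check itself is not reimplemented here; the function takes its result as a boolean so that a real XML-DSig library can supply it. The SAML response, issuer, entity ID and ACS URL are constructed sample values.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Hypothetical configuration values (constructed for this example).
EXPECTED_ISSUER = "https://idp.example.com"    # the IdP's Issuer ID
SP_ENTITY_ID = "https://sp.example.com"        # our Entity ID, expected as the Audience
ACS_URL = "https://sp.example.com/saml/acs"    # expected Destination of the response
CLOCK_SKEW = timedelta(minutes=3)              # tolerance for IdP/SP clock drift


def _ts(value):
    """Parse a SAML UTC timestamp such as 2024-05-01T10:00:00Z."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def validate_saml_response(xml_text, *, signature_verified, pending_request_ids, now,
                           user_id_location="subject", attribute_name=None):
    """Return the user identifier from a SAML response, or raise ValueError if any check fails.

    signature_verified: outcome of XML-DSig verification against the IdP certificate.
    pending_request_ids: AuthnRequest IDs this SP issued and has not yet consumed.
    """
    if not signature_verified:
        raise ValueError("SAML response signature did not verify")
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}Response" % NS["samlp"]:
        raise ValueError("not a samlp:Response")
    if root.get("Destination") != ACS_URL:
        raise ValueError("Destination does not match our ACS URL")
    status = root.find("samlp:Status/samlp:StatusCode", NS)
    if status is None or status.get("Value") != "urn:oasis:names:tc:SAML:2.0:status:Success":
        raise ValueError("IdP did not report Success")
    # SP-initiated flow: InResponseTo must name a request we sent; consume it so it cannot be replayed.
    # IdP-initiated flow: no InResponseTo is present and the remaining checks still apply.
    in_response_to = root.get("InResponseTo")
    if in_response_to is not None:
        if in_response_to not in pending_request_ids:
            raise ValueError("InResponseTo does not match an outstanding request")
        pending_request_ids.discard(in_response_to)
    assertions = root.findall("saml:Assertion", NS)
    if len(assertions) != 1:
        raise ValueError("expected exactly one assertion")
    assertion = assertions[0]
    issuer = assertion.findtext("saml:Issuer", namespaces=NS)
    if issuer != EXPECTED_ISSUER:
        raise ValueError("unexpected issuer %r" % issuer)
    cond = assertion.find("saml:Conditions", NS)
    if cond is None:
        raise ValueError("assertion has no Conditions")
    if now + CLOCK_SKEW < _ts(cond.get("NotBefore")):
        raise ValueError("assertion not yet valid")
    if now - CLOCK_SKEW >= _ts(cond.get("NotOnOrAfter")):
        raise ValueError("assertion expired")
    audiences = [e.text for e in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if SP_ENTITY_ID not in audiences:
        raise ValueError("assertion not intended for this SP")
    if user_id_location == "subject":
        user_id = assertion.findtext("saml:Subject/saml:NameID", namespaces=NS)
    else:  # user ID carried in a custom attribute
        path = "saml:AttributeStatement/saml:Attribute[@Name='%s']/saml:AttributeValue" % attribute_name
        user_id = assertion.findtext(path, namespaces=NS)
    if not user_id:
        raise ValueError("no user identifier in assertion")
    return user_id


# Constructed sample response for an SP-initiated login (InResponseTo refers to request _req1).
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_resp1" Version="2.0"
    IssueInstant="2024-05-01T10:00:05Z" Destination="https://sp.example.com/saml/acs"
    InResponseTo="_req1">
  <saml:Issuer>https://idp.example.com</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-05-01T10:00:05Z">
    <saml:Issuer>https://idp.example.com</saml:Issuer>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">jdoe@example.com</saml:NameID>
    </saml:Subject>
    <saml:Conditions NotBefore="2024-05-01T10:00:00Z" NotOnOrAfter="2024-05-01T10:05:00Z">
      <saml:AudienceRestriction><saml:Audience>https://sp.example.com</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="FederationID"><saml:AttributeValue>fed-jdoe</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""


def run_demo():
    """Run the sample through several scenarios; returns the accepted user ID or the rejection reason."""
    results = {}

    def attempt(name, **kw):
        try:
            results[name] = validate_saml_response(SAMPLE_RESPONSE, **kw)
        except ValueError as exc:
            results[name] = "rejected: " + str(exc)

    t = _ts("2024-05-01T10:01:00Z")
    attempt("sp_initiated_subject", signature_verified=True, pending_request_ids={"_req1"}, now=t)
    attempt("sp_initiated_attribute", signature_verified=True, pending_request_ids={"_req1"}, now=t,
            user_id_location="attribute", attribute_name="FederationID")
    attempt("unknown_request", signature_verified=True, pending_request_ids=set(), now=t)
    attempt("expired", signature_verified=True, pending_request_ids={"_req1"},
            now=_ts("2024-05-01T11:00:00Z"))
    attempt("bad_signature", signature_verified=False, pending_request_ids={"_req1"}, now=t)
    return results


if __name__ == "__main__":
    for name, outcome in run_demo().items():
        print(name, "->", outcome)
```

The returned identifier is what Salesforce matches against the user's Federation ID or Username, which is why the note later in this post about the Federation ID matching on both sides matters: an assertion that passes every check above still fails login if no user carries that identifier.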

Set Up Salesforce as Identity Provider

Setting up Salesforce as an Identity Provider (IdP) for Security Assertion Markup Language (SAML) involves several steps.

  1. Log in to Salesforce: Navigate to your Salesforce organization.
  2. Enable Identity Provider:
    • Go to Setup.
    • In the Quick Find box, type Identity Provider.
    • Click Identity Provider.
    • Click Enable Identity Provider.


  3. Download Metadata: Download the Identity Provider metadata XML file.
  4. Create a Connected App:
    • Go to Setup: Search for App Manager.
    • Create a New Connected App: Click New Connected App.
    • Basic Information: Enter the Connected App Name, API Name, and Contact Email.
  5. Enable SAML Settings:
    • Enable SAML: Check Enable SAML.
    • Entity Id: Enter a unique identifier.
    • ACS URL: Enter the Assertion Consumer Service URL.
    • Subject Type: Typically Federation ID or Username.
    • Name ID Format: Often urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified.
  6. Manage Profiles and Permission Sets: Assign the Connected App to the appropriate profiles and permission sets.

Note: All the information in the connected app is derived from the SAML Single Sign-On Settings of the Service Provider.

Set Up Salesforce as Service Provider

Setting up Salesforce as a Service Provider (SP) for Security Assertion Markup Language (SAML) involves several steps.

  1. Log in to Salesforce: Navigate to your Salesforce organization.
  2. Configure SAML Settings:
    • In Setup, type Single Sign-On Settings in the Quick Find box.
    • Click Single Sign-On Settings.
    • Click New to create a new SAML SSO setting, and also enable SAML.
  3. Import Metadata: In the SP, import the Identity Provider metadata XML file.


  4. After importing the metadata file and successfully creating the SAML Single Sign-On Settings, enable the authentication service under My Domain.


Note: Before logging in from the Service Provider, ensure that the Federation ID matches in both the Identity Provider (Salesforce) and the Service Provider for the user attempting to log in.


Do contact us if you want to Configure Salesforce SAML Single Sign-On


About Kizzy Consulting:

Kizzy Consulting is a leading provider of Salesforce consulting and implementation partner in the USA and Australia. We specialize in helping businesses leverage AI and other advanced technologies to optimize their CRM processes and achieve their strategic goals. Contact us at [email protected] to learn more about how we can support your Salesforce journey.
