Configure Salesforce as SAML Identity Provider

Configure Salesforce as SAML Identity Provider

Configure Salesforce as a SAML identity provider by completing the following steps:

  1. Obtain Salesforce certificate and metadata.

  2. Set up Auth0 as a service provider.

  3. Configure the Salesforce identity provider (IdP).

  4. Grant privileges to users in Salesforce.

  5. Test the connection to the Salesforce IdP.

Prerequisite

Register for a Salesforce.com account. You must select one of the account types that include identity provider support.

Obtain Salesforce certificate and metadata

  1. Log in to your Salesforce account.

  2. Create your Salesforce Domain.

  3. Log into your Salesforce domain https://YOUR_DOMAIN.my.salesforce.com and click on Setup on the top right.

  4. Enable the Enable SAML toggle in the Salesforce Connecting App.

  5. In the left menu, expand Security Controls and select Identity Provider.

  6. Create an identity provider by clicking Enable Identity Provider.

  7. Select the default certificate and click Save.

  8. Click Download Certificate to download the identity provider certificate.

  9. Click Download Metadata to download the identity provider metadata.

Set up Auth0 as a service provider

Configure Auth0 as a service provider to communicate with the Salesforce identity provider for SSO.

  1. Go to the Dashboard > Authentication > Enterprise and click SAML.

  2. Click Create Connection.

  3. In the configuration window, enter the following information:

    Setting Description
    Connection Name Name your connection. For example SFIDP.
    Email Domains Enter the email domain name that your users will be loggin in from. For example, if your users have an email domain of abc-example.com, enter that into this field. You can enter multiple domains.
    Sign In URL Open the metadata file you downloaded from Salesforce and locate the line that contains the SingleSignOnService binding. The value of the location attribute on this line is your Sign In URL. It will be something like: https://{sf-account-name}.my.salesforce.com/idp/endpoint/HttpRedirect where {sf-account-name} is your Salesforce domain name.
    Sign Out URL Enter the same URL you entered for Sign In URL.

  4. For the Certificate, you convert the certificate downloaded from Salesforce to .pem format with the following command: openssl x509 -in original.crt -out sfcert.pem -outform PEM where original.crt is the filename of the downloaded .crt file.

    1. Click UPLOAD CERTIFICATE and select the .pem file you just created. (sfcert.pem in the example above). You can ignore the rest of the fields for now.

    2. Click SAVE.

    3. Click CONTINUE. In the window that appears, SAML metadata for the Auth0 Service Provider will be displayed. Keep this window open since you will need to enter some of this information into Salesforce to finish the configuration.

You can access the metadata for an Auth0 SAML connection with this URL syntax: https://YOUR_DOMAIN/samlp/metadata?connection=YOUR_CONNECTION_NAME.

Configure Salesforce as an identity provider

Configure Salesforce with the metadata from Auth0 so it can receive and respond to SAML-based authentication requests from Auth0.

  1. Open salesforce.com.

  2. Go to Setup > Manage Apps. Click Connected Apps.

  3. Create a new Connected App and fill out the following fields:

    Setting Description
    Entity ID urn:auth0:YOUR_DOMAIN:YOUR_CONNECTION_NAME
    ACS URL https://YOUR_DOMAIN/login/callback
    Subject Type Persistent ID
    Name ID Format Choose the one with emailAddress
    Issuer https://{your-saleforce-domain}.my.salesforce.com

  4. Click Save to complete the configuration.

Grant privileges to users in Salesforce

  1. Open salesforce.com and click Setup.

  2. Under Manage Users, click Profiles.

  3. Scroll down to find the profile called Standard User (on page 2).

  4. Click on Edit to edit the profile.

  5. Scroll down to the Connected App Access section.

  6. Check the box next to the name of your connected app to enable it for this profile.

  7. Click Save.

  8. Under Manage Users, click Users.

  9. Click Edit to edit your test user and set the profile to Standard User. To use a different Salesforce profile, enable the connected app for that profile and ensure that all users that login through the Salesforce Identity Provider have that profile.

Test connection to Salesforce

  1. Navigate to the Authentication > Enterprise section of the Auth0 dashboard. Select the SAMLP Identity Provider.

  2. Click the Try button for the SAML connection you created earlier. You should be redirected from Auth0 to the Salesforce login page.

  3. Once you are at the Salesforce login screen, login with the credentials you provided when you created the Salesforce account.

    1. If the SAML configuration works, your browser will be redirected back to an Auth0 page that says "It works!!!". This page will display the contents of the SAML authentication assertion sent by the Salesforce IDP to Auth0.

    2. If it didn't work, double check the steps above and consult the troubleshooting section below.

When troubleshooting SSO, it is often helpful to capture an HTTP trace of the interaction and save it in a HAR file. To learn more, read Generate and Analyze HAR Files.

Once you have an http trace tool, capture the login sequence from start to finish and analyze the trace for the sequence of GETs. You should see a redirect from your original site to the IDP, a post of credentials if you had to log in, and then a redirect back to the callback URL. The HAR file will also contain the SAML response.

Make sure that cookies and JavaScript are enabled for your browser.

Make sure that the user's profile in Salesforce has permission to login via the Salesforce IDP (See section 4 above).