Salesforce Single Sign-On Integration

The Salesforce Single Sign-On (SSO) Integration creates a client application that uses Auth0 for authentication and provides SSO capabilities for Salesforce. Your users log in to Salesforce through the identity providers connected to Auth0, so the identity provider, not Salesforce, verifies the user's credentials.

Prerequisites

Before you begin:

  • Sign up for a Salesforce account.
  • Set up a connection, which is a source of users. Connections can be databases, social identity providers, or enterprise identity providers, and can be shared among different applications. You may set up more than one connection for use with SSO integrations.

Create SSO Integration

  1. Navigate to Auth0 Dashboard > Applications > SSO Integrations, and click + Create SSO Integration.

  2. Select Salesforce.

  3. Click Continue to grant the integration access to the listed permissions.

Configure Auth0 SSO Integration

Enter a name for your SSO Integration, configure the following settings, and click Save.

  • Salesforce Domain: Your Salesforce domain, including the scheme (for example https://login.salesforce.com, or your org's custom login domain).
  • Entity ID: Arbitrary URL that identifies the Salesforce resource. Auth0 places this value in the SAML assertion's Audience, so enter exactly the same value as the Entity ID of the SAML Single Sign-On Setting you create in Salesforce.
  • Use Auth0 instead of the IdP to do Single Sign-On (SSO): Legacy tenants only. If enabled, Auth0 will handle SSO instead of Salesforce.

Configure integration with Salesforce

To configure the integration with Salesforce, follow the instructions listed in the Tutorial view.

Important: This only works on certain Salesforce editions. It will not work on trial accounts.

Before you continue, make sure you have your SSO integration Client ID. You will use the Client ID to replace the SSO_CLIENT_ID placeholders.

  1. Log in to Salesforce.

  2. Navigate to Setup > Settings > Identity > Single Sign-On Settings.

  3. Enable SAML by clicking Edit, selecting the SAML Enabled checkbox, and clicking Save.

  4. Click New to create a new SAML Single Sign-On Setting, and enter the following settings:

    • Name: anything (e.g., auth0)

    • Issuer: urn:YOUR_DOMAIN (YOUR_DOMAIN is your Auth0 tenant domain; Salesforce rejects assertions whose Issuer does not match this value exactly)

    • Identity Provider Certificate: Download your Auth0 signing certificate

    • Identity Provider Login URL (be sure to replace the SSO_CLIENT_ID placeholder with the Client ID of your SSO Integration): https://YOUR_DOMAIN/samlp/SSO_CLIENT_ID

    Alternatively, to log in with a specific identity provider, you can add a connection parameter (be sure to replace the SSO_CLIENT_ID placeholder with the Client ID of your SSO Integration):

    https://YOUR_DOMAIN/samlp/SSO_CLIENT_ID?connection=email
    https://YOUR_DOMAIN/samlp/SSO_CLIENT_ID?connection=google-oauth2
    https://YOUR_DOMAIN/samlp/SSO_CLIENT_ID?connection=Username-Password-Authentication
    

    In this case, Auth0 will redirect users to the specified connection and will not display the Login widget. Make sure you send the SAMLRequest using HTTP POST.

    • Entity ID: https://test/salesforce.com (this must be the same value you entered as the Entity ID in the Auth0 SSO Integration settings; Auth0 sends it as the assertion's Audience, and Salesforce rejects assertions whose Audience does not match)

Other settings

  • Request Signing Certificate: Generate self-signed certificate
  • Request Signature Method: RSA-SHA256
  • Assertion Decryption Certificate: Leave default
  • SAML Identity Type:
    • Assertion contains the User's Salesforce username: By default, Auth0 sends the user's unique id (user_id) as the NameIdentifier, and Salesforce matches it against the Username field. If you want to match on the email address instead, create a rule that maps the user's email to the NameIdentifier.
    • Assertion contains the Federation ID from the User Object: Auth0 sends the user's unique id (user_id) as the NameIdentifier (the default), and Salesforce matches it against the Federation ID field.
    • Assertion contains the User ID from the User Object: Auth0 sends the user's unique id as the NameIdentifier, and Salesforce matches it against the User ID field. That field holds the Salesforce record ID, so the NameIdentifier must carry that value rather than the Auth0 user_id for the match to succeed.
  • SAML Identity Location: Identity is in the NameIdentifier element of the Subject statement
  • Service Provider Initiated Request Binding: HTTP POST
  • Custom Logout URL: https://YOUR_DOMAIN/logout
  • Custom Error URL: Leave default
  • Single Logout Enabled: Enable this to set the Identity Provider Single Logout URL.
  • API Name: Leave default
  • User Provisioning Enabled: If checked, users will be just-in-time provisioned the first time they log in.
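The rule referred to under SAML Identity Type, as an added example written for this page rather than taken from the Auth0 or Salesforce documentation: an Auth0 rule that makes the SAML NameIdentifier carry the user's email, and only for the Salesforce SSO integration. The samlConfiguration.nameIdentifierProbes and nameIdentifierFormat keys are Auth0's SAML customization settings; the Client ID value, the function name (rules are anonymous functions in the Auth0 rule editor), and the local stand-in for Auth0's UnauthorizedError are assumptions made so the rule can be exercised outside the Auth0 sandbox. The rule also refuses users whose email is not verified: Salesforce treats whatever arrives in the NameID as the Username, so an unverified address from a social provider would let someone who registers that address elsewhere log in as the Salesforce user.

```javascript
// Added example: Auth0 rule that maps the user's email to the SAML
// NameIdentifier for the Salesforce SSO integration only.

// Claim URI Auth0 uses for the email attribute when probing for a NameID.
const EMAIL_CLAIM =
  'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress';

// NameID format Salesforce expects when it matches the NameID against Username.
const EMAIL_NAMEID_FORMAT = 'urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress';

// Assumption: the Client ID of your Salesforce SSO Integration (the value that
// replaces SSO_CLIENT_ID above). In a real tenant read it from a rule
// configuration setting instead of hard-coding it.
const SALESFORCE_SSO_CLIENT_ID = 'SSO_CLIENT_ID';

// Auth0's rule sandbox provides UnauthorizedError as a global; define a
// stand-in so the rule also runs locally (assumption for local testing only).
if (typeof UnauthorizedError === 'undefined') {
  globalThis.UnauthorizedError = class UnauthorizedError extends Error {};
}

// In the Auth0 rule editor this is written as an anonymous
// function (user, context, callback); it is named here so it can be called.
function mapEmailToNameIdentifier(user, context, callback) {
  // Leave every other client alone: they keep the default user_id NameID.
  if (context.clientID !== SALESFORCE_SSO_CLIENT_ID) {
    return callback(null, user, context);
  }

  // Salesforce will log the user in as whichever Username equals the NameID.
  // Only a verified email may be used for that, otherwise a social account
  // created with someone else's address would take over their Salesforce user.
  if (!user.email || user.email_verified !== true) {
    return callback(
      new UnauthorizedError('A verified email address is required to sign in to Salesforce')
    );
  }

  context.samlConfiguration = context.samlConfiguration || {};
  // nameIdentifierProbes is the ordered list of attributes Auth0 tries when
  // choosing the NameID value; listing only the email claim forces the email.
  context.samlConfiguration.nameIdentifierProbes = [EMAIL_CLAIM];
  context.samlConfiguration.nameIdentifierFormat = EMAIL_NAMEID_FORMAT;

  return callback(null, user, context);
}
```

With this rule in place, select "Assertion contains the User's Salesforce username" in Salesforce and make sure each Salesforce Username equals the user's verified email in Auth0; users from connections that never set email_verified (some enterprise connections, for instance) will be denied until you map that attribute.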

If you have issues while logging in, use the SAML Assertion Validator tool, which you will find on the Salesforce Single Sign-On Settings page. It shows which validation check the most recent failed assertion did not pass (for example Issuer, Audience, NameID, signature or timestamp), which points you at the setting above that disagrees between Auth0 and Salesforce.

Enable connections

Choose the connections to use with your SSO integration. Users in enabled connections will be allowed to log in to Salesforce. By default, all configured connections are enabled.

  1. Select the Connections view.

  2. Toggle the sliders next to connection names to enable or disable them.