Integrating Salesforce SAML

This article provides a sample Salesforce SAML integration with Cloud Identity Plane.

Salesforce integration in a nutshell

Salesforce can be configured to use CIP as its single sign-on (SSO) identity provider, allowing end users to access Salesforce easily and securely.

Salesforce

The steps below are for guidance only. Follow the latest Salesforce documentation to complete the setup below.

  1. Fetch the CIP SAML metadata and the IDP certificate. For more information, read Download SAML IDP metadata.

  2. Log in to Salesforce and set up a new SAML single sign-on configuration under Security Controls (unless an IDP setup already exists).

    1. Select New from Metadata File.

    2. Upload the CIP metadata file as prompted.

  3. Configure how Salesforce consumes SAML assertions (SAML Identity Type, SAML Identity Location, just-in-time (JIT) provisioning, and so on).

    Note

    The registration mapping in CIP must be adjusted to match the SAML Identity Type and SAML Identity Location chosen here.

  4. Configure Salesforce domain settings to allow the newly set up IDP as one of the authentication mechanisms.

    1. Select Edit to start editing your domain.

    2. Configure the domain settings.

    3. Configure the domain authentication.

    Result

    When done, the selected Identity Providers are offered on the Salesforce login page as supported authentication providers.

  5. Register Salesforce as a SAML SP in CIP. For more information, read Register Service Provider.

    Note

    Mappings should follow the organization's preference for how user and profile attributes are mapped. If JIT is not enabled, it is critical that the Salesforce user can be matched using the attributes mapped into the SAML assertion.

    Salesforce JIT

    [Screenshot: an example of what a SAML SP mapping for Salesforce can look like]

    Note

    Identifier from attribute must be set to true if a NameID is to be released and set in the SAML response assertion. Identifier attribute names the authenticated-session attribute whose value is used as the NameID.

  6. Verify the authentication using one of the following methods:

    • SP-initiated SSO

    • IDP-initiated SSO
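As an added example (not CIP or Salesforce code), the following Python script inspects a captured SAML Response for the fields that steps 5 and 6 depend on: that a NameID is present, that the Audience names the Salesforce SP entity ID, and that the assertion is inside its validity window, and it lists the released attributes so they can be compared with the registration mapping. The entity ID, check time, attribute values and the sample response are constructed placeholders; the script does not verify the XML signature, which the SP does itself.

```python
from datetime import datetime, timezone
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol", "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
# Constructed placeholders: the Salesforce SP entity ID and the time at which the check runs.
EXPECTED_AUDIENCE = "https://saml.salesforce.example"
CHECK_TIME = datetime(2024, 1, 1, 12, 0, 0, tzinfo=timezone.utc)

# Constructed, unsigned sample response; attribute names follow the Salesforce JIT style, values are made up.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
 xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0">
 <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-01-01T12:00:00Z">
  <saml:Issuer>https://cip.example/idp</saml:Issuer>
  <saml:Subject><saml:NameID>jdoe@example.com</saml:NameID></saml:Subject>
  <saml:Conditions NotBefore="2024-01-01T11:55:00Z" NotOnOrAfter="2024-01-01T12:05:00Z">
   <saml:AudienceRestriction><saml:Audience>https://saml.salesforce.example</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AttributeStatement>
   <saml:Attribute Name="User.Email"><saml:AttributeValue>jdoe@example.com</saml:AttributeValue></saml:Attribute>
   <saml:Attribute Name="User.ProfileId"><saml:AttributeValue>00e_PLACEHOLDER</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
 </saml:Assertion>
</samlp:Response>"""


def _ts(value):  # SAML uses UTC 'Z' timestamps; datetime.fromisoformat accepts 'Z' only on Python 3.11+
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def inspect_response(xml_text, expected_audience=EXPECTED_AUDIENCE, now=CHECK_TIME):
    """Return the NameID and attributes Salesforce will match on, plus a list of problems found."""
    assertion = ET.fromstring(xml_text).find("saml:Assertion", NS)
    if assertion is None:
        return {"name_id": "", "attributes": {}, "problems": ["Response carries no Assertion"]}
    problems = []
    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    name_id_text = (name_id.text or "").strip() if name_id is not None else ""
    if not name_id_text:  # without a NameID the SP cannot look the user up by identifier
        problems.append("NameID missing: enable 'Identifier from attribute' and set Identifier attribute")
    cond = assertion.find("saml:Conditions", NS)
    if cond is None:
        problems.append("no Conditions: audience and validity window cannot be checked")
    else:
        audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
        if expected_audience not in audiences:
            problems.append(f"Audience {audiences} does not match SP entity ID {expected_audience}")
        if not _ts(cond.get("NotBefore")) <= now < _ts(cond.get("NotOnOrAfter")):
            problems.append("assertion is outside its validity window: check IDP/SP clock skew")
    attrs = {a.get("Name"): [v.text for v in a.findall("saml:AttributeValue", NS)]
             for a in assertion.findall("saml:AttributeStatement/saml:Attribute", NS)}
    return {"name_id": name_id_text, "attributes": attrs, "problems": problems}
```

Run it against a Response captured from the browser's SAML tracer during an SP- or IDP-initiated login; a non-empty problems list points at the CIP mapping or Salesforce SSO setting to revisit.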

Troubleshoot

Salesforce-related errors: