Integrate Service Providers as Connected Apps with SAML 2.0

To integrate a service provider with your Salesforce org, you can use a connected app that implements SAML 2.0 for user authentication. Salesforce supports SAML single sign-on (SSO) when the service provider or the identity provider initiates the flow. To use this option, configure a connected app with SAML 2.0 enabled for your service provider. Define your Salesforce org as the SAML identity provider.

Available in: both Salesforce Classic (not available in all orgs) and Lightning Experience
Connected Apps can be created in: Group, Professional, Enterprise, Performance, Unlimited, and Developer Editions
Connected Apps can be installed in: All Editions

User Permissions Needed
To read, create, update, or delete connected apps: Customize Application AND (Modify All Data OR Manage Connected Apps)
To update all fields except Profiles, Permission Sets, and Service Provider SAML Attributes: Customize Application AND (Modify All Data OR Manage Connected Apps)
To update Profiles, Permission Sets, and Service Provider SAML Attributes: Customize Application AND Modify All Data AND Manage Profiles and Permission Sets
To install and uninstall connected apps: Customize Application AND (Modify All Data OR Manage Connected Apps)
To install and uninstall packaged connected apps: Customize Application AND (Modify All Data OR Manage Connected Apps) AND Download AppExchange Packages

For example, you build a custom Your Benefits web app that implements SAML 2.0 for user authentication. You want your users to be able to log in to this app with their Salesforce credentials. To set up this SSO flow, configure the Your Benefits web app as a connected app. Define your Salesforce org as the SAML identity provider for the connected app. Your users can now log in to the Your Benefits web app with their Salesforce credentials.

  1. Complete the prerequisites listed in Prerequisites for Defining Service Providers.
  2. To direct users to a specific location after they authenticate, enter your app’s start URL.
    The Start URL can be an absolute URL, such as https://na1.salesforce.com/001/o, or it can be the link for the application name, such as https://customer.goodApp.com for GoodApp. Specifying a Start URL makes the application available in the app menu and in App Launcher.
    If the connected app that you’re creating is a canvas app, skip this field. The Canvas App URL field contains the URL that gets called for the connected app.
  3. Create your connected app, and complete its basic information.
  4. In the Web App Settings section, select Enable SAML, and enter the following information, which is available from your service provider.
    1. Entity Id—The globally unique ID of the service provider. If you’re accessing multiple apps from the same service provider, define one connected app for the service provider, then use the RelayState parameter to carry the URL that directs the user to the correct app after sign-in. Because RelayState arrives as untrusted input, the service provider should only honor values it recognizes rather than redirecting to arbitrary URLs.
    2. ACS URL—(Assertion Consumer Service) The service provider’s endpoint that receives SAML assertions.
    3. Subject Type—Specifies which field defines the user’s identity for the app. Options include the user’s username, federation ID, user ID, a custom attribute, or an algorithmically calculated persistent ID. A custom attribute can be any custom field added to the User object in the organization, as long as it is one of the following data types: Email, Text, URL, or Formula (with Text Return Type). After you select Custom Attribute for the subject type, Salesforce displays a Custom Attribute field with a list of the available User object custom fields in the organization.
    4. Name ID Format—Specifies the format attribute sent in SAML messages. The default selection is Unspecified. Depending on your SAML service provider, you can set this format to email address, persistent, or transient.
    5. Issuer—By default, your organization’s My Domain is the standard issuer for your identity provider. If your SAML service provider requires a different value, specify it here.
  5. To automatically log users out of the connected app service provider when they log out of Salesforce, select Enable Single Logout. Then take these steps.
    1. Enter the single logout endpoint of the service provider. Salesforce sends logout requests to this URL when users log out of Salesforce. The single logout URL must be an absolute URL starting with https://.
    2. Provide your service provider with the Salesforce IdP SLO endpoint. The endpoint is listed in your SAML Login Information as the Single Logout Endpoint. It’s also listed in the SAML Metadata file as the Discovery Endpoint. The format for the endpoint is https://<domain>.my.salesforce.com/services/auth/idp/saml2/logout, where <domain> is your org’s My Domain name.
    3. Select the HTTP binding type for single logout provided by your service provider.
  6. If your service provider requires a unique certificate to validate the SAML messages that Salesforce signs (responses and logout requests), upload the certificate from your system. Otherwise, leave this setting as Default IdP Certificate.
  7. If the service provider gave you a security certificate, select Verify Request Signatures. Browse your system for the certificate and upload it. The certificate is only necessary if you plan to initiate login to Salesforce from the service provider (SP-initiated SSO) and the service provider signs its SAML requests.

    Important

    If you upload a certificate, all SAML requests must be signed. If no certificate is uploaded, all SAML requests are accepted, including requests that didn’t come from your service provider. Upload the certificate whenever the service provider can sign its requests.

  8. Optionally, select Encrypt SAML Response, then browse your system for the service provider’s encryption certificate and upload it. Select an encryption method for the assertion. Valid encryption algorithms are AES-128 (128-bit key), AES-256 (256-bit key), and Triple-DES (Triple Data Encryption Algorithm). Triple-DES is a legacy algorithm; prefer AES-256 unless the service provider can’t decrypt it.
  9. When you’ve configured all settings for your connected app, click Save.
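
The SP-initiated exchange that step 7 governs, shown as an added Go example that is not part of this page or of Salesforce’s own code: the service provider builds an AuthnRequest, encodes it for the HTTP-Redirect binding (DEFLATE, base64, percent-encoding) and signs the query string with RSA-SHA256 the way the SAML 2.0 bindings specification describes; verifyRedirect plays the identity provider and shows both outcomes of the Verify Request Signatures setting, a configured certificate rejecting unsigned or tampered requests and no certificate letting unsigned requests through. Every URL, entity ID and RelayState value is a constructed placeholder, the Salesforce redirect endpoint path used by callers is assumed rather than taken from this page, and the key is generated at run time rather than loaded from an uploaded certificate.

```go
package main

import (
	"bytes"
	"compress/flate"
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"errors"
	"fmt"
	"io"
	"net/url"
	"strings"
	"time"
)

const rsaSHA256 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256" // SigAlg value for RSA-SHA256

// buildAuthnRequest: issuer is the SP entity ID, destination the IdP SSO endpoint, acsURL the SP's ACS URL.
func buildAuthnRequest(id, issuer, destination, acsURL string, at time.Time) string {
	return fmt.Sprintf(`<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"`+
		` xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="%s" Version="2.0" IssueInstant="%s"`+
		` Destination="%s" AssertionConsumerServiceURL="%s"><saml:Issuer>%s</saml:Issuer></samlp:AuthnRequest>`,
		id, at.UTC().Format(time.RFC3339), destination, acsURL, issuer)
}

// deflateB64 applies the HTTP-Redirect binding encoding: raw DEFLATE, then base64.
func deflateB64(xml string) string {
	var buf bytes.Buffer
	w, _ := flate.NewWriter(&buf, flate.DefaultCompression) // valid level, cannot fail
	w.Write([]byte(xml))                                    // writes to a bytes.Buffer cannot fail
	w.Close()
	return base64.StdEncoding.EncodeToString(buf.Bytes())
}

// decodeRequest reverses deflateB64, starting from the still percent-encoded SAMLRequest query value.
func decodeRequest(escaped string) (string, error) {
	enc, err := url.QueryUnescape(escaped)
	raw, err2 := base64.StdEncoding.DecodeString(enc)
	if err != nil || err2 != nil {
		return "", errors.New("malformed SAMLRequest")
	}
	out, err := io.ReadAll(flate.NewReader(bytes.NewReader(raw)))
	return string(out), err
}

// signedQuery is the SP side: the signature covers the percent-encoded "SAMLRequest=..&RelayState=..&SigAlg=.."
// string in that order (RelayState omitted when empty) and travels as a fourth parameter.
func signedQuery(spKey *rsa.PrivateKey, encodedRequest, relayState string) (string, error) {
	toSign := "SAMLRequest=" + url.QueryEscape(encodedRequest)
	if relayState != "" {
		toSign += "&RelayState=" + url.QueryEscape(relayState)
	}
	toSign += "&SigAlg=" + url.QueryEscape(rsaSHA256)
	digest := sha256.Sum256([]byte(toSign))
	sig, err := rsa.SignPKCS1v15(rand.Reader, spKey, crypto.SHA256, digest[:])
	return toSign + "&Signature=" + url.QueryEscape(base64.StdEncoding.EncodeToString(sig)), err
}

// rawParams splits the query without decoding: the signature is checked over the bytes as received.
func rawParams(query string) map[string]string {
	m := map[string]string{}
	for _, kv := range strings.Split(query, "&") {
		if k, v, ok := strings.Cut(kv, "="); ok {
			m[k] = v
		}
	}
	return m
}

// verifyRedirect models the IdP side of step 7: spCert is the public key of the certificate uploaded
// under Verify Request Signatures; nil models "no certificate uploaded". Returns the AuthnRequest XML.
func verifyRedirect(spCert *rsa.PublicKey, query string) (string, error) {
	p := rawParams(query)
	if spCert == nil {
		// Nothing to check against, so the request is accepted unsigned: the state the Important note describes.
		return decodeRequest(p["SAMLRequest"])
	}
	sigB64, err := url.QueryUnescape(p["Signature"])
	sig, err2 := base64.StdEncoding.DecodeString(sigB64)
	if err != nil || err2 != nil || len(sig) == 0 {
		return "", errors.New("certificate configured but Signature is missing or malformed")
	}
	if alg, _ := url.QueryUnescape(p["SigAlg"]); alg != rsaSHA256 {
		return "", errors.New("unsupported or missing SigAlg")
	}
	toSign := "SAMLRequest=" + p["SAMLRequest"]
	if rs, ok := p["RelayState"]; ok {
		toSign += "&RelayState=" + rs
	}
	toSign += "&SigAlg=" + p["SigAlg"]
	digest := sha256.Sum256([]byte(toSign))
	if rsa.VerifyPKCS1v15(spCert, crypto.SHA256, digest[:], sig) != nil {
		return "", errors.New("request signature does not verify")
	}
	return decodeRequest(p["SAMLRequest"])
}
```

To exercise it, generate a key with rsa.GenerateKey, pass deflateB64(buildAuthnRequest(...)) through signedQuery together with a RelayState, and hand the result to verifyRedirect with &key.PublicKey; changing a single character of the RelayState in that query makes verification fail, and calling verifyRedirect with a nil key shows the no-certificate behaviour. Rebuilding the signed string from the raw query bytes rather than from decoded and re-encoded parameters matters: encoders disagree on details such as "+" versus "%20", so re-encoding produces spurious failures, and verifying over decoded values is simply not what the peer signed.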