|Available in: both Salesforce Classic and Lightning Experience
|Federated Authentication is available in: All Editions
Delegated Authentication is available in: Professional, Enterprise, Performance, Unlimited, Developer, and Database.com Editions
Authentication Providers are available in: Professional, Enterprise, Performance, Unlimited, and Developer Editions
|To view the settings:
||“View Setup and Configuration”
|To edit the settings:
From this page, you can configure your organization to use single sign-on. You can also set
up just-in-time provisioning. Work with your identity provider to properly configure these
settings. For more information about single sign-on, see About Single Sign-On. For more information about
just-in-time provisioning, see About Just-In-Time Provisioning.
Set up single sign-on
- In Salesforce, from Setup, enter Single Sign-On Settings in the Quick Find box, then select Single Sign-On Settings, and click Edit.
- Select SAML Enabled. You must enable SAML to view the SAML single
- Specify the SAML version used by your identity provider.
- Click Save.
- In SAML Single Sign-On Settings, click the appropriate button to create a new
configuration, as follows.
New - Specify all settings manually.
New from Metadata File - Import SAML 2.0 settings from a XML
file from your identity provider. This option reads the XML file and uses it to
complete as many of the settings as possible.
New from Metadata URL - Import SAML 2.0 settings from a
public URL. This option reads the XML file located at a public URL and uses it to
complete as many of the settings as possible. The URL must be added to Remote Site
Settings to access it from your Salesforce org.
- Give this setting a Name for reference within your
Salesforce inserts the
corresponding API Name value, which you can customize if
- Enter the Issuer. This is often referred to as the entity ID for
the identity provider.
- If your Salesforce organization has domains deployed, specify whether you want to use the base domain
(https://saml.salesforce.com) or the custom domain for the
Entity ID. You must share this information with your identity
- For the Identity Provider Certificate, use the
Browse button to locate and upload the authentication certificate
issued by your identity provider.
- For the Request Signing Certificate, select the certificate you
want from the ones saved in your Certificate and Key Management
- For the Request Signature Method, select the hashing algorithm for
encrypted requests, either RSA-SHA1 or RSA-SHA256.
- Optionally, if the identity provider encrypts SAML assertions, select the
Assertion Decryption Certificate they’re using from the ones saved in
your Certificate and Key Management settings. This field is
available only if your organization supports multiple single sign-on configurations. For
more information, see Set up an identity provider to encrypt SAML
- For the SAML Identity Type, SAML Identity
Location, and other fields described in Identity
Provider Values, specify the values provided by your identity provider as
- For the Service Provider Initiated Request Binding, select the
appropriate value based on the information provided by your identity provider.
- For SAML 2.0, if your identity provider has specific login or logout pages, specify them
in Identity Provider Login URL and Identity Provider
Logout URL, respectively.
- For the Custom Error URL, specify the URL of the page users should
be directed to if there's an error during SAML login. It must be a publicly accessible
page, such as a public site Visualforce page.
The URL can be absolute or relative.
- Optionally, set up Just-in-Time user provisioning. For more information, see Enable Just-in-Time user provisioning and About
Just-in-Time Provisioning for SAML..
- Click Save.
If your identity provider supports metadata, and if you've
configured SAML using version 2.0, you can click Download Metadata to
download an XML configuration file to send them, which they can then upload to automatically
configure their settings for connecting to your Salesforce organization or community.
Set up an identity provider to encrypt SAML
When Salesforce is the service provider for
inbound SAML assertions, you can pick a saved certificate to decrypt inbound assertions from
third party identity providers. You need to provide a copy of this certificate to the identity
- In the Single
Sign-On Settings page in
add a new SAML configuration.
- In the Assertion Decryption Certificate field, specify the
certificate for encryption from the ones saved in your Certificate and Key
- Set the SAML Identity Location to Identity is in the
NameIdentifier element of the Subject statement.
For a successful
authentication, the user must be identified in the <Subject> statement of the assertion. For more information, see Identity Provider Values.
- When you save the new SAML configuration, your organization’s SAML settings value
for the Salesforce Login
URL (also known as the “Salesforce ACS URL”) changes. Get the
new value (from the
Single Sign-On Settings page in
and click the name of the new SAML configuration. The value is in the Salesforce Login URL field.
- The identity provider must use the Salesforce Login URL value.
- You also need to provide the identity provider with a copy of the certificate selected in
the Assertion Decryption Certificate field to use for encrypting
Enable Just-in-Time user provisioning
- In SAML Single Sign-On Settings, select User Provisioning Enabled.
Standard - This option allows you to provision users
automatically using attributes in the assertion.
Custom SAML JIT with Apex handler - This option provisions
users based on logic in an Apex
- If you selected Standard, click Save and
test the single sign-on connection.. If you selected
Custom SAML JIT with Apex handler, proceed to the next step.
- In the SAML JIT Handler field, select an existing Apex class as the SAML JIT handler
class. This class must implement the SamlJitHandler interface. If you do not have an Apex
class, you can generate one by clicking Automatically create a SAML JIT handler
template. You must edit this class and modify the default content before
using it. For more information, see Edit the SAML JIT handler.
- In the Execute Handler As field, select the user that runs the Apex class. The user must have “Manage
- Just-in-time provisioning requires a Federation ID in the user type. In SAML
Identity Type, select Assertion contains the Federation ID from the
User object. If your identity provider previously used the Salesforce username, communicate to them that
they must use the Federation ID.
- Click Save.
Edit the SAML JIT handler
- From Setup, enter Apex Classes in the Quick Find box, then select Apex Classes.
- Edit the generated Apex SAML JIT
handler to map fields between SAML and Salesforce. In addition, you can modify the
generated code to support the following:
- Custom fields
- Fuzzy profile matching
- Fuzzy role matching
- Contact lookup by email
- Account lookup by account number
- Standard user provisioning into a community
- Standard user login into a community
- Default profile ID usage for portal Just-in-Time provisioning
- Default portal role usage for portal Just-in-Time provisioning
- Username generation for portal Just-in-Time provisioning
For example, to support custom fields in the generated handler code, find the
“Handle custom fields here” comment in the generated code. After that code comment,
insert your custom field code. For more information and examples, see the SamlJitHandler Interface
Test the single sign-on connection
After you have configured and saved your SAML settings, test them by trying to access the
identity provider's application. Your identity provider directs the user's browser to POST a
form containing SAML assertions to the Salesforce login page. Each assertion is verified, and if successful, single sign-on is allowed.
If you have difficulty signing on using single sign-on after you have configured and saved
your SAML settings, use the SAML
Assertion Validator. You may have to obtain a SAML assertion from your identity
If your users are having problems using SAML to login, you can review
the SAML login history to determine why they were not able to log in and share that
information with your identity provider.
If you are using SAML version 2.0, after you've finished configuring SAML, the OAuth 2.0
Token Endpoint field is populated. Use this with the Web single sign-on authentication flow
for OAuth 2.0.