From Setup, enter Apps in the Quick Find box, then select Apps.
Under Connected Apps, click New.
Specify the required fields under Basic Information.
Under Web App Settings, select Enable SAML and then provide the following:
Entity ID
This value comes from the service provider. Each entity ID in an organization must be unique. If you’re accessing multiple apps from your service provider, you only need to define the service provider once, and then use the RelayState parameter to append the URL values to direct the user to the correct app after signing in.
ACS URL
The ACS, or assertion consumer service, URL comes from the SAML service provider.
Subject Type
Specifies which field defines the user’s identity for the app. Options include the user’s username, federation ID, user ID, a custom attribute, or an algorithmically calculated persistent ID. A custom attribute can be any custom field added to the User object in the organization, as long as it is one of the following data types: Email, Text, URL, or Formula (with Text Return Type). After you select Custom Attribute for the Subject Type, Salesforce displays a Custom Attribute field with a list of the available User object custom fields in the organization.
Name ID Format
Specifies the format attribute sent in SAML messages. “Unspecified” is selected by default. Depending on your SAML service provider, you may want to set this to email address, persistent, or transient.
Issuer
By default, the standard issuer for your identity provider is used (your organization’s My Domain). If your SAML service provider requires a different value, specify it here.
Optionally specify the following:
Start URL
Directs users to a specific location when they run the application. The Start URL can be an absolute URL, such as https://na1.salesforce.com/001/o, or it can be the link for the application name, such as https://customer.goodApp.com for GoodApp. Specifying a Start URL makes the application available in the Force.com app menu and in App Launcher.
Verify Request Signatures
Select Verify Request Signatures if the service provider gave you a security certificate. Browse your system for the certificate. This is only necessary if you plan to initiate login to Salesforce from the service provider and the service provider signs its SAML requests.
If you upload a certificate, all SAML requests must be signed. If no certificate is uploaded, all SAML requests are accepted, signed or not.
Encrypt SAML Response
Select Encrypt SAML Response to upload a certificate and select an encryption method for encrypting the assertion. Valid encryption algorithms are AES-128 (128-bit key), AES-256 (256-bit key), and Triple-DES (Triple Data Encryption Algorithm).
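As an added illustration of the Entity ID, ACS URL and Verify Request Signatures settings above (example code, not part of this documentation or of Salesforce), the following script applies the same policy an identity provider applies to an inbound SAML AuthnRequest: the Issuer must match the registered entity ID, a requested ACS URL must match the registered one, and when a request-signing certificate is registered an unsigned request is refused. The app values and the request are constructed; cryptographic checking of the XML signature is left to an XML-DSig library.

```python
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import List, Optional

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed values standing in for a connected app's Entity ID and ACS URL.
GOODAPP = {"entity_id": "https://customer.goodApp.com",
           "acs_url": "https://customer.goodApp.com/saml/acs"}


@dataclass(frozen=True)
class ConnectedApp:
    entity_id: str                       # Entity ID registered for the service provider
    acs_url: str                         # ACS URL registered for the service provider
    request_signing_cert: Optional[str]  # set when "Verify Request Signatures" is enabled


def validate_authn_request(app: ConnectedApp, xml_text: str) -> List[str]:
    """Return the policy violations for an inbound AuthnRequest (empty list = accepted).

    Only the policy is enforced here (a signature must be present when a certificate
    is registered); verifying ds:Signature itself is the job of an XML-DSig library.
    """
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{NS['samlp']}}}AuthnRequest":
        return ["not a samlp:AuthnRequest"]
    problems = []
    issuer = root.findtext("saml:Issuer", default="", namespaces=NS).strip()
    if issuer != app.entity_id:
        problems.append(f"issuer {issuer!r} does not match the registered entity ID")
    acs = root.get("AssertionConsumerServiceURL")
    if acs is not None and acs != app.acs_url:
        problems.append(f"requested ACS URL {acs!r} does not match the registered ACS URL")
    if app.request_signing_cert is not None and root.find("ds:Signature", NS) is None:
        problems.append("a request signing certificate is registered but the request is unsigned")
    return problems


def make_request(issuer: str, acs_url: str, signed: bool) -> str:
    """Build a minimal constructed AuthnRequest; the Signature element is a placeholder."""
    sig = f'<ds:Signature xmlns:ds="{NS["ds"]}"/>' if signed else ""
    return (f'<samlp:AuthnRequest xmlns:samlp="{NS["samlp"]}" xmlns:saml="{NS["saml"]}" '
            f'ID="_req1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z" '
            f'AssertionConsumerServiceURL="{acs_url}">'
            f'<saml:Issuer>{issuer}</saml:Issuer>{sig}</samlp:AuthnRequest>')
```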
To authorize users for this SAML application:
From Setup, enter Connected Apps in the Quick Find box, then select the option for managing connected apps.
Click the name of the application.
Select the profiles and/or permission sets that can access the application.