Configure the External Client App's SAML 2.0 Settings and Policies
To integrate a service provider with your Salesforce org, you can use an external client app that implements SAML 2.0 for user authentication. Salesforce supports SAML single sign-on (SSO) when the service provider or the identity provider initiates the flow. To use this option, configure an external client app with SAML 2.0 enabled for your service provider. Define your Salesforce org as the SAML identity provider.
| Available in: Lightning Experience |
|---|
| Available in: Professional, Performance, Unlimited, and Developer Editions |

| Task | User Permission Needed |
|---|---|
| To configure External Client Apps SAML settings | Create, edit, and delete External Client Apps |
For example, suppose you build a custom Your Benefits web app that implements SAML 2.0 for user authentication. You want your users to be able to log in to this app with their Salesforce credentials. To set up this SSO flow, configure the Your Benefits web app as an external client app. Define your Salesforce org as the SAML identity provider for the external client app. Your users can now log in to the Your Benefits web app with their Salesforce credentials.
- Complete the prerequisites for defining service providers.
- Create your external client app, and complete its basic information.
- In the Web App (Enable SAML Settings) section, select Enable SAML.
- Enter the required information, which is available from your service provider.
  - Entity ID: The globally unique ID of the service provider. If you access multiple apps through the same service provider, define the service provider once. Then use the RelayState parameter to pass the URL that directs the user to the correct app after signing in.
  - ACS URL: The URL of the Assertion Consumer Service, the service provider's endpoint that receives SAML assertions.
  - Subject Type: Specifies which field defines the user's identity for the app. Options include the user's username, federation ID, 15-character user ID, an algorithmically calculated persistent ID, or a custom attribute. A custom attribute can be any custom field added to the User object in the org, as long as it's one of these data types: Email, Text, URL, or Formula (with Text Return Type). If you select Custom Attribute for the subject type, Salesforce displays a Custom Attribute field with a list of the available User object custom fields in the org.
  - Name ID Format: Specifies the format attribute sent in SAML messages. The default selection is Unspecified. Depending on your SAML service provider, you can set the format to email address, persistent, or transient. If you set the format to email address, your identity provider describes org users and Experience Cloud users differently in SAML messages. For org users, the NameID contains only the user's email address. This sample shows the subject of the SAML message sent when an org user logs in, with the NameID Format set to emailAddress:

    ```xml
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">sandy@salesforce.com</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData NotOnOrAfter="2021-02-04T20:24:41.098Z"
            Recipient="https://playground-test.salesforce.com?so=00DR00000000R6N"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    ```

    For Experience Cloud users, the NameID carries the org ID together with the user's email address. This sample shows the subject sent when an Experience Cloud user logs in, with the NameID Format set to emailAddress:

    ```xml
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">00DR00000008fLq@sandy@play-test.com</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData NotOnOrAfter="2021-02-04T20:17:12.647Z"
            Recipient="https://playground-test.salesforce.com?so=00DR00000000R6N"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    ```

    If your service provider accepts only the email address and not the org ID, create a custom attribute for the email address instead. See Configure a Custom Attribute for External Client Apps.
  - Issuer: By default, your org's My Domain login URL is the issuer for your identity provider. If your SAML service provider requires a different value, specify it here.
- To automatically log users out of the external client app service provider when they log out of Salesforce:
  - Select Enable Single Logout.
  - Enter the single logout endpoint of the service provider. Salesforce sends logout requests to this URL when users log out of Salesforce. The single logout URL must be an absolute URL that starts with https://.
- Provide your service provider with the Salesforce IdP SLO endpoint. The endpoint is listed in your SAML Login Information as the Single Logout Endpoint. It's also listed in the SAML Metadata file as the Discovery Endpoint. The format for the endpoint is https://MyDomainName.my.salesforce.com/services/auth/idp/saml2/logout, where MyDomainName is your org's My Domain name.
- Select the HTTP binding type for single logout provided by your service provider.
- If your service provider requires a unique certificate to validate the SAML messages that Salesforce signs, upload the certificate from your system. Otherwise, leave this setting as Default IdP Certificate. The certificate size is limited to 4 KB.
- If the service provider gave you its signing certificate, select Verify Request Signatures. Browse your system for the certificate and upload it. The certificate is needed only if you plan to initiate login to Salesforce from the service provider and the service provider signs its SAML requests.

  Important: If you upload a certificate, all SAML requests must be signed. If no certificate is uploaded, all SAML requests are accepted, signed or not, so Salesforce can't distinguish a request from your service provider from one crafted by anyone else. Upload the certificate whenever your service provider is able to sign its requests.
- To encrypt the SAML response, select Encrypt SAML Response, then browse your system for the certificate and upload it. Because the assertion is encrypted for the service provider, this is the service provider's public certificate, not one of yours. Select the encryption method used to encrypt the assertion. Valid encryption algorithm values are AES-128 (128-bit key) and AES-256 (256-bit key).
- For Signing Algorithm for SAML Messages, select SHA1 or SHA256 to secure SAML messages sent from your Salesforce org. As the identity provider, Salesforce applies the selected algorithm to its SAML requests and responses, that is, to both single sign-on and single logout messages from your org to the service provider. Prefer SHA256; select SHA1 only if your service provider can't validate SHA-256 signatures, because SHA-1 is deprecated for digital signatures.
- After you configure all settings for your external client app, save your work.
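The Name ID Format step above shows that, with the format set to emailAddress, an org user's NameID is the bare email address while an Experience Cloud user's NameID is prefixed with the org ID. The following is an added example of what the service provider's ACS endpoint should do with that subject; it is not Salesforce code. The two subjects are constructed from the samples on this page, and the ACS URL and the "now" timestamps passed in are assumed values chosen so that the samples validate. It checks the NameID format, the bearer confirmation method, that Recipient matches the configured ACS URL, that NotOnOrAfter has not passed, and then separates the org ID from the email address when one is present.

```python
"""Service-provider-side checks on the <saml:Subject> that a Salesforce org
issues when it acts as SAML identity provider with Name ID Format emailAddress.

Added example, not Salesforce code. The two subjects are constructed from the
samples on this page; the ACS URL and the "now" timestamps passed in are
assumed values chosen so that the samples validate.
"""
import re
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
NAMEID_EMAIL = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
BEARER = "urn:oasis:names:tc:SAML:2.0:cm:bearer"
ORG_ID_RE = re.compile(r"00D[A-Za-z0-9]{12}")  # 15-character Salesforce org ID

# Constructed sample: org user, NameID carries only the email address.
ORG_USER_SUBJECT = """<saml:Subject xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">sandy@salesforce.com</saml:NameID>
  <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
    <saml:SubjectConfirmationData NotOnOrAfter="2021-02-04T20:24:41.098Z"
        Recipient="https://playground-test.salesforce.com?so=00DR00000000R6N"/>
  </saml:SubjectConfirmation>
</saml:Subject>"""

# Constructed sample: Experience Cloud user, NameID is "<org ID>@<email>".
EXPERIENCE_USER_SUBJECT = """<saml:Subject xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">00DR00000008fLq@sandy@play-test.com</saml:NameID>
  <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
    <saml:SubjectConfirmationData NotOnOrAfter="2021-02-04T20:17:12.647Z"
        Recipient="https://playground-test.salesforce.com?so=00DR00000000R6N"/>
  </saml:SubjectConfirmation>
</saml:Subject>"""


def parse_timestamp(value):
    """SAML dateTime in UTC, with or without fractional seconds."""
    for fmt in ("%Y-%m-%dT%H:%M:%S.%fZ", "%Y-%m-%dT%H:%M:%SZ"):
        try:
            return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            pass
    raise ValueError(f"unsupported SAML timestamp: {value!r}")


def split_name_id(value):
    """Return (org_id, email). Only Experience Cloud subjects carry the org ID prefix."""
    prefix, sep, rest = value.partition("@")
    if sep and ORG_ID_RE.fullmatch(prefix) and "@" in rest:
        return prefix, rest
    return None, value


def validate_subject(subject_xml, expected_acs_url, now):
    """Checks an ACS endpoint should make on the subject before trusting it.
    `now` is a SAML-style UTC timestamp string. Verifying the XML signature on
    the enclosing Response is a separate, mandatory step not shown here."""
    root = ET.fromstring(subject_xml)
    name_id = root.find("saml:NameID", SAML_NS)
    conf = root.find("saml:SubjectConfirmation", SAML_NS)
    data = None if conf is None else conf.find("saml:SubjectConfirmationData", SAML_NS)
    problems = []
    if name_id is None or name_id.get("Format") != NAMEID_EMAIL:
        problems.append("NameID missing or not emailAddress format")
    if conf is None or conf.get("Method") != BEARER:
        problems.append("SubjectConfirmation is not the bearer method")
    if data is None:
        problems.append("SubjectConfirmationData missing")
    else:
        if data.get("Recipient") != expected_acs_url:
            problems.append("Recipient does not match our ACS URL")
        expiry = data.get("NotOnOrAfter")
        if expiry is None or parse_timestamp(now) >= parse_timestamp(expiry):
            problems.append("NotOnOrAfter missing or already passed")
    org_id, email = (None, None)
    if name_id is not None and name_id.text:
        org_id, email = split_name_id(name_id.text.strip())
    return {"ok": not problems, "problems": problems, "org_id": org_id, "email": email}


if __name__ == "__main__":
    acs = "https://playground-test.salesforce.com?so=00DR00000000R6N"
    for label, subject in (("org user", ORG_USER_SUBJECT),
                           ("Experience Cloud user", EXPERIENCE_USER_SUBJECT)):
        print(label, validate_subject(subject, acs, "2021-02-04T20:00:00Z"))
```

A real service provider verifies the XML signature on the Response (with an XML-DSig library such as xmlsec) before looking at the subject; the checks here assume that has already succeeded. The org ID prefix is only split off when it matches the 15-character org ID shape, so a plain address containing a single @ is left untouched.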
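The single logout steps above give the Salesforce IdP SLO endpoint format, require the service provider's SLO URL to be an absolute https:// URL, and have you pick the HTTP binding. As an added example (not Salesforce or any vendor's code) of what the service-provider side of that exchange looks like with the HTTP-Redirect binding, the block below builds the IdP endpoint from a My Domain name, validates an SP SLO URL against the https:// rule, and encodes a SP-initiated LogoutRequest the way the Redirect binding requires (raw DEFLATE, base64, URL-encoding) and decodes it back. The My Domain name "acme", the SP entity ID, the NameID and the request ID are assumed values.

```python
"""Building a SAML 2.0 LogoutRequest for the HTTP-Redirect binding, addressed
to a Salesforce org's IdP single logout endpoint, and decoding one coming back.

Added example, not Salesforce code. The My Domain name "acme", the SP entity
ID, the NameID and the request ID are assumed values.
"""
import base64
import urllib.parse
import zlib
from xml.sax.saxutils import escape, quoteattr


def idp_slo_endpoint(my_domain_name):
    """Salesforce IdP SLO endpoint, in the format given on this page."""
    return f"https://{my_domain_name}.my.salesforce.com/services/auth/idp/saml2/logout"


def is_valid_sp_slo_url(url):
    """The SP single logout URL must be absolute and start with https://."""
    parts = urllib.parse.urlsplit(url)
    return parts.scheme == "https" and bool(parts.netloc)


def build_logout_request(request_id, issuer, name_id, destination, issue_instant):
    """Minimal SP-initiated LogoutRequest; all caller-supplied values are XML-escaped."""
    return (
        '<samlp:LogoutRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
        'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" '
        f'ID={quoteattr(request_id)} Version="2.0" IssueInstant={quoteattr(issue_instant)} '
        f'Destination={quoteattr(destination)}>'
        f'<saml:Issuer>{escape(issuer)}</saml:Issuer>'
        '<saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">'
        f'{escape(name_id)}</saml:NameID>'
        '</samlp:LogoutRequest>'
    )


def redirect_encode(xml_text):
    """HTTP-Redirect binding: raw DEFLATE (no zlib header), then base64."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)
    deflated = comp.compress(xml_text.encode("utf-8")) + comp.flush()
    return base64.b64encode(deflated).decode("ascii")


def redirect_decode(encoded):
    """Inverse of redirect_encode, for a SAMLRequest or SAMLResponse query value."""
    return zlib.decompress(base64.b64decode(encoded), -15).decode("utf-8")


def redirect_url(endpoint, xml_text, relay_state=None):
    """Full redirect URL; urlencode percent-encodes the base64 value."""
    params = {"SAMLRequest": redirect_encode(xml_text)}
    if relay_state:
        params["RelayState"] = relay_state
    return endpoint + "?" + urllib.parse.urlencode(params)


def parse_redirect_url(url):
    """Recover the XML message and RelayState from a Redirect-binding URL."""
    query = urllib.parse.parse_qs(urllib.parse.urlsplit(url).query)
    key = "SAMLRequest" if "SAMLRequest" in query else "SAMLResponse"
    return redirect_decode(query[key][0]), query.get("RelayState", [None])[0]


if __name__ == "__main__":
    endpoint = idp_slo_endpoint("acme")
    request = build_logout_request("_8f3a2c1d", "https://benefits.example.com/sp",
                                   "sandy@salesforce.com", endpoint, "2021-02-04T20:00:00Z")
    url = redirect_url(endpoint, request, "https://benefits.example.com/")
    print(url)
    print(parse_redirect_url(url))
```

If the identity provider requires signed logout requests under the Redirect binding, the signature is not placed inside the XML; it is computed over the encoded query string and carried in separate SigAlg and Signature parameters, which this block does not add. The HTTP-POST binding, by contrast, sends the base64 message uncompressed in a form field with the signature embedded in the XML.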

