          Enable Salesforce as a SAML Identity Provider


          You can configure Salesforce as a single sign-on (SSO) SAML identity provider to external service providers. When your org acts as a SAML identity provider, users can access multiple apps with a single login. To get started with this configuration, enable Salesforce as an identity provider and share configuration information with your service provider.

          Required Editions

          Available in: both Salesforce Classic and Lightning Experience
          Available in: Developer, Enterprise, Performance, Unlimited, and Database.com Editions
          User Permissions Needed
          Define and modify identity providers and service providers: Customize Application

          Determine which certificate you want to use to enable your org to communicate with the service provider. You can use the default certificate or create your own. See Certificates and Keys.

          1. From Setup, in the Quick Find box, enter Identity Provider, then select Identity Provider.
          2. Click Enable Identity Provider.
          3. Select a certificate from the dropdown menu.
          4. Save your changes.

          To review your identity provider information, from Setup, in the Quick Find box, enter Identity Provider, then select Identity Provider.

          From this page, you can take these actions.

          • To change your identity provider certificate, click Edit.
            Warning: If you change the certificate, you potentially disable access to external applications. To validate the new certificate information, you can update all external applications.
          • To disable your org as an identity provider, click Disable.
            Warning: If you disable your org as an identity provider, users can no longer access any external applications with SSO.
          • To download your identity provider certificate, click Download Certificate. Your service provider can use the certificate to connect to Salesforce.
          • To download an XML file with metadata about your identity provider, click Download Metadata. Your service provider can use the metadata to connect to Salesforce.
          • In the Details section, view the Issuer, which is the unique identifier for your Salesforce identity provider.
          • In the SAML Metadata Discovery Endpoints section, access the identity provider metadata for your custom domain and any Experience Cloud sites. Some service providers use these URLs to configure SSO to connect to Salesforce. For example, when configuring Amazon Web Services (AWS) as a service provider, you upload your Salesforce identity provider metadata to AWS.

            You can find the identity provider metadata for a custom domain or site in these fields:

            • Salesforce Identity—URL of identity provider metadata for your custom domain.
            • Community Identity—URL of identity provider metadata for a specific Experience Cloud site. For example, if you set up a site named XYZ, you see XYZ Community Identity.

          Salesforce also defines a lifetime for SAML assertions sent to your service provider. A SAML assertion sent by a Salesforce identity provider is valid for 5 minutes after it's issued, with a 30-second buffer to account for clock skew. For example, if the assertion is issued at 12:00:00 GMT, it's valid between 11:59:30 GMT and 12:05:00 GMT. If the service provider receives the SAML response outside of this interval, it typically rejects the assertion.
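
The validity window described above, checked from the service provider side. This is an added example, not Salesforce code: it assumes the window arrives as the standard SAML 2.0 `NotBefore` and `NotOnOrAfter` attributes on the assertion's `Conditions` element, and the sample assertion, issuer URL, date, and function names are constructed for illustration.

```python
# Added example: service-provider check of a SAML assertion's validity window.
# Run it only after the assertion's signature has been verified against the
# identity provider certificate, and prefer a hardened SAML library in production.
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample mirroring the page's example (issued at 12:00:00 GMT).
SAMPLE_ASSERTION = """\
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed" Version="2.0" IssueInstant="2024-01-01T12:00:00Z">
  <saml:Issuer>https://idp.example.invalid</saml:Issuer>
  <saml:Conditions NotBefore="2024-01-01T11:59:30Z"
                   NotOnOrAfter="2024-01-01T12:05:00Z"/>
</saml:Assertion>
"""

def parse_utc(value):
    # SAML timestamps are UTC xs:dateTime values, optionally with fractions.
    fmt = "%Y-%m-%dT%H:%M:%S.%fZ" if "." in value else "%Y-%m-%dT%H:%M:%SZ"
    return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)

def check_validity_window(assertion_xml, received_at):
    """Return (accepted, reason) for an Assertion element received at `received_at`."""
    root = ET.fromstring(assertion_xml)
    cond = root.find("saml:Conditions", SAML_NS)
    if cond is None:
        return False, "no Conditions element"  # fail closed
    try:
        not_before = parse_utc(cond.attrib["NotBefore"])
        not_on_or_after = parse_utc(cond.attrib["NotOnOrAfter"])
    except (KeyError, ValueError):
        return False, "missing or malformed validity attributes"
    if received_at < not_before:
        return False, "received before NotBefore"
    if received_at >= not_on_or_after:  # NotOnOrAfter is exclusive in SAML 2.0
        return False, "received at or after NotOnOrAfter"
    return True, "within validity window"

def at(hms):
    # Helper: a UTC time on the sample's constructed date.
    return parse_utc("2024-01-01T" + hms + "Z")

if __name__ == "__main__":
    for t in ("11:59:29", "11:59:30", "12:04:59", "12:05:00"):
        print(t, check_validity_window(SAMPLE_ASSERTION, at(t)))
```

A rejection with "received before NotBefore" on a freshly issued assertion usually points to service provider clock drift beyond the 30-second buffer.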

          After you enable Salesforce as an identity provider, complete these steps.

           