Complete Prerequisites for SAML Service Provider Integration
Before integrating a service provider with Salesforce, enable your org as an identity provider and exchange SAML single sign-on (SSO) information with your service provider.
Required Editions

| Available in: both Salesforce Classic and Lightning Experience |
|---|
| Available in: Developer, Enterprise, Performance, Unlimited, and Database.com Editions |

| User Permissions Needed | |
|---|---|
| Define and modify identity providers and service providers: | Customize Application |
Before you start, enable Salesforce as an identity provider.
- Give your service provider information about your configuration of Salesforce as an identity provider. Depending on what format your service provider supports, you can share this information as metadata in an XML file or as a certificate. To access this information, take these steps.
  - From Setup, in the Quick Find box, enter Identity Provider, and then select Identity Provider.
  - If your service provider supports metadata, click Download Metadata. If your service provider supports certificates, click Download Certificate.

  Note: Salesforce also defines a lifetime for SAML assertions sent to your service provider. A SAML assertion sent by a Salesforce identity provider is valid for 5 minutes after it's issued, with a 30-second buffer to account for clock skew. For example, if the assertion is issued at 12:00:00 GMT, it's valid between 11:59:30 GMT and 12:05:00 GMT. If the service provider receives the SAML response outside of this interval, it typically rejects the assertion. Work with your service provider to ensure that it complies with this requirement.
- Get this configuration information from your service provider.
  - Assertion consumer service (ACS) URL—The URL where the identity provider sends SAML responses.
  - Entity ID—The unique identifier of the service provider.
  - Subject type—Specifies where the service provider expects Salesforce to send user identity information in SAML assertions. Salesforce can send user information in the subject of the assertion or in a custom attribute.
  - Security certificate—Required when the service provider initiates login via Salesforce and signs its SAML requests.
- To add extra protection for sensitive resources, configure forced authentication on the service provider. With forced authentication, users who are already logged in to Salesforce must reenter their credentials when they try to access the service provider.

  To configure forced authentication, work with your service provider to add a ForceAuthn parameter to the SAML request. During SSO, the service provider uses this parameter to tell Salesforce that the user must reauthenticate. There's no additional setup in your org: when Salesforce acts as the identity provider, forced authentication is automatically supported. You can share this example SAML request, which Salesforce accepts for forced authentication, with your service provider.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<samlp:AuthnRequest
    xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    AssertionConsumerServiceURL="ACS_URL"
    Destination="IDP_INIT_LOGIN_URL"
    Version="2.0"
    IssueInstant="2011-05-20T13:01:00.000Z"
    ProviderName="https://saml.salesforce.com"
    ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
    ForceAuthn="true">
  <saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">ENTITY_ID</saml:Issuer>
</samlp:AuthnRequest>
```
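The two checks a practitioner ends up writing around the rules on this page, as an added Python example that is not Salesforce code: on the service-provider side, accepting an assertion only inside the 5-minute window with the 30-second clock-skew buffer from the note above, and on the identity-provider side, reading the ForceAuthn flag from a request like the one above. The sample Response and AuthnRequest are constructed inline; their IDs and issuer are placeholders.

```python
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET  # for untrusted input use a hardened parser such as defusedxml

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
# Rules described for a Salesforce IdP: valid 5 minutes after IssueInstant, with a 30-second skew buffer before it.
ASSERTION_LIFETIME = timedelta(minutes=5)
CLOCK_SKEW_BUFFER = timedelta(seconds=30)

def parse_instant(value: str) -> datetime:
    """Parse a SAML xs:dateTime such as 2011-05-20T12:00:00.000Z into an aware UTC datetime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00")).astimezone(timezone.utc)

def assertion_window(issue_instant: datetime):
    """Return (not_before, not_on_or_after) for an assertion issued at issue_instant."""
    return issue_instant - CLOCK_SKEW_BUFFER, issue_instant + ASSERTION_LIFETIME

def assertion_is_fresh(response_xml: str, received_at: datetime) -> bool:
    """Service-provider check: was the Assertion in this Response received inside its window?
    NotBefore is inclusive and NotOnOrAfter exclusive, as for SAML Conditions."""
    assertion = ET.fromstring(response_xml).find(f"{{{SAML}}}Assertion")
    if assertion is None or assertion.get("IssueInstant") is None:
        return False  # nothing checkable (encrypted, missing or malformed): fail closed
    not_before, not_on_or_after = assertion_window(parse_instant(assertion.get("IssueInstant")))
    return not_before <= received_at < not_on_or_after

def requires_forced_authn(authn_request_xml: str) -> bool:
    """Identity-provider side: does this AuthnRequest ask for reauthentication via ForceAuthn?"""
    root = ET.fromstring(authn_request_xml)
    if root.tag != f"{{{SAMLP}}}AuthnRequest":
        raise ValueError("not a SAML 2.0 AuthnRequest")
    return root.get("ForceAuthn", "false").strip().lower() in ("true", "1")

# Constructed sample messages (not captured traffic); IDs and issuer are placeholders.
SAMPLE_RESPONSE = f"""<samlp:Response xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" Version="2.0"
  ID="_resp_constructed" IssueInstant="2011-05-20T12:00:00.000Z">
  <saml:Assertion Version="2.0" ID="_asrt_constructed" IssueInstant="2011-05-20T12:00:00.000Z">
    <saml:Issuer>https://idp.example.invalid</saml:Issuer>
  </saml:Assertion>
</samlp:Response>"""
SAMPLE_AUTHN_REQUEST = f"""<samlp:AuthnRequest xmlns:samlp="{SAMLP}" Version="2.0" ID="_req_constructed"
  IssueInstant="2011-05-20T13:01:00.000Z" ForceAuthn="true">
  <saml:Issuer xmlns:saml="{SAML}">ENTITY_ID</saml:Issuer>
</samlp:AuthnRequest>"""

if __name__ == "__main__":
    for hhmmss in ("11:59:29", "11:59:30", "12:04:59", "12:05:00"):
        at = parse_instant(f"2011-05-20T{hhmmss}Z")
        print(hhmmss, "accept" if assertion_is_fresh(SAMPLE_RESPONSE, at) else "reject")
    print("ForceAuthn requested:", requires_forced_authn(SAMPLE_AUTHN_REQUEST))
```

Run as a script, it walks the boundaries of the page's 12:00:00 example: 11:59:29 is rejected, 11:59:30 and 12:04:59 are accepted, and 12:05:00 is rejected.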
After you complete these prerequisites, complete these steps.

