          Just-in-Time SAML Assertion Fields for Experience Cloud

          With Just-in-Time (JIT) provisioning for Experience Cloud, you can use a SAML assertion to create Experience Cloud site users the first time they log in from an identity provider. The identity provider sends user information to your Salesforce org in an Attributes statement in a SAML assertion. Work with your identity provider to determine which user information you want to pass to your org and that the Attributes statement is formatted correctly.

          SAML Single Sign-On Settings

          Configure SAML single sign-on (SSO) with Salesforce as the service provider, and enable JIT provisioning. Set the values for your configuration, as needed, and include these values specific to your site for JIT provisioning.

          • Check User Provisioning Enabled.
            • Just-in-Time provisioning requires a Federation ID in the user type. In SAML User ID Type, select Assertion contains the Federation ID from the User object.
            • If your identity provider previously used the Salesforce username, communicate to them that they must use the Federation ID.
          • The Entity ID must be unique across your org and begin with https. You can’t have two SAML configurations with the same Entity ID in one org. Specify whether you want to use the base domain (https://saml.salesforce.com) or the site URL (https://acme.my.site.com/customers) for the Entity ID. Share this information with your identity provider.
            Tip: Generally, use the site URL as the entity ID. If you’re providing Salesforce to Salesforce services, you must specify the site URL.

            If you’re not using enhanced domains, your org’s Experience Cloud sites URL is different. For details, see My Domain URL Formats in Salesforce Help.

          Recipient URLs

          The SAML assertion needs a Recipient URL. This URL is the Site Login URL from the SAML Single Sign-On Settings detail page. The URL is in this form.

          https://domainName/login?so=orgID

          For example, Recipient="https://acme.my.site.com/customers/login?so=00DD0000000JsCM" where acme.my.site.com/customers is the site home page and 00DD0000000JsCM is the Organization ID.

          If an Assertion Decryption Certificate has been uploaded to the org’s SAML Single Sign-On Settings, include the certificate ID in the URL using the sc parameter. For example, Recipient="https://acme.my.site.com/customers/login?so=00DD0000000JsCM&sc=0LE000000Dp" where 0LE000000Dp is the certificate ID.
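The Recipient check described above, as an added example that is not Salesforce's code: the expected Recipient URL is built from the site URL, the org ID and, when an Assertion Decryption Certificate is configured, the certificate ID, and an assertion's Recipient is then compared against it. The site URL, org ID and certificate ID are the illustrative values from this page; the assertion XML and the helper names are assumptions made for the example.

```python
"""Constructed example (not Salesforce code): build the Recipient URL an
Experience Cloud site expects and check that an assertion's Recipient matches
it. Site URL, org ID and certificate ID are the illustrative values from the
page; the assertion XML below is made up for this example."""
import xml.etree.ElementTree as ET
from typing import Optional
from urllib.parse import parse_qs, urlsplit

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

SITE_URL = "https://acme.my.site.com/customers"
ORG_ID = "00DD0000000JsCM"
CERT_ID = "0LE000000Dp"


def build_recipient_url(site_url: str, org_id: str, cert_id: Optional[str] = None) -> str:
    """Recipient = <site URL>/login?so=<org ID>, plus &sc=<cert ID> when an
    Assertion Decryption Certificate is uploaded to the SSO settings."""
    url = f"{site_url.rstrip('/')}/login?so={org_id}"
    if cert_id:
        url += f"&sc={cert_id}"
    return url


def extract_recipient(assertion_xml: str) -> Optional[str]:
    """Read the Recipient attribute from the SubjectConfirmationData element."""
    root = ET.fromstring(assertion_xml)
    data = root.find(".//saml:SubjectConfirmationData", SAML_NS)
    return None if data is None else data.get("Recipient")


def recipient_matches(actual: Optional[str], expected: str) -> bool:
    """Scheme, host, path and the so/sc query parameters must all agree.
    A different site, a different org ID, or a missing or extra sc parameter
    is a mismatch and the assertion must not be accepted for this site."""
    if actual is None:
        return False
    a, e = urlsplit(actual), urlsplit(expected)
    if (a.scheme, a.netloc.lower(), a.path) != (e.scheme, e.netloc.lower(), e.path):
        return False
    return parse_qs(a.query, keep_blank_values=True) == parse_qs(e.query, keep_blank_values=True)


# Constructed assertion fragment: only the parts this check looks at.
# '&amp;' is the XML escape for '&' inside the attribute value.
GOOD_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Subject>
    <saml:NameID>fed-12345</saml:NameID>
    <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
      <saml:SubjectConfirmationData
        Recipient="https://acme.my.site.com/customers/login?so=00DD0000000JsCM&amp;sc=0LE000000Dp"
        NotOnOrAfter="2030-01-01T00:00:00Z"/>
    </saml:SubjectConfirmation>
  </saml:Subject>
</saml:Assertion>"""

# Same constructed assertion with the org ID changed: must be rejected.
WRONG_ORG_ASSERTION = GOOD_ASSERTION.replace(ORG_ID, "00D000000000001")

if __name__ == "__main__":
    expected = build_recipient_url(SITE_URL, ORG_ID, CERT_ID)
    print("good  ->", recipient_matches(extract_recipient(GOOD_ASSERTION), expected))
    print("wrong ->", recipient_matches(extract_recipient(WRONG_ORG_ASSERTION), expected))
```

The comparison is deliberately exact on the so and sc parameters: an assertion built for the base domain, for another org, or without the sc parameter when a decryption certificate is configured should fail the check rather than be accepted loosely.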

          Federation IDs

          Salesforce attempts to match the Federation ID in the subject of the SAML assertion to the User.FederationIdentifier field of an existing user record. Salesforce can also use the attribute element to match, depending on how the SAML Identity Location is defined in the SAML Single Sign-On Settings.

          If a matching user record is found, Salesforce uses the attributes in the SAML assertion to update the specified fields. If a user with a matching user record isn’t found, Salesforce searches the contacts for a match based on the Contact ID (User.Contact) or email (Contact.Email). Contact.Email and Contact.LastName are both required properties when User.Contact isn’t specified, but matching is only based on Contact.Email when both properties exist.

          If a matching contact record is found, Salesforce uses the attributes in the SAML assertion to update the specified contact fields and then inserts a new user record. If a matching contact record isn’t found, then Salesforce searches the accounts for a match based on the Contact.Account or Account.AccountNumber specified in the SAML assertion. Account.AccountNumber and Account.Name are required properties when Contact.Account isn’t specified, but matching is only based on Account.AccountNumber when both properties exist.

          If a matching account record is found, Salesforce inserts a new user record and updates the account records based on the attributes provided in the SAML assertion. If a matching account record isn’t found, Salesforce inserts new account, contact, and user records based on the attributes provided in the SAML assertion.

          If the user account is inactive, the user account is updated but left inactive unless User.IsActive in the JIT assertion is set to true. If there’s no user account with that Federation ID, the system creates a user.
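The matching order described in the preceding paragraphs (user by Federation ID, then contact, then account, then create all three), worked through as an added example that is not Salesforce's implementation. The in-memory record store, the action names returned, and the sample records are assumptions made for this illustration; the precedence rules (User.Contact over Contact.Email, Contact.Account over Account.AccountNumber, both required properties present but only one used for matching, and the inactive-user handling) follow the text above.

```python
"""Constructed example (not Salesforce code) of the JIT matching order:
1. user by Federation ID, 2. contact, 3. account, 4. create everything.
Records, action names and sample data are assumptions for this example."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class User:
    id: str
    federation_id: str
    contact_id: str
    is_active: bool = True


@dataclass
class Contact:
    id: str
    email: str
    last_name: str
    account_id: str


@dataclass
class Account:
    id: str
    account_number: str
    name: str


@dataclass
class Store:
    users: List[User] = field(default_factory=list)
    contacts: List[Contact] = field(default_factory=list)
    accounts: List[Account] = field(default_factory=list)


def _require(attrs: Dict[str, str], *names: str) -> None:
    """Reject the assertion when a required property is absent or empty."""
    missing = [n for n in names if not attrs.get(n)]
    if missing:
        raise ValueError("assertion is missing required attribute(s): " + ", ".join(missing))


def find_contact(attrs: Dict[str, str], store: Store) -> Optional[Contact]:
    """User.Contact wins when present. Otherwise Contact.Email and
    Contact.LastName must both be present, but only Email is matched."""
    if attrs.get("User.Contact"):
        return next((c for c in store.contacts if c.id == attrs["User.Contact"]), None)
    _require(attrs, "Contact.Email", "Contact.LastName")
    email = attrs["Contact.Email"].lower()
    return next((c for c in store.contacts if c.email.lower() == email), None)


def find_account(attrs: Dict[str, str], store: Store) -> Optional[Account]:
    """Contact.Account wins when present. Otherwise Account.AccountNumber and
    Account.Name must both be present, but only AccountNumber is matched."""
    if attrs.get("Contact.Account"):
        return next((a for a in store.accounts if a.id == attrs["Contact.Account"]), None)
    _require(attrs, "Account.AccountNumber", "Account.Name")
    number = attrs["Account.AccountNumber"]
    return next((a for a in store.accounts if a.account_number == number), None)


def resolve_jit(federation_id: str, attrs: Dict[str, str], store: Store) -> Tuple[str, Optional[str]]:
    """Return (action, id of the matched record) without mutating the store."""
    user = next((u for u in store.users if u.federation_id == federation_id), None)
    if user is not None:
        if user.is_active or attrs.get("User.IsActive", "").lower() == "true":
            return ("update_user", user.id)
        # Inactive user: fields are updated but the user stays inactive.
        return ("update_user_leave_inactive", user.id)
    contact = find_contact(attrs, store)
    if contact is not None:
        return ("update_contact_insert_user", contact.id)
    account = find_account(attrs, store)
    if account is not None:
        return ("update_account_insert_user", account.id)
    return ("insert_account_contact_user", None)


def jit_outcome(federation_id: str, attrs: Dict[str, str], store: Store) -> Tuple[str, Optional[str]]:
    """Same as resolve_jit but reports a missing-attribute rejection as a value."""
    try:
        return resolve_jit(federation_id, attrs, store)
    except ValueError as exc:
        return ("reject", str(exc))


# Constructed sample records for the illustration.
SAMPLE = Store(
    users=[User("005A", "fed-alice", "003A", is_active=False)],
    contacts=[Contact("003A", "alice@example.com", "Smith", "001A"),
              Contact("003B", "bob@example.com", "Jones", "001A")],
    accounts=[Account("001A", "ACME-001", "Acme Corp")],
)

if __name__ == "__main__":
    print(jit_outcome("fed-alice", {}, SAMPLE))
    print(jit_outcome("fed-bob", {"Contact.Email": "Bob@Example.com", "Contact.LastName": "Other"}, SAMPLE))
    print(jit_outcome("fed-x", {"Contact.Email": "x@example.com"}, SAMPLE))
```

Note the two edge cases the text calls out: an existing inactive user is only reactivated when the assertion carries User.IsActive set to true, and a contact is matched on Contact.Email alone even when the Contact.LastName in the assertion disagrees with the stored record, which is why the identity provider must be trusted to send accurate values.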

          Profile Name and ID

          If the site doesn’t have self-registration enabled and a default new user profile and role aren’t specified, the User.ProfileId field must contain a valid profile name or ID.

          Supported Fields for the Site SAML Assertion

          To correctly identify which object to create in Salesforce, you must use a prefix. In the SAML assertion, use the Account prefix for all fields in the Account schema, for example, Account.AccountId. And use the Contact prefix for all fields in the Contact schema. In this example, the Contact prefix was added to the Email field name.

          <saml:Attribute 
             Name="Contact.Email" 
             NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
                <saml:AttributeValue xsi:type="xs:anyType">testuser@123.org</saml:AttributeValue>
          </saml:Attribute>
          
          Note: Salesforce also supports custom fields on the User object in the SAML assertion. Any attribute in the assertion that starts with User is parsed as a custom field. For example, the attribute User.NumberOfProductsBought__c in the assertion is placed into the field NumberOfProductsBought for the provisioned user. Custom fields aren’t supported for Accounts or Contacts.
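The prefix and custom-field rules just described, applied to an AttributeStatement as an added example that is not Salesforce's parser: each Attribute is bucketed by its Account, Contact or User prefix, __c custom fields are accepted only with the User prefix, and attributes without a prefix or outside the supported field list are reported rather than silently written. The assertion XML is constructed here, and the allow-lists are a small subset of the supported fields on this page (the User entries are only the ones this page names), so both are assumptions of the example.

```python
"""Constructed example (not Salesforce code): bucket SAML Attribute elements
by their Account/Contact/User prefix and enforce the custom-field rule.
The assertion XML and the allow-lists below are assumptions for the example."""
import xml.etree.ElementTree as ET
from typing import Dict, List, Tuple

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
PREFIXES = ("Account", "Contact", "User")

# Illustrative subset of the supported standard fields listed on this page;
# the User entries are only those this page mentions by name.
SUPPORTED = {
    "Account": {"Name", "AccountNumber", "Phone", "Website", "Industry"},
    "Contact": {"Email", "FirstName", "LastName", "Phone", "Account", "Birthdate"},
    "User": {"ProfileId", "IsActive", "Contact", "FederationIdentifier"},
}


def parse_attributes(assertion_xml: str) -> Tuple[Dict[str, Dict[str, str]], List[str]]:
    """Return ({prefix: {field: value}}, problems). Every attribute that is
    skipped is recorded in problems with the reason, so an operator can see
    what the identity provider sent that will not be provisioned."""
    root = ET.fromstring(assertion_xml)
    fields: Dict[str, Dict[str, str]] = {p: {} for p in PREFIXES}
    problems: List[str] = []
    for attr in root.iterfind(".//saml:Attribute", NS):
        name = attr.get("Name", "")
        value_el = attr.find("saml:AttributeValue", NS)
        value = (value_el.text or "").strip() if value_el is not None else ""
        prefix, _, field_name = name.partition(".")
        if prefix not in PREFIXES or not field_name:
            problems.append(f"{name}: no Account/Contact/User prefix")
            continue
        if field_name.endswith("__c"):
            if prefix != "User":
                problems.append(f"{name}: custom fields are supported only on User")
                continue
            fields[prefix][field_name] = value  # custom field on the User object
            continue
        if field_name not in SUPPORTED[prefix]:
            problems.append(f"{name}: not in the supported {prefix} field list")
            continue
        fields[prefix][field_name] = value
    return fields, problems


# Constructed assertion: the page's Contact.Email attribute plus a mix of
# valid, custom and malformed attributes to exercise each rule.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xmlns:xs="http://www.w3.org/2001/XMLSchema">
  <saml:AttributeStatement>
    <saml:Attribute Name="Contact.Email"
        NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
      <saml:AttributeValue xsi:type="xs:anyType">testuser@123.org</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="Contact.LastName">
      <saml:AttributeValue xsi:type="xs:anyType">Test</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="Account.AccountNumber">
      <saml:AttributeValue xsi:type="xs:anyType">ACME-001</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="Account.Name">
      <saml:AttributeValue xsi:type="xs:anyType">Acme Corp</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="User.ProfileId">
      <saml:AttributeValue xsi:type="xs:anyType">Customer Community User</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="User.NumberOfProductsBought__c">
      <saml:AttributeValue xsi:type="xs:anyType">3</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="Account.Region__c">
      <saml:AttributeValue xsi:type="xs:anyType">EMEA</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="Email">
      <saml:AttributeValue xsi:type="xs:anyType">orphan@123.org</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

if __name__ == "__main__":
    parsed, issues = parse_attributes(SAMPLE_ASSERTION)
    for prefix, values in parsed.items():
        print(prefix, values)
    for issue in issues:
        print("skipped:", issue)
```

Running this over the constructed assertion places Contact.Email, Contact.LastName, Account.AccountNumber, Account.Name, User.ProfileId and the User custom field into their buckets, and reports the Account custom field and the unprefixed Email attribute as skipped.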

          Supported Account Fields

          In addition to the standard User attributes supported for regular SAML JIT users, these Account attributes are also supported. For example, specifying an Account.Phone attribute in the assertion updates the account’s Phone field on the corresponding Account object.

          • Name
          • AccountNumber
          • BillingCity
          • BillingCountry
          • BillingPostalCode
          • BillingState
          • BillingStreet
          • Owner (The Owner field on the Account object is Account.OwnerId in the API.)
          • AnnualRevenue
          • Description
          • NumberOfEmployees
          • Fax
          • Industry
          • Ownership
          • Phone
          • Rating
          • ShippingAddress (The Shipping Address field is a compound field.)
          • ShippingCity
          • ShippingCountry
          • ShippingPostalCode
          • ShippingState
          • ShippingStreet
          • Sic
          • TickerSymbol
          • Website

          Supported Contact Fields

          These Contact fields are supported.

          • Account (This value is the Account Name field on the Contact object and Account.Name in the API.)
          • Email
          • FirstName
          • LastName
          • Phone
          • CanAllowPortalSelfReg
          • AssistantName
          • AssistantPhone
          • Birthdate
          • Owner (This value is the Contact Owner field on the Contact object and Contact.OwnerId in the API.)
          • Department
          • Description
          • DoNotCall
          • HasOptedOutOfEmail
          • Fax
          • HasOptedOutOfFax
          • HomePhone
          • LastCUUpdateDate (This value is the Last Modified By field on the Contact object and Contact.LastModifiedDate in the API.)
          • LeadSource
          • MailingAddress (The Mailing Address field is a compound field.)
          • MailingCity
          • MailingCountry
          • MailingPostalCode
          • MailingState
          • MailingStreet
          • MobilePhone
          • Salutation
          • OtherAddress (The OtherAddress field is a compound field.)
          • OtherCity
          • OtherCountry
          • OtherPostalCode
          • OtherState
          • OtherStreet
          • OtherPhone
          • Title
          Salesforce Help | Article