Step 1: Gather Information from Your Identity Provider
During a SAML single sign-on (SSO) flow where you use Salesforce as a service provider,
your identity provider sends a SAML response to Salesforce, which Salesforce then validates. To
make sure that Salesforce can recognize and validate the SAML response, gather SAML information
from your identity provider so that you can share it with Salesforce.
Required Editions
Available in: both Salesforce Classic and Lightning Experience
Federated Authentication is available in: All Editions
Delegated Authentication is available in: Professional, Enterprise, Performance, Unlimited, Developer, and Database.com Editions
Authentication Providers are available in: Professional, Enterprise, Performance, Unlimited, and Developer Editions
User Permissions Needed
To view the settings: View Setup and Configuration
To edit the settings: Customize Application AND Modify All Data
Tip: To set up SSO, on the Single Sign-On Settings page, import SAML 2.0 settings
from an XML file or from a URL pointing to the file. Get the XML file from your identity
provider.
For more information about how SAML SSO works, see SAML SSO Flows.
Gather SAML configuration information from your identity provider as appropriate. This
list includes an identifier and several SAML assertion parameters. Some identity providers
give you all these parameters, and others give you a subset of this list.
- The unique identifier of the identity provider, known as the issuer ID
- The SAML user ID type
- The SAML user ID location
- Attribute Name
- Attribute URI
- Name ID format
Attribute Name, Attribute URI, and Name ID format are only necessary if the SAML User
ID location is in an Attribute element, and not in the NameIdentifier element of a
Subject statement. For more information, see Step 2: Create a SAML Single Sign-On Setting in Salesforce.
Salesforce requires the identity provider to sign either the response body or the
assertion, but it’s not necessary to sign both. Salesforce first validates the signature
in the response body. If the signature is missing or invalid, Salesforce then validates
the signature in the assertion.
Get your identity provider’s authentication certificate. Store it where you can access
it from your browser. You upload it to Salesforce when you configure SAML settings.
If you have a Request Signing Certificate that you want to use, upload it to
Salesforce. See Certificates and Keys in
Salesforce Help.