SAML SSO with Salesforce as the Service Provider
SAML is an open standard for exchanging authentication and authorization data that Salesforce uses for single sign-on (SSO) into a Salesforce org from a third-party identity provider. You can also use SAML to create user accounts automatically on first login with Just-in-Time (JIT) user provisioning.
Required Editions
| Feature | Availability |
|---|---|
| User interface | Both Salesforce Classic and Lightning Experience |
| Federated Authentication | All Editions |
| Delegated Authentication | Professional, Enterprise, Performance, Unlimited, Developer, and Database.com Editions |
| Authentication Providers | Professional, Enterprise, Performance, Unlimited, and Developer Editions |

| User Permissions Needed | |
|---|---|
| To view the settings: | View Setup and Configuration |
| To edit the settings: | Customize Application AND Modify All Data |
When you configure Salesforce as the service provider using SAML, authenticated users can flow from a third-party identity provider into Salesforce.
SAML lets your identity provider exchange user information with Salesforce. When a user tries to log in, your identity provider sends Salesforce a SAML assertion containing facts about the user. Salesforce receives the assertion and validates it against your Single Sign-On Settings: the signature must verify with the identity provider certificate you uploaded, and the issuer, audience (your entity ID), recipient, and validity window must match what you configured. Only then is the user granted access to your org.
If your users can’t log in, review the SAML login history to determine why. Use the SAML Assertion Validator to troubleshoot errors in the SAML assertion.
Configuration Help
To configure SSO into your org, establish a SAML identity provider and follow these general steps.
- Configure SSO with Salesforce as a SAML Service Provider
  Configure your Salesforce org or Experience Cloud site as a service provider with SAML single sign-on (SSO). With this SAML configuration, your users can log in to Salesforce with credentials from an external identity provider.
- Set Up an External Identity Provider to Encrypt SAML Assertions
  When you configure Salesforce as the service provider in a SAML single sign-on (SSO) configuration, you can pick a saved certificate to decrypt inbound assertions from external identity providers. These instructions show you how to edit your SSO configuration so that your external identity provider can encrypt SAML assertions.
- Customize SAML Start, Login, Logout, and Error Pages
  When you configure SAML single sign-on (SSO) into Salesforce, you define URLs for the pages users see throughout the SSO flow. Your identity provider can provide the URLs for the start, login, and logout pages, or you can provide your own URLs for these pages. You can also specify a custom error page.
- Example SAML Assertions
  Salesforce supports several SAML assertion formats sent by your identity provider, with extra requirements for specific features like encrypted assertions and Just-in-Time (JIT) provisioning. To help your identity provider determine the format of SAML assertions to use with your Salesforce org, share these examples.
- View and Edit Single Sign-On Settings
  After you configure your Salesforce org to use SAML, you can manage the SAML configuration from the Single Sign-On Settings page.
- Review the Login History
  When users fail to log in to your org with single sign-on (SSO), search the login history to find out why. For example, see whether a login failure is related to the SAML assertion or to your Salesforce configuration.
- Configure SSO to Salesforce Using Microsoft AD FS as the Identity Provider
  Let your users log in from a Microsoft environment to a Salesforce org using Microsoft Active Directory Federation Services (AD FS) 2.0. Microsoft AD FS functions as the identity provider for single sign-on authentication.
- Just-in-Time Provisioning for SAML
  Use Just-in-Time (JIT) provisioning to automatically create a user account in your Salesforce org the first time a user logs in with a SAML identity provider. JIT provisioning can reduce your workload and save time because you don't provision users or create user accounts in advance.
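The following is an added example, not Salesforce code and not taken from this page. It models the checks a SAML service provider makes on an inbound assertion after the XML signature has been verified (issuer, audience, validity window, bearer subject confirmation for the ACS URL) and shows how the User.* attributes used for JIT provisioning are read out of the AttributeStatement. The SP configuration values, the sample assertion, the three-minute clock-skew tolerance, and the set of User.* attribute names shown are assumptions; confirm the exact attributes your org requires against the Just-in-Time Provisioning topic. Signature verification is deliberately not implemented here: run it first with an XML-DSig library on the exact bytes received, then apply these checks to the signed element.

```python
"""SP-side checks on an inbound SAML 2.0 assertion (added example, not Salesforce code)."""
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"saml": SAML_NS}
BEARER = "urn:oasis:names:tc:SAML:2.0:cm:bearer"
CLOCK_SKEW = timedelta(minutes=3)  # assumed tolerance for IdP/SP clock drift

# Hypothetical SP configuration mirroring the Single Sign-On Settings fields
# (issuer, entity ID used as Audience, login URL used as Recipient). Assumed values.
SP_CONFIG = {
    "issuer": "https://idp.example.com/saml",
    "audience": "https://saml.salesforce.com",
    "acs_url": "https://login.salesforce.com",
}

# Constructed sample assertion for this example; not captured from a real IdP.
# NOTE: signature verification must already have succeeded on this element.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_example-assertion" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
  <saml:Issuer>https://idp.example.com/saml</saml:Issuer>
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">alice@example.com</saml:NameID>
    <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
      <saml:SubjectConfirmationData NotOnOrAfter="2024-01-01T00:05:00Z" Recipient="https://login.salesforce.com"/>
    </saml:SubjectConfirmation>
  </saml:Subject>
  <saml:Conditions NotBefore="2024-01-01T00:00:00Z" NotOnOrAfter="2024-01-01T00:05:00Z">
    <saml:AudienceRestriction><saml:Audience>https://saml.salesforce.com</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AuthnStatement AuthnInstant="2024-01-01T00:00:00Z"/>
  <saml:AttributeStatement>
    <saml:Attribute Name="User.Username"><saml:AttributeValue>alice@example.com</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="User.Email"><saml:AttributeValue>alice@example.com</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="User.LastName"><saml:AttributeValue>Example</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="User.FederationIdentifier"><saml:AttributeValue>alice</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

GOOD_NOW = datetime(2024, 1, 1, 0, 1, tzinfo=timezone.utc)   # inside the validity window
LATE_NOW = datetime(2024, 1, 1, 0, 10, tzinfo=timezone.utc)  # after NotOnOrAfter plus skew


def parse_instant(value):
    """Parse a SAML xsd:dateTime in UTC, e.g. 2024-01-01T00:00:00Z, with or without fractional seconds."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def validate_assertion(xml_text, config, now):
    """Return a list of failures; an empty list means the assertion passes every check."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{SAML_NS}}}Assertion":
        return ["root element is not a saml:Assertion"]
    errors = []

    issuer = root.findtext("saml:Issuer", default="", namespaces=NS).strip()
    if issuer != config["issuer"]:
        errors.append(f"issuer mismatch: {issuer!r}")

    cond = root.find("saml:Conditions", NS)
    if cond is None:
        errors.append("missing Conditions element")
    else:
        not_before, not_on_or_after = cond.get("NotBefore"), cond.get("NotOnOrAfter")
        if not_before and now < parse_instant(not_before) - CLOCK_SKEW:
            errors.append("assertion not yet valid (NotBefore)")
        if not_on_or_after is None:
            errors.append("Conditions lacks NotOnOrAfter")
        elif now >= parse_instant(not_on_or_after) + CLOCK_SKEW:
            errors.append("assertion expired (NotOnOrAfter)")
        audiences = [a.text.strip() for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS) if a.text]
        if config["audience"] not in audiences:
            errors.append(f"audience mismatch: {audiences}")

    if not root.findtext("saml:Subject/saml:NameID", default="", namespaces=NS).strip():
        errors.append("missing NameID")

    # At least one bearer confirmation must name this SP's ACS URL and still be in time;
    # this is what stops an assertion issued for another SP from being replayed here.
    confirmed = False
    for sc in root.findall("saml:Subject/saml:SubjectConfirmation", NS):
        data = sc.find("saml:SubjectConfirmationData", NS)
        if sc.get("Method") != BEARER or data is None:
            continue
        expiry = data.get("NotOnOrAfter")
        if data.get("Recipient") == config["acs_url"] and expiry and now < parse_instant(expiry) + CLOCK_SKEW:
            confirmed = True
    if not confirmed:
        errors.append("no valid bearer SubjectConfirmation for this ACS URL")
    return errors


def jit_attributes(xml_text):
    """Collect the User.* attributes a JIT-provisioning assertion carries (first value of each)."""
    root = ET.fromstring(xml_text)
    attrs = {}
    for attr in root.findall("saml:AttributeStatement/saml:Attribute", NS):
        name = attr.get("Name", "")
        values = [v.text.strip() for v in attr.findall("saml:AttributeValue", NS) if v.text]
        if name.startswith("User.") and values:
            attrs[name] = values[0]
    return attrs


if __name__ == "__main__":
    print("in window:", validate_assertion(SAMPLE_ASSERTION, SP_CONFIG, GOOD_NOW) or "OK")
    print("late:", validate_assertion(SAMPLE_ASSERTION, SP_CONFIG, LATE_NOW))
    print("JIT attributes:", jit_attributes(SAMPLE_ASSERTION))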

