          Set Up an External Identity Provider to Encrypt SAML Assertions

          When you configure Salesforce as the service provider in a SAML single sign-on (SSO) configuration, you can pick a saved certificate to decrypt inbound assertions from external identity providers. These instructions show you how to edit your SSO configuration so that your external identity provider can encrypt SAML assertions.

          Required Editions

          Available in: both Salesforce Classic and Lightning Experience

          Federated Authentication is available in: All Editions

          Delegated Authentication is available in: Professional, Enterprise, Performance, Unlimited, Developer, and Database.com Editions

          Authentication Providers are available in: Professional, Enterprise, Performance, Unlimited, and Developer Editions

          User Permissions Needed
          To view the settings: View Setup and Configuration
          To edit the settings: Customize Application AND Modify All Data

          To save a certificate in Salesforce, see Certificates and Keys in Salesforce Help.

          1. From Setup, in the Quick Find box, enter Single, and then select Single Sign-On Settings.
          2. Next to your SSO configuration, click Edit.
          3. For Assertion Decryption Certificate, select the certificate that you want to use for encryption.
          4. Verify that your SAML Identity Location from your original configuration is accurate. If not, select an option based on where your identity provider stores the user’s identifier, meaning their Salesforce username or federationIdentifier, in SAML assertions.
            • If the user’s identifier is in the <Subject> statement of the assertion, select Identity is in the NameIdentifier element of the Subject statement.
            • If the user’s identifier is in an <AttributeValue> in the assertion’s <Attribute>, select Identity is in an Attribute element.
          5. If you selected Identity is in an Attribute element, fill out these fields.
            • Attribute Name—Enter the value of the AttributeName parameter specified in the <Attribute> element in your identity provider’s SAML assertions. This value matches the User ID.
            • Name ID Format—Enter the value of the nameid-format in your identity provider’s SAML assertions, such as unspecified, emailAddress, or persistent. For a list of all possible values, see the Name Identifier Format Identifiers section in the Assertions and Protocols SAML 2.0 specification.
          6. Save the settings.
            After you make these changes, the value for the Salesforce Login URL changes in your SAML configuration.
          7. Copy your new Salesforce Login URL value.
          8. Share the new Salesforce Login URL with your identity provider.
          9. To help your identity provider encrypt assertions, share a copy of the certificate in the Assertion Decryption Certificate field.
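          The identity-location choice in steps 4 and 5 decides which element of the inbound assertion the service provider reads, and an encrypted assertion exposes nothing readable until it has been decrypted with the key behind the Assertion Decryption Certificate. The following added example (not Salesforce code) shows that logic on constructed assertion fragments; the attribute name "username" and all values are assumptions.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample: identity carried in the Subject's NameID element.
SUBJECT_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">alice@example.com</saml:NameID>
  </saml:Subject>
</saml:Assertion>"""

# Constructed sample: identity carried in an Attribute element (hypothetical Name "username").
ATTRIBUTE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:AttributeStatement>
    <saml:Attribute Name="username">
      <saml:AttributeValue>alice@example.com</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

# Constructed sample: an encrypted assertion. Only ciphertext is visible until the
# service provider decrypts it with the private key of its decryption certificate.
ENCRYPTED_ASSERTION = """<saml:EncryptedAssertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
  <xenc:EncryptedData Type="http://www.w3.org/2001/04/xmlenc#Element">
    <xenc:CipherData><xenc:CipherValue>Q09OU1RSVUNURUQ=</xenc:CipherValue></xenc:CipherData>
  </xenc:EncryptedData>
</saml:EncryptedAssertion>"""


def locate_identity(xml_text, location, attribute_name=None):
    """Return the user identifier, or None when it is not where the setting says.

    location is "subject" (Identity is in the NameIdentifier element of the
    Subject statement) or "attribute" (Identity is in an Attribute element,
    matched on the Attribute Name configured in step 5).
    """
    root = ET.fromstring(xml_text)
    if root.tag == f"{{{NS['saml']}}}EncryptedAssertion":
        # Nothing can be read yet: decryption with the SP private key comes first.
        raise ValueError("assertion is encrypted; decrypt before locating the identity")
    if location == "subject":
        node = root.find("saml:Subject/saml:NameID", NS)
        return node.text.strip() if node is not None and node.text else None
    if location == "attribute":
        for attr in root.iterfind("saml:AttributeStatement/saml:Attribute", NS):
            if attr.get("Name") == attribute_name:
                value = attr.find("saml:AttributeValue", NS)
                return value.text.strip() if value is not None and value.text else None
        return None
    raise ValueError(f"unknown identity location: {location}")
```

A mismatch between the configured location and where the identity provider actually places the identifier yields None rather than a login, which is the failure mode step 4 asks you to rule out.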
          Salesforce Help | Article