Step 2: Create a SAML Single Sign-On Setting in Salesforce
For SAML configurations where your org or Experience Cloud site acts as a service provider, create a SAML single sign-on (SSO) setting with the information from your identity provider.
Required Editions
| | |
|---|---|
| Available in: | both Salesforce Classic and Lightning Experience |
| Federated Authentication is available in: | All Editions |
| Delegated Authentication is available in: | Professional, Enterprise, Performance, Unlimited, Developer, and Database.com Editions |
| Authentication Providers are available in: | Professional, Enterprise, Performance, Unlimited, and Developer Editions |

| User Permissions Needed | |
|---|---|
| To view the settings: | View Setup and Configuration |
| To edit the settings: | Customize Application AND Modify All Data |
Before you start, gather information from your identity provider.
- From Setup, in the Quick Find box, enter Single, and then select Single Sign-On Settings.
- If SAML isn’t enabled, turn it on.
- Click Edit.
- Select SAML Enabled.
The "Make Federation ID case-insensitive" setting is enabled by default when you enable SAML for the first time. It prevents you from creating separate users whose Federation IDs differ only in case, such as csmith and CSmith. Because some external identity providers don't handle case consistently, we recommend that you keep this setting enabled.
- Save the change.
- In SAML Single Sign-On Settings, click the appropriate button to create your configuration.
- New—specify all settings manually.
- New from Metadata File—import SAML 2.0 settings from an XML file provided by your identity provider. Salesforce uses the XML file to fill out as many settings as possible. If your XML file contains information for multiple configurations, Salesforce uses the first one.
- New from Metadata URL—import SAML 2.0 settings from a public URL that hosts an XML file. Salesforce reads the XML file and fills out as many settings as possible.
- Enter a name for your SSO setting so that you can reference it easily. If you add your identity provider to your My Domain or Experience Cloud login page, this name is shown to end users. We recommend giving the setting the same name as your identity provider. Salesforce automatically creates an API name based on the name that you enter. You can change the API name or leave it as is.
- For Issuer, enter the unique URL that identifies your identity provider. When your identity provider sends SAML assertions, each assertion includes a <saml:Issuer> element that identifies the identity provider. The issuer value that you enter here must match the value of the <saml:Issuer> element in the SAML assertion exactly.
- For Entity ID, enter a unique URL that specifies who the SAML assertion is intended for—the service provider. For most use cases, this value is a URL identifying your Salesforce instance, such as your My Domain. When your identity provider sends SAML assertions, the assertion includes one or more <saml:Audience> elements that identify valid service providers. The entity ID that you enter here must match one of the <saml:Audience> elements in the SAML assertion. This audience check is what stops an assertion that the identity provider issued for a different service provider from being accepted by your org.
- For Identity Provider Certificate, upload the authentication certificate issued by your identity provider. Salesforce uses it to verify the signature on incoming assertions.
- For Request Signing Certificate, select an option based on your configuration. The request
signing certificate generates the signature on a SAML request to the identity provider for a
service provider-initiated login.
- If you saved a certificate in your Certificate and Key Management settings, it appears as an option in the dropdown.
- If you haven’t saved a signing certificate, select Generate self-signed certificate.
For more information on adding and generating certificates, see Certificates and Keys in Salesforce Help.
- To determine the hashing algorithm for signed requests, for Request Signature Method, select either RSA-SHA1 or RSA-SHA256. Prefer RSA-SHA256; SHA-1 is deprecated for digital signatures and is only worth keeping for an identity provider that can't accept SHA-256.
For configurations created after Spring ’22, the Request Signature Method (RSM) that you select determines the digest algorithm. For example, if you select RSA-SHA256, your digest algorithm is automatically set to SHA256. For configurations created before Spring ’22, the digest algorithm is SHA1 by default. To set the digest algorithm to match the Request Signature Method, select Use digest algorithm based on Request Signature Method.
- If your identity provider encrypts SAML assertions, for Assertion Decryption Certificate, select the appropriate certificate saved in your Certificate and Key Management settings. Otherwise, select Assertion not encrypted. The Assertion Decryption Certificate is available only if your Salesforce instance supports multiple SSO configurations.
- For SAML Identity Type, select an option based on how your identity provider identifies
Salesforce users in SAML assertions.
- If your identity provider passes the user’s Salesforce username, select Assertion contains User’s Salesforce username.
- If your identity provider passes a user identifier for external Experience Cloud users, also known as customers and partners, select Assertion contains the Federation ID from the User object.
- If your identity provider passes a user identifier for internal users in your org, also known as employees, select Assertion contains the User ID from the User object.
- For SAML Identity Location, select an option based on where your identity provider stores the user’s identifier, meaning their Salesforce username or federationIdentifier, in SAML assertions.
- If the user’s identifier is in the <Subject> statement of the assertion, select Identity is in the NameIdentifier element of the Subject statement.
- If the user’s identifier is in an <AttributeValue> in the assertion’s <Attribute>, select Identity is in an Attribute element.
- If you selected Identity is in an Attribute element, fill out these fields.
- Attribute Name—Enter the value of the Name attribute (AttributeName) specified in the <Attribute> element in your identity provider’s SAML assertions. The value of this attribute carries the user identifier.
- Name ID Format—Enter the value of the nameid-format in your identity provider’s SAML assertions, such as unspecified, emailAddress, or persistent. For a list of all possible values, see the Name Identifier Format Identifiers section in the Assertions and Protocols SAML 2.0 specification.
- For Service Provider Initiated Request Binding, select the binding mechanism that your
identity provider requests for your SAML messages.
- HTTP POST—this binding method sends SAML messages using base64-encoded HTML forms.
- HTTP Redirect—this binding method sends base64-encoded and URL-encoded SAML messages with URL parameters.
- To customize where Salesforce sends a SAML request to start the login sequence, specify a URL in Identity Provider Login URL. The URL must start with the https:// prefix.
If the login URL isn’t available—for example, if your identity provider is down—you can direct users to the standard Salesforce login page as a backup. To use this option, append the login query string parameter to the URL, such as https://MyDomainName.my.salesforce.com?login.
- To direct the user to a specific URL when they log out of Salesforce, specify a URL for Custom Logout URL. If you don’t enter anything, the default value is https://salesforce.com.
- To direct the user to a custom page when there’s a login error, specify a URL for Custom Error URL. You must use a URL that is publicly accessible, such as a public site Visualforce page. The URL can be absolute or relative.
- Save your changes.
After you save the setting, Salesforce generates SAML endpoints for your org and any Experience Cloud sites. To continue your SAML SSO setup, share these endpoints with your identity provider.
To change your configuration so that your identity provider can encrypt SAML assertions, see Set Up an External Identity Provider to Encrypt SAML Assertions.
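The following script is an added example, not Salesforce code, that walks the same settings from the other side: it reads identity provider metadata the way "New from Metadata File" does (taking the first EntityDescriptor when the file has several, and filling Issuer, Identity Provider Certificate, Identity Provider Login URL, Service Provider Initiated Request Binding and Name ID Format), then applies the Issuer, Entity ID and SAML Identity Location checks to a SAML assertion. The metadata, the assertion, the idp.example.com and acme.my.salesforce.com URLs and the FederationIdentifier attribute name are all constructed for the example; which binding to prefer is this script's choice, not Salesforce's. XML signature and validity-window checks are deliberately left out, and an assertion must pass those against the Identity Provider Certificate before anything the script extracts can be trusted.

```python
"""Fill a Salesforce-style SAML SSO setting from IdP metadata, then apply the Issuer,
Entity ID and Identity Location checks to an assertion. Added example, not Salesforce code."""
import xml.etree.ElementTree as ET  # parse untrusted XML with defusedxml in production

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
BINDING_LABELS = {"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST": "HTTP POST",
                  "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect": "HTTP Redirect"}

# Constructed metadata for two hypothetical identity providers. Like "New from
# Metadata File", only the first EntityDescriptor is used.
IDP_METADATA = f"""<md:EntitiesDescriptor xmlns:md="{NS['md']}" xmlns:ds="{NS['ds']}">
  <md:EntityDescriptor entityID="https://idp.example.com/saml">
    <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
        <ds:X509Certificate>MIIBexampleCertBase64</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
      <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
      <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://idp.example.com/sso/redirect"/>
      <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://idp.example.com/sso/post"/>
    </md:IDPSSODescriptor>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://other-idp.example.net/saml"/>
</md:EntitiesDescriptor>"""

# Constructed assertion; the Federation ID attribute name is hypothetical.
ASSERTION = f"""<saml:Assertion xmlns:saml="{NS['saml']}" ID="_a1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
  <saml:Issuer>https://idp.example.com/saml</saml:Issuer>
  <saml:Subject><saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">csmith@example.com</saml:NameID></saml:Subject>
  <saml:Conditions><saml:AudienceRestriction><saml:Audience>https://acme.my.salesforce.com</saml:Audience></saml:AudienceRestriction></saml:Conditions>
  <saml:AttributeStatement><saml:Attribute Name="FederationIdentifier"><saml:AttributeValue>CSmith</saml:AttributeValue></saml:Attribute></saml:AttributeStatement>
</saml:Assertion>"""


def settings_from_metadata(xml_text, prefer=("HTTP-POST", "HTTP-Redirect")):
    """Return the setting fields that the metadata can fill (the others stay manual)."""
    root = ET.fromstring(xml_text)
    entity = root if root.tag.endswith("}EntityDescriptor") else root.find(".//md:EntityDescriptor", NS)
    idp = None if entity is None else entity.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("first EntityDescriptor has no IDPSSODescriptor")
    cert = None  # Identity Provider Certificate: base64 DER with whitespace removed
    for kd in idp.findall("md:KeyDescriptor", NS):
        node = kd.find("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
        if kd.get("use", "signing") == "signing" and node is not None and node.text:
            cert = "".join(node.text.split())
            break
    sso = {s.get("Binding"): s.get("Location") for s in idp.findall("md:SingleSignOnService", NS)}
    binding = next((b for p in prefer for b in sso if b.endswith(":" + p)), None)  # this example's preference
    login_url = sso.get(binding)
    if login_url is not None and not login_url.startswith("https://"):
        raise ValueError("Identity Provider Login URL must start with https://")
    return {"issuer": entity.get("entityID"),
            "identity_provider_certificate": cert,
            "identity_provider_login_url": login_url,
            "sp_initiated_request_binding": BINDING_LABELS.get(binding),
            "name_id_format": idp.findtext("md:NameIDFormat", default="", namespaces=NS).strip() or None}


def check_assertion(assertion_xml, settings, entity_id, identity_location="NameID", attribute_name=None):
    """(True, identifier) when Issuer and Audience match the setting, else (False, reason).
    Signature and validity-window checks are not shown: verify the XML signature against
    the Identity Provider Certificate before trusting anything below."""
    root = ET.fromstring(assertion_xml)
    issuer = root.findtext("saml:Issuer", default="", namespaces=NS).strip()
    if issuer != settings["issuer"]:
        return False, f"Issuer mismatch: {issuer!r}"
    audiences = [a.text.strip() for a in root.findall("saml:Conditions/saml:AudienceRestriction/saml:Audience", NS) if a.text]
    if entity_id not in audiences:  # an assertion minted for another service provider is rejected here
        return False, f"Entity ID {entity_id!r} not in Audience {audiences}"
    if identity_location == "NameID":  # "Identity is in the NameIdentifier element of the Subject statement"
        name_id = root.find("saml:Subject/saml:NameID", NS)
        if name_id is None or not name_id.text:
            return False, "no NameID in Subject"
        if settings.get("name_id_format") and name_id.get("Format") != settings["name_id_format"]:
            return False, f"NameID Format {name_id.get('Format')!r} differs from the metadata"
        return True, name_id.text.strip()
    for attr in root.findall("saml:AttributeStatement/saml:Attribute", NS):  # "Identity is in an Attribute element"
        if attr.get("Name") == attribute_name:
            value = attr.findtext("saml:AttributeValue", default="", namespaces=NS).strip()
            # casefold mirrors "Make Federation ID case-insensitive": CSmith and csmith are one user
            return (True, value.casefold()) if value else (False, "empty AttributeValue")
    return False, f"Attribute {attribute_name!r} not present"


if __name__ == "__main__":
    cfg = settings_from_metadata(IDP_METADATA)
    print(cfg)
    print(check_assertion(ASSERTION, cfg, "https://acme.my.salesforce.com"))
    print(check_assertion(ASSERTION, cfg, "https://acme.my.salesforce.com", "Attribute", "FederationIdentifier"))
    print(check_assertion(ASSERTION, cfg, "https://other.my.salesforce.com"))
```

Run it as-is and the last call fails on the Entity ID check even though the issuer and signature-bearing certificate are the right ones, which is the behaviour you want from the Entity ID field: the same identity provider may sign for many service providers, and only the assertion addressed to your My Domain should log anyone in. Swapping the Issuer in the setting for the second provider in the file makes the first check fail in the same way.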

