Set up and Integrate OKTA with Salesforce Identity
This guide serves as a general integration overview. For precise instructions, Salesforce advises consulting the most up-to-date integration documentation specific to your Identity Provider (IDP), such as Okta.
SSO support for B2C Commerce is delivered through core-licensed products and requires three connections:
- Account Manager
- Salesforce Platform
- OKTA
Step 1: Follow the OKTA documentation to enable Salesforce SSO and Salesforce user provisioning from OKTA.
The OKTA documentation covers configuring SAML 2.0 for Salesforce (see Configuring SAML) and includes related guides: How to Configure SP-Initiated SAML between Salesforce and Okta and, optionally, How to Configure Delegated Authentication in Salesforce.
Step 2: To allow authenticated users to flow from OKTA to Salesforce, configure Salesforce as the Service Provider.
SAML is an open-standard authentication protocol that Salesforce uses for SSO into a Salesforce org from a third-party identity provider. You can also use SAML to automatically create user accounts with Just-in-Time (JIT) user provisioning.
When you configure Salesforce as the service provider using SAML, authenticated users can flow from a third-party identity provider into Salesforce.
SAML allows your identity provider to exchange user information with Salesforce. When a user tries to log in, your identity provider sends SAML assertions containing facts about the user to Salesforce. Salesforce receives the assertion, validates it against your Salesforce configuration, and allows the user to access your org.
If your users can’t log in, review the SAML login history to determine why. Use the SAML Assertion Validator to troubleshoot errors in the SAML assertion.
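The checks described above (issuer, audience, recipient, validity window, subject) are what an assertion is compared against before a login is accepted. The following Python example is added here to illustrate that comparison; it is not Salesforce's code nor the SAML Assertion Validator itself, the configuration values and the sample assertion are constructed, and XML signature verification is deliberately left out of scope:

```python
import datetime as dt
import xml.etree.ElementTree as ET
NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
# Constructed values standing in for what an admin enters on the Salesforce
# Single Sign-On Settings page (IdP Issuer, Entity ID, Recipient/login URL).
SP_CONFIG = {"issuer": "http://www.okta.com/exampleIdpId",
             "entity_id": "https://saml.salesforce.com",
             "recipient": "https://example.my.salesforce.com?so=00Dxx0000000000",
             "clock_skew_seconds": 180}
# Constructed sample assertion (not real Okta output), valid around 2024-05-01T12:00Z.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_c1" Version="2.0" IssueInstant="2024-05-01T12:00:00Z">
 <saml:Issuer>http://www.okta.com/exampleIdpId</saml:Issuer>
 <saml:Subject><saml:NameID>jdoe@example.com</saml:NameID>
  <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
   <saml:SubjectConfirmationData Recipient="https://example.my.salesforce.com?so=00Dxx0000000000" NotOnOrAfter="2024-05-01T12:05:00Z"/>
  </saml:SubjectConfirmation></saml:Subject>
 <saml:Conditions NotBefore="2024-05-01T11:55:00Z" NotOnOrAfter="2024-05-01T12:05:00Z">
  <saml:AudienceRestriction><saml:Audience>https://saml.salesforce.com</saml:Audience></saml:AudienceRestriction>
 </saml:Conditions></saml:Assertion>"""

def _utc(ts):  # SAML timestamps are UTC, e.g. 2024-05-01T12:00:00Z
    return dt.datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=dt.timezone.utc)

def check_assertion(xml_text, config, now):
    """Return the list of mismatches between an assertion and the SP configuration.
    The XML signature must be verified first in production; that step is omitted here."""
    now = _utc(now) if isinstance(now, str) else now
    skew = dt.timedelta(seconds=config["clock_skew_seconds"])
    errors = []
    root = ET.fromstring(xml_text)
    a = root if root.tag.endswith("}Assertion") else root.find(".//saml:Assertion", NS)
    if a is None:
        return ["no <saml:Assertion> element found"]
    if a.findtext("saml:Issuer", default="", namespaces=NS).strip() != config["issuer"]:
        errors.append("Issuer does not match the configured IdP Issuer")
    if a.findtext(".//saml:Audience", default="", namespaces=NS).strip() != config["entity_id"]:
        errors.append("Audience does not match the Salesforce Entity ID")
    scd = a.find(".//saml:SubjectConfirmationData", NS)
    if scd is None or scd.get("Recipient") != config["recipient"]:
        errors.append("Recipient does not match the Salesforce login URL")
    if not a.findtext(".//saml:Subject/saml:NameID", default="", namespaces=NS).strip():
        errors.append("missing NameID, so no user can be matched or JIT-provisioned")
    cond = a.find("saml:Conditions", NS)
    nb, na = (cond.get("NotBefore"), cond.get("NotOnOrAfter")) if cond is not None else (None, None)
    if nb and now + skew < _utc(nb):
        errors.append("assertion not yet valid (NotBefore is in the future)")
    if na and now - skew >= _utc(na):
        errors.append("assertion expired (NotOnOrAfter has passed)")
    return errors
```

Each returned message maps to one setting on the Single Sign-On Settings page, which is the same split the login history makes between assertion errors and configuration errors.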
Configuration Help
To configure SSO into your org, establish a SAML identity provider and follow these general steps.
- Gather Information from Your Identity Provider: Before you configure SAML settings for SSO into Salesforce, work with your identity provider to gather SAML information and assertion parameters.
- Customize SAML Start, Login, Logout, and Error Pages: When you configure SAML single sign-on into Salesforce, you define URLs for the pages users see throughout the SSO flow. Your identity provider can provide the URLs for the start, login, and logout pages, or you can provide your own URLs for these pages. You can also specify a custom error page.
- Configure Salesforce as the Service Provider with SAML Single Sign-On: Configure Salesforce as a service provider with SAML single sign-on.
- View and Edit Single Sign-On Settings: After you configure your Salesforce org to use SAML, you can manage the SAML configuration from the Single Sign-On Settings page.
- Review the Login History: When users fail to log in to your org with SSO, search the login history to find out why. For example, see whether a login failure is related to the SAML assertion or to your Salesforce configuration.
- Troubleshoot SAML Assertion Errors: Use the SAML Assertion Validator to troubleshoot SSO login problems and identify errors in SAML assertions sent by your identity provider.
- SAML Login Errors: If users have trouble accessing your org with SSO, use the login history to determine whether it’s a SAML assertion error or a configuration problem. If it’s an assertion-related error, identify specific assertion problems with the SAML Assertion Validator. Work with your identity provider to make sure that both the SAML assertion and your SSO configuration are valid.
- Configure SSO to Salesforce Using Microsoft AD FS as the Identity Provider: Let your users log in from a Microsoft environment to a Salesforce org using Microsoft Active Directory Federation Services (AD FS) 2.0. Microsoft AD FS functions as the identity provider for single sign-on authentication.
- Just-in-Time Provisioning for SAML: Use JIT provisioning to automatically create a user account in your Salesforce org the first time a user logs in with SSO. JIT provisioning can reduce your workload and save time. It also automatically applies your corporate network’s password policies to your org, potentially increasing security.

