          Set Up Single Sign-On for Salesforce Spiff


          Support a more efficient experience for users who log in to Salesforce Spiff by setting up SAML single sign-on (SSO) with an identity provider, including Google, Okta, and Microsoft Azure Active Directory. Configure settings in your identity provider and in Spiff.

          Required Editions

          Available in: both Salesforce Classic (not available in all orgs) and Lightning Experience
          Available in: Enterprise, Unlimited, and Developer Editions
          Available for an additional cost in: Professional Edition with Web Services API Enabled
          User Permissions Needed
          To manage SSO settings in Spiff:

          A Spiff user role with this permission turned on.

          SSO Settings: Manage

          Review Identity Provider Requirements

          Review these important requirements for the identity provider that you select.

          • Spiff is compatible with multiple identity providers that support the SAML 2.0 standard. The steps for setting up Google Workspace, Okta, or Microsoft Entra ID (Azure Active Directory) are available for your convenience, but Salesforce Customer Support can't advise or assist with setting up any identity provider.
          • When you set up your identity provider, verify that the app signature uses the SHA-256 secure hash algorithm. Spiff doesn’t support the SHA-1 algorithm for SAML SSO.
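One way to confirm the SHA-256 requirement above during a test login, as an added example that is not Salesforce or Spiff code: the script reads the base64 `SAMLResponse` value that the identity provider posts to the ACS URL and reports every declared signature and digest algorithm. The function names and the sample response are constructed for illustration.

```python
import base64
import xml.etree.ElementTree as ET

DS = "{http://www.w3.org/2000/09/xmldsig#}"
SHA256 = {
    "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256",
    "http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha256",
    "http://www.w3.org/2001/04/xmlenc#sha256",
}
SHA1 = {
    "http://www.w3.org/2000/09/xmldsig#rsa-sha1",
    "http://www.w3.org/2000/09/xmldsig#dsa-sha1",
    "http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha1",
    "http://www.w3.org/2000/09/xmldsig#sha1",
}

def audit_signature_algorithms(saml_response_b64):
    """Return (element, algorithm URI, verdict) for each signature/digest method."""
    # The SAMLResponse form field of the HTTP-POST binding is base64-encoded XML.
    root = ET.fromstring(base64.b64decode(saml_response_b64))
    findings = []
    for tag in ("SignatureMethod", "DigestMethod"):
        for el in root.iter(DS + tag):
            uri = el.get("Algorithm", "")
            verdict = "sha256" if uri in SHA256 else "sha1" if uri in SHA1 else "other"
            findings.append((tag, uri, verdict))
    return findings

def uses_only_sha256(saml_response_b64):
    findings = audit_signature_algorithms(saml_response_b64)
    # An unsigned response yields no findings and must not pass.
    return bool(findings) and all(v == "sha256" for _, _, v in findings)

def constructed_response(sig_alg, digest_alg):
    """Constructed sample: a skeleton signed Response, base64-encoded."""
    xml = f"""<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
      xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:Signature><ds:SignedInfo>
      <ds:SignatureMethod Algorithm="{sig_alg}"/>
      <ds:Reference URI="#_constructed"><ds:DigestMethod Algorithm="{digest_alg}"/>
      </ds:Reference></ds:SignedInfo></ds:Signature></samlp:Response>"""
    return base64.b64encode(xml.encode()).decode()

if __name__ == "__main__":
    weak = constructed_response("http://www.w3.org/2000/09/xmldsig#rsa-sha1",
                                "http://www.w3.org/2001/04/xmlenc#sha256")
    for finding in audit_signature_algorithms(weak):
        print(finding)
    print("SHA-256 only:", uses_only_sha256(weak))
```

The script inspects only the declared algorithms; it does not validate the signature itself.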

          Option 1: Set Up Google Workspace as an Identity Provider

          Follow the steps in Set up your own custom SAML app in Google Workspace Admin Help.

          1. On the App details step, enter Spiff for the name.
          2. On the Google Identity Provider details step, choose Download IdP metadata.
            This XML file contains the identity provider details that you need for completing setup in Spiff.
          3. On the Service provider details step, enter an ACS URL, depending on your region.
            • If you’re in the US, enter https://us1.spiff.com/api/v1/saml_consume
            • If you’re in the EU, enter https://eu1.spiff.com/api/v1/saml_consume
          4. On the Service provider details step, enter an Entity ID, depending on your region.
            • If you’re in the US, enter https://us1.spiff.com/api/v1/saml_metadata
            • If you’re in the EU, enter https://eu1.spiff.com/api/v1/saml_metadata
          5. On the Service provider details step, enter a Start URL, depending on your region.
            • If you’re in the US, enter https://us1.spiff.com/api/v1/saml_init
            • If you’re in the EU, enter https://eu1.spiff.com/api/v1/saml_init
          6. On the Attribute mapping step, don't modify any values.
          7. Click Finish.
          Note: If your company requires signed requests and responses, contact Salesforce Customer Support.

          Next, complete the setup in Spiff. See Configure SSO Settings in Spiff.

          Option 2: Set Up Okta as an Identity Provider

          Follow the steps in Create SAML app integrations in Okta Docs.

          1. On the General Settings step, enter Spiff for the App name.
          2. On the Configure SAML step, enter a single sign-on URL, depending on your region.
            • If you’re in the US, enter https://us1.spiff.com/api/v1/saml_consume
            • If you’re in the EU, enter https://eu1.spiff.com/api/v1/saml_consume
          3. On the Configure SAML step, enter an Audience URI (SP Entity ID), depending on your region.
            • If you’re in the US, enter https://us1.spiff.com/api/v1/saml_metadata
            • If you’re in the EU, enter https://eu1.spiff.com/api/v1/saml_metadata
          4. On the Configure SAML step, for Application username format, select Email.
          5. On the Feedback step, select I'm an Okta customer adding an internal app.
          6. Click Finish.
          7. In Applications, go to the Spiff app, go to Sign on methods, click View IdP metadata, and save the page as an XML file.
            This XML file contains the identity provider details that you need for completing setup in Spiff.

          Next, complete the setup in Spiff. See Configure SSO Settings in Spiff.

          Option 3: Set Up Microsoft Entra ID (Azure Active Directory) as an Identity Provider

          Follow the steps in Enable single sign-on for an enterprise application with a relying party STS in Microsoft Entra documentation.

          1. In the Basic SAML Configuration section, enter an Identifier (Entity ID), depending on your region.
            • If you’re in the US, enter https://us1.spiff.com/api/v1/saml_metadata
            • If you’re in the EU, enter https://eu1.spiff.com/api/v1/saml_metadata
          2. In the Basic SAML Configuration section, enter a Reply URL (Assertion Consumer Service URL), depending on your region.
            • If you’re in the US, enter https://us1.spiff.com/api/v1/saml_consume
            • If you’re in the EU, enter https://eu1.spiff.com/api/v1/saml_consume
          3. In the Attributes & Claims section, update the required claim.
            1. Select the row Unique User Identifier (Name ID).
            2. In the Manage claim window, enter user.mail for Source attribute.
            3. Save your changes.
          4. In the SAML Certificates section, download Federation Metadata XML.
            This XML file contains the identity provider details that you need for completing setup in Spiff.

          Next, complete the setup in Spiff. See Configure SSO Settings in Spiff.

          Configure SSO Settings in Spiff

          1. From the Admin menu, select Settings, and then click Security.
          2. For SSO Email Domains, enter a domain for the email addresses that must use SSO to log in.
            For example, to require users with email addresses that end with company.com to log in with SSO, enter company.com.
            Users with email addresses for other domains must log in with a Spiff username and password.
          3. For SAML Settings, click Upload and select the XML file that you downloaded from Google Workspace, Okta, or Microsoft Entra ID (Azure Active Directory).
            Important: If the XML file that you downloaded from the identity provider doesn't specify a redirect URL but includes a POST URL, Spiff uses the POST URL as the redirect URL. Spiff doesn't support POST authentication directly.
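A pre-upload check of the metadata file against the redirect/POST behaviour described in the note above, as an added example that is not Salesforce or Spiff code: it lists the `SingleSignOnService` endpoints in the IdP metadata and reports which URL would be used for redirects and whether the POST fallback applies. The function names are hypothetical and `idp.example.com` is a constructed placeholder.

```python
import xml.etree.ElementTree as ET

MD = "{urn:oasis:names:tc:SAML:2.0:metadata}"
REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

def sso_endpoints(metadata_xml):
    """Map each SingleSignOnService binding URI to its Location."""
    root = ET.fromstring(metadata_xml)
    endpoints = {}
    for svc in root.iter(MD + "SingleSignOnService"):
        # Keep the first endpoint listed for each binding.
        endpoints.setdefault(svc.get("Binding"), svc.get("Location", ""))
    return endpoints

def preflight(metadata_xml):
    """Return (redirect_url, warnings), modelling the fallback the note describes."""
    eps = sso_endpoints(metadata_xml)
    warnings = []
    if REDIRECT in eps:
        url = eps[REDIRECT]
    elif POST in eps:
        url = eps[POST]
        warnings.append("no HTTP-Redirect endpoint; POST URL will be used as the redirect URL")
    else:
        return None, ["no usable SingleSignOnService endpoint in metadata"]
    if not url.lower().startswith("https://"):
        warnings.append("SSO endpoint is not HTTPS")
    return url, warnings

def constructed_metadata(*services):
    """Constructed sample metadata; idp.example.com is a placeholder IdP."""
    body = "".join(f'<md:SingleSignOnService Binding="{b}" Location="{loc}"/>'
                   for b, loc in services)
    return ('<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" '
            'entityID="https://idp.example.com/metadata"><md:IDPSSODescriptor '
            'protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">'
            f'{body}</md:IDPSSODescriptor></md:EntityDescriptor>')

if __name__ == "__main__":
    post_only = constructed_metadata((POST, "https://idp.example.com/sso/post"))
    print(preflight(post_only))
```

If the fallback warning appears, confirm with the identity provider that its POST URL also accepts redirect-binding requests before requiring SSO for a domain.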

          After you configure SSO settings successfully, the current authentication mode changes to SSO.

          Users with the email domain that you specified must log in with SSO.

          Log in to Spiff with SSO.
           