Login  
Hello there!

Need Help? We are right here!

Support Icon
miniOrange Email Support
success

Thanks for your Enquiry. Our team will soon reach out to you.

If you don't hear from us within 24 hours, please feel free to send a follow-up email to info@xecurify.com

Search Results:

×

Configure Salesforce SAML Single Sign-On (SSO)

Streamline the configuration of Salesforce SSO with this comprehensive setup guide provided by miniOrange. Our SAML Single Sign-On (SSO) solution enables seamless login to Salesforce Channels and various applications using a unified set of credentials. By enabling SSO for Salesforce, users can securely access Salesforce with just one click, eliminating the need to re-enter their username and password. Simplify your Salesforce authentication process and enhance security with miniOrange's user-friendly SSO solution.

With miniOrange Salesforce SSO, you can:

  • Enable your users to automatically login to Salesforce
  • Have centralized and easy access control of the users
  • Connect easily with any external identity source like Microsoft Entra ID, Azure Active Directory, ADFS, Cognito, etc

Get Free Installation Help


miniOrange offers free help through a consultation call with our System Engineers to Install or Setup Salesforce SSO solution in your environment with 30-day free trial.

For this, you need to just send us an email at idpsupport@xecurify.com to book a slot and we'll help you in no time.



Supported SSO Features

miniOrange-Salesforce SAML integration supports the following features:

  • SP Initiated SSO Login: Users can access their Salesforce account via a URL or bookmark. They will automatically be redirected to the miniOrange portal for log in. Once they've signed on, they'll be automatically redirected and logged into Salesforce.
  • IdP Initiated SSO Login: Users need to log in to the miniOrange first , and then click on the Salesforce icon on the applications dashboard to access Salesforce.(If you have set up any more Identity Sources, you will log in to that platform).
  • JIT Provisioning: Enables the automatic creation of user accounts in Salesforce when a person logs in for the first time via Desktop SSO, IDP, or Active Directory (AD) authentication.
  • Single Logout: With this feature, you will be automatically logged out of all the Salesforce applications that are connected with Identity provider (IdP) when you log out from Salesforce org or any other app.
  • Mandate users to Login using SSO: Single Sign-on can make it mandatory for all Salesforce users to log in using SSO. This will prevent any person from logging win using any other source and bypassing the login system. No person will be able to have direct login making it a streamline and secure process.

Connect with External Source of Users


miniOrange provides user authentication from various external sources, which can be Directories (like ADFS, Microsoft Active Directory, OpenLDAP, AWS etc), Identity Providers (like Microsoft Entra ID, Okta, AWS), and many more. You can configure your existing directory/user store or add users in miniOrange.



Prerequisites

  • The following Subscription plans are required for the mentioned authentication methods:
    1. Federated Authentication: All Editions
    2. Delegated Authentication Professional, Enterprise, Performance, Unlimited, Developer, and How you integrate Editions.
    3. Authentication Providers: Professional, Enterprise, Performance, Unlimited, and Developer Editions.
  • Note - In order to do SP initiated SSO into Salesforce, you need to create a custom Domain. Check this link - Salesforce domain changes and follow the below steps:

  • Login to your Salesforce account.
  • Click on the Setup icon in the top-right section of the Salesforce lightening dashboard page.
    • Salesforce SSO : Salesforce Admin Dashboard- Setup

  • Now in the search field, search for the My Domain Settings.
  • Choose your domain name, check for availability and if available, proceed by saving the settings.
    • Salesforce SSO : Register domain

  • Search for Company Information in the search bar.
  • Copy the Organization Id. (This will be required later)
    • Salesforce SSO : copy organization id

  • Salesforce Metadata: After you have set up the SSO settings in Salesforce Admin Dashboard, you will get the Salesforce Metadata File. Click Download Metadata to download an XML file of your SAML configuration settings to send to your identity provider. The identity provider can then upload these configuration settings to connect to your Experience Cloud site.
    • Salesforce SSO : Download Salesforce Metadata

  • Login to your Salesforce account.
  • Go to Setup in the top-right section of the Salesforce classic dashboard page.
    • Salesforce Single Sign-On (sso)

  • Now in the left pane, select Domain Management.
  • Select My Domain.
  • Choose your domain name, check for availability and if available, proceed by clicking the Register Domain button.
    • Salesforce Single Sign-On (sso) Register domain

  • Test your domain once it is ready, by clicking the link and then click Deploy to Users.
  • Search for Company Information in the search bar.
  • Copy Organization Id. (This will be required later)
    • Salesforce Single Sign-On (sso) copy organization id

Follow the step-by-step guide given below for Salesforce Single Sign-On (SSO)

1. Configure Salesforce in miniOrange

  • Login into miniOrange Admin Console.
  • Go to Apps and click on Add Application button.
    • Salesforce Single Sign-On (SSO) add app

  • In Choose Application, select SAML/WS-FED from the application type dropdown.
    • Salesforce Single Sign-On (SSO) choose app type

  • Search for Salesforce in the list, if you don't find Salesforce in the list then, search for custom and you can set up your application in Custom SAML App.
    • Salesforce Single Sign-On (SSO) manage apps

  • Enter the following values in the respective fields.
    1. Application Name : Salesforce
    2. SP Entity ID or Issuer : https://[yourdomain].my.salesforce.com/
    3. ACS URL : https://[yourdomain].my.salesforce.com/?so=[organization_id]
    4. Single Logout URL : https://[yourdomain].my.salesforce.com
    5. Sign Response : ON
    Salesforce SSO (Single Sign-On) add IdP basic settings

  • Click Next. Now, in the Attribute Mapping, Click on Add Attribute and enter the attribute names with their values as shown below.

    (Follow the steps given here to find out Salesforce profileId.)

    • Salesforce SSO save configuration

  • Click on Save.
  • Your application is saved successfully. Now click on the icon ' ' in Actions against your newly created application. Go to Metadata.
    • Salesforce SSO (Single Sign-On) Select Metadata for SAML

  • On the View IDP Metadata page, click on Show Metadata Details and choose either of the two Metadata options :
    • If you want to use miniOrange as User-Store i.e., your employee identities will be stored in miniOrange then download the metadata file under the heading 'INFORMATION REQUIRED TO SET MINIORANGE AS IDP'.
    • If you want to authenticate your employees via any external Identity Provider (IDP) like Active Directory, Okta, OneLogin, Google, Apple ID, etc then download the Metadata file under the heading 'INFORMATION REQUIRED TO AUTHENTICATE VIA EXTERNAL IDPS'.
    Salesforce SSO (Single Sign-On) View IdP metadata

  • Keep SAML Login URL, SAML Logout URL, IdP Entity ID or Issuer and click on the Download Certificate button to download the certificate which you will require in Step 2.
    • Configure Salesforce SSO : Select Metadata details external IDP or miniOrange as IDP



2. Configure SSO in Salesforce Admin Account


  • Log in to your Salesforce account as Account Admin.
  • Click the gear icon, then navigate to Setup > Identity > Single Sign-On Settings.
    • Salesforce SSO: setup salesforce as sp-lightning

  • Log in to your Salesforce account as Account Admin.
  • Navigate to Setup > Security Controls > Single Sign-On Settings.
    • Salesforce SSO: setup salesforce as sp-classic

  • On the Single Sign-On Settings page, click on Edit.

    • SSO settings salesforce as sp-sso settings

  • Check the SAML Enabled box to enable the use of SAML Single-Sign On, then click on Save.

    • SSO settings salesforce- enable saml salesforce as sp

  • Click New to open SAML Single Sign-On Settings.

    • SSO Salesforce as sp

  • Enter the following values in the respective fields.
    1. Issuer : IDP Entity ID/Issuer in miniorange metadata
    2. Entity ID : https://[yourdomain].my.salesforce.com
    3. Identity Provider Certificate : Upload Certificate from miniOrange metadata
    4. Request Signature method : RSA-SHA256
    5. Assertion Decryption Certificate : Not encrypted
    6. SAML Identity Type : Assertion contains the User's Salesforce username
    7. SAML Identity Location : Identity is in the NameIdentifier element of the Subject statement
    8. Service Provider Initiated Request Binding : HTTP Redirect
    9. Identity Provider Login URL : SAML Login URL in miniOrange metadata
    10. Custom Logout URL : https://[yourdomain].my.salesforce.com
  • Click on Save.

    • Salesforce SSO: enter info sso salesforce as sp

  • Copy your Login URL value.

    • Salesforce SSO: copy login url salesforce as sp

  • If you want to enable "Login with SSO" button on the Salesforce Lightning login page, you can follow the steps below :
    • login Salesforce as an Admin > Setup.
    • Navigate to "My Domain".
    • Go to Authentication Configuration > Edit.
      • Salesforce SSO : Authentication Configuration

    • Choose the IDP that you have configured > Save.
    • Relogin to your Salesforce, you should be able to see the option on the login page.

3. Test SSO Configuration

Test SSO login to your Salesforce account with miniOrange IdP:

    Using SP Initiated Login

    • Go to your Salesforce URL, here you will be either asked to enter the username or click on the SSO link which will redirect you to miniOrange IdP Sign On Page.
      • Salesforce Single Sign-On (SSO) login

    • Enter your miniOrange login credential and click on Login. You will be automatically logged in to your Salesforce account.

    Using IDP Initiated Login

    • Login to miniOrange IdP using your credentials.
      • Salesforce Single Sign-On (SSO)

    • On the Dashboard, click on Salesforce application which you have added, to verify SSO configuration.
      • Salesforce Single Sign-On (SSO) verify configuration


    Not able to configure or test SSO?


    Contact us or email us at idpsupport@xecurify.com and we'll help you setting it up in no time.



Troubleshooting

How to identify errors in SAML assertions sent by your IDP?

  • Use the SAML Assertion Validator to troubleshoot single sign-on (SSO) login problems and identify errors in SAML assertions sent by your identity provider. Click on this link know more about the error identification in SAML Assertions.

How can I trace and export the SAML tracer logs?

  • Install SAML Tracer on your preferred browser:

    For Firefox: Add SAML tracer Add-On from the Firefox marketplace.

    For Chrome / Edge or Chromium-based browsers: Install the SAML tracer extension from Chrome Webstore.

  • Steps to Capture logs:
    • Make sure the SAML Tracer window is opened before you start the SSO flow. (You can open it by clicking the SAML Tracer icon in your extensions list in the browser toolbar.)
    • Run the SSO flow to reproduce the issue. You will see SAML Tracer getting populated with all the URLs.
    • Hit Pause on SAML Tracer, once the issue is reproduced to avoid extra logs.
    • You will have something similar to the below pic in the SAML tracer.
      • Salesforce SSO reproduced issue

  • Steps to export logs:
    • To export logs, click the export option on the top of the SAML Tracer. (Refer to screenshot below).
      • Salesforce SSO tracer export option

    • You will be prompted with the Export SAML trace preferences window, select the None field, and then click on the Export option. (This option will allow keeping values in the original state which is required to further investigate the issue.)
      • Salesforce SSO preference window

    • Click Export. This will download a JSON file on your system.
    • Send the log file to the developer you are in touch with or at idpsupport@xecurify.com. Also, please attach an error screenshot. This would help us debug the issue.
    • If you are still not able to get the logs, feel free to let us know.

External References

Want To Schedule A Demo?

Request a Demo
  



Our Other Identity & Access Management Products

Single Sign-On

Seamless login for workforce and customer identity to cloud or on-premise apps

Learn more

Multi-factor Authentication

Secure access for identities with an additional layer of authentication

Learn more

Adaptive Authentication

Block or grant user access based on IP, Device, Time & Location

Learn more

Lifecycle Management

Manage & automate user provisioning and deprovisioning to apps

Learn More