Today we are going to talk about Salesforce Single Sign-On and Salesforce SAML.
First, a few definitions.
Single Sign-On (SSO)
It is a mechanism that lets a user access several related applications with a single set of credentials (login and password), e.g. one Google Account login gives access to Gmail, YouTube, Drive, etc.
Security Assertion Markup Language (SAML)
“is an XML-based protocol that uses security tokens containing assertions to pass information about a principal (usually an end user) between a SAML authority, named an Identity Provider, and a SAML consumer named a Service Provider”
Identity Provider (IdP)
“is a system entity that creates, maintains, and manages identity information for principals while providing authentication services to relying applications within a federation or distributed network”
Service Provider (SP)
“is a system entity that receives and accepts authentication assertions in conjunction with a single sign-on (SSO) profile of the Security Assertion Markup Language (SAML)” 
Why should we use SAML?
– No need for multiple sets of authentication credentials (logins, passwords)
– Better security: fewer passwords in circulation means fewer opportunities for phishing (the IdP account does become the single point to protect, so secure it accordingly)
– Easier access to applications
– Lower administration cost: no need to maintain multiple sets of credentials
– Better user experience (click the link and you are in)
1. Set a custom domain (IdP org and SP org)
Setup > My Domain
Register a new domain. Provisioning can take some time.
2. Set up Identity Provider (IdP org)
- Setup > Identity Provider > Enable Identity Provider
- Create a new certificate or select the default one.
- Download the certificate for later use, and copy and save the Issuer URL. The SP org needs both.
3. Create a Connected App (IdP org)
- Setup > App Manager > New Connected App
- Set the Connected App Name and Contact Email, and check Enable SAML
– Start URL – the page to open after login. The SP org's main page URL is fine.
– Entity Id – must match the Entity ID the SP org uses; for a Salesforce SP org the default is https://saml.salesforce.com
– ACS URL – the Assertion Consumer Service URL, provided by the SP. It is not known yet, so I am temporarily using the placeholder https://www.google.com and replacing it later.
– Subject Type – [Username, Federation ID, User ID, Custom Attribute, Persistent ID].
“Indicates whether the service provider (SP) requires the user’s name, a federation ID (an ID internal to the SP), a user ID (an ID external to the SP), the value of a custom field on the user or a persistent ID. Ask your SP which one they require.”.
In this tutorial I used Federation ID as the SAML Identity Type.
– Name ID Format – urn:oasis:names:tc:SAML:2.0:nameid-format:persistent
– Issuer – the Issuer URL saved from the Identity Provider setup (IdP – step 2)
- Click the Manage button and, in the Profiles section, add the profiles that should have access to the Connected App (I used System Administrator).
4. Configure Service Provider (SP org)
- Setup > Single Sign-On Settings > Edit > check SAML Enabled
- SAML Single Sign-On Settings section > New
- Fill in Name and API Name
– Issuer – the Issuer URL from the Identity Provider (IdP) setup, step 2. Copy and paste it; the SP compares it character for character with the Issuer in each assertion.
– Entity ID – for a Salesforce SP org: https://saml.salesforce.com (the same value entered in the Connected App)
– Identity Provider Certificate – the certificate downloaded from the Identity Provider (IdP) in step 2. The SP uses it to verify the signature on incoming assertions, so it must be the certificate the IdP actually signs with.
– SAML Identity Type – I chose Federation ID. It is up to you and your requirements, but it must match the Subject Type selected in the Connected App.
– Identity Provider Login URL – the URL provided by our Connected App (Setup > App Manager > My Specific App > Manage > SAML Login Information section > IdP-Initiated Login URL)
- After Save, the Endpoints section shows a Login URL. Copy it and paste it as the ACS URL in your Connected App (IdP org), replacing the placeholder.
5. Enable the new authentication method (SP org)
- Setup > My Domain > Authentication Configuration > Edit
- Enable Another Salesforce Org (this is the name given to the SAML Single Sign-On Setting in step 4)
6. Set the Federation ID (IdP org and SP org)
- Go to Setup > Users > select your user > Edit
- Find the Federation ID field and set an ID. It is case sensitive and must be identical in both orgs.
- Do this in both the IdP and the SP environment.
- Log out of your SP environment.
- On the login page you should now see the new authentication method.
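To see why each value in steps 2 to 6 has to match exactly, here is the SP side of the exchange written out: an added illustration, not part of the original article and not Salesforce's code. It checks a SAML Response against the Issuer, Entity ID, ACS URL and NameID format entered in the SP org's SAML Single Sign-On Setting, then maps the NameID onto a user by Federation ID. The issuer, ACS URL, Federation ID and user table are assumed values, and the Response is a constructed, unsigned sample. XML signature verification with the IdP certificate is deliberately left out (it needs an XML-DSig library such as python-xmlsec); a real SP verifies the signature before trusting any of these fields.

```python
"""SP-side checks on a SAML 2.0 Response, against the values entered in the SP
org's SAML Single Sign-On Setting, followed by the Federation ID lookup.
Added illustration, not Salesforce's code: issuer, ACS URL and Federation IDs
are assumed, and the Response is a constructed sample. Signature verification
is omitted here; a real SP must do it with the IdP certificate first."""
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"

# What the SP org was configured with in step 4 (assumed values).
SP_CONFIG = {
    "issuer": "https://idp-org.my.salesforce.com",                     # from IdP org, step 2
    "entity_id": "https://saml.salesforce.com",                        # SP Entity ID
    "acs_url": "https://sp-org.my.salesforce.com?so=00D000000000001",  # SP Login URL
    "nameid_format": PERSISTENT,
}

# Constructed, unsigned sample of what the IdP POSTs to the ACS URL.
SAMPLE_RESPONSE = f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
  ID="_r1" Version="2.0" IssueInstant="2024-01-01T12:00:00Z" Destination="{SP_CONFIG['acs_url']}">
  <saml:Issuer>{SP_CONFIG['issuer']}</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="{SUCCESS}"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-01-01T12:00:00Z">
    <saml:Issuer>{SP_CONFIG['issuer']}</saml:Issuer>
    <saml:Subject>
      <saml:NameID Format="{PERSISTENT}">jdoe-fed-001</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData Recipient="{SP_CONFIG['acs_url']}" NotOnOrAfter="2024-01-01T12:05:00Z"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions NotBefore="2024-01-01T11:59:00Z" NotOnOrAfter="2024-01-01T12:05:00Z">
      <saml:AudienceRestriction><saml:Audience>{SP_CONFIG['entity_id']}</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""

# Constructed SP-org user table: User.FederationIdentifier -> username.
SP_USERS = {"jdoe-fed-001": "jdoe@sp-org.example"}


def _utc(stamp):
    """Parse a SAML UTC timestamp such as 2024-01-01T12:00:00Z."""
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def validate_response(xml_text, config, now):
    """Return (federation_id, errors); federation_id is None unless errors is empty."""
    errors = []
    root = ET.fromstring(xml_text)
    status = root.find("samlp:Status/samlp:StatusCode", NS)
    if status is None or status.get("Value") != SUCCESS:
        errors.append("status is not Success")
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return None, errors + ["no Assertion element"]
    # Issuer must be exactly the value copied from the IdP org.
    for el in (root.find("saml:Issuer", NS), assertion.find("saml:Issuer", NS)):
        if el is None or (el.text or "").strip() != config["issuer"]:
            errors.append("Issuer does not match the configured IdP issuer")
            break
    # The assertion must be addressed to this SP's Entity ID ...
    audiences = [a.text for a in assertion.findall(
        "saml:Conditions/saml:AudienceRestriction/saml:Audience", NS)]
    if config["entity_id"] not in audiences:
        errors.append("Audience does not contain the SP Entity ID")
    # ... delivered to its ACS URL, and used only inside the validity window.
    scd = assertion.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd is None or scd.get("Recipient") != config["acs_url"]:
        errors.append("Recipient does not match the ACS URL")
    elif scd.get("NotOnOrAfter") and now >= _utc(scd.get("NotOnOrAfter")):
        errors.append("SubjectConfirmationData has expired")
    cond = assertion.find("saml:Conditions", NS)
    if cond is None:
        errors.append("no Conditions element")
    else:
        if cond.get("NotBefore") and now < _utc(cond.get("NotBefore")):
            errors.append("assertion not yet valid")
        if cond.get("NotOnOrAfter") and now >= _utc(cond.get("NotOnOrAfter")):
            errors.append("assertion has expired")
    # NameID carries the Federation ID, in the format the SP was told to expect.
    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    if (name_id is None or name_id.get("Format") != config["nameid_format"]
            or not (name_id.text or "").strip()):
        errors.append("NameID missing or not in the configured format")
        return None, errors
    return (name_id.text.strip() if not errors else None), errors


def resolve_user(federation_id, users=SP_USERS):
    """Exact, case-sensitive match on Federation ID: the value must be typed
    identically in both orgs (step 6) or the lookup finds nobody."""
    return users.get(federation_id)


def login(xml_text, now, config=SP_CONFIG, users=SP_USERS):
    """Whole SP-side flow: returns the username on success, otherwise None."""
    fed_id, errors = validate_response(xml_text, config, now)
    return None if errors else resolve_user(fed_id, users)
```

Each mismatch corresponds to a field in the tutorial: a wrong Audience means the assertion was issued for a different SP Entity ID and must not be accepted here, a wrong Recipient means it was meant for a different ACS URL, an Issuer mismatch means the SP has no business trusting the signer, and a Federation ID that differs only in case resolves to no user and the login fails.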