Salesforce is a cloud-based software platform designed to enhance customer relationship management (CRM) by connecting companies with their customers, facilitating better communication, and driving business success through innovative solutions and trusted partnerships.
Steps to configure SAML SSO for Salesforce
MFA configuration: Upon successful SSO configuration for the application, click here to learn how to set up MFA, ensuring users complete multiple verification methods before accessing the Identity360 portal.
The following steps will help you enable SAML single sign-on (SSO) for Salesforce from ManageEngine Identity360.
Prerequisites
- The MFA and SSO license for Identity360 is required to enable SSO for enterprise applications. For more information, refer to pricing details.
- Log in to Identity360 as an Admin or Super Admin.
- Navigate to Applications > Application Integration > Create New Application, and select Salesforce from the applications displayed.
Note: You can also find Salesforce from the search bar located at the top.
- Under the General Settings tab, enter the Application Name and Description.
- Under the Choose Capabilities tab, choose SSO and click Continue.
General Settings of SSO configuration for Salesforce
- Under Integration Settings, navigate to the Single Sign On tab, select SAML from the Method drop-down and click Metadata Details.
- Download the metadata file to be uploaded during the configuration of Salesforce by clicking Download from the Metadata field.
- Download the SSO certificate by clicking Download from the Signing Certificate field.
Integration Settings of SSO configuration for Salesforce
Salesforce (service provider) configuration steps
- Log in to Salesforce using admin credentials and navigate to Setup.
Salesforce portal view
- Navigate to Identity tab -> Single Sign-On Settings -> click New from Metadata File.
Salesforce SSO setup
- Click Choose file in the Metadata File field and upload the metadata file downloaded in step 6(i) of prerequisites. Click Create.
Salesforce metadata configuration
- In the Identity Provider Certificate field, upload the Signing Certificate downloaded in step 6(ii) of prerequisites. Click Save.
Salesforce signing certificate configuration
- Copy the Login URL (ACS URL) and Entity ID which will be used during the configuration of Identity360.
Salesforce SAML SSO configuration
- You need to enable Identity360 as an authentication method so that users can select Identity360 as an authentication type on the Salesforce login screen. Navigate to Company Settings -> My Domain -> Authentication Configuration.
- Click Edit. Select Identity360 and click Save.
Salesforce authentication configuration
Identity360 (identity provider) configuration steps
- Switch to Identity360's application configuration page.
- In the ACS URL field, paste the Login URL value copied in step 5 of Salesforce configuration.
- In the Entity ID field, paste the Entity ID value copied in step 5 of Salesforce configuration.
- Enter the Relay State parameter, if necessary.
Note: Relay State is an optional parameter used with a SAML message to remember where you were or direct you to a specific page after logging in.
- Click Save.
Integration Settings of SSO configuration for Salesforce
- To learn how to assign users to one or more applications, refer to this page.
Your users should now be able to sign in to Salesforce through the Identity360 portal.
Note: For Salesforce, both SP-initiated and IdP-initiated flows are supported.
Steps to configure OAuth/OpenID Connect-based SSO for Salesforce
MFA configuration: Upon successful SSO configuration for the application, click here to learn how to set up MFA, ensuring users complete multiple verification methods before accessing the Identity360 portal.
The following steps will help you enable OAuth/OpenID Connect-based single sign-on (SSO) for Salesforce from ManageEngine Identity360.
Prerequisites
- The MFA and SSO license for Identity360 is required to enable SSO for enterprise applications. For more information, refer to pricing details.
- Log in to Identity360 as an Admin or Super Admin.
- Navigate to Applications > Application Integration > Create New Application, and select Salesforce from the applications displayed.
Note: You can also find Salesforce from the search bar located at the top.
- Under the General Settings tab, enter the Application Name and Description.
- Under the Choose Capabilities tab, choose SSO and click Continue.
General Settings of SSO configuration for Salesforce
- Under Integration Settings, navigate to the Single Sign On tab, select OAuth/OpenID Connect from the Method radio button. Click IdP Details and copy the highlighted field values in the screenshot below.
Integration Settings of SSO configuration for Salesforce
Salesforce (service provider) configuration steps
- Log in to Salesforce using admin credentials and navigate to Setup.
Salesforce portal view
- Search for Auth.Providers in the search box.
Search for Salesforce authentication providers
- Click New to add a new provider.
- Select the Provider Type as Open ID Connect.
Addition of authentication provider in Salesforce
- Enter the Name and URL Suffix as Identity360.
- Fill in the following fields with the corresponding details copied in step 6 of the prerequisites from the Identity360 portal.
- Consumer Key: Client ID
- Consumer Secret: Client Secret
- Authorization Endpoint URL: Authorization Endpoint URL
- Token Endpoint URL: Token Endpoint URL
- User Info Endpoint URL: User Endpoint URL
- Token Issuer: Issuer
- Click Automatically create a registration handler template link under the Registration Handler field.
Note: Registration handler is a code snippet that matches service provider attributes with the corresponding identity provider attributes.
- Under the Execute Registration As field, add the Salesforce admin account.
- Click Save.
OAuth SSO configuration in Salesforce
- After saving, copy the Callback URL, which will be used later in Identity360 configuration.
Callback URL taken from Salesforce
- Click the link provided for Registration Handler.
Auto creation of registration handler in Salesforce
- Edit the Class Body tab and replace the existing code with the code given below the screenshot.
global class Identity360OIDCHandler implements Auth.RegistrationHandler {

    global User createUser(Id portalId, Auth.UserData data) {
        // The user has authenticated at Identity360; look up the matching
        // active Salesforce user by username (the email claim from the IdP).
        User u = new User();
        String username = data.email;
        List<User> userList = [SELECT Id, Name, Email, UserName FROM User
                               WHERE UserName = :username AND isActive = true];
        if (userList != null && userList.size() > 0) {
            u = userList.get(0);
        }
        // No matching active user: the empty User is returned unsaved, so no
        // account is provisioned automatically.
        return u;
    }

    global void updateUser(Id userId, Id portalId, Auth.UserData data) {
        // Nothing is synced from the IdP on later logins; a no-op update
        // satisfies the RegistrationHandler contract.
        User u = new User(id = userId);
        update(u);
    }
}
Code snippet replacement in the Class Body tab of Salesforce
- You need to enable Identity360 as an authentication method so that users can select Identity360 as an authentication type on the Salesforce login screen. Navigate to Company Settings -> My Domain -> Authentication Configuration.
- Click Edit. Select Identity360 as the Authentication Service and click Save.
Salesforce authentication configuration
Identity360 (identity provider) configuration steps
- Switch to Identity360's application configuration page.
- In the Login Redirect URL field, paste the Callback URL copied in step 10 of the Salesforce configuration.
- Choose the required Scope from the drop-down.
Note: Scopes define the level of access that can be requested by the service provider to access a resource. Identity360 supports the following scopes:
- openid: Establishes that this is an OpenID Connect request.
- email: Requests the user's email attribute.
- profile: Requests the user's profile claims (FirstName and LastName).
- Click Save.
Integration Settings of SSO configuration for Salesforce
To learn how to assign users and groups to one or more applications, refer to this page.
Your users should now be able to sign in to Salesforce through the Identity360 portal.
Note: For Salesforce, SP-initiated flow is supported when SSO is enabled through OAuth.
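The OAuth/OpenID Connect flow configured above is SP-initiated: Salesforce sends the browser to Identity360's Authorization Endpoint with the selected scopes, receives a code at its Callback URL, and then checks the ID token against the Token Issuer and Consumer Key it was configured with. The Python below is an added example written for this page (not Identity360's or Salesforce's code) that walks through those steps: it maps the IdP Details to the Salesforce Auth. Provider fields as listed above, builds the authorization request with the three supported scopes plus state and nonce, verifies the state on the callback, and applies the issuer, audience, nonce and expiry checks that belong after the ID token's signature has been verified. All endpoint values, the client ID and the callback URL are constructed placeholders.

```python
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed, hypothetical values in the shape of the IdP Details that
# Identity360 displays; none of these are real Identity360 endpoints.
IDP_DETAILS = {
    "Client ID": "example-client-id",
    "Client Secret": "example-client-secret",
    "Authorization Endpoint URL": "https://idp.example.com/oauth/authorize",
    "Token Endpoint URL": "https://idp.example.com/oauth/token",
    "User Endpoint URL": "https://idp.example.com/oauth/userinfo",
    "Issuer": "https://idp.example.com",
}

# Placeholder for the Callback URL that Salesforce shows after the provider is
# saved (the org-specific part is not a real value).
CALLBACK_URL = "https://login.salesforce.com/services/authcallback/ORGID_PLACEHOLDER/Identity360"

# Salesforce Auth. Provider field -> Identity360 IdP detail it is filled from.
SALESFORCE_FIELD_SOURCES = {
    "Consumer Key": "Client ID",
    "Consumer Secret": "Client Secret",
    "Authorization Endpoint URL": "Authorization Endpoint URL",
    "Token Endpoint URL": "Token Endpoint URL",
    "User Info Endpoint URL": "User Endpoint URL",
    "Token Issuer": "Issuer",
}

SUPPORTED_SCOPES = ("openid", "email", "profile")


def salesforce_auth_provider_fields(idp_details):
    """Return the value to enter in each Salesforce Auth. Provider field."""
    missing = [src for src in SALESFORCE_FIELD_SOURCES.values() if src not in idp_details]
    if missing:
        raise ValueError("IdP details are missing: %s" % missing)
    return {field: idp_details[src] for field, src in SALESFORCE_FIELD_SOURCES.items()}


def build_authorization_url(idp_details, callback_url, scopes, state, nonce):
    """Authorization request the SP redirects the browser to (SP-initiated flow)."""
    if "openid" not in scopes:
        raise ValueError("an OpenID Connect request must include the openid scope")
    unsupported = sorted(set(scopes) - set(SUPPORTED_SCOPES))
    if unsupported:
        raise ValueError("unsupported scopes: %s" % unsupported)
    if urlparse(callback_url).scheme != "https":
        raise ValueError("redirect_uri must use https")
    params = {
        "response_type": "code",
        "client_id": idp_details["Client ID"],
        # Must equal the Login Redirect URL registered in Identity360, or the
        # IdP will refuse to redirect the code anywhere.
        "redirect_uri": callback_url,
        "scope": " ".join(scopes),
        "state": state,   # binds the response to this browser session
        "nonce": nonce,   # echoed in the ID token; defeats token replay
    }
    return idp_details["Authorization Endpoint URL"] + "?" + urlencode(params)


def parse_callback(callback_redirect, expected_state):
    """Extract the authorization code from the redirect back to the Callback URL,
    refusing it unless the state matches what the SP generated."""
    query = parse_qs(urlparse(callback_redirect).query)
    if query.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: response was not requested by this session")
    if "error" in query:
        raise ValueError("IdP returned error: " + query["error"][0])
    return query["code"][0]


def validate_id_token_claims(claims, idp_details, expected_nonce, now):
    """Claim checks applied after the ID token's signature has been verified."""
    if claims.get("iss") != idp_details["Issuer"]:
        return False, "issuer does not match the configured Token Issuer"
    aud = claims.get("aud")
    if isinstance(aud, str):
        aud = [aud]
    if idp_details["Client ID"] not in (aud or []):
        return False, "token was not issued for this Consumer Key"
    if claims.get("nonce") != expected_nonce:
        return False, "nonce mismatch"
    if claims.get("exp", 0) <= now:
        return False, "token expired"
    return True, "ok"
```

Generate state and nonce with secrets.token_urlsafe(32) per login attempt and keep them server-side until the callback arrives; the claim checks deliberately take the issuer and audience from the same IDP_DETAILS values that fill the Salesforce form, which is why the Token Issuer field must be copied exactly.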
Steps to enable MFA for Salesforce
Setting up MFA for Salesforce using Identity360 involves the following steps:
- Set up one or more authenticators for identity verification when users attempt to log in to Salesforce. Identity360 supports various authenticators, including FIDO2 passkeys, Google Authenticator, and email-based verification codes. Click here for steps to set up the different authenticators.
- Integrate Salesforce with Identity360 by configuring SSO using the steps listed here.
- Now, activate MFA for Salesforce by following the steps mentioned here.
How does MFA for applications work in Identity360?