• Home
• App Integrations
• Single Sign-On Integrations
• Salesforce SSO

SSO Setup in Salesforce

---

Streamline the SSO setup in Salesforce with this comprehensive setup guide from miniOrange. Our Salesforce SSO configuration using SAML Single Sign-On (SSO) enables seamless login to various Salesforce channels and applications using a unified set of credentials.

By enabling SSO in Salesforce, users can securely access Salesforce with just one click, eliminating the need to re-enter their username and password. Simplify your Salesforce authentication process and enhance security with miniOrange's user-friendly SSO solution.

With miniOrange Salesforce SSO, you can:

• Enable your users to automatically log in to Salesforce.
• Maintain centralized and easy access control for all users through your Salesforce single sign-on setup.
• Connect easily with any external identity source like Microsoft Entra ID, Azure Active Directory, ADFS, Cognito, and more.

Salesforce also works as an IDP. With miniOrange Salesforce SSO solution, you can extend the single sign-on to downstream apps like WooCommerce, Shopify, WordPress, JIRA, and Confluence, and manage the full user lifecycle without extra Salesforce licenses.

Supported SSO Features

miniOrange-Salesforce SAML integration supports the following Salesforce SSO configuration features:

• SP Initiated SSO Login: Users can access their Salesforce account via a URL or bookmark. They will automatically be redirected to the miniOrange portal for login. Once they've signed on, they'll be automatically redirected and logged into Salesforce.
• IdP Initiated SSO Login: Users need to log in to the miniOrange first, and then click on the Salesforce icon on the applications dashboard to access Salesforce. (If you have set up any more Identity Sources, you will log in to that platform.)
• JIT Provisioning: Enables the automatic creation of user accounts in Salesforce when a person logs in for the first time via Desktop SSO, IDP, or Active Directory (AD) authentication.
• Single Logout: With this feature, you will be automatically logged out of all the Salesforce applications that are connected with the Identity Provider (IdP) when you log out of the Salesforce org or any other app.
• Mandate users to Login using SSO: Single Sign-On can make it mandatory for all Salesforce users to log in using SSO. This will prevent any person from logging in using any other source and bypassing the login system. No person will be able to have direct login, making it a streamlined and secure process.
• MFA and User Provisioning: Secure Salesforce logins with 29+ MFA methods while automatically creating, updating, or removing user accounts based on your identity provider data. Manage authentication and user lifecycle from one place.
• Any Salesforce Object Support: Authenticate users from Salesforce Contacts, Leads, Accounts, or Custom Objects as identity sources. This gives you the flexibility to use your existing Salesforce data to manage login without additional setup.
• Attribute and Role Mapping: Map Salesforce user fields to SAML or OpenID Connect attributes to assign roles and permissions in connected applications. This keeps access control consistent across every app your team uses.

Prerequisites

• The following Subscription plans are required for the mentioned authentication methods:
  1. Federated Authentication: All Editions
  2. Delegated Authentication Professional, Enterprise, Performance, Unlimited, Developer, and How you integrate Editions.
  3. Authentication Providers: Professional, Enterprise, Performance, Unlimited, and Developer Editions.
• Note - In order to do SP initiated SSO into Salesforce, you need to create a custom Domain. Check this link - Salesforce domain changes and follow the below steps:

• Salesforce Lightening
• Salesforce Classic

• Login to your Salesforce account.
• Click on the Setup icon in the top-right section of the Salesforce lightening dashboard page.



• Now in the search field, search for the My Domain Settings.
• Choose your domain name, check for availability and if available, proceed by saving the settings.



• Search for Company Information in the search bar.
• Copy the Organization Id. (This will be required later)



• Salesforce Metadata: After you have set up the SSO settings in Salesforce Admin Dashboard, you will get the Salesforce Metadata File. Click Download Metadata to download an XML file of your SAML configuration settings to send to your identity provider. The identity provider can then upload these configuration settings to connect to your Experience Cloud site.

• Login to your Salesforce account.
• Go to Setup in the top-right section of the Salesforce classic dashboard page.



• Now in the left pane, select Domain Management.
• Select My Domain.
• Choose your domain name, check for availability and if available, proceed by clicking the Register Domain button.



• Test your domain once it is ready, by clicking the link and then click Deploy to Users.
• Search for Company Information in the search bar.
• Copy Organization Id. (This will be required later)

Follow the step-by-step guide given below for Salesforce Single Sign-On (SSO)

1. Configure Salesforce in miniOrange

• Login into miniOrange Admin Console.
• Go to Apps and click on Add Application button.



• In Choose Application Type, select SAML/WS-FED from the All Apps dropdown.



• Search for Salesforce in the list, if you don't find Salesforce in the list then, search for custom and you can set up your application in Custom SAML App.

• In the Basic tab, enter the following details:
• Display Name: Salesforce
• SP Entity ID or Issuer: https://[yourdomain].my.salesforce.com/
• ACS URL: https://[yourdomain].my.salesforce.com/?so=[organization_id]
• Single Logout URL: https://[yourdomain].my.salesforce.com



• Click Next to go to the Advanced tab and enable the Sign Response option.



• Scroll down to AuthnContext Class Schema. You can select the value of your choice, the default is PasswordProtectedTransport.




Note: Salesforce prompts for MFA during SSO login. However, Salesforce trusts the following authentication methods:

• MobileTwoFactorContract
• PGP
• Smartcard
• TimeSyncToken

Selecting any of these in the dropdown will skip the MFA prompt on the Salesforce screen.



• Click Next. In the Attributes tab, click Add Attribute and enter the attribute names with their values as shown below.

  (Follow the steps here to find your Salesforce profileId.)




• Click Save.
• Your application is saved successfully. Now go to the Metadata tab.
• On the Metadata tab, choose one of the following options:
• If you want to use miniOrange as User-Store (i.e., your employee identities will be stored in miniOrange), download the metadata file under miniOrange as IdP.
• If you want to authenticate via an external Identity Provider (IdP) like Active Directory, Okta, OneLogin, Google, or Apple ID, download the metadata file under External source as IdP.



• Copy the SAML Login URL, SAML Logout URL, and IdP Entity ID or Issuer. Click Download Certificate to download the certificate (required in Step 2).

2. Configure SSO in Salesforce Admin Account

• Salesforce Lightening
• Salesforce Classic

• Log in to your Salesforce account as Account Admin.
• Click the gear icon, then navigate to Setup > Identity > Single Sign-On Settings.

• Log in to your Salesforce account as Account Admin.
• Navigate to Setup > Security Controls > Single Sign-On Settings.

• On the Single Sign-On Settings page, click on Edit.




• Check the SAML Enabled box to enable the use of SAML Single-Sign On, then click on Save.




• Click New to open SAML Single Sign-On Settings.




• Enter the following values in the respective fields.
1. Issuer : IDP Entity ID/Issuer in miniorange metadata
2. Entity ID : https://[yourdomain].my.salesforce.com
3. Identity Provider Certificate : Upload Certificate from miniOrange metadata
4. Request Signature method : RSA-SHA256
5. Assertion Decryption Certificate : Not encrypted
6. SAML Identity Type : Assertion contains the User's Salesforce username
7. SAML Identity Location : Identity is in the NameIdentifier element of the Subject statement
8. Service Provider Initiated Request Binding : HTTP Redirect
9. Identity Provider Login URL : SAML Login URL in miniOrange metadata
10. Custom Logout URL : https://[yourdomain].my.salesforce.com
• Click on Save.




• Copy your Login URL value.




• If you want to enable "Login with SSO" button on the Salesforce Lightning login page, you can follow the steps below :
  • login Salesforce as an Admin > Setup.
  • Navigate to "My Domain".
  • Go to Authentication Configuration > Edit.
  
  
  
  • Choose the IDP that you have configured > Save.
  • Relogin to your Salesforce, you should be able to see the option on the login page.

3. Test SSO Configuration

Test SSO login to your Salesforce account with miniOrange IdP:

Using SP Initiated Login

• Go to your Salesforce URL, here you will be either asked to enter the username or click on the SSO link which will redirect you to miniOrange IdP Sign On Page.



• Enter your miniOrange login credential and click on Login. You will be automatically logged in to your Salesforce account.

Using IDP Initiated Login

• Login to miniOrange IdP using your credentials.



• On the Dashboard, click on Salesforce application which you have added, to verify SSO configuration.





Not able to configure or test SSO?


Contact us or email us at idpsupport@xecurify.com and we'll help you setting it up in no time.

Troubleshooting

FAQs

External References

• Salesforce Integrations with miniOrange
  
• Guide For Salesforce Community Single Sign On (SSO)
• Enable 2FA/MFA on top of SSO for Salesforce
• Enable Provisioning for Salesforce