Configuration Guides

Configuring SAML SSO with Salesforce and PingOne for Enterprise

Enable Salesforce sign-on from the PingOne for Enterprise console (IdP-initiated sign-on) plus single logout (SLO).

Before you begin

  • Link PingOne for Enterprise to an identity repository containing the users requiring application access.

  • Populate Salesforce with at least one user to test access.

  • You must have administrative access to PingOne for Enterprise and Salesforce.

Extract the PingOne for Enterprise metadata for Salesforce

  1. Sign on to PingOne for Enterprise and go to Applications → Application Catalog.

  2. Search for Salesforce.

    Screen capture of the PingOne for Enterprise Application Catalog with various Salesforce applications displayed.
  3. Expand the Salesforce entry and click the Setup icon.

  4. Click Continue to Next Step until you’re on the Group Access page.

    You’ll configure the application settings later through metadata.

  5. Click Add for each user group that should have access to Salesforce.

    Screen capture of the Group Access section with the Group search bar and the available Group Names displaying.
  6. Click Continue to Next Step.

  7. Download the PingOne for Enterprise signing certificate and SAML metadata.

  8. Click Finish.

    Screen capture of the Single Logout Response Endpoint section with the Signing Certificate and SAML Metadata Download buttons highlighted in red.

Add the PingOne for Enterprise IdP Connection to Salesforce

  1. Sign on to your Salesforce domain as an administrator.

  2. Click the Gear icon, then go to Setup → Identity → Single Sign-On Settings.

    Screen capture of the Salesforce Single Sign-On Settings page.
  3. On the Single Sign-On Settings page, click Edit.

    Screen capture of the Salesforce Single Sign-On Settings Setup page with the Edit button highlighted in red.
  4. Select the SAML Enabled check box to enable the use of SAML SSO. Click Save.

    Screen capture of the Salesforce Single Sign-On Settings page with the SAML Enabled check box and the Save button highlighted in red.
  5. Click New From Metadata File.

    Screen capture of the SAML Single Sign-On Settings page with the New from Metadata File button highlighted in red.
  6. Click Choose File, select the SAML metadata file that you downloaded from PingOne for Enterprise, and click Create.

    Screen capture of the SAML Single Sign-On Settings page with the Choose Metadata File and Create buttons highlighted in red.

    The summary screen opens.

  7. On the Identity Provider Certificate line, click Choose File and select the signing certificate that you downloaded from PingOne for Enterprise.

  8. Set Service Provider Initiated Request Binding to HTTP POST.

  9. Set Single Logout Request Binding to HTTP POST.

  10. Clear the Single Logout Enabled check box if you don’t require single logout.

    The summary screen will resemble the following:

    Screen capture of the SAML Single Sign-On Settings summary page with metadata file warnings highlighted in red.
  11. Ignore the metadata file warnings and click Save.

  12. Click Download Metadata to save the Salesforce metadata.

    Screen capture of the Endpoints section of the Salesforce metadata summary page with the Download Metadata button highlighted in red.

Import the Salesforce metadata into PingOne

  1. Sign on to PingOne for Enterprise and go to Applications → My Applications.

  2. Expand the Salesforce entry and click Edit.

  3. Click Continue to Next Step.

  4. Click Select File and select the metadata file that you downloaded from Salesforce.

    Screen capture of the Upload Metadata field with the Select File button highlighted in red.

    The ACS URL, Entity ID, Single Logout Endpoint, and Primary Verification Certificate fields should now be populated.

    Screen capture of the populated Connection Configuration fields.
  5. Click Continue to Next Step on the remaining pages, then click Finish.

    This step assumes that your usernames in Salesforce match the ones in PingOne for Enterprise. If this is not the case, then you must map the expected Salesforce username value on the third page.
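Before importing the metadata downloaded from Salesforce, it is worth confirming offline that it actually carries the four values PingOne fills in (Entity ID, HTTP-POST ACS URL, Single Logout endpoint, signing certificate) and nothing that will silently break SLO. The following script is an added example, not part of this guide or of Ping Identity's tooling; the embedded metadata is a constructed sample with placeholder endpoint paths and a fake certificate, so point check_sp_metadata at your real downloaded file instead.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata", "ds": "http://www.w3.org/2000/09/xmldsig#"}
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed sample SP metadata. The certificate is fake base64 and the endpoint paths are
# placeholders, not real Salesforce values; feed in the file downloaded from Salesforce instead.
FAKE_CERT = base64.b64encode(b"not a real certificate").decode()
SAMPLE_SP_METADATA = f"""<md:EntityDescriptor xmlns:md="{NS['md']}" xmlns:ds="{NS['ds']}"
    entityID="https://your-company.my.salesforce.com">
  <md:SPSSODescriptor AuthnRequestsSigned="true" WantAssertionsSigned="true"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>{FAKE_CERT}</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:SingleLogoutService Binding="{HTTP_POST}"
        Location="https://your-company.my.salesforce.com/PLACEHOLDER/slo"/>
    <md:AssertionConsumerService Binding="{HTTP_POST}" index="0" isDefault="true"
        Location="https://your-company.my.salesforce.com/PLACEHOLDER/acs"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""


def check_sp_metadata(xml_text: str) -> dict:
    """Extract the fields PingOne fills from SP metadata and list anything that will break SSO or SLO."""
    root = ET.fromstring(xml_text)
    sp = root.find("md:SPSSODescriptor", NS)
    if sp is None:
        raise ValueError("no SPSSODescriptor: this is IdP metadata or not SAML metadata at all")
    out = {"entity_id": root.get("entityID"), "findings": []}
    # The guide sets the request binding to HTTP POST, so the SP must publish a POST ACS endpoint.
    acs = [e for e in sp.findall("md:AssertionConsumerService", NS) if e.get("Binding") == HTTP_POST]
    out["acs_url"] = acs[0].get("Location") if acs else None
    if not acs:
        out["findings"].append("no HTTP-POST AssertionConsumerService")
    slo = sp.find("md:SingleLogoutService", NS)
    out["slo_url"] = slo.get("Location") if slo is not None else None
    if slo is None:
        out["findings"].append("no SingleLogoutService; clear Single Logout Enabled or expect SLO failures")
    elif slo.get("Binding") != HTTP_POST:
        out["findings"].append("SingleLogoutService binding is not HTTP-POST")
    # The signing certificate becomes the Primary Verification Certificate; fingerprint it so the
    # value can be compared with what the PingOne console shows after import.
    cert = sp.find("md:KeyDescriptor[@use='signing']/ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
    if cert is None or not (cert.text or "").strip():
        out["cert_sha256"] = None
        out["findings"].append("no signing certificate: signed requests from Salesforce cannot be verified")
    else:
        out["cert_sha256"] = hashlib.sha256(base64.b64decode(cert.text.strip())).hexdigest()
    if sp.get("WantAssertionsSigned") != "true":
        out["findings"].append("WantAssertionsSigned is not true")
    return out
```

An empty findings list means the file carries everything the Connection Configuration page expects; any finding should be resolved in Salesforce before re-downloading and importing the metadata.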

Test the PingOne for Enterprise IdP-initiated SSO integration

  1. Go to your Ping desktop as a user with Salesforce access.

    To find the Ping desktop URL in the Admin console, go to Setup → Dock → PingOne Dock URL.

  2. Complete PingOne for Enterprise authentication.

    You’re redirected to your Salesforce domain.

    Screen capture of the Salesforce domain home page.

Configure direct Salesforce sign on using PingOne (SP-initiated login) plus SLO

Before you begin

  • You must first enable identity provider (IdP)-initiated sign-on.

Enable PingOne authentication in Salesforce

  1. Sign on to your Salesforce domain as an administrator.

  2. Click the Gear icon, then go to Setup → Company Settings → My Domain.

    Screen capture of the Salesforce Settings menu with the My Domain tab highlighted.
  3. Make a note of your domain name, for example, https://your-company.my.salesforce.com.

  4. In the Authentication Configuration section, click Edit.

    Screen capture of the Salesforce Authentication Configuration page with the Edit button highlighted in red.
  5. In the Authentication Service list, select PingOne. Click Save.

    Screen capture of the Salesforce Authentication Configuration fields with the Save button and the Authentication Service PingOne check box highlighted in red.

    This entry was created as a result of the IdP-initiated sign-on task.

    Configuration is complete.

Salesforce will now redirect to PingOne for authentication of all new sessions. You should also select the Login Form check box during the testing phase so that the standard Salesforce sign-on remains available if PingOne authentication fails.

Testers will be offered the option of the standard Salesforce login form or PingOne authentication.

After you’ve successfully tested authentication, you can clear the Login Form check box so that authentication automatically defaults to PingOne.

Test the PingOne SP-initiated SSO integration

  1. Go to your Salesforce domain.

    If the Login Form check box is still selected, the Salesforce sign-on screen still displays and offers a choice of Salesforce sign-on or PingOne sign-on; select PingOne.

    If you’ve cleared the Login Form check box, you’re not offered a choice.

  2. When you are redirected to PingOne, enter your PingOne username and password.

    After successful authentication, you’re redirected back to Salesforce.

    Screen capture of the Salesforce domain home page.