Configuring SAML SSO with Salesforce and PingFederate
Enable Salesforce sign-on from a PingFederate URL (IdP-initiated sign-on) plus single logout (SLO).
Before you begin
-
Configure PingFederate to authenticate against an IdP or datastore containing the users requiring application access.
-
Populate Salesforce with at least one user to test access.
-
You must have administrative access to PingFederate and Salesforce.
Create a PingFederate SP connection for Salesforce
-
Sign on to the PingFederate administrative console.
-
Create an SP connection for Salesforce in PingFederate:
-
Configure using Browser SSO profile SAML 2.0.
-
Set Partner’s Entity ID to Entity ID.
-
Enable the following SAML Profiles:
-
IDP-Initiated SSO
-
SP Initiated SSO
-
IDP-Initiated SLO
-
SP Initiated SLO
-
-
In Assertion Creation → Authentication Source Mapping → Attribute Contract Fulfillment, map the SAML_SUBJECT to the attribute containing the Salesforce username.
-
In Protocol Settings → Assertion Consumer Service URL, set Binding to POST and set Endpoint URL to ACS URL.
-
In Protocol Settings → SLO Service URLs, set Binding to POST and set Endpoint URL to SLO URL.
-
In Protocol Settings → Allowable SAML Bindings, enable POST.
-
In Credentials → Digital Signature Settings, select the PingFederate Signing Certificate.
-
In Credentials → Signature Verification, set Trust Model to Unanchored.
-
In Credentials → Signature Verification → Signature Verification Certificate, select the PingFederate Signing Certificate.
This certificate is a placeholder and will be replaced with a Salesforce certificate.
-
-
Export the metadata for the newly created Salesforce SP connection.
-
Export the signing certificate.
Add the PingFederate IDP Connection to Salesforce
-
Sign on to your Salesforce domain as an administrator.
-
Click the Gear icon, then go to Setup → Identity → Single Sign-On Settings.
-
On the Single Sign-On Settings page, click Edit.
-
Select the SAML Enabled check box to enable the use of SAML single sign-on. Click Save.
-
Click New From Metadata File.
-
Click Choose File, select the metadata that you downloaded from PingFederate, and click Create.
The summary screen opens.
-
In the Identity Provider Certificate section, click Choose file and select the signing certificate that you downloaded from PingFederate.
-
Clear the Single Logout Enabled check box if you don’t require single logout.
The summary page opens.
-
Click Save.
-
On the summary page for the configuration that you saved in the previous step, click Edit.
-
Click the link on the Request Signing Certificate line.
-
Click Download Certificate.
Import the Salesforce certificate into PingFederate
-
Sign on to the PingFederate administrative console.
-
Open the Salesforce SP connection and click Signature Verification Certificate.
-
Delete the placeholder certificate and upload the certificate that you downloaded from Salesforce.
-
Save the configuration.
Test the PingFederate IdP-initiated SSO integration
-
Go to the PingFederate SSO application endpoint for the Salesforce SP connection.
-
Complete PingFederate authentication.
You’re redirected to your Salesforce domain.
Configure direct Salesforce sign-on using PingFederate (SP-initiated sign-on) plus single logout (SLO)
Before you begin
-
You must first enable IdP-initiated sign-on.
Enable PingFederate authentication in Salesforce
-
Sign on to your Salesforce domain as an administrator.
-
Click the Gear icon, then go to Setup → Company Settings → My Domain.
-
Make a note of your domain name, such as
https://your-company.my.salesforce.com
. -
In the Authentication Configuration section, click Edit.
-
In the Authentication Service list, select YourPingFederate. Click Save.
The "YourPingFederate" entry was created as a result of the IdP-initiated login tasks above.
Configuration is complete.
Salesforce will now redirect to PingFederate for authentication of all new sessions.
You should also select the Login Form check box during the testing phase in case of authentication issues. Testers will be offered the option of the standard Salesforce login form or PingFederate authentication. After you’ve successfully tested authentication against PingFederate, you can clear the Login Form check box so that authentication automatically defaults to PingFederate.
Test the PingFederate SP-initiated SSO integration
-
Go to your Salesforce domain.
If the Login Form check box is still selected, the Salesforce sign on screen still displays, and you’re offered a choice of Salesforce sign on or PingFederate sign on, select PingFederate.
If you’ve cleared the Login Form check box, you’re not offered a choice.
-
When you are redirected to PingFederate, enter your PingFederate username and password.
After successful authentication, you’re redirected back to Salesforce.