---
title: Configuring SAML SSO with Salesforce and PingFederate
description: Enable Salesforce sign-on from a PingFederate URL (IdP-initiated sign-on) plus single logout (SLO).
component: configuration_guides
page_id: configuration_guides:salesforce:config_saml_salesforce_pf
canonical_url: https://docs.pingidentity.com/configuration_guides/salesforce/config_saml_salesforce_pf.html
revdate: February 10, 2022
section_ids:
  before-you-begin: Before you begin
  create-a-pingfederate-sp-connection-for-salesforce: Create a PingFederate SP connection for Salesforce
  add-the-pingfederate-idp-connection-to-salesforce: Add the PingFederate IDP Connection to Salesforce
  import-the-salesforce-certificate-into-pingfederate: Import the Salesforce certificate into PingFederate
  test-the-pingfederate-idp-initiated-sso-integration: Test the PingFederate IdP-initiated SSO integration
  configure-direct-salesforce-sign-on-using-pingfederate-sp-initiated-sign-on-plus-single-logout-slo: Configure direct Salesforce sign-on using PingFederate (SP-initiated sign-on) plus single logout (SLO)
  before-you-begin-2: Before you begin
  enable-pingfederate-authentication-in-salesforce: Enable PingFederate authentication in Salesforce
  test-the-pingfederate-sp-initiated-sso-integration: Test the PingFederate SP-initiated SSO integration
---

# Configuring SAML SSO with Salesforce and PingFederate

Enable Salesforce sign-on from a PingFederate URL (IdP-initiated sign-on) plus single logout (SLO).

## Before you begin

* Configure PingFederate to authenticate against an IdP or datastore containing the users requiring application access.

* Populate Salesforce with at least one user to test access.

* You must have administrative access to PingFederate and Salesforce.

## Create a PingFederate SP connection for Salesforce

1. Sign on to the PingFederate administrative console.

2. Create an SP connection for Salesforce in PingFederate:

   1. Configure using **Browser SSO** profile **SAML 2.0**.

   2. Set **Partner's Entity ID** to **Entity ID**.

      * Enable the following SAML Profiles:

        * **IDP-Initiated SSO**

        * **SP Initiated SSO**

        * **IDP-Initiated SLO**

        * **SP Initiated SLO**

   3. In **Assertion Creation → Authentication Source Mapping → Attribute Contract Fulfillment**, map the **SAML\_SUBJECT** to the attribute containing the Salesforce username.

   4. In **Protocol Settings → Assertion Consumer Service URL**, set **Binding** to **POST** and set **Endpoint URL** to **ACS URL**.

   5. In **Protocol Settings → SLO Service URLs**, set **Binding** to **POST** and set **Endpoint URL** to **SLO URL**.

   6. In **Protocol Settings → Allowable SAML Bindings**, enable **POST**.

   7. In **Credentials → Digital Signature Settings**, select the **PingFederate Signing Certificate**.

   8. In **Credentials → Signature Verification**, set **Trust Model** to **Unanchored**.

   9. In **Credentials → Signature Verification → Signature Verification Certificate**, select the **PingFederate Signing Certificate**.

      This certificate is a placeholder and will be replaced with a Salesforce certificate.

3. Export the metadata for the newly created Salesforce SP connection.

4. Export the signing certificate.

## Add the PingFederate IDP Connection to Salesforce

1. Sign on to your Salesforce domain as an administrator.

2. Click the **Gear** icon, then go to **Setup → Identity → Single Sign-On Settings**.

   ![Screen capture of the Salesforce Single Sign-On Settings.](_images/qxq1619216915118.png)

3. On the **Single Sign-On Settings** page, click **Edit**.

   ![Screen capture of the Salesforce Single Sign-On Settings with the Edit button highlighted in red.](_images/ood1619216957673.png)

4. Select the **SAML Enabled** check box to enable the use of SAML single sign-on. Click **Save**.

   ![Screen capture of the Salesforce Single Sign-On Settings with the SAML enabled checkbox and the Save button highlighted in red.](_images/kpc1619216998431.png)

5. Click **New From Metadata File**.

   ![Screen capture of the Salesforce SAML Single Sign-On Settings section with the New from Metadata File button highlighted in red.](_images/rji1619217026354.png)

6. Click **Choose File**, select the metadata that you downloaded from PingFederate, and click **Create**.

   ![Screen capture of the Salesforce SAML Single Sign-On Settings with the Choose File and the Create buttons highlighted in red.](_images/oje1619217061693.png)

   The summary screen opens.

7. In the **Identity Provider Certificate** section, click **Choose file** and select the signing certificate that you downloaded from PingFederate.

8. Clear the **Single Logout Enabled** check box if you don't require single logout.

   The summary page opens.

   ![Screen capture of the SAML Single Sign-On Settings with the Save button highlighted in red.](_images/rfg1619217108763.png)

9. Click **Save**.

10. On the summary page for the configuration that you saved in the previous step, click **Edit**.

    ![Screen capture of the SAML Single Sign-On Settings with the Edit button highlighted in red.](_images/ecr1619217157176.png)

11. Click the link on the **Request Signing Certificate** line.

    ![Screen capture of the Identity Provider Certificate, the Request Signing Certificate, and the Request Signature Method fields with the Request Signing Certificate field highlighted in red.](_images/bnn1619217208047.png)

12. Click **Download Certificate**.

    ![Screen capture of the Certificates section with the Download Certificate button highlighted in red.](_images/yxt1619217291556.png)

## Import the Salesforce certificate into PingFederate

1. Sign on to the PingFederate administrative console.

2. Open the Salesforce SP connection and click **Signature Verification Certificate**.

3. Delete the placeholder certificate and upload the certificate that you downloaded from Salesforce.

4. Save the configuration.

## Test the PingFederate IdP-initiated SSO integration

1. Go to the PingFederate SSO application endpoint for the Salesforce SP connection.

2. Complete PingFederate authentication.

   You're redirected to your Salesforce domain.

   ![Screen capture of the Salesforce domain home page.](_images/sep1619217350076.png)

## Configure direct Salesforce sign-on using PingFederate (SP-initiated sign-on) plus single logout (SLO)

### Before you begin

* You must first enable IdP-initiated sign-on.

### Enable PingFederate authentication in Salesforce

1. Sign on to your Salesforce domain as an administrator.

2. Click the **Gear** icon, then go to **Setup → Company Settings → My Domain**.

   ![Screen capture of the Salesforce Settings menu with the My Domain tab highlighted.](_images/huz1619218618296.png)

3. Make a note of your domain name, such as `https://your-company.my.salesforce.com`.

4. In the **Authentication Configuration** section, click **Edit**.

   ![Screen capture of the Salesforce Authentication Configuration page with the Edit button highlighted in red.](_images/zvc1619218660632.png)

5. In the **Authentication Service** list, select **YourPingFederate**. Click **Save**.

   ![Screen capture of the Salesforce Authentication Configuration page with the Save and YourPingFederate check box highlighted in red.](_images/abf1619218701705.png)

   The "YourPingFederate" entry was created as a result of the IdP-initiated login tasks above.

   Configuration is complete.

Salesforce will now redirect to PingFederate for authentication of all new sessions.

You should also select the **Login Form** check box during the testing phase in case of authentication issues. Testers will be offered the option of the standard Salesforce login form or PingFederate authentication. After you've successfully tested authentication against PingFederate, you can clear the **Login Form** check box so that authentication automatically defaults to PingFederate.

### Test the PingFederate SP-initiated SSO integration

1. Go to your Salesforce domain.

   If the **Login Form** check box is still selected, the Salesforce sign-on screen still displays and offers a choice of Salesforce sign-on or PingFederate sign-on. Select **PingFederate**. If you've cleared the **Login Form** check box, you're not offered a choice.

2. When you are redirected to PingFederate, enter your PingFederate username and password.

   After successful authentication, you're redirected back to Salesforce.

   ![Screen capture of the Salesforce home page.](_images/dra1619218741821.png)
