--- title: Creating a connection description: To allow PingFederate to act as an identity provider and manage users in Salesforce, create a service provider (SP) connection: component: salesforce page_id: salesforce:salesforce_provisioner:pf_salesforce_connector_creating_a_connection canonical_url: https://docs.pingidentity.com/integrations/salesforce/salesforce_provisioner/pf_salesforce_connector_creating_a_connection.html revdate: July 5, 2024 section_ids: steps: Steps --- # Creating a connection To allow PingFederate to act as an identity provider and manage users in Salesforce, create a service provider (SP) connection: ## Steps 1. In the PingFederate administrator console, create a new SP connection: **Choose from:** * For PingFederate 10.1 or later: Go to **Applications > Integration > SP Connections**. Click **Create Connection**. * For PingFederate 10.0 or earlier: Go to **Identity Provider > SP Connections**. Click **Create Connection**. 2. Configure the basic connection details with the Salesforce quick connection template: 1. On the **Connection Template** tab, select **Use a template for this connection**. 2. In the **Connection Template** list, select **Salesforce Provisioner**. 3. On the **Metadata File** row, upload the SAMLSP-xxxxxxxxxxxxxxx.xml file that you saved in [Registering PingFederate as an SSO provider in Salesforce](pf_salesforce_connector_registering_pf_as_an_sso_provider_in_salesforce.html). Click **Next**. 4. On the **Connection Type** tab, select **Browser SSO Profiles** and **Outbound Provisioning**. Click **Next**. 5. On the **Connection Options** tab, click **Next**. 6. On the **General Info** tab, if you configured a custom entity ID in the **Issuer** field in [Registering PingFederate as an SSO provider in Salesforce](pf_salesforce_connector_registering_pf_as_an_sso_provider_in_salesforce.html), enter the name in the **Virtual Server IDs** field and then click **Add**. 7. In the **Connection Name** field, enter a name that you choose. Click **Next**. 3. On the **Browser SSO** page, configure browser SSO with the following details. You can find more information in [Configuring IdP Browser SSO](https://docs.pingidentity.com/pingfederate/latest/administrators_reference_guide/help_spconnectionconfigtasklet_spbrowserssostate.html) and [Configuring SSO token creation](https://docs.pingidentity.com/pingfederate/latest/administrators_reference_guide/help_spbrowserssotasklet_assertioncreationstate.html) in the PingFederate documentation. If you want to integrate with Salesforce Communities, set your Salesforce Communities URL as the default for SSO: 1. On the **Browser SSO > Protocol Settings > Assertion Consumer Service URL** tab, find your Salesforce Communities URL. 2. In the **Actions** column, click **Edit**. 3. In the **Default** column, select the checkbox. Click **Update**. 4. On the **Credentials** page, configure the digital signature settings with the following details: 1. On the **Digital Signature Settings** page, in the **Signing Certificate** list, select your certificate. 2. Select **Include the certificate in the signature \ element**. Click **Done**. Learn more about [Configuring credentials](https://docs.pingidentity.com/pingfederate/latest/administrators_reference_guide/help_spconnectionconfigtasklet_credentialsstate.html) in the PingFederate documentation. 5. On the **Outbound Provisioning** page, configure provisioning with the following details: Learn more about [Configuring outbound provisioning](https://docs.pingidentity.com/pingfederate/latest/administrators_reference_guide/help_spconnectionconfigtasklet_saasprovisioningstate.html) in the PingFederate documentation. 1. On the **Target** tab, in the **Client ID** field, enter the **Consumer Key** that you noted in [Registering PingFederate as a connected app in Salesforce](pf_salesforce_connector_registering_pf_as_a_connected_app_in_salesforce.html). 2. In the **Client Secret** field, enter the **Consumer Secret** that you noted in [Registering PingFederate as a connected app in Salesforce](pf_salesforce_connector_registering_pf_as_a_connected_app_in_salesforce.html). 3. In the **OAuth Access Token** field, enter the **Access Token** that you noted in [Getting an API access token from Salesforce](pf_salesforce_connector_getting_an_api_access_token_from_salesforce.html). 4. In the **OAuth Refresh Token** field, enter the **Refresh Token** that you noted in [Getting an API access token from Salesforce](pf_salesforce_connector_getting_an_api_access_token_from_salesforce.html). 5. If you want to provision to Salesforce Communities, select **Enable Communities**. 6. Under **Provisioning Options**, customize the provisioning connector behavior. Click **Next**. Learn more about [Provisioning options reference](pf_salesforce_connector_provisioning_options_reference.html). 7. On the **Manage Channels > Attribute Mapping** tab, at the bottom of the attribute list, click **Refresh Fields** to get fields and specifications from your Salesforce site. Complete the attribute mappings by referring to [Supported attributes reference](pf_salesforce_connector_supported_attributes_reference.html). You can learn more in [Managing channels](https://docs.pingidentity.com/pingfederate/latest/administrators_reference_guide/help_saasmanagementtasklet_saasmanagementstate.html) in the PingFederate documentation. | | | | - | --------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | | If you're provisioning to Salesforce Communities, you must map attributes for any Salesforce fields that are required, including custom fields in users and contacts. | 6. On the **Activation and Summary** page, above the **Summary** section, note the **SSO Application Endpoint**. Use this value for the **Identity Provider Login URL** of the provider that you configured in [Registering PingFederate as an SSO provider in Salesforce](pf_salesforce_connector_registering_pf_as_an_sso_provider_in_salesforce.html). 7. Turn on the connection and then click **Save**.