---
title: Salesforce as SP (SAML)
description: "Estimated time to complete: 30 minutes."
component: pingoneaic
page_id: pingoneaic:use-cases:use-case-sso-saml-salesforce-sp
canonical_url: https://docs.pingidentity.com/pingoneaic/use-cases/use-case-sso-saml-salesforce-sp.html
keywords: ["Implementation Guide", "Use Case", "SAML 2.0"]
page_aliases: ["implementation:use-case-idc-as-idp-saml.adoc"]
section_ids:
  idc-as-idp-saml-idc-as-idp-saml-description: Description
  idc-as-idp-saml-goals: Goals
  idc-as-idp-saml-prereqs: Prerequisites
  idc-as-idp-saml-tasks: Tasks
  idc-as-idp-saml-task-1: "Task 1: Create custom SAML application"
  idc-as-idp-saml-task-2: "Task 2: Configure Salesforce to serve as SP"
  idc-as-idp-saml-task-3: "Task 3: Configure custom SAML application"
  idc-as-idp-saml-validation: Validation
  idc-as-idp-saml-validation-steps: Steps
  idc-as-idp-saml-video-validation: Video of validation
  idc-as-idp-saml-explore-further: Explore further
  idc-as-idp-saml-reference-material: Reference material
---

# Salesforce as SP (SAML)

## Description

Estimated time to complete: 30 minutes (this assumes you have completed the prerequisites beforehand).

In this use case, you configure SSO using SAML federated identities (identity federation gives partner services a shared user identifier so they can share user information across organizational boundaries) with Advanced Identity Cloud as the identity provider (IDP), which authenticates the user, and Salesforce as the service provider (SP), which authorizes the authenticated user to access its resources based on its own access policies.

Specifically, you configure Advanced Identity Cloud as the IDP for Salesforce using SAML. This allows a user to click the Salesforce application from the hosted account pages and be signed on to Salesforce with IDP-initiated SSO: the user is already signed on to the IDP (Advanced Identity Cloud) and clicks an application (the SP, in this case Salesforce); the IDP sends a SAML assertion to the SP, and the SP allows the user to access the application.

### Goals

After completing this use case, you will know how to do the following:

* Configure a custom SAML application for SSO using app templates.

* Configure Salesforce to be a remote SP.

* Use the application dashboard in the hosted account pages to federate to another application.

## Prerequisites

Before you start work on this use case, ensure you have these prerequisites:

* A basic understanding of:

  * The Advanced Identity Cloud admin console and hosted pages

  * SSO (Federation)

  * SAML

  * Salesforce

* Access to your development environment as an administrator.

* A test Salesforce environment

* The use case, Provision users to a target application (Salesforce), completed with a test user provisioned from Advanced Identity Cloud to Salesforce. Specifically, make sure the user's `mail` attribute in Ping Identity matches the `User.Username` attribute in Salesforce.

* A test user in Advanced Identity Cloud to serve as the application owner for the custom SAML (Salesforce) application.

## Tasks

> This use case requires the use of third-party services. Use your environment specific details where necessary.

### Task 1: Create custom SAML application

1. In the Advanced Identity Cloud admin console, go to Applications > + Custom Application.

2. Select SAML and click Next.

3. On the Application Details page, enter the following:

   | Field        | Value                                                                                                                                                                                               |
   | ------------ | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
   | Name         | Enter `Salesforce SAML SSO`.                                                                                                                                                                        |
   | Description  | Enter `Ping Identity serving as the IDP for SAML. End users can sign on to Salesforce from the hosted account pages, when they are assigned to this application and have an account in Salesforce.` |
   | Owners       | Select a user to be the application owner.                                                                                                                                                          |
   | App Logo URI |                                                                                                                                                                                                     |

4. From the custom SAML application Salesforce SAML SSO, click the Sign On tab > Set up SSO.

5. On the Set up Single Sign-On modal window, click Download Metadata. The metadata to import into Salesforce displays in a new browser tab.

6. Save this file as `identity-cloud-idp-saml-metadata.xml`. You will import this file into Salesforce later.

7. Click Next.

8. In a new browser tab, go to your Salesforce environment.

### Task 2: Configure Salesforce to serve as SP

The next task is to prepare Salesforce to serve as an SP.

1. Salesforce documents these steps; follow [Create a SAML Single Sign-On Setting in Salesforce](https://help.salesforce.com/s/articleView?id=sf.sso_service_provider_configuration.htm&type=5) in Salesforce's documentation.

   > In step 3 of the Salesforce documentation, import the XML file you saved in task 1 by selecting New from Metadata File in Salesforce. The XML file you upload in Salesforce sets the necessary configurations; therefore, you don't need to complete the steps past step 3.

2. After configuring SSO in Salesforce, download Salesforce's SP metadata to import into Advanced Identity Cloud by clicking Download Metadata in Salesforce.

   ![Salesforce SP SSO settings](_images/idc-as-idp-saml/use-case-idc-as-idp-saml-salesforce-sso-config.png)

   The metadata file name looks similar to `SAMLSP-00DDp000001yWwS.xml`.

### Task 3: Configure custom SAML application

Now that you have configured Salesforce, you must configure the custom SAML Salesforce application in Advanced Identity Cloud to include the information Salesforce requires in the SAML assertion.

1. Go back to the Advanced Identity Cloud admin console. You should be on the Set Up Single Sign-On modal window.

   ![Upload Salesforce SP metadata into Advanced Identity Cloud](_images/idc-as-idp-saml/use-case-idc-as-idp-saml-upload-sp-metadata.png)

2. Click Browse and upload the SP metadata file you downloaded from Salesforce.

3. Click Next. The application displays. By default, Advanced Identity Cloud maps the following assertion attributes:

   | Name (SAML attribute) | Value (attribute in Advanced Identity Cloud) | Description |
   | --------------------- | -------------------------------------------- | ----------- |
   | `SSOID`               | `mail`                                       | Advanced Identity Cloud sends the property `mail` (email) as the SAML attribute `SSOID`. |
   | `User.Email`          | `mail`                                       | Advanced Identity Cloud sends the property `mail` (email) as the SAML attribute `User.Email`. |
   | `User.ProfileID`      | `"Standard.User"`                            | Advanced Identity Cloud sends the static value `Standard.User` as the SAML attribute `User.ProfileID`. |
   | `User.LastName`       | `sn`                                         | Advanced Identity Cloud sends the property `sn` (last name) as the SAML attribute `User.LastName`. |
   | `User.Username`       | `mail`                                       | Advanced Identity Cloud sends the property `mail` (email) as the SAML attribute `User.Username`. By default, the federation identifier is `mail`, mapped to the Salesforce attribute `User.Username`. Users can change their `mail` address in Advanced Identity Cloud, and doing so breaks their SAML connection to Salesforce. Either make `mail` immutable in Advanced Identity Cloud, or set a different, immutable attribute as the federation identifier. |

   > Salesforce supports many SAML assertion formats. For example, you can configure SAML to have a user's unique identifier in the `NameID` of the `Subject` block or in the `AttributeStatement` block. Refer to Salesforce's documentation on [Example SAML Assertions](https://help.salesforce.com/s/articleView?id=sf.sso_saml_assertion_examples.htm).

### Check in

At this point, you have:

* [Created](#idc-as-idp-saml-task-1) a custom SAML application in Advanced Identity Cloud for SSO with Salesforce.

* [Configured](#idc-as-idp-saml-task-2) Salesforce by importing Advanced Identity Cloud's IDP metadata and exporting Salesforce's SP metadata file.

* [Configured](#idc-as-idp-saml-task-3) the custom SAML application in Advanced Identity Cloud by importing Salesforce's SP metadata.

## Validation

Now that you created and configured a custom SAML application and configured Salesforce as the SP, validate the configurations by:

* Adding a user to the application

* Signing on as the end user to the Advanced Identity Cloud admin console

* Federating into Salesforce by clicking the Salesforce application

### Steps

1. From the Advanced Identity Cloud admin console, go to Applications > Salesforce SAML SSO > Users & Roles tab.

2. On the Users tab, click + Add Member.

3. Add the test user that exists in both Advanced Identity Cloud and Salesforce.

   ![Add a user to the custom SAML Salesforce application](_images/idc-as-idp-saml/use-case-idc-as-idp-saml-add-user-to-saml-app.png)

   The application now displays to the test user in the hosted account pages.

4. In an incognito window, log in to the hosted account pages as the test user.

   The default login URL for end users is the `Login` journey. In the Advanced Identity Cloud admin console:

   * Go to Journeys and click the `Login` journey.

   * In the Preview URL field, click the copy icon.

5. From the hosted account pages, click My Applications. The Salesforce SAML application displays.

6. Click the application. Advanced Identity Cloud redirects you to Salesforce, where you are already signed on.

   > If you receive an error in Salesforce, refer to the Salesforce article [Troubleshoot SAML Assertion Errors](https://help.salesforce.com/s/articleView?id=sf.sso_saml_validation.htm). This article discusses using Salesforce's SAML validator by providing the SAML assertion Advanced Identity Cloud sends. One way to obtain the SAML assertion is to use the browser plugin [SAML tracer](https://chrome.google.com/webstore/detail/saml-tracer/mpdajninpobndbfcldcmbpnnbhibjmch).
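The attribute mapping from task 3 and the troubleshooting step above, as an added example that is not part of Ping Identity's documentation or of either product's code: the script resolves the default mapping for a user record, builds an unsigned sample SAMLResponse in the shape the browser posts to Salesforce (the shape SAML tracer shows you), then parses a response back and reports what the Salesforce validator would reject, including the task 3 case where the user changes `mail` in Advanced Identity Cloud and the federation identifier no longer matches `User.Username`. The entity IDs, ACS URL and user records are constructed placeholders; real responses are signed, and signature verification is not covered here.

```python
"""Added example (not Ping Identity or Salesforce code): resolve the default
Advanced Identity Cloud -> Salesforce attribute mapping for a user, build an
unsigned sample SAMLResponse, then parse a response and report what the
Salesforce validator would reject. All identifiers below are placeholders."""
import base64
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"samlp": SAMLP, "saml": SAML}

# Placeholders: take the real values from the IDP metadata downloaded in
# task 1 and the SP metadata downloaded from Salesforce in task 2.
IDP_ENTITY_ID = "https://idc-tenant.example/am/saml2/IDP"
SP_ENTITY_ID = "https://example-dev-ed.my.salesforce.com"
SP_ACS_URL = "https://example-dev-ed.my.salesforce.com/?so=PLACEHOLDER"

# Default mapping from the page: SAML attribute name -> Advanced Identity
# Cloud property name, or a double-quoted literal for a static value.
DEFAULT_MAPPING = {
    "SSOID": "mail",
    "User.Email": "mail",
    "User.ProfileID": '"Standard.User"',
    "User.LastName": "sn",
    "User.Username": "mail",
}


def expected_attributes(user, mapping=DEFAULT_MAPPING):
    """Resolve the mapping against a user record (dict of IdC properties)."""
    resolved = {}
    for saml_name, source in mapping.items():
        if len(source) >= 2 and source[0] == source[-1] == '"':
            resolved[saml_name] = source[1:-1]   # static value
        else:
            resolved[saml_name] = user[source]   # user property
    return resolved


def build_sample_response(user, federation_attr="User.Username"):
    """Construct an UNSIGNED SAMLResponse (base64, as posted to the ACS URL).
    Real responses are signed; this models only the fields the validator checks."""
    attrs = expected_attributes(user)
    attr_xml = "".join(
        f'<saml:Attribute Name="{escape(n)}">'
        f"<saml:AttributeValue>{escape(v)}</saml:AttributeValue></saml:Attribute>"
        for n, v in attrs.items()
    )
    xml = (
        f'<samlp:Response xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" '
        f'Destination="{escape(SP_ACS_URL)}">'
        f"<saml:Assertion><saml:Issuer>{escape(IDP_ENTITY_ID)}</saml:Issuer>"
        f"<saml:Subject><saml:NameID>{escape(attrs[federation_attr])}</saml:NameID></saml:Subject>"
        f"<saml:Conditions><saml:AudienceRestriction><saml:Audience>{escape(SP_ENTITY_ID)}"
        "</saml:Audience></saml:AudienceRestriction></saml:Conditions>"
        f"<saml:AttributeStatement>{attr_xml}</saml:AttributeStatement>"
        "</saml:Assertion></samlp:Response>"
    )
    return base64.b64encode(xml.encode()).decode()


def parse_saml_response(b64):
    """Decode a SAMLResponse POST parameter and extract the fields Salesforce's
    validator reports on: Issuer, Destination, NameID, Audience, attributes."""
    root = ET.fromstring(base64.b64decode(b64))
    assertion = root.find("saml:Assertion", NS)
    attributes = {}
    for attr in assertion.findall("saml:AttributeStatement/saml:Attribute", NS):
        attributes[attr.get("Name")] = [
            v.text for v in attr.findall("saml:AttributeValue", NS)]
    return {
        "issuer": assertion.findtext("saml:Issuer", namespaces=NS),
        "destination": root.get("Destination"),
        "name_id": assertion.findtext("saml:Subject/saml:NameID", namespaces=NS),
        "audience": assertion.findtext(
            "saml:Conditions/saml:AudienceRestriction/saml:Audience", namespaces=NS),
        "attributes": attributes,
    }


def check_response(b64, user, salesforce_username, federation_attr="User.Username"):
    """Return a list of problems; empty means the assertion carries what the
    mapping promises and the federation identifier matches Salesforce."""
    parsed = parse_saml_response(b64)
    problems = []
    if parsed["issuer"] != IDP_ENTITY_ID:
        problems.append(f"Issuer {parsed['issuer']!r} is not the IDP entityID")
    if parsed["audience"] != SP_ENTITY_ID:
        problems.append(f"Audience {parsed['audience']!r} is not the SP entityID")
    if parsed["destination"] != SP_ACS_URL:
        problems.append(f"Destination {parsed['destination']!r} is not the ACS URL")
    for name, value in expected_attributes(user).items():
        got = parsed["attributes"].get(name)
        if got != [value]:
            problems.append(f"attribute {name}: expected {[value]!r}, got {got!r}")
    fed = parsed["attributes"].get(federation_attr, [None])[0]
    if fed != salesforce_username:
        problems.append(f"federation identifier {federation_attr}={fed!r} does not "
                        f"match Salesforce User.Username {salesforce_username!r}")
    return problems


# Constructed test user, provisioned to Salesforce with User.Username == mail.
USER = {"mail": "test.user@example.com", "sn": "User"}
SALESFORCE_USERNAME = "test.user@example.com"

if __name__ == "__main__":
    print("as provisioned:", check_response(build_sample_response(USER), USER, SALESFORCE_USERNAME))
    # Task 3 caveat: the user edits mail in Advanced Identity Cloud; the assertion
    # stays internally consistent, but Salesforce no longer finds the user.
    changed = dict(USER, mail="t.user@example.com")
    print("after mail change:", check_response(build_sample_response(changed), changed, SALESFORCE_USERNAME))
```

To use this against a real capture, paste the `SAMLResponse` value from SAML tracer into `check_response` together with the user's current Advanced Identity Cloud properties and their Salesforce `User.Username`; any entry in the returned list is the field to compare against the Salesforce validator's output.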

### Video of validation

The following video displays the expected validation as an end user using SSO from the hosted account pages to log in to Salesforce:

[Video: validation of IDP-initiated SSO to Salesforce](../use-cases/_images/idc-as-idp-saml/mp4/use-case-idc-as-idp-saml-validation-video.mp4)

## Explore further

### Reference material

| Reference                                                                                                       | Description                                                                      |
| --------------------------------------------------------------------------------------------------------------- | -------------------------------------------------------------------------------- |
| [Register a custom SAML app](../app-management/register-a-custom-application.html#custom-saml-app-template-sso) | Instructions on setting up a custom SAML application for SSO.                    |
| [Implement SSO and SLO](../am-saml2/saml2-sso-slo.html)                                                         | Detailed information on SAML SSO and single logout (SLO).                        |
| [My applications](../end-user/hosted-pages-account.html#my-applications)                                        | Learn how end users can access applications for SSO in the hosted account pages. |
| [Configure Salesforce as a SAML SP](https://help.salesforce.com/s/articleView?id=sf.sso_saml.htm&type=5)        | Learn how to configure Salesforce as a SAML service provider.                    |
