---
title: Adding Salesforce to Your PingOne for Enterprise Dock
description: Add the Salesforce application your PingOne for Enterprise Dock from the application catalog.
component: pingoneforenterprise
page_id: pingoneforenterprise:pingone_for_enterprise_app_catalog:p14eapps_salesforce
canonical_url: https://docs.pingidentity.com/pingoneforenterprise/pingone_for_enterprise_app_catalog/p14eapps_salesforce.html
revdate: October 4, 2023
section_ids:
  steps: Steps
  next-steps: Next steps
  salesforce-connection-configuration: Salesforce Connection Configuration
  steps-2: Steps
  choose-from: Choose from:
  choose-from-2: Choose from:
  next-steps-2: Next steps
  salesforce-provisioning: Salesforce Provisioning
  before-you-begin: Before you begin
  about-this-task: About this task
  steps-3: Steps
  choose-from-3: Choose from:
  example: Example:
  choose-from-4: Choose from:
  result: Result:
  next-steps-3: Next steps
  salesforce-attribute-mapping: Salesforce Attribute Mapping
  about-this-task-2: About this task
  steps-4: Steps
  choose-from-5: Choose from:
  next-steps-4: Next steps
  salesforce-customization: Salesforce Customization
  steps-5: Steps
  next-steps-5: Next steps
  salesforce-group-access: Salesforce Group Access
  about-this-task-3: About this task
  steps-6: Steps
  next-steps-6: Next steps
---

# Adding Salesforce to Your PingOne for Enterprise Dock

Add the Salesforce application your PingOne for Enterprise Dock from the application catalog.

## Steps

1. In the PingOne for Enterprise admin console, go to **Applications > Application Catalog**.

2. **Optional:** In the **Search** field, search for the application.

3. Click the **Salesforce** application line to expand it, and then and click **Setup**.

4. On the **SSO Instructions** tab, click **Download** to download the signing certificate.

5. In a separate tab or window, sign on to the Salesforce admin portal.

6. In Salesforce, go to **Setup > Administer > Security Controls > Single Sign-On Settings**.

7. Select the **SAML Enabled** checkbox.

8. In the **Name** field, enter a name for the connection to PingOne.

9. In the **Issuer** field, enter the **Issuer** value from PingOne.

10. On the **Identity Provider Certificate** line, click **Browse** to upload the signing certificate you downloaded in step 4.

11. From the **SAML Identity Type** list, select **Assertion contains User's salesforce.com username**.

12. From the **SAML Identity Location** list, select **Identity is in the NameIdentifier element of the Subject Statement**.

13. In the **API Name** field, enter a unique name for the API.

14. In the **Entity ID** field, enter `https://saml.salesforce.com`

    If you have a Salesforce.com My Domain URL, you can enter it into this field instead.

15. **Optional:** In the **Identity Provier Login URL**, enter `https://sso.connect.pingidentity.com/sso/idp/SSO.saml2?idpid=<IdP ID>`, replacing *\<IdP ID>* with the **IdP ID** value from PingOne.

16. **Optional:** In the **Identity provider Logout URL** field, enter `https://sso.connect.pingidentity.com/sso/terminatesession.aspx?page=https://www.salesforce.com`.

17. **Optional:** In the **Custom Error URL**, enter a URL to redirect users to when an error occurs.

    If your identity bridge is AD Connect with IIS, you can enter `https://<AD Connect IIS Server URL>/ADconnect/error.aspx`.

18. Click **Save**.

    |   |                                                                                   |
    | - | --------------------------------------------------------------------------------- |
    |   | Keep the Salesforce tab open, as you will need values from it for the next steps. |

## Next steps

In PingOne for Enterprise, click **Continue to Next Step**.

## Salesforce Connection Configuration

### Steps

1. Import the metadata for Salesforce:

   #### Choose from:

   * Click **Select File** to upload the metadata file.

   * Click **Or use URL** to enter the URL of the metadata.

2. In the **ACS URL** field, enter the **Salesforce Login URL** value from Salesforce.

3. In the **Entity ID** field, enter the **Entity ID** value from Salesforce.

4. In the **Target Resource** field, enter a URL to redirect the user to after IdP-initiated single sign-on (SSO).

5. In the **Single Logout Endpoint** field, enter a URL for PingOne to send single logout (SLO) requests to.

6. In the **Single Logout Response Endpoint** field, enter a URL for PingOne to send SLO responses to.

7. To add a **Primary Verification Certificate**, click **Browse** to locate and upload a local certificate file used to verify SLO requests and responses coming from Salesforce.

8. To add a **Secondary Verification Certificate**, click **Browse** to locate and upload a local certificate used to verify SLO requests and responses if the primary certificate fails.

9. Select the **Force Re-authentication** checkbox to require your identity bridge to re-authenticate users with an active SSO session.

10. Select the **Encrypt Assertion** checkbox to encrypt outgoing SAML assertions.

11. On the **Signing** line:

    #### Choose from:

    * Click **Sign Assertion** to have PingOne sign outgoing SAML assertions. This is the default option.

    * Click **Sign Response** to have PingOne sign responses to incoming SAML assertions.

12. From the **Signing Algorithm** list, select an algorithm with which to sign SAML assertions.

13. Select the **Use Custom URL** checkbox to enter a customer URL to launch Salesforce from the dock.

14. Select the **Set Up Provisioning** checkbox to configure user provisioning to Salesforce.

### Next steps

Click **Continue to Next Step**.

## Salesforce Provisioning

### Before you begin

Ensure that popups are permitted in your browser.

### About this task

|   |                                                                                                                                |
| - | ------------------------------------------------------------------------------------------------------------------------------ |
|   | If you don't need to set up user provisioning, proceed to [Salesforce Attribute Mapping](p14eapps_salesforce_attributes.html). |

If you selected **Set Up Provisioning** on the **Connection configuration** tab:

### Steps

1. In PingOne, click **Continue to Next Step** to proceed to the **Application Configuration** tab.

2. Chose how Salesforce will deprovision:

   #### Choose from:

   * Select the **FREEZE\_USER\_FLAG** checkbox to freeze a deprovisioned user account.

   * Leave the checkbox clear to deactivate a deprovisioned user account.

3. In the **SUBDOMAIN** field, your Salesforce subdomain

   #### Example:

   If your Salesforce URL is `example.my.salesforce.com`, your subdomain is `example.my`.

4. From the **PERMISSION\_SET\_MANAGEMENT** list, select how to handle permission sets provisioned from PingOne to Salesforce:

   #### Choose from:

   * Select **Merge with permission sets in Salesforce** to add provisioned PingOne user permissions to existing permission sets in Salesforce.

   * Select **Overwrite permission sets in Salesforce** to overwrite permissions in Salesforce with the provisioned permissions from PingOne.

5. Click **Continue to Next Step**.

6. On the **Connection Configuration** tab, click **Activate**.

   #### Result:

   PingOne opens the Salesforce sign-on page in a pop-up window.

7. Sign on to Salesforce as an administrative user.

8. Click **Allow**.

### Next steps

In PingOne, click **Continue to Next Step**.

## Salesforce Attribute Mapping

### About this task

PingOne for Enterprise will automatically populate required SAML attributes.

For Salesforce, the required attribute is `SAML_SUBJECT`.

### Steps

1. To add an additional optional attribute, click **Add new attribute**.

2. In the **Application Attribute** field, enter the attribute name as it appears in the application.

3. In the **Identity Bridge Attribute or Literal Value** field, choose one of the following:

   #### Choose from:

   * To map to the application attribute: Enter or select a directory attribute.

   * To assign to the application attribute: Select **As Literal**, then enter a literal value.

4. To create advanced attribute mappings, click **Advanced**.

   Learn more in [Creating advanced attribute mappings](../pingone_for_enterprise/p14e_creating_advaced_attribute_mappings.html).

### Next steps

Click **Continue to Next Step**.

## Salesforce Customization

### Steps

* To change the application icon, click **Select image** and upload a local image file.

  The image file must be:

  * PNG, GIF, or JPG format

  * 312 x 52 pixels maximum

  * 2 MB maximum file size

    |   |                                                  |
    | - | ------------------------------------------------ |
    |   | Images are scaled to 64 x 64 pixels for display. |

* To change the name of the application displayed on the dock, in the **Name** field, enter a new name.

* To change the description of the application, in the **Description** field, enter the new description text.

* To change the category to which the application is assigned on the dock, in the **Category** list, select a category.

  Learn more in [Creating a custom application category](../pingone_for_enterprise/p14e_creating_custom_application_category.html).

### Next steps

Click **Continue to Next Step**.

## Salesforce Group Access

### About this task

The **Group Access** tab shows every user group that you have created.

Learn more in [Adding user groups](../pingone_for_enterprise/p14e_add_groups.html).

### Steps

* To add a group's access to the application, on the line for that group, click **Add**.

* To remove a group's access, on the line for that group, click **Remove**.

* When you're finished assigning groups, click **Continue to Next Step**.

### Next steps

On the **Review Setup** tab, review your configuration, and click **Finish** to add the application to your PingOne Dock.