Configuring SAML SSO with Salesforce and PingFederate

Page created: 23 Apr 2021 |

Page updated: 10 Feb 2022

| 3 min read

Configuration User task Single Sign-on (SSO) Capability

Enable Salesforce sign on from a PingFederate URL (IdP-initiated sign on) plus single logout (SLO).

Configure PingFederate to authenticate against an IdP or datastore containing the users requiring application access.
Populate Salesforce with at least one user to test access.
You must have administrative access to PingFederate and Salesforce.

Create a PingFederate SP connection for Salesforce:
1. Sign on to the PingFederate administrative console.
2. Create an SP connection for Salesforce in PingFederate:
  - Configure using Browser SSO profile SAML 2.0.
  - Set Partner's Entity ID to Entity ID.
  - Enable the following SAML Profiles:
    - IDP-Initiated SSO
    - SP Initiated SSO
    - IDP-Initiated SLO
    - SP Initiated SLO
  - In Assertion Creation > Authentication Source Mapping > Attribute Contract Fulfillment, map the SAML_SUBJECT to the attribute containing the Salesforce username.
  - In Protocol Settings > Assertion Consumer Service URL, set Binding to POST and set Endpoint URL to ACS URL.
  - In Protocol Settings > SLO Service URLs, set Binding to POST and set Endpoint URL to SLO URL.
  - In Protocol Settings > Allowable SAML Bindings, enable POST.
  - In Credentials > Digital Signature Settings, select the PingFederate Signing Certificate.
  - In Credentials > Signature Verification, set Trust Model to Unanchored.
  - In Credentials > Signature Verification > Signature Verification Certificate, select the PingFederate Signing Certificate.
    Note:
    This certificate is a placeholder and will be replaced with a Salesforce certificate.
3. Export the metadata for the newly created Salesforce SP connection.
4. Export the signing certificate.
Add the PingFederate IDP Connection to Salesforce:
1. Sign on to your Salesforce domain as an administrator.
2. Click the Gear icon, then go to Setup > Identity > Single Sign-On Settings.
3. On the Single Sign-On Settings page, click Edit.
4. Select the SAML Enabled check box to enable the use of SAML single sign-on. Click Save.
5. Click New From Metadata File.
6. Click Choose File, select the metadata that you downloaded from PingFederate, and click Create.
  
  The summary screen opens.
7. In the Identity Provider Certificate section, click Choose file and select the signing certificate that you downloaded from PingFederate.
8. Clear the Single Logout Enabled check box if you don't require single logout.
  
  The summary page appears as shown in the following example.
  
  $Screen capture of the SAML Single Sign-On Settings with the Save button highlighted in red.$
9. Click Save.
10. On the summary page for the configuration that you saved in the previous step, click Edit.
11. Click the link on the Request Signing Certificate line.
12. Click Download Certificate.
Import the Salesforce certificate into PingFederate:
1. Sign on to the PingFederate administrative console.
2. Open the Salesforce SP connection and click Signature Verification Certificate.
3. Delete the placeholder certificate and upload the certificate that you downloaded from Salesforce.
4. Save the configuration.
Test the PingFederate IdP-initiated SSO integration:
1. Go to the PingFederate SSO application endpoint for the Salesforce SP connection.
2. Complete PingFederate authentication.
  
  You're redirected to your Salesforce domain.