Configuring SAML SSO with Salesforce and PingOne

Page created: 21 Apr 2021 |

Page updated: 10 Feb 2022

| 3 min read

Configuration User task Single Sign-on (SSO) Capability PingOne for Enterprise Product SAML Standards, specifications, and protocols

Enable Salesforce sign-on from the PingOne console (IdP-initiated sign on) plus single logout (SLO).

Link PingOne to an identity repository containing the users requiring application access.
Populate Salesforce with at least one user to test access.
You must have administrative access to PingOne and Salesforce.

Extract the PingOne metadata for the Salesforce application:
1. Sign on to PingOne for Enterprise and go to Applications > Application Catalog.
2. Search for Salesforce.
3. Expand the Salesforce entry and click the Setup icon.
4. Click Continue to Next Step until you're on the Group Access page.
  
  Note:
  You'll configure the application settings later through metadata.
5. Click Add for each user group that should have access to Salesforce.
6. Click Continue to Next Step.
7. Download the PingOne signing certificate and SAML metadata.
8. Click Finish.
Add the PingOne IdP Connection to Salesforce:
1. Sign on to your Salesforce domain as an administrator.
2. Click the Gear icon, then go to Setup > Identity > Single Sign-On Settings.
3. On the Single Sign-On Settings page, click Edit.
4. Select the SAML Enabled check box to enable the use of SAML SSO. Click Save.
5. Click New From Metadata File.
6. Click Choose File, select the SAML metadata file that you downloaded from PingOne, and click Create.
  
  The summary screen opens.
7. On the Identity Provider Certificate line, click Choose File and select the signing certificate that you downloaded from PingOne.
8. Set Service Provider Initiated Request Binding to HTTP POST.
9. Set Single Logout Request Binding to HTTP POST.
10. Clear the Single Logout Enabled check box if you don't require single logout.
  
  The summary screen will look like the following example.
11. Ignore the metadata file warnings and click Save.
12. Click Download Metadata to save the Salesforce metadata.
Import the Salesforce metadata into PingOne.
1. Sign on to PingOne for Enterprise and go to Applications > My Applications.
2. Expand the Salesforce entry and click Edit.
3. Click Continue to Next Step.
4. Click Select File and select the metadata file that you downloaded from Salesforce.
  
  The ACS URL, Entity ID, Single Logout Endpoint, and Primary Verification Certificate fields should now be populated.
5. Click Continue to Next Step on the remaining pages. Click Finish.
  
  Note:
  This step assumes that your usernames in Salesforce match the ones in PingOne. If this is not the case, then you must map the expected Salesforce username value on the third page.
Test the PingOne IdP-initiated SSO integration:
1. Go to your Ping desktop as a user with Salesforce access.
  
  Note:
  To find the Ping desktop URL in the Admin console, go to Setup > Dock > PingOne Dock URL.
2. Complete PingOne authentication.
  
  You're redirected to your Salesforce domain.

Configuring SAML SSO with Salesforce and PingOne - PingOne for Enterprise

Configuration Guides