1. In the PingFederate administrator console, create a new SP connection:
    • For PingFederate 10.1 or later: go to Applications > Integration > SP Connections. Click Create Connection.
    • For PingFederate 10.0 or earlier: go to Identity Provider > SP Connections. Click Create Connection.
  2. Configure the basic connection details with the Salesforce quick connection template.
    1. On the Connection Template tab, select Use a template for this connection.
    2. From the Connection Template list, select Salesforce Provisioner.
    3. On the Metadata File row, upload the SAMLSP-xxxxxxxxxxxxxxx.xml file that you saved in Registering PingFederate as an SSO provider in Salesforce. Click Next.
    4. On the Connection Type tab select Browser SSO Profiles and Outbound Provisioning. Click Next.
    5. On the Connection Options tab, click Next.
    6. On the General Info tab, If you configured a custom entity ID in the Issuer field in Registering PingFederate as an SSO provider in Salesforce, enter the name in the Virtual Server IDs field, and then click Add.
    7. In the Connection Name field, enter a name of your choosing. Click Next.
  3. On the Browser SSO screen, configure browser SSO with the following details.

    For help, see Configuring IdP Browser SSO and Configure SSO token creation in the PingFederate documentation.

    If you want to integrate with Salesforce Communities, set your Salesforce Communities URL as the default for SSO.

    1. On the Browser SSO > Protocol Settings > Assertion Consumer Service URL tab, find your Salesforce Communities URL.
    2. In the Actions column, click Edit.
    3. In the Default column, select the check box. Click Update.
  4. On the Credentials screen, configure the digital signature settings with the following details.

    For help, see Configuring credentials in the PingFederate documentation.

    1. On the Digital Signature Settings screen, in the Signing Certificate list, select your certificate.
    2. Select Include the certificate in the signature <keyinfo> element. Click Done.
  5. On the Outbound Provisioning screen, configure provisioning with the following details.

    For help, see Configuring outbound provisioning in the PingFederate documentation.

    1. On the Target tab, in the Client ID field, enter the Consumer Key that you noted in Registering PingFederate as a connected app in Salesforce.
    2. In the Client Secret field, enter the Consumer Secret that you noted in Registering PingFederate as a connected app in Salesforce.
    3. In the OAuth Access Token field, enter the Access Token that you noted in Getting an API access token from Salesforce.
    4. In the OAuth Refresh Token field, enter the Refresh Token that you noted in Getting an API access token from Salesforce.
    5. If you want to provision to Salesforce Communities, select Enable Communities.
    6. Under Provisioning Options, customize the provisioning connector behavior. Click Next.
    7. On the Manage Channels > Attribute Mapping tab, at the bottom of the attribute list, click Refresh Fields to get fields and specifications from your Salesforce site. Complete the attribute mappings by referring to Supported attributes reference.
      For help, see Managing channels in the PingFederate documentation.
      CAUTION: If you are provisioning to Salesforce Communities, you must map attributes for any Salesforce fields that are required, including custom fields in users and contacts.
  6. On the Activation and Summary screen, above the Summary section, note the SSO Application Endpoint.
    Use this value for the Identity Provider Login URL of the provider that you configured in Registering PingFederate as an SSO provider in Salesforce.
  7. Turn on the connection, and then click Save.