To allow PingFederate to act as an identity provider and manage users in Salesforce, create a service provider (SP) connection.
In the PingFederate administrator console, create a new SP connection:
- For PingFederate 10.1 or later: go to Create Connection. . Click
- For PingFederate 10.0 or earlier: go to Create Connection. . Click
Configure the basic connection details with the Salesforce quick connection template.
- On the Connection Template tab, select Use a template for this connection.
- From the Connection Template list, select Salesforce Provisioner.
- On the Metadata File row, upload the SAMLSP-xxxxxxxxxxxxxxx.xml file that you saved in Registering PingFederate as an SSO provider in Salesforce. Click Next.
- On the Connection Type tab, select Browser SSO Profiles and Outbound Provisioning. Click Next.
- On the Connection Options tab, click Next.
- On the General Info tab, if you configured a custom entity ID in the Issuer field in Registering PingFederate as an SSO provider in Salesforce, enter the name in the Virtual Server IDs field, and then click Add.
- In the Connection Name field, enter a name of your choosing. Click Next.
On the Browser SSO screen, configure browser SSO with the
If you want to integrate with Salesforce Communities, set your Salesforce Communities URL as the default for SSO.
- On the tab, find your Salesforce Communities URL.
- In the Actions column, click Edit.
- In the Default column, select the check box. Click Update.
On the Credentials screen, configure the digital signature settings with the following details.
For help, see Configuring credentials in the PingFederate documentation.
- On the Digital Signature Settings screen, in the Signing Certificate list, select your certificate.
- Select Include the certificate in the signature <KeyInfo> element. Click Done.
On the Outbound Provisioning screen, configure provisioning with the following details.
For help, see Configuring outbound provisioning in the PingFederate documentation.
- On the Target tab, in the Client ID field, enter the Consumer Key that you noted in Registering PingFederate as a connected app in Salesforce.
- In the Client Secret field, enter the Consumer Secret that you noted in Registering PingFederate as a connected app in Salesforce.
- In the OAuth Access Token field, enter the Access Token that you noted in Getting an API access token from Salesforce.
- In the OAuth Refresh Token field, enter the Refresh Token that you noted in Getting an API access token from Salesforce.
- If you want to provision to Salesforce Communities, select Enable Communities.
- Under Provisioning Options, customize the provisioning connector behavior. Click Next.
On the tab, at the bottom of the attribute list, click Refresh Fields to get fields and specifications from your Salesforce site. Complete the attribute mappings by referring to Supported attributes reference.
For help, see Managing channels in the PingFederate documentation.
CAUTION: If you are provisioning to Salesforce Communities, you must map attributes for any Salesforce fields that are required, including custom fields in users and contacts.
On the Activation and Summary screen, above the Summary section, note the SSO Application
Use this value for the Identity Provider Login URL of the provider that you configured in Registering PingFederate as an SSO provider in Salesforce.
- Turn on the connection, and then click Save.
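
A check for the Credentials step above, as an added example that is not part of the PingFederate documentation: it reads a SAML response captured from your own test sign-on, extracts the certificate embedded in the signature's KeyInfo element, and compares its SHA-256 fingerprint with that of the signing certificate you selected. The function names and the sample response are constructed for illustration, and the script does not validate the XML signature itself.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

DS = "{http://www.w3.org/2000/09/xmldsig#}"
CERT_PATH = f".//{DS}Signature/{DS}KeyInfo/{DS}X509Data/{DS}X509Certificate"


def embedded_cert_fingerprints(saml_xml: str) -> list[str]:
    """SHA-256 fingerprints (hex) of every certificate carried in a signature's KeyInfo."""
    root = ET.fromstring(saml_xml)
    prints = []
    for node in root.iterfind(CERT_PATH):
        # XML tooling often wraps base64 across lines; drop all whitespace first.
        der = base64.b64decode("".join((node.text or "").split()), validate=True)
        prints.append(hashlib.sha256(der).hexdigest())
    return prints


def check_keyinfo(saml_xml: str, pinned_sha256: str) -> str:
    """Return 'missing', 'mismatch' or 'match' for the embedded signing certificate."""
    pinned = pinned_sha256.replace(":", "").lower()
    prints = embedded_cert_fingerprints(saml_xml)
    if not prints:
        return "missing"      # no certificate in KeyInfo: the option is not in effect
    if any(p != pinned for p in prints):
        return "mismatch"     # signed with a different certificate than the one expected
    return "match"


# Constructed sample: placeholder bytes stand in for the DER-encoded certificate.
CONSTRUCTED_DER = b"constructed placeholder, not a real X.509 certificate"
_b64 = base64.b64encode(CONSTRUCTED_DER).decode()
SAMPLE_RESPONSE = f"""<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
  <ds:Signature>
    <ds:SignatureValue>constructed</ds:SignatureValue>
    <ds:KeyInfo><ds:X509Data><ds:X509Certificate>
      {_b64[:20]}
      {_b64[20:]}
    </ds:X509Certificate></ds:X509Data></ds:KeyInfo>
  </ds:Signature>
</samlp:Response>"""

if __name__ == "__main__":
    pinned = hashlib.sha256(CONSTRUCTED_DER).hexdigest()
    print(check_keyinfo(SAMPLE_RESPONSE, pinned))
```

The pinned fingerprint should come from the certificate you selected in the Signing Certificate list, never from the response being checked.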