---
title: Federating PingOne and Salesforce
description: This configuration allows you to sign on to PingOne with a Salesforce account.
component: solution-guides
page_id: solution-guides:single_sign-on_use_cases:htg_federate_p1_salesforce
canonical_url: https://docs.pingidentity.com/solution-guides/single_sign-on_use_cases/htg_federate_p1_salesforce.html
revdate: July 18, 2022
page_aliases: ["single_sign-on_use_cases:htg_federate_p1_salesforce_enable_sf_idp.adoc", "single_sign-on_use_cases:htg_federate_p1_salesforce_create_idp_p1.adoc", "single_sign-on_use_cases:htg_federate_p1_salesforce_create_connected_app.adoc", "single_sign-on_use_cases:htg_federate_p1_salesforce_add_idp_authn_policy.adoc", "single_sign-on_use_cases:htg_federate_p1_salesforce_create_sf_perms.adoc", "single_sign-on_use_cases:htg_federate_p1_salesforce_assign_users_perms.adoc", "single_sign-on_use_cases:htg_federate_p1_salesforce_sf_signon.adoc"]
section_ids:
  before-you-begin: Before you begin
  enabling-the-salesforce-identity-provider: Enabling the Salesforce identity provider
  steps: Steps
  creating-an-identity-provider-in-pingone: Creating an identity provider in PingOne
  steps-2: Steps
  creating-a-connected-app-in-saleforce: Creating a connected app in Salesforce
  steps-3: Steps
  adding-the-idp-to-the-pingone-authentication-policy: Adding the IdP to the PingOne authentication policy
  steps-4: Steps
  creating-a-permission-set-in-salesforce: Creating a permission set in Salesforce
  steps-5: Steps
  assigning-users-to-the-permission-set: Assigning users to the permission set
  steps-6: Steps
  signing-on-with-your-salesforce-idp: Signing on with your Salesforce IdP
  steps-7: Steps
  result: Result
---

# Federating PingOne and Salesforce

This configuration allows you to sign on to PingOne with a Salesforce account.

## Before you begin

* Configure a domain in Salesforce. When the domain is registered, Salesforce sends you an email.

* Create at least one user in Salesforce.

## Enabling the Salesforce identity provider

### Steps

1. Sign on to the Salesforce developer console.

2. Go to **Identity → Identity Provider** and click **Enable Identity Provider**.

3. Click **Download Certificate**.

4. Click **Download Metadata**.

## Creating an identity provider in PingOne

### Steps

1. Sign on to the PingOne admin console.

2. Go to **Connections → External IDPs** and click **+ Add Provider**.

3. Click **SAML**.

4. On the **Create IDP Profile** tab, in the **Name** field, enter a name. Click **Continue**.

5. On the **Configure PingOne Connection** tab, record the entity ID value from the **PingOne (SP) Entity ID** field, and then click **Continue**.

6. On the **Configure IDP Connection** tab, select the **Import Metadata** button, and then click **Choose**.

7. Select the metadata file.

8. In the **SSO Binding** section, select the **HTTP POST** button.

9. In the **Verification Certificate** section, click **Choose** and import the verification certificate.

10. Click **Save and Continue**.

11. On the **Map Attributes** tab, map any additional attributes of your choice. Click **Save & Finish**.

    Consider adding an email address mapping.

12. Return to the **Identity Providers** list, and click the toggle to enable your IdP.

13. Click the **Pencil** icon on your IdP, and then go to the **IDP Configuration** tab.

14. Record the value of the **ACS Endpoint** field.

## Creating a connected app in Salesforce

### Steps

1. In your Salesforce developer console, go to **Apps → App Manager** and click **New Connected App**.

2. In the **Basic Information** section, complete the required fields.

3. In the **Web App Settings** section, select the **Enable SAML** checkbox.

4. In the **Entity Id** field, enter the PingOne entity ID.

5. In the **ACS URL** field, enter the ACS endpoint.

6. From the **IdP Certificate** list, select the certificate that is used by your Salesforce IdP.

7. Save the connected app configuration.

## Adding the IdP to the PingOne authentication policy

### Steps

1. In the PingOne admin console, go to **Experiences → Authentication Policies**.

2. Click the **Pencil** icon to edit a policy or click **+ Add Policy** to create a new one.

3. Select the **Enable registration** checkbox for the **Login** step.

4. From the **Population** list, select a population.

5. From the **Presented Identity Providers** list, select your IdP. Click **Save**.

   You can add your IdP to as many authentication policies as you like.

## Creating a permission set in Salesforce

### Steps

1. In your Salesforce developer console, go to **Users → Permission Sets**. Click **New**.

   ![A screen capture of the Permission Sets window in Salesforce, highlighting the New button with a red rectangle.](_images/osp1614196228639.png)

2. Complete the required fields. Click **Save**.

   Selecting **--None--** from the license list defaults to the license of the user signing on.

3. From the **Permission Sets** list, select your new permission set.

4. From the **Apps** list, select **Assigned Connected Apps**.

5. Click **Edit**, select your PingOne app, and click the arrow to move it to the **Enabled Connected Apps** window. Click **Save**.

## Assigning users to the permission set

### Steps

1. From the **Permission Sets** list, select your new permission set.

2. Click **Manage Assignments**, and then click **Add Assignments**.

3. From the **All Users** list, select the checkboxes of the users you want to assign. Click **Assign**, and then click **Done**.

## Signing on with your Salesforce IdP

### Steps

* Go to your PingOne self-service URL and click the button to sign on with your Salesforce IdP.

  You can find your self-service URL in the **Dashboard → Environment Properties** tab of PingOne. For example, https://apps.pingone.com/91d9925b-2220-4933-948e-1a1e450b7af1/myaccount/

### Result

PingOne prompts you to create a new user.
