Configuring SSO between Salesforce and an Identity Provider (IdP) has two sides: the IdP side and the Salesforce side. Both need certificates, identifiers, and attribute mappings that match exactly. Use the IdP's Salesforce integration template if one is available; build the integration manually only if no template exists or the configuration requires customization.
- Decide between SAML and OpenID Connect
Use SAML for legacy enterprise IdPs that do not support OIDC, and OIDC for new integrations with modern IdPs. Both work; OIDC is easier to debug and lighter to operate. Confirm with the IdP team which protocols they support.
- Designate the Federated ID field
Pick the field on the Salesforce User record that identifies the user to the IdP: Username, Federation Identifier, or a custom field. The IdP must assert the matching value in the SAML NameID or the OIDC sub claim.
- Enable My Domain and configure SSO Settings
Salesforce SSO requires My Domain. Go to Setup > My Domain and activate it, then Setup > Single Sign-On Settings > New. Upload the IdP certificate, enter the IdP entity ID, and configure the attribute mappings.
- Configure the Salesforce app on the IdP
On the IdP side (Okta, Entra, Ping), create a new Salesforce application; most IdPs provide a template. Configure the ACS URL (the Salesforce SAML endpoint), the entity ID, and the signing certificate.
- Configure attribute mappings
Map IdP user attributes to Salesforce user fields. Common mappings: email, first name, last name, and role/profile. JIT provisioning needs more mappings; with SCIM they are handled through the SCIM API instead.
- Test SP-initiated SSO
Navigate to your Salesforce My Domain URL. The login screen should show the SSO button or auto-redirect to the IdP. Authenticate with IdP credentials. Confirm successful redirect back into Salesforce with the right user identity.
- Test IdP-initiated SSO
From the IdP user portal, click the Salesforce tile. Confirm the user lands in Salesforce with the right identity. If deep linking is configured, confirm the user lands on the intended page.
- Set up certificate expiration monitoring
Build alerts for upcoming certificate expirations on both sides. Salesforce sends warning emails 90, 60, and 30 days before expiration. The IdP typically has its own monitoring. Both sides need to rotate before the certificate expires or SSO breaks.
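The steps above end with two configurations that must agree and a certificate-monitoring requirement. As an added example that is not part of the original page and is not Salesforce or IdP vendor code, the Python script below parses IdP SAML metadata, compares it with the values entered on the Salesforce side and on the IdP's Salesforce app, and classifies certificate expiry into the same 90/60/30-day bands. Every host, entity ID, the ACS path and the dates are constructed sample values; the check on the ACS URL only verifies scheme and My Domain host, since the exact ACS URL is whatever Salesforce displays.

```python
"""Pre-flight consistency check for a Salesforce <-> SAML IdP pairing.

Added example, not Salesforce or IdP vendor code. The IdP metadata, the
Salesforce-side settings, the IdP-app settings and the certificate dates
are constructed sample values.
"""
import xml.etree.ElementTree as ET
from datetime import date

MD = "{urn:oasis:names:tc:SAML:2.0:metadata}"
DS = "{http://www.w3.org/2000/09/xmldsig#}"
REDIRECT_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
WARNING_DAYS = (90, 60, 30)  # the bands Salesforce itself warns at
SAMPLE_TODAY = date(2025, 1, 20)  # constructed "today" for the demo run

# Constructed IdP metadata; the certificate body is a placeholder, not a real cert.
SAMPLE_IDP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://idp.example.com/saml">
  <md:IDPSSODescriptor>
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>PLACEHOLDER-NOT-A-REAL-CERT</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.com/saml/sso"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

# Constructed: what was typed into Setup > Single Sign-On Settings (hypothetical hosts).
SALESFORCE_SIDE = {
    "idp_entity_id": "https://idp.example.com/saml",
    "idp_login_url": "https://idp.example.com/saml/sso",
    "my_domain": "https://acme.my.salesforce.com",
}
# Constructed: what was typed into the IdP's Salesforce app. The ACS path is a
# placeholder (copy the exact ACS URL Salesforce displays); note the http scheme.
IDP_APP_SIDE = {
    "sp_entity_id": "https://acme.my.salesforce.com",
    "acs_url": "http://acme.my.salesforce.com/acs-path-placeholder",
}
# Constructed expiry dates for the certificates on each side.
SAMPLE_CERTS = [
    ("salesforce", "SP signing cert", date(2025, 2, 19)),
    ("idp", "IdP signing cert", date(2025, 6, 15)),
    ("idp", "previous IdP cert still uploaded", date(2025, 1, 1)),
]


def parse_idp_metadata(xml_text: str) -> dict:
    """Extract entity ID, redirect-binding SSO URL and signing cert from IdP metadata."""
    root = ET.fromstring(xml_text)
    idp = root.find(f"{MD}IDPSSODescriptor")
    if idp is None:
        raise ValueError("metadata has no IDPSSODescriptor")
    signing_cert = None
    for kd in idp.findall(f"{MD}KeyDescriptor"):
        # A KeyDescriptor without 'use' serves both signing and encryption.
        if kd.get("use", "signing") == "signing":
            node = kd.find(f"{DS}KeyInfo/{DS}X509Data/{DS}X509Certificate")
            if node is not None and node.text and node.text.strip():
                signing_cert = node.text.strip()
                break
    sso_url = None
    for sso in idp.findall(f"{MD}SingleSignOnService"):
        if sso.get("Binding") == REDIRECT_BINDING:
            sso_url = sso.get("Location")
    return {"entity_id": root.get("entityID"), "sso_url": sso_url,
            "signing_cert": signing_cert}


def check_pairing(idp: dict, sf_side: dict, idp_app: dict) -> list:
    """List mismatches that would make the first SP-initiated test fail."""
    findings = []
    if idp["signing_cert"] is None:
        findings.append("IdP metadata has no signing certificate to upload")
    if idp["entity_id"] != sf_side["idp_entity_id"]:
        findings.append("IdP entity ID in Salesforce differs from metadata")
    if idp["sso_url"] != sf_side["idp_login_url"]:
        findings.append("IdP login URL in Salesforce differs from metadata")
    for key in ("sp_entity_id", "acs_url"):
        # Both must point at the My Domain host over https.
        if not idp_app[key].startswith(sf_side["my_domain"]):
            findings.append(f"{key} on the IdP app is not the https My Domain URL")
    return findings


def certificate_alerts(certs: list, today: date) -> list:
    """Classify each certificate as EXPIRED, a warning band (90/60/30d), or ok."""
    out = []
    for side, label, not_after in certs:
        days_left = (not_after - today).days
        if days_left < 0:
            state = "EXPIRED"
        else:
            bands = [d for d in WARNING_DAYS if days_left <= d]
            state = f"warn-{min(bands)}d" if bands else "ok"
        out.append((side, label, days_left, state))
    return out


if __name__ == "__main__":
    idp = parse_idp_metadata(SAMPLE_IDP_METADATA)
    for finding in check_pairing(idp, SALESFORCE_SIDE, IDP_APP_SIDE):
        print("FINDING:", finding)
    for row in certificate_alerts(SAMPLE_CERTS, SAMPLE_TODAY):
        print("CERT:", row)
```

Run against real inputs, the script would take the metadata file the IdP exports and the values copied from the two admin screens; the finding on `acs_url` here is the kind of mismatch (plain http instead of the My Domain https URL) that surfaces only as a failed redirect during the SP-initiated test. The expired entry shows why old certificates still uploaded on the IdP side deserve their own line in the inventory.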
- SAML vs OIDC
SAML for legacy enterprise IdPs; OIDC for modern integrations. Salesforce supports both, as IdP and as SP.
- Federated ID field
The Salesforce User field that identifies the user to the IdP: Username, Federation Identifier, or a custom field.
- JIT vs SCIM
JIT creates users on first SSO login; SCIM proactively syncs the user lifecycle from the IdP. Pick based on directory governance needs.
- Certificate expiration is the leading cause of SSO outages. Monitor expiration dates on both sides and rotate well before expiration.
- Salesforce requires My Domain for SSO. Without My Domain enabled, SSO configuration cannot be activated. Enable My Domain before starting the SSO setup.
- Attribute mapping mismatches produce cryptic errors. The IdP sends an attribute that Salesforce does not expect, or the case differs. Confirm the exact attribute names and values during initial testing.
- MFA enforcement moves to the IdP when SSO is configured: the IdP becomes responsible for MFA, and Salesforce trusts whatever the IdP asserts. Configure the IdP MFA policy carefully.
- JIT provisioning creates users on first SSO login. If the IdP misassigns profile or role attributes, new users land with wrong permissions. Audit JIT provisioning logs for unexpected user creation.
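The attribute-mapping and JIT notes above describe failures that are cheap to catch before the first test login. As an added example that is not part of the original page and is not Salesforce or IdP vendor code, the Python script below compares the attributes an IdP actually asserts against the configured mapping, reporting names that differ only by case, required attributes that are missing, unmapped extras and multi-valued attributes, and it audits the profile a JIT-created user would receive against an approved list. The attribute names, the mapping, the approved profiles and the asserted values are all constructed; substitute the names your own SSO settings expect.

```python
"""Check asserted IdP attributes against the Salesforce mapping and JIT policy.

Added example, not Salesforce or IdP vendor code. The attribute names, the
mapping, the approved profile list and the asserted attributes are all
constructed; the mismatches they contain are the ones the notes describe.
"""

# Constructed mapping: attribute name the IdP must send -> Salesforce user field.
MAPPING = {
    "email": "Email",
    "firstName": "FirstName",
    "lastName": "LastName",
    "profile": "ProfileId",
    "federationId": "FederationIdentifier",
}
# Constructed: attributes JIT cannot create a user without.
REQUIRED_FOR_JIT = {"email", "lastName", "profile", "federationId"}
# Constructed: profiles JIT is allowed to hand to a newly created user.
APPROVED_JIT_PROFILES = {"Standard User", "Read Only"}

# Constructed attributes as an IdP might assert them. Note the case slip on
# firstName, the missing federationId, the unmapped department value and the
# two-valued email.
ASSERTED = {
    "email": ["alice@example.com", "alice.liddell@example.com"],
    "firstname": ["Alice"],
    "lastName": ["Liddell"],
    "profile": ["System Administrator"],
    "department": ["Finance"],
}


def check_attributes(asserted: dict, mapping: dict, required: set) -> list:
    """Return (kind, attribute, detail) findings for mapping mismatches."""
    findings = []
    by_lower = {name.lower(): name for name in asserted}
    mapped_lower = {name.lower() for name in mapping}
    for name in mapping:
        if name in asserted:
            values = asserted[name]
            if len(values) != 1:  # a Salesforce user field takes one value
                findings.append(("multi-valued", name, len(values)))
            continue
        if name.lower() in by_lower:
            # Same name in a different case: the mapping will not match it.
            findings.append(("case-mismatch", name, by_lower[name.lower()]))
        elif name in required:
            findings.append(("missing-required", name, None))
        else:
            findings.append(("missing-optional", name, None))
    for name in asserted:
        if name.lower() not in mapped_lower:
            findings.append(("unmapped", name, None))
    return findings


def audit_jit_profile(asserted: dict, approved: set) -> tuple:
    """Return ('ok' | 'not-approved' | 'absent', profile) for a JIT-created user."""
    values = asserted.get("profile", [])
    if not values:
        return ("absent", None)
    profile = values[0]
    return ("ok" if profile in approved else "not-approved", profile)


if __name__ == "__main__":
    for finding in check_attributes(ASSERTED, MAPPING, REQUIRED_FOR_JIT):
        print("ATTR:", finding)
    print("JIT:", audit_jit_profile(ASSERTED, APPROVED_JIT_PROFILES))
```

Feed `check_attributes` the attribute statement from a captured test assertion (or the IdP's attribute preview) and the mapping from the SSO settings page; a case-mismatch finding is the usual cause of the cryptic error described above. `audit_jit_profile` is the same check you would run over JIT provisioning logs: any profile outside the approved set on a freshly created user is worth a ticket, whatever the IdP intended.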