Salesforce Dictionary - Free Salesforce Glossary
How-to guide

Setting up Single Sign-On in Salesforce

Configuring SSO is a multi-step process: prepare My Domain, gather IdP metadata, create the SAML Settings record, configure the IdP side, test the flow, and decide on the login policy.

By Dipojjal Chakrabarti · Founder & Editor, Salesforce Dictionary · Last updated May 16, 2026

  1. Configure My Domain first

    Setup, My Domain. Pick a custom subdomain. Wait for the deployment to complete (typically 24-48 hours). Without My Domain, SSO cannot be configured.

  2. Gather IdP metadata

    From the IdP (Okta, Azure AD), download the SAML metadata XML or copy the entity ID, login URL, and signing certificate.

  3. Create the SAML Settings record

    Setup, Single Sign-On Settings, New from Metadata File or New manual. Upload the IdP metadata or paste the values. Save.

  4. Configure the SP side on the IdP

    Back on the IdP, configure Salesforce as a service provider. Use the Salesforce metadata (entity ID = your My Domain URL, ACS URL = the My Domain SAML endpoint).

  5. Configure attribute mapping and Federation ID

    On the IdP side, configure SAML attributes to include the user's Federation ID (typically email). On the Salesforce side, populate the Federation ID field on each user.

  6. Test the SSO flow

    Use SP-initiated flow: navigate to the My Domain login URL, click the SSO button, complete the IdP login, confirm landing in Salesforce.

  7. Enable Just-in-Time provisioning if needed

    For auto-creation of new users, enable JIT in SSO Settings and configure the SAML attributes for User fields (Username, Email, Profile, etc.).

  8. Set the Login Policy

    Setup, My Domain, Authentication Configuration. Decide whether to require SSO (SSO-only) or allow both. Start with both during rollout; transition to SSO-only after stabilization.

SAML Settings record

The configuration record per IdP, holding entity ID, login URL, certificate, and attribute mapping.

Federation ID

The user field that maps to the external identity assertion from the IdP.

Just-in-Time Provisioning

Automatic user creation on first SSO login, populating User fields from SAML attributes.

My Domain

The custom subdomain required for SSO. Prerequisite for the entire feature.

Login Policy

Org-level setting that allows password-only, SSO-only, or mixed-mode authentication.

Identity Provider role

The reverse mode where Salesforce acts as the IdP for other applications, less common than the SP role.

Gotchas
  • My Domain must be configured before SSO. Without it, the SAML configuration cannot be created. Plan for the 24-48 hour My Domain deployment.
  • Certificate rotation on the IdP side breaks SSO until the new certificate is uploaded in Salesforce. Track certificate expiration dates carefully; automate the renewal if possible.
  • Federation ID mismatches between Salesforce users and IdP user identities cause login failures. Audit the mapping during rollout.
  • SSO-only policy locks out all non-SSO logins, including admins. Keep a break-glass admin account that bypasses SSO for emergency access.
  • JIT provisioning relies on correct SAML attribute configuration on the IdP. Missing or malformed attributes break user creation, leaving the user with no Salesforce account.
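
One way to run the Federation ID audit from step 5 and the mismatch gotcha above, before moving to SSO-only. This is an added example, not part of the original guide or any Salesforce tooling: the CSV and the IdP list are constructed sample data, the function and report key names are hypothetical, and it assumes the IdP sends the user's email as the Federation ID.

```python
import csv
import io
from collections import Counter

# Constructed sample: a Salesforce User export with the standard fields
# Username, FederationIdentifier and IsActive.
SF_USERS_CSV = """Username,FederationIdentifier,IsActive
alice@example.com.prod,alice@example.com,true
bob@example.com.prod,Bob@Example.com,true
carol@example.com.prod,,true
dave@example.com.prod,shared@example.com,true
erin@example.com.prod,shared@example.com,true
frank@example.com.prod,frank@example.com,false
"""
# Constructed sample: identifiers the IdP will assert (assumed to be email).
IDP_IDS = ["alice@example.com", "bob@example.com", "carol@example.com",
           "shared@example.com", "grace@example.com"]


def audit_federation_ids(sf_csv, idp_ids):
    """Return mapping problems that would surface as SSO login failures."""
    # Only active users can log in, so inactive rows are ignored.
    rows = [r for r in csv.DictReader(io.StringIO(sf_csv))
            if r["IsActive"].strip().lower() == "true"]
    fed = {r["Username"]: r["FederationIdentifier"].strip() for r in rows}
    counts = Counter(v for v in fed.values() if v)
    exact = set(counts)                       # Federation IDs as stored
    folded = {v.lower(): v for v in exact}    # case-folded lookup
    idp = set(idp_ids)
    idp_folded = {i.lower() for i in idp}
    return {
        # Active users the IdP assertion can never match.
        "blank": sorted(u for u, v in fed.items() if not v),
        # One Federation ID on several users makes the mapping ambiguous.
        "duplicate": sorted(v for v, n in counts.items() if n > 1),
        # Differs only by case: an exact-match comparison would reject it.
        "case_only": sorted((i, folded[i.lower()]) for i in idp
                            if i not in exact and i.lower() in folded),
        # IdP identities with no Salesforce user carrying that value.
        "idp_without_match": sorted(i for i in idp if i.lower() not in folded),
        # Salesforce Federation IDs the IdP does not know about.
        "user_without_idp": sorted(v for v in exact
                                   if v.lower() not in idp_folded),
    }


if __name__ == "__main__":
    for finding, items in audit_federation_ids(SF_USERS_CSV, IDP_IDS).items():
        print(f"{finding}: {items}")
```

Every non-empty list is worth resolving while mixed-mode login is still allowed, since the affected users lose access once the policy becomes SSO-only.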
