Salesforce can be configured as an Identity Provider (IdP) using Salesforce Identity, or as a Service Provider (SP).
An Identity Provider is a trusted service that lets users access other websites and services without logging in again.
A Service Provider is a website or service that hosts apps and accepts identities from an identity provider.
In the flow below, the user accesses Salesforce and is authenticated by the IdP; Salesforce is the SP in this scenario.
In the other flow, the user accesses the IdP first and is then redirected to Salesforce acting as the SP.
This blog discusses setting up Salesforce as the Service Provider, with Salesforce initiating the SSO process:
1. The user makes a request to Salesforce.
2. The user is redirected to the IdP with a SAML Request.
3. The user authenticates and returns with a SAML Response.
4. Salesforce processes the Response, creates a session for the user and returns the requested resource.
The user opens a specific My Domain URL, e.g. https://customername.my.salesforce.com, and without entering a username and password is automatically redirected and signed in to Salesforce.
1. Enable My Domain in Salesforce
Refer to the My Domain documentation to create a custom domain name.
2. Enable Single Sign-On in Salesforce
Navigate to Setup | Security Controls | Single Sign-On Settings
Click the Edit button and check "SAML Enabled".
3. SAML Single Sign-On Settings in Salesforce
On the same page, click the New button under "SAML Single Sign-On Settings".
You need to obtain the "Identity Provider Certificate" from your Identity Provider and upload the cert file; this is the authentication certificate issued by your IdP, and Salesforce uses it to verify the signature on incoming SAML responses.
- Identity Provider Certificate: upload the cert file provided by the IdP
- Entity ID: specify the Salesforce base domain (https://saml.salesforce.com) or your custom domain
- SAML version: only version 2.0 is supported
4. Configure the Identity Provider
Provide the following values to your IdP:
- Login URL: the Salesforce Login URL shown under the endpoints of the SSO settings, for example: https://johanyu.my.salesforce.com?so=00D90000000H7oz
- Entity ID: as defined in step 3 above
- Start Page URL: if you would like your users redirected to a specific page after login
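Step 4 of the flow above is where the SP decides whether to trust what the IdP sent back, and the Entity ID and Login URL configured in the steps above are exactly the values it checks. The following Python is an added example (not code from the original post or from Salesforce) showing those checks on the Destination, Issuer, Audience and validity window of a SAML Response; the entity IDs, login URL and the response document itself are constructed sample values, and signature verification against the uploaded IdP certificate is assumed to happen separately.

```python
# Added example: SP-side checks on a SAML Response (Destination, Issuer,
# Audience, validity window). Signature verification is not shown here.
from datetime import datetime, timedelta
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
# Hypothetical SP-side values mirroring the Salesforce SSO settings.
SP_ENTITY_ID = "https://saml.salesforce.com"
SP_LOGIN_URL = "https://example.my.salesforce.com?so=00DEXAMPLEORGID"
IDP_ENTITY_ID = "https://idp.example.com/saml/metadata"
CLOCK_SKEW = timedelta(minutes=3)  # tolerated clock difference with the IdP

def _ts(value):  # parse a SAML UTC timestamp such as 2024-05-01T10:00:00Z
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def validate_response(xml_text, now_iso):
    # Return the list of problems found; an empty list means accept.
    problems = []
    root = ET.fromstring(xml_text)
    if root.get("Destination") != SP_LOGIN_URL:
        problems.append("Destination does not match the SP login URL")
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return problems + ["Response carries no Assertion"]
    if assertion.findtext("saml:Issuer", "", NS) != IDP_ENTITY_ID:
        problems.append("Issuer is not the configured IdP")
    path = "saml:Conditions/saml:AudienceRestriction/saml:Audience"
    if SP_ENTITY_ID not in [a.text for a in assertion.findall(path, NS)]:
        problems.append("Audience does not include the SP entity ID")
    cond = assertion.find("saml:Conditions", NS)
    nb = cond.get("NotBefore") if cond is not None else None
    na = cond.get("NotOnOrAfter") if cond is not None else None
    now = _ts(now_iso)
    if (not nb or not na or now < _ts(nb) - CLOCK_SKEW
            or now >= _ts(na) + CLOCK_SKEW):
        problems.append("Assertion is outside its validity window")
    return problems

# Constructed sample response (unsigned, for illustration only).
SAMPLE_RESPONSE = f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
  ID="_r1" Version="2.0" IssueInstant="2024-05-01T10:00:00Z" Destination="{SP_LOGIN_URL}">
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-05-01T10:00:00Z">
    <saml:Issuer>{IDP_ENTITY_ID}</saml:Issuer>
    <saml:Subject><saml:NameID>user@example.com</saml:NameID></saml:Subject>
    <saml:Conditions NotBefore="2024-05-01T09:59:00Z" NotOnOrAfter="2024-05-01T10:05:00Z">
      <saml:AudienceRestriction><saml:Audience>{SP_ENTITY_ID}</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""
```

A response that passes every check at 10:02 is rejected at 11:00 because its validity window has closed, and one whose Audience names a different service provider is rejected even though everything else matches.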
References:
- Configuring SAML Settings for Single Sign-On
- Add Identity Providers on a Login Page
- Salesforce Identity How-To Series video
- Implementing Salesforce federated single sign-on