Okta

How to Configure SAML 2.0 for Salesforce

This document contains instructions for configuring SAML 2.0 for Salesforce (see Configuring SAML below), as well as additional, useful information you may need about How to Configure SP-Initiated SAML between Salesforce and Okta, and How to Configure Delegated Authentication in Salesforce (optional).


Contents

Supported Features

The Okta/Salesforce SAML integration currently supports the following features:

For more information on the listed features, visit the Okta Glossary.


Configuring SAML

  1. CLICK HERE to log in to Salesforce with the same administrator username and password-token used for User Management settings in Okta.

  2. Either

    • Salesforce Classic: Navigate to Setup > Security Controls > Single Sign-On Settings:

      salesforce_new_a.png

    • Salesforce Lightening Experience: Click the gear icon, then navigate to Setup > Identity > Single Sign-On Settings :

      salesforce_new_cc.png

  3. On the Single Sign-On Settings page, click Edit:

    salesforce_new_1a.png

  4. Check the SAML Enabled box to enable the use of SAML Single-Sign On, then click Save:

    salesforce_new1.png

  5. Click New:

    salesforce_new_b.png

  6. Enter the following:

    Unless otherwise noted, leave the default values as-is.

    • Name: Enter a name of your choice.

    • SAML Version: Make sure this is set to 2.0. This should be enabled by default.

    • Issuer: Copy and paste the following:

      Sign into the Okta Admin dashboard to generate this value

    • Identity Provider Certificate: Download, then upload the following certificate into this field:

      Sign into the Okta Admin dashboard to generate this value

    • Identity Provider Login URL: Copy and paste the following:

      Sign into the Okta Admin dashboard to generate this value

      This URL will authenticate your users when they attempt to log in directly to Salesforce or click on a deep link in Salesforce and are not currently authenticated. This is required if you want to enable SP-Initiated SAML authentication.

    • Custom Logout URL: Optional. Copy and paste the following:

      Sign into the Okta Admin Dashboard to generate this variable.

    • API Name: Enter an API name of your choice.

    • Entity ID:

      • If you have a custom domain setup, use https://[customDomain].my.salesforce.com

      • If you do not have a custom domain setup, use https://saml.salesforce.com

    • Click Save.

    sf_new1.png

  7. Copy your Login URL value:

    salesforce_new_c.png

  8. In Okta, select the General tab for the Salesforce app, then click Edit.

    • If you are using a custom domain, then enter that value into the Custom Domain field, otherwise leave it blank.

    • Click Save:

    salesforce_new_bb.png
  9. Still in Okta, select the Sign On tab for the Salesforce app, then click Edit.

    • Scroll down to the ADVANCED SIGN-ON SETTINGS section, and enter the Login URL value you made a copy of in step 7 above into the corresponding field.

    salesforce_new_aa.png
  10. Done!


How to Configure SP-Initiated SAML between Salesforce and Okta

By completing the steps above, your users will be able to access SalesForce from a single click on the Okta User Dashboard. This process of logging into Salesforce or other cloud apps from Okta is known as IDP-Initiated SAML. However, if at any point your users navigate directly to Salesforce, or click any deep links that directs them to SalesForce first instead of Okta, they won’t be given the same single-sign on experience unless SP-Initiated SAML is also configured. This is an optional configuration. Use the steps below to set up SP-Initiated SAML.

Setting up My Domain in SalesForce

Use of SP-Initiated SAML requires your SalesForce instance to be setup with a customized domain name specific to your company. In Salesforce, these are referred to as My Domains. To add a My Domain:

  1. In Salesforce, click Setup.

  2. Click Domain Management to open the sub-menu.

  3. Click My Domain.

    salesforce_new2.png

  4. Provide a name for your org, check availability, then choose Register Domain.

  5. At this point your new org name in SalesForce (https://[orgname].my.salesforce.com) will be published to the internet and should become widely available for use within 12-24 hours. You can test this by trying to navigate to your new org name in a browser window.

Reconfiguring Single Sign-On Settings

While your new My Domain is being setup, you can make some configuration changes to your SalesForce and Okta single-sign on settings to use your new My Domain instead of the default values, as described here:

  1. In Salesforce, navigate back to Security Controls & Single Sign-On Settings.

  2. Locate the configuration you set up previously from the list on the page, then click Edit.

    salesforce_new3.png

  3. From here change the Entity ID field:

    • From: https://saml.salesforce.com.

    • To: https://[customDomain].my.salesforce.com, using the domain URL you just created.

  4. In Okta, select the General tab for the Salesforce.com SAML app, then click Edit:

    • Make sure that the Custom Domain field matches the name of the custom domain you have created.

      For example: If your domain is acme.my.salesforce.com, enter acme.

    • Click Save:

    Enter Custom Domain in Okta

  5. Still in Okta, select the Sign On tab for the Salesforce.com SAML app, then click Edit.

    • Make sure that the Login URL matches the login URL provided in SalesForce on the Single-Sign On Settings page.

    • Click Save.

    Enter Login URL in Okta

Choosing Okta as the Default Authentication Service

Once your My Domain is live, you’ll be able to specify Okta as the default preferred Authentication Service each time users navigate to your specific domain.

  1. In Salesforce, navigate back to Domain Management > My Domains.

  2. Under Authentication Configuration, click Edit.

  3. In the Authentication Service drop down menu, check the box next to the Okta instance you’ve set up in single-sign on settings.

  4. Click Save.

Verifying SP-Initiated SAML

With configuration now complete, you can easily verify that SP-Initiated SAML has been properly configured. Simply navigate to your Salesforce Domain URL and you should be redirected to the Okta sign-on page for your org. Authenticating into Okta with a user assigned to Salesforce should then provide you access to SalesForce.


How to Configure Delegated Authentication in Salesforce (optional)

Please note: Delegated authentication is an optional integration that can be used in addition to SAML 2.0.

Contact Salesforce to enable delegated authentication

Call Salesforce at 1-800-667-6389 and ask them to enable delegated authentication for your organization. You can also do this by opening a case in the Salesforce customer service application.

Once Salesforce enables delegated authentication you can proceed with the steps below.

Enter your Delegated Gateway URL

Go to the Single Sign-On Settings page located in the Setup > Security Controls section of Salesforce. Click the Edit button to display a form similar to the screenshot below.

  1. Copy and paste the URL below into the Delegated Gateway URL field:

    Sign into the Okta Admin dashboard to generate this value
  2. Click Save

sf3.png

Tryout delegated authentication single sign-on with a cloned user profile

We recommend creating a test user profile so you can experiment with this feature on a single user. If you feel comfortable with this feature then you can skip to the next section.

Enable delegated authentication single sign-on for a user profile

IMPORTANT: Enabling single sign-on for a user profile will affect every user who is assigned that user profile. If you want to experiment with a single user first, we recommend creating a cloned profile (see above) to test with.

Enable delegated authentication single sign-on for a Salesforce user

IMPORTANT: Do not enable delegated authentication for the Salesforce user used by Okta to connect to the Salesforce User Management APIs. The API user is specified in Okta on the Salesforce User Management tab.

Assign your single sign-on enabled Salesforce user to an Okta user


Test it out!

Assuming you logged in successfully, you can use these credentials for salesforce client application integrations like the Microsoft Outlook plugin and other APIs.


Done!

Your users are ready to single sign-on to Salesforce!


Notes

If you have selected Salesforce Portal User for User Profile & Type, the following SAML attributes are supported:


SP-initiated SSO

Navigate to your Salesforce Domain URL. You should see an option to login using your Identity Provider:

sf_new2.png