
Salesforce SSO integrations using SAML

11.0 - Last modified on 2026-02-11 Revised by Annie Zhang

10.0 - Last modified on 2026-01-30 Revised by Summer Scanlan

9.0 - Last modified on 2026-01-23 Revised by Annie Zhang

8.0 - Last modified on 2025-01-10 Revised by Jonathon Taylor

7.0 - Last modified on 2025-01-10 Revised by Jonathon Taylor

6.0 - Last modified on 2024-08-07 Revised by Jonathon Taylor

5.0 - Last modified on 2024-08-07 Revised by Jonathon Taylor

4.0 - Last modified on 2024-06-01 Revised by Jonathon Taylor

3.0 - Last modified on 2024-06-01 Revised by Jonathon Taylor

2.0 - Last modified on 2024-06-01 Revised by Jonathon Taylor

1.0 - Created on 2024-05-09 Authored by Jonathon Taylor

Background


Integrating Salesforce with single sign-on (SSO) is a somewhat complex, multi-step process that uses the SAML protocol. You will need to establish a custom domain in Salesforce, generate a self-signed certificate, and request help from the CalNet team to establish a trusted relationship between your Salesforce org and the CalNet system.

Part 1 - Establish a custom “My Domain” in Salesforce


Create your own subdomain to better manage login and authentication for your Salesforce org. A subdomain is also a way to brand your org with your company or department name, for example: https://berkeley-department.my.salesforce.com.

The following steps assume you have administrator access to your Salesforce application or that you are working with a consultant who does. The process is subject to change; consult the official Salesforce documentation for detailed steps.

  1. From Setup, enter "My Domain" in the Quick Find box, then select My Domain.

    Screenshot of the setup page with "My Domain" selected in the search box

  2. Select Edit next to My Domain Details.
  3. Enter the subdomain name you want to use within the sample URL. For example, if a company called Universal Containers uses the subdomain universalcontainers, the company’s login URL is https://universalcontainers.my.salesforce.com/. Your name can include up to 40 letters, numbers, and hyphens.

    Screenshot of the "My Domain" page

  4. Click Check Availability. If your name is already taken, choose a different one.
  5. Click Register Domain.
  6. You will receive an email when your domain name is ready for testing. It can take a few minutes.

Test your domain

  1. In the Salesforce email, click the link to log in to your new subdomain. Or you can return to My Domain from Setup, enter "My Domain" in the Quick Find box, then select My Domain. Now you’re at Step 3 of the wizard.
  2. Notice that the URL in the browser address bar shows your new subdomain.

At this point, you’re the only one in your org that has the subdomain URL. As you click through the UI, check that all the pages use the new subdomain.

If you’ve customized your org, such as modified buttons or added Visualforce pages, look for links that don’t redirect to the subdomain. Broken links can occur when URLs reference your instance name (such as na1.salesforce.com). For more information, enter “hard-coded references” in Salesforce Help.

Deploy your domain

After you’re sure that all links redirect to your subdomain, you can make the subdomain available to users.

  1. From Setup, enter "My Domain" in the Quick Find box, then select My Domain.
  2. Click Deploy to Users.


Part 2 - Generate a Self-Signed Certificate for Salesforce


Salesforce requires an outdated and deprecated certificate container format (a Java keystore, .jks). If you do not feel comfortable following these steps, please reach out to CalNet for help generating the certificate when you request your SSO integration.

Important: The keystore file you will generate contains a sensitive private key. Treat the generated file as a secret: do not attach it to any tickets or correspondence. After you upload the file into Salesforce, delete it from your workstation.

  1. Install Java so that you have the keytool application.
  2. Open a command line and run the following command, replacing the alias name with something that makes sense for your site.

    NOTE: The -alias value may not contain dashes, spaces, or any other special characters.

    keytool -genkeypair -keyalg RSA -keysize 4096 -validity 3650 -alias mysalesforcesite -keystore keystore.jks -storetype jks


  3. You will be prompted for a keystore password. Enter something memorable and store it in a safe place.
  4. When prompted for "first and last name", enter the alias you used in step 2. For example: "mysalesforcesite" without dashes, spaces, or any other special character.

    Enter keystore password:
    Re-enter new password:
    What is your first and last name?
      [Unknown]:  mysalesforcesite


  5. You can fill in the remaining questions using the examples provided below. None of these are critical.

    What is the name of your organizational unit?
      [Unknown]:  IT
    What is the name of your organization?
      [Unknown]:  University of California, Berkeley
    What is the name of your City or Locality?
      [Unknown]:  Berkeley
    What is the name of your State or Province?
      [Unknown]:  CA
    What is the two-letter country code for this unit?
      [Unknown]:  US
    Is CN=mysalesforcesite, OU=IT, O="University of California, Berkeley", L=Berkeley, ST=CA, C=US correct?
      [no]:  yes


  6. Answer "yes" after validating the certificate name.
  7. When prompted for the "key password", just press <RETURN> without typing anything in.

    Enter key password for <mysalesforcesite>
            (RETURN if same as keystore password):


  8. Ignore the warning message.
  9. You now have a file named "keystore.jks".
  10. Log in to your Salesforce Service Console.
  11. Within the Service Console, click on the gear icon at the top right and select Setup.



  12. Navigate to Settings > Security > Certificate and Key Management.

    Screenshot displaying the Settings menu, with Certificate and Key Management selected under Security

  13. Select Import from Keystore.

    screenshot with the "Import from Keystore button"

  14. On the import screen, select Browse and select the keystore.jks file you generated earlier. Enter the password you used when generating the file and then click Save.

    screenshot with the section under "import from a keystore"

  15. You should now see your imported certificate.

    screenshot displaying the imported certificate

Part 3 - Add Single Sign-On Configuration to Salesforce


  1. Within the Service Console, click on the gear icon at the top right and select Setup.

    screenshot displaying the menu options clicking on the gear icon, with Setup selected

  2. Navigate to Settings > Security > Remote Site Settings.
  3. Select New Remote Site.
  4. Enter the following information:
    1. Remote Site Name: Production_IDP_Metadata_CalNet
    2. Remote Site URL: https://mdq.incommon.org/entities/urn:mace:incommon:berkeley.edu
    3. Disable Protocol Security: uncheck
    4. Description: XML file with Cal Metadata for single sign on
    5. Active: Checked


  5. Click Save.
  6. In the Quick Find box, type "Single Sign-On Settings" then select Single Sign-On Settings.

    screenshot displaying the Single Sign-On Settings page

  7. Click New from Metadata URL.
  8. Enter "https://mdq.incommon.org/entities/urn:mace:incommon:berkeley.edu" without the quotes in the Metadata URL field.

    screenshot of the Single Sign-On Settings page with the URL from above typed into the Metadata URL field

  9. Click Create.
  10. You will be redirected to the Single Sign-On Settings page. Enter the following into the fields:

    Field Name | Explanation | Value
    Name | can be anything | CalNet SSO
    API Name | based on Name, but no spaces | CalNet_SSO
    Issuer | leave as is (urn:mace:incommon:berkeley.edu) | 
    Entity ID | leave as is (unique to your site) | 
    Request Signing Certificate | use the certificate imported from Part 2 | mysalesforcesite (or whatever you named it)
    Request Signature Method | leave as is (RSA-SHA256) | 
    Assertion Decryption Certificate | leave as is (assertion not encrypted) | 
    SAML Identity Type | this is how CalNet provides the user identity (typically the UID) to Salesforce | Assertion contains the Federation ID from the User object
    SAML Identity Location | this is the field that contains the user identity | Identity is in the NameIdentifier element of the Subject statement
    Service Provider Initiated Request Binding | leave as is (HTTP Redirect) | 
    Identity Provider Login URL | leave as is (https://shib.berkeley.edu/idp/profile...) | 
    Custom Logout URL | how logout is handled | https://shib.berkeley.edu/idp/logout
    Use Salesforce MFA for this SSO Provider | leave as is (unchecked) | 
    Single Logout Enabled | leave as is (unchecked) | 
    User Provisioning Enabled | leave as is (unchecked) | 


  11. The resulting settings should be similar to this:

    screenshot of the Single Sign-On Setting page with all required fields filled in

  12. Click Save. You will be redirected to a screen showing a summary of your settings.
  13. Select Download Metadata. You will provide this file in your SSO Service Request to CalNet (see below).
  14. Return to the Single Sign-On Settings screen from the Quick Find box. You should now see something like the following:

    screenshot of the Single Sign-On Setting page

  15. Click on Edit and then check the box next to SAML Enabled.

    screenshot of the Single Sign-On Settings page with SAML Enabled checked

  16. Click Save.


Part 4 - Request SSO Integration from CalNet


  1. Open a service request with the CalNet team to create an SSO integration.
  2. When the service request form loads, select "New SSO integration" in the first drop-down box.
  3. Fill out the remaining fields as best you can:

    Field Name | Explanation | Value
    Application or Service Name | A friendly name for your site | A friendly name for your site
    Application or Service Description | Additional details | Requesting SSO integration for Salesforce site and domain <url>
    Production URL | The URL of your Salesforce custom domain | The URL of your Salesforce custom domain
    What authentication protocol are you using | Salesforce uses SAML | SAML
    For SAML Integrations, please include Production/Test EntityID | This is the unique identifier for your site for the SAML protocol | The Entity ID from Part 3, step 10 (e.g. https://mysite.my.salesforce.com)
    What application and/or web server are you using | Leave blank | 
    Provide a link to any documentation provided by the vendor | Salesforce documentation | https://help.salesforce.com/s/articleView?id=sf.sso_about.htm&type=5
    Contact information | Fill out as best you can | Fill out as best you can
    Authorization preference | Situation dependent | Default or Custom
    What username attribute should be returned | Typically UID is ideal | UID
    Attribute return preference | Situation dependent | Leave as is if unsure
    Does your SAML integration require a NameID as part of the assertion | Salesforce does require this | Yes
    Determine what identifier the accounts on your server will use | UID is ideal | UID
    Provide the metadata from the server (SP) | Paste the contents of the XML file you downloaded in Part 3, step 13. Or, change the extension to .txt and upload it as an attachment to the service request | SP Metadata for your Salesforce site


  4. Submit the request.
  5. After CalNet confirms that your metadata has been added, you can continue to Part 5.
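Before the metadata file from Part 3, step 13 goes into the Part 4 request, it is worth confirming that it carries the Entity ID you will quote, that every AssertionConsumerService points at your My Domain rather than an instance name, and that its signing certificate is the one in keystore.jks. The following is an added example, not code from the article or from Salesforce: it parses a constructed, trimmed metadata sample and compares the signing certificate's SHA-256 fingerprint with the SHA256 line that `keytool -list -v -keystore keystore.jks` prints (the certificate bytes and the ?so= value are placeholders).

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

# Constructed stand-in for the certificate's DER bytes (not a real X.509 certificate).
PLACEHOLDER_CERT_DER = b"constructed placeholder, not a real X.509 certificate"

# Constructed, trimmed sample of the SP metadata downloaded in Part 3, step 13.
SAMPLE_SP_METADATA = f"""<md:EntityDescriptor xmlns:md="{NS['md']}" xmlns:ds="{NS['ds']}"
    entityID="https://ucb-example.my.salesforce.com">
  <md:SPSSODescriptor AuthnRequestsSigned="true" WantAssertionsSigned="true">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>{base64.b64encode(PLACEHOLDER_CERT_DER).decode()}</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://ucb-example.my.salesforce.com?so=CONSTRUCTED" index="0"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""

def fingerprint_sha256(der: bytes) -> str:
    """Lowercase hex SHA-256 of a DER certificate, without colons."""
    return hashlib.sha256(der).hexdigest()

def parse_sp_metadata(xml_text: str) -> dict:
    """Pull out the Entity ID for Part 4, the ACS URLs and the signing fingerprints."""
    root = ET.fromstring(xml_text)
    sp = root.find("md:SPSSODescriptor", NS)
    fps = []
    for kd in sp.findall("md:KeyDescriptor", NS):
        if kd.get("use", "signing") != "signing":   # a missing 'use' means signing and encryption
            continue
        b64 = kd.findtext("ds:KeyInfo/ds:X509Data/ds:X509Certificate", "", NS)
        fps.append(fingerprint_sha256(base64.b64decode("".join(b64.split()))))
    return {"entity_id": root.get("entityID"), "signing_fingerprints": fps,
            "acs_urls": [a.get("Location") for a in sp.findall("md:AssertionConsumerService", NS)]}

def check_sp_metadata(meta: dict, my_domain: str, keytool_sha256: str) -> list:
    """Return the problems to fix before sending the file to CalNet.
    keytool_sha256 is the colon-separated value from keytool's SHA256 fingerprint line."""
    problems = []
    if keytool_sha256.replace(":", "").lower() not in meta["signing_fingerprints"]:
        problems.append("signing certificate in the metadata is not the one in keystore.jks")
    if not meta["entity_id"].startswith(my_domain):
        problems.append(f"entityID {meta['entity_id']} is not on My Domain {my_domain}")
    for url in meta["acs_urls"]:   # an instance URL such as na1.salesforce.com is a hard-coded reference
        if not url.startswith(my_domain):
            problems.append(f"AssertionConsumerService {url} is not on My Domain")
    return problems
```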


Part 5 - Choose your Authentication Service (and optionally a logo)


  1. From Setup, enter "My Domain" in the Quick Find box, then select My Domain.

    screenshot of the Setup section, with "my domain" entered in the search field

  2. Select Edit next to My Domain Details.
  3. If the domain is newly registered, you may see "Your domain name is ready. Log in to test it out." with a Log in button. If so, click the button.
  4. Scroll down to the Authentication Configuration section, and click the Edit button.
  5. Optionally, find or make a logo image to upload, at most 250 pixels wide and 125 pixels high. If you have one, click the Choose File button and pick that file.
  6. Notice there are non-exclusive check boxes under Authentication Service called:
    1. Login Page
    2. CalNet SSO (or whatever you named your SAML provider)
  7. Check the box next to CalNet SSO.
    1. You may decide to offer only CalNet SSO by de-selecting Login Page. For now, leave both active until you're sure that the SSO integration is working.

      screenshot of the Authentication Configuration page with Login Page Type as "Standard" and boxes checked for "Login Form" and "CalNet SSO"

  8. Click Save.


Part 6 - Add the UIDs for people who are allowed to log in


  1. From directory.berkeley.edu, look up and record the UIDs and email addresses of the users who will be allowed to log in to your Salesforce instance.
  2. Logged in to your Salesforce domain, go to Setup > Administration > Users > Users.
  3. On the Users page in Salesforce, click Edit next to an existing user, or New User to start a user record from scratch; this opens the "User Edit" page.
  4. The fields you'll enter are:
    1. First Name
    2. Last Name
    3. Email
    4. User License (e.g. Salesforce)
    5. Profile (e.g. Standard User)
    6. Optionally check the box next to appropriate user type (e.g. Service Cloud User)
    7. Scroll down and paste the UID into the Federation ID field under Single Sign On Information.
    8. Normally, uncheck the box next to "Generate new password and notify user immediately" if the user will log in with CalNet instead of a Login Page credential.
  5. Click Save.
  6. Repeat steps 3-5 for each user.
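The two SAML Identity rows in the Part 3 table and the Federation ID field in Part 6 describe a single lookup: the NameID in the assertion's Subject must equal the Federation ID on an active user record, or the login fails. The following added example models that lookup; it is not Salesforce's code. It uses a constructed, trimmed assertion and a constructed user table, and assumes the assertion's XML signature has already been verified against the CalNet IdP metadata.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed users table: the key is the Federation ID (the UID entered in Part 6, step 4).
USERS_BY_FEDERATION_ID = {
    "123456": {"email": "oski@berkeley.edu", "active": True},
    "654321": {"email": "former@berkeley.edu", "active": False},
}

# Constructed, trimmed assertion in the shape the CalNet IdP returns (signature omitted).
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Issuer>urn:mace:incommon:berkeley.edu</saml:Issuer>
  <saml:Subject><saml:NameID>{uid}</saml:NameID></saml:Subject>
  <saml:Conditions NotOnOrAfter="2030-01-01T00:00:00Z">
    <saml:AudienceRestriction><saml:Audience>{audience}</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions>
</saml:Assertion>"""

def _utc(iso: str) -> datetime:
    return datetime.fromisoformat(iso.replace("Z", "+00:00"))

def match_user(assertion_xml: str, entity_id: str, now_iso: str = None,
               issuer: str = "urn:mace:incommon:berkeley.edu"):
    """Return (user, reason); user is None unless every check passes."""
    root = ET.fromstring(assertion_xml)
    if root.findtext("saml:Issuer", "", NS).strip() != issuer:
        return None, "issuer is not CalNet"
    # The Audience must be this org's Entity ID (Part 3, step 10), not another site's.
    if entity_id not in [a.text.strip() for a in root.findall(".//saml:Audience", NS)]:
        return None, "assertion was issued for a different Entity ID"
    now = _utc(now_iso) if now_iso else datetime.now(timezone.utc)
    if now >= _utc(root.find("saml:Conditions", NS).get("NotOnOrAfter")):
        return None, "assertion expired"
    # SAML Identity Location: the identity is the NameID in the Subject statement.
    name_id = root.findtext("saml:Subject/saml:NameID", "", NS).strip()
    user = USERS_BY_FEDERATION_ID.get(name_id)   # SAML Identity Type: match on Federation ID
    if user is None:
        return None, f"no user with Federation ID {name_id!r}"
    if not user["active"]:
        return None, "user is deactivated"
    return user, "ok"
```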


Part 7 - Make CalNet the Only Option


IMPORTANT: Make sure you have a non-SSO administrator account in your Salesforce org, or that you have set a password on your account that has a Federation ID. Even after you make SSO the only option, you will still be able to get into Salesforce bypassing SSO as described below. This will allow you to fix your org if SSO breaks for any reason.

Making CalNet the only option makes the login process much easier for your users. When they navigate to your custom domain, they will be redirected to CalNet automatically.

NOTE: If you need to bypass SSO, enter the URL of your custom domain in a new browser window with a trailing "?login". For example, if your custom domain is https://ucb-example.my.salesforce.com you can bypass SSO using https://ucb-example.my.salesforce.com/?login.

  1. From Setup, enter "My Domain" in the Quick Find box, then select My Domain.
    screenshot of the Setup section, with "my domain" entered in the search field
  2. Select Edit next to My Domain Details.
  3. Under Authentication Configuration select Edit.
  4. Uncheck the box next to Login Form and then click Save.

    screenshot of the Authentication Configuration page with Login Page Type as "Standard" and box checked for "CalNet SSO"