Skip to main content

Salesforce (SP-initiated) Integration Guide

Use this guide to enable Service Provider (SP)-initiated Multi-Factor Authentication and Single Sign-on (SSO) access via SAML to Salesforce.

For SecureAuth IdP-initiated access, see the Salesforce (IdP-initiated) Integration Guide.


  • Salesforce account

  • Salesforce domain name URL (configuration steps below)

  • SecureAuth IdP version 9.1 or later, with a realm ready for the Salesforce integration

SecureAuth IdP configuration

  1. Log in to SecureAuth IdP and find the new realm to be used for the Salesforce integration.

  2. Go to the Data tab.

  3. In the Profile Fields section, set the following:


    Map the directory field that contains the Salesforce ID of the user to the SecureAuth IdP Property.

    For example, in the Email 2 Property, add Salesforce ID as the directory field.

  4. Save your changes.

  5. Go to the Post Authentication tab.

  6. In the Post Authentication section, set the following:

    Authenticated User Redirect

    Set to SAML 2.0 (SP Initiated) Assertion.

    Redirect To

    This field is auto-populated with an URL, which appends to the domain name and realm number in the address bar. For example, Authorized/SAML20SPInit.aspx.

    Upload a Page

    Optionally, you can upload a customized post authentication page.

  7. In the User ID Mapping section, set the following:

    User ID Mapping

    Set to the SecureAuth IdP Property that corresponds to the directory field that contains the Salesforce ID. For example, Email 2.

    Name ID Format

    Set to urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified. (Default setting)

    Choose a different option if Salesforce requires it, to which the Service Provider (SP) will provide.

    Encode to Base64

    Set to False.

  8. In the SAML Assertion / WS Federation section, set the following:

    WSFedSAML Issuer

    Set to a unique name that will be shared with Salesforce.

    The value in WSFed/SAML Issuer must match exactly on both the SecureAuth IdP side and the Salesforce side.

    SAML Audience

    Set to .

    SP Start URL

    Provide the starting URL to enable SSO and to redirect users to access Salesforce.

    For example,

    SAML Offset Minutes

    Set the minutes to make up for time differences between devices.

    SAML Valid Hours

    Set the number of hours to limit how long the SAML assertion is valid.

  9. Scroll down to the end of the SAML Assertion / WS Federation section, and set the following:

    Signing Cert Serial Number

    Leave the default value, unless there is a third-party certificate being used for the SAML assertion.

    To use a third-party certificate, click the Select Certificate link and choose the appropriate certificate.


    If required, provide domain to download the Metadata File to send to Salesforce.

  10. Save your changes.

  11. Optionally, in the Forms Auth / SSO Token section, click the View and Configure FormsAuth keys/SSO token link to configure the token/cookie settings and configure this realm for SSO.



    To configure this realm for SSO, refer to SecureAuth IdP Single Sign-on Configuration


    To configure this realm for Windows Desktop SSO, refer to Windows desktop SSO configuration

Salesforce configuration

To configure the Salesforce domain

  1. Log in to the Salesforce Control Panel.

  2. Click Setup, expand Domain Management, and then click My Domain.

  3. Specify a unique Salesforce URL that is associated to the corporate account.

  4. Supply a subdomain name, which can be anything; but a subdomain name can be registered only once.

    It takes Salesforce about a day to process the subdomain request, but the URL might be testable within an hour.

To configure single sign-on in Salesforce

  1. After the domain configurations, click Setup, expand Security Controls, and click Single Sign-On Settings.

  2. Click New and set the following:


    Set the value to the same unique name value as provided to SecureAuth IdP in the SAML Assertion / WS Federation section.

    Identity Provider Certificate

    Click Choose File to choose the certificate used in SecureAuth IdP in the SAML Assertion / WS Federation section.

    SAML Identity Type

    Set to Assertion contains the User's Salesforce username.

    SAML Identity Location

    Set to Identity is in the NameIdentifier element of the Subject statement.

    Service Provider Initiated Request Binding

    Set to HTTP Redirect.

    If set to HTTP POST, then in the SecureAuth IdP, go to the Post Authentication tab, in the Post Authentication section, set the Authenticated User Redirect option to SAML 2.0 (SP Initiated by Post) Assertion.

    Identity Provider Login URL

    Set to the Fully Qualified Domain Name (FQDN) of the SecureAuth IdP appliance followed by the realm number of the Salesforce integration and secureauth.aspx.

    For example,

    Custom Logout URL

    Set the URL to where end users are redirected when logging out of Salesforce.

    Entity ID

    Set to

  3. Click User Interface, expand Sites and Domains, and click Domains.

  4. Select the Authentication Service created in SAML Single Sign-On Setting.

  5. Review the configuration, make any necessary edits, and then click Save.