Skip to main content

Salesforce application integration

This topic covers how to integrate the Salesforce application in the SecureAuth® Identity Platform to securely allow the right user access to Salesforce applications in your organization.

  1. On the left side of the Identity Platform page, click Application Manager.

  2. Click Add an Application.

    The application template library appears.

    Add an application
  3. From the list of application templates, search and select Salesforce.

  4. On the Applications Details page, set the following configurations.

    Application Name

    Name is prefilled by default. You can optionally change the application name.

    This displays in the Application Manger list and on the Application Settings page.

    Application Description

    This is an internal description not shown to end users at login.

    Upload logo

    Click Upload to add a logo for the SAML application.

    Override Company Display Name

    • Enable / ON – Change the default company name that is set in the Multi-Factor Methods > Authentication Apps settings.

      The company name entered in this field will display in mobile app notifications only for this application.

    • OFF – Do not override. Display the company name set globally in the Multi-Factor Methods > Authentication Apps settings.

  5. In the Authentication and Access section, set the following configurations.

    Authentication Policy

    Select the login authentication policy for this application.

    Data Stores

    Enter the data stores to to authenticate and allow user access for this application.

    Start typing to bring up a list of data store names. You can enter more than one data store.


    Use one of the following options:

    • Slider in the On position (enabled): Allow users from every group in your selected data stores access to this application.

    • Slider in the Off position (disabled): Enter the specific groups who are allowed access to this application.


    Admins typically set it to Allow every group in your selected data stores access to this application.

    Otherwise, you could add specific user groups for user testing until making the switch over to more or all groups.

    Realm Number

    Select the Realm Number to use for this application.

    SCIM Server

    To learn more about using a SCIM server, see SCIM provisioning overview.

  6. Click Continue.

    The Connection Settings page appears.

  7. In the Configure Connection section, set the following configuration.

    Connection Type

    Select one of the following:

    • SP Initiated (Redirect) – Starts the login process at the service provider / application, then redirects the user to the Identity Platform for authentication, and upon successful authentication, it finally asserts the user back to the application.

      The service provider's configuration or metadata will tell you what is used for the authentication request:

      • By Redirect – Use HTTP Redirect binding to send the AuthnRequest with the signature related to the request.

      • By Post – Use HTTP Post binding to send the AuthnRequest with the embedded signature.

    • IdP Initiated – Starts the login process at the Identity Platform, and upon successful authentication, asserts the user to the application.

  8. In the User ID Mapping section, set the following configuration.

    User ID Profile Field

    Select the profile field in your data store that contains the user IDs.

    SAML Audience

    Set the base domain of the application.

    For example,

  9. In the SAML Assertion section, set the following configurations.

    Salesforce Login URL

    Set the Salesforce login URL endpoint to and include the ID number from Salesforce.

    For example:


    You can find this setting in the Salesforce admin console under the Endpoints section of the Security Controls > Single Sign-On Settings.

    To use a custom domain in Salesforce, copy the full URL from Salesforce, including the ID, and paste it into this field.

    SAML Issuer

    A unique name that must match exactly on the Identity Platform side and the Salesforce side. This helps the Salesforce application identify the Identity Platform as the SAML issuer.

    SAML Valid Hours

    Indicate in hours and minutes, how long the SAML assertion is valid.

    The default setting is one hour, but for more sensitive application resources, the recommended value is between one to five minutes.

    Sign SAML Message

    Move the slider to enable or disable signing of the SAML message.

    IdP Signing Certificate

    Click Select Certificate, choose the IdP signing certificate to use, and then click Select to close the box.

    IdP Signing Certificate Serial Number

    When you select an IdP signing certificate, the serial number populates this field.

    Signing Algorithm

    The signing algorithm digitally signs the SAML assertion and response.

    Choose the signing algorithm – SHA1 or SHA2 (slightly stronger encryption hash and is not subject to the same vulnerabilities as SHA1).

    SAML Recipient URL

    The recipient URL of the SAML assertion.

    This is usually the assertion consumer service (ACS) URL from the service provider to let the application accept a SAML assertion from the Identity Provider.

  10. If more information from the directory needs to be sent in the assertion, in the SAML Attributes section, click Add SAML Attribute and set the following configurations.

    Attribute Name

    Provide the attribute name from the directory to which identifies the user to the application.

    For example, givenname

    Data Store Property

    Select the data store property which maps to this directory attribute.

    For example, First Name

    Namespace (1.1)

    Set the authorization URL to tell the application which attribute is being asserted.

  11. To add attributes with fixed values that apply to all users, in the Static Attributes section, click Add Static Attribute and set the following configurations.

    Static Attribute field

    Select the Global Aux ID to map the static attribute to. The options are Global Aux ID 1 to Global Aux ID 5.

    For example, select Global Aux ID 1.

    Attribute Name

    Set to the attribute name required by the Service Provider.

    For example, companyName.

    Static Attribute Value

    Set the value of the attribute. This value is fixed and applies to all users.

    For example, SecureAuth.

    Namespace (1.1)

    Set to the value required by the Service Provider.

  12. Click Add Application.

    After saving the application, the Information for Service Providers page appears.

  13. To complete the integration and establish a working connection with SecureAuth, provide the following information as required to the service provider.

    Login URL, Logout URL, IdP Issuer

    Click Copy to Clipboard to copy the Identity Platform realm information and paste it in the corresponding field on the service provider user interface, as required.

    IdP Signing Certificate

    Download the IdP Signing Certificate.

    Download Metadata

    To download the metadata file:

    1. Click Download Metadata.

    2. Enter the Domain name to the Identity Platform appliance URL or IP address.

      For example, or

      Metadata file download
    3. Click Download to get the configuration file.

    4. Upload the file to the service provider.

  14. Click Continue to Summary to review the application settings.

  15. Click Back to Application Manager to find the application added to the list.