Skip to main content

Salesforce SAML integration

Salesforce unites organizations marketing, sales, commerce, service, and IT teams from anywhere with Customer 360 — one integrated CRM platform that powers our entire suite of connected apps. With Customer 360, organizations can focus their employees on what’s important right now: stabilizing your business, reopening, and getting back to delivering exceptional customer experiences.

Acceptto integrates with Salesforce to provide better security through Arculix's Intelligent Multi-factor Authentication. Acceptto's intelligent MFA uses many different signals to improve security while reducing friction.

This document contains instructions for configuring SAML 2.0 for Salesforce to improve the security of users' logins into the Salesforce portal by using single sign-on.

Prerequisites

  • An Acceptto account with a configured Identity Provider and LDAP Agent.

    For more information, see the LDAP Agent deployment guide.

  • An organization identifier provided by Acceptto (organization slug).

  • A user with administrative privileges for the Salesforce portal.

Configure Salesforce as a SAML Service Provider

  1. Login to your Salesforce. Salesforce has two user interfaces: Classic and Lightning. In Salesforce Classic: Navigate to Setup > Security Controls > Single Sign-On Settings and in Salesforce Lightning, click the gear icon. Navigate to Setup > Identity > Single Sign-On Settings.

    salesforce_dashboard_sso.png

  2. On the Single Sign-On Settings page, click Edit to enable SAML on Salesforce.

    salesforce_edit_sso_settings.png

  3. Check the SAML Enabled box to enable the use of SAML Single-Sign On, then click Save.

    salesforce_enable_saml.png

  4. On the Single Sign-On Settings page, click New.

    salesforce_sso_settings.png

  5. Enter the following information on this page:

    Note: Download your SAML IdP X509 certificate. Go to https://sso.acceptto.com/[organization identifier]/saml/download/cert to download the cert.pem file containing your certificate.

    Download your SAML metadata file. Go to https://sso.acceptto.com/[organization identifier]/saml/download/metadata to download your metadata file.

    • Name: Enter a name of your choice.

    • SAML Version: Make sure this is set to 2.0. This should be enabled by default.

    • Issuer: Copy and paste the Acceptto SAML issuer (e.g.https://sso.acceptto.com/)

    • Identity Provider Certificate: upload an Acceptto certificate into this field. In the SAML Identity Type part, click on the Assertion containing the Federation ID from the User object item.

    • Identity Provider Login URL: Copy and paste the sign in URL from Acceptto metadata.

    • Custom Logout URL: Copy and paste this logout link from Acceptto metadata API Name: Enter an API name of your choice. Entity ID: Enter https://[customDomain].my.salesforce.com.

    salesforce_saml_sso_settings.png

  6. Click Save. Then you can see the following page. Copy the Login URL from this page.

    salesforce_login_url.png

Acceptto SAML Configuration as Identity Provider (IdP)

  1. Login to the Acceptto Dashboard with an administrative account and go to Applications.

  2. Create a new application by selecting Create New Application.

    Create new application

  3. In the New Application form, enter the following values under the General tab.

    • Name - The application name displayed in the admin panel and application portal and used for push notifications and audit logs. (e.g. Salesforce)

    • Type - Select "SAML Service Provider" from the options

    • Out of Band Methods - Select the allowed methods for approving MFA requests

    • Message for MFA Requests - Enter the user-facing message for Push, SMS, and email MFA requests (optional)

    salesforce_add_app.png

  4. Under the SAML Service Provider Configuration tab, enter the following values:

    • Issuer or Entity ID – Enter the Issuer/EntityID of your Salesforce instance. This value is available in the Trusted IdP section of your Salesforce tenant as SP Entity ID (see the next section).

    • Sign in URL - The URL used to login to your Salesforce (e.g. https://example.salesforce.com).

    • NameID Format - Select "Email address" from the dropdown menu.

    • Name Identifier - Select "Email" from the dropdown menu.

    • Assertion Consumer Service (ACS) URL - Enter the URL on the service provider where the identity provider will redirect to with its authentication response. It should end at access/idp (e.g. https://example.saleforce.com).

    salesforce_sp_settings.png

  5. Then, type the Single Logout URL, which is given in the Salesforce portal.

    salesforce_logout_url.png

  6. Click Save to create the Application.

Authentication Configuration in Salesforce Portal

  1. Navigate to setup in the Salesforce portal as an administrator. Go to My Domain.

    salesforce_mobile_quick_start.png

  2. Click Edit in the Authentication Configuration section.

    salesforce_auth_config.png

  3. Check the Example box which you have created in the previous step. Click Save.

    salesforce_auth_service.png

User Configuration in Salesforce Portal

  1. Navigate to the Users in the Setup page of Salesforce. Then click on Edit on the desired user.

    salesforce_users.png

  2. In the user profile page drop down menu and in the Single Sign-on part, copy the email address which is integrated with your Acceptto account, in the Federation ID box. Click Save.

    salesforce_sso_info.png

Test your application integration

  1. Open the Salesforce login URL through a browser and you can see the Acceptto login form. Click on that.

    salesforce_login.png

  2. You will be redirected to the Acceptto SSO page.

    SSO login

  3. After successful authentication, you’ll see the Acceptto MFA options. Select your desired method and pass the verification stage.

    acceptto_qr_login.png

  4. Finally you will be redirected to the Salesforce portal page passwordless and easily.

    salesforce_dashboard.png

Support

If you have questions or need assistance, contact SecureAuth Support.

Sales

Want to learn more about our MFA solutions? Contact our Professional Services for a demo today.

Disclaimer

All product names, trademarks, and registered trademarks are the property of their respective owners.

All company, product, and service names used in this document are for identification purposes only. The use of these names, trademarks, and brands do not constitute an endorsement by the SecureAuth Corporation.

In this section: