
> Describes how to configure Salesforce as a SAML identity provider for use with Auth0.

# Configure Salesforce as SAML Identity Provider

Configure Salesforce as a <Tooltip tip="Security Assertion Markup Language (SAML): Standardized protocol allowing two parties to exchange authentication information without a password." cta="View Glossary" href="/docs/glossary?term=SAML">SAML</Tooltip> <Tooltip tip="Identity Provider (IdP): Service that authenticates users and provides identity information to an application or service provider." cta="View Glossary" href="/docs/glossary?term=identity+provider">identity provider</Tooltip> by completing the following steps:

1. Obtain Salesforce certificate and metadata.
2. Set up Auth0 as a service provider.
3. Configure the Salesforce identity provider (IdP).
4. Grant privileges to users in Salesforce.
5. Test the connection to the Salesforce IdP.

## Prerequisite

Register for a [Salesforce.com](http://salesforce.com) account. You must select one of the account types that include identity provider support.

## Obtain Salesforce certificate and metadata

1. Log in to your [Salesforce](http://salesforce.com) account.
2. Create your [Salesforce Domain](https://help.salesforce.com/apex/HTViewHelpDoc?id=domain_name_setup.htm&language=en_US).
3. Log into your Salesforce domain `https://{yourDomain}.my.salesforce.com` and click on **Setup** on the top right.
4. In the Quick Find box, enter Single Sign-On Settings, then select **Single Sign-On Settings**, and then click **Edit**.
5. To view the SAML SSO settings, select **SAML Enabled**.
6. Select the default certificate and click **Save**.
7. Click **Download Certificate** to download the identity provider certificate.
8. Click **Download Metadata** to download the identity provider metadata.

## Set up Auth0 as a service provider

Configure Auth0 as a service provider to communicate with the Salesforce identity provider for <Tooltip tip="Single Sign-On (SSO): Service that, after a user logs into one application, automatically logs that user in to other applications." cta="View Glossary" href="/docs/glossary?term=SSO">SSO</Tooltip>.

1. Go to the [Dashboard > Authentication > Enterprise](https://manage.auth0.com/#/connections/enterprise) and click **SAML**.
2. Click **Create Connection**.
3. In the configuration window, enter the following information:

| Setting             | Description                                                                                                                                                                                                                                                                                                                                                     |
| ------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| **Connection Name** | Name your connection. For example **SFIDP**.                                                                                                                                                                                                                                                                                                                    |
| **Email Domains**   | Enter the email domain name that your users will be logging in from. For example, if your users have an email domain of `abc-example.com`, enter that into this field. You can enter multiple domains.                                                                                                                                                          |
| **Sign In URL**     | Open the metadata file you downloaded from Salesforce and locate the line that contains the `SingleSignOnService` binding. The value of the `location` attribute on this line is your Sign In URL. It will be something like: `https://{sf-account-name}.my.salesforce.com/idp/endpoint/HttpRedirect` where `{sf-account-name}` is your Salesforce domain name. |
| **Sign Out URL**    | Enter the same URL you entered for Sign In URL.                                                                                                                                                                                                                                                                                                                 |

4. For the **Certificate**, convert the certificate downloaded from Salesforce to `.pem` format with the following command, where `original.crt` is the filename of the downloaded `.crt` file:

   ```bash
   openssl x509 -in original.crt -out sfcert.pem -outform PEM
   ```

   1. Click **UPLOAD CERTIFICATE** and select the `.pem` file you just created. (`sfcert.pem` in the example above). You can ignore the rest of the fields for now.
   2. Click **SAVE**.
   3. Click **CONTINUE**. In the window that appears, SAML metadata for the Auth0 Service Provider will be displayed. Keep this window open since you will need to enter some of this information into Salesforce to finish the configuration.

You can access the metadata for an Auth0 SAML connection with this URL syntax: `https://{yourDomain}/samlp/metadata?connection={yourConnectionName}`.
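As an added example (not Auth0's or Salesforce's code), the script below reads the Salesforce IdP metadata you downloaded and pulls out the values the table above has you copy by hand: the IdP `entityID`, the `SingleSignOnService` location for the HTTP-Redirect binding (your Sign In URL), and the signing certificate re-wrapped as PEM so you can compare it with the `.pem` file you uploaded. The embedded metadata, its `example-dev-ed` domain and its certificate body are constructed placeholders, not real Salesforce output.

```python
# Added example (not Auth0/Salesforce code): extract Auth0 connection settings
# from a Salesforce SAML IdP metadata file.
import base64
import textwrap
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"

# Constructed sample: placeholder domain and a fake base64 certificate body.
SAMPLE_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://example-dev-ed.my.salesforce.com">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>TUlJQ2ZBa2VD
        ZXJ0Qm9keQ==</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://example-dev-ed.my.salesforce.com/idp/endpoint/HttpPost"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://example-dev-ed.my.salesforce.com/idp/endpoint/HttpRedirect"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""


def parse_idp_metadata(xml_text: str) -> dict:
    """Return the IdP entityID, the Auth0 Sign In URL and the signing cert as PEM."""
    # Metadata comes from your own org; use defusedxml for XML from untrusted sources.
    root = ET.fromstring(xml_text)
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("no IDPSSODescriptor in metadata")
    # Auth0's Sign In URL is the HTTP-Redirect endpoint, not the HTTP-POST one.
    sso = [s.get("Location") for s in idp.findall("md:SingleSignOnService", NS)
           if s.get("Binding") == REDIRECT]
    if len(sso) != 1:
        raise ValueError("expected exactly one HTTP-Redirect SingleSignOnService")
    cert_el = None
    for kd in idp.findall("md:KeyDescriptor", NS):
        if kd.get("use", "signing") == "signing":       # a missing 'use' covers both uses
            cert_el = kd.find("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
            break
    if cert_el is None or not cert_el.text:
        raise ValueError("no signing certificate in metadata")
    b64 = "".join(cert_el.text.split())                 # drop whitespace and newlines
    base64.b64decode(b64, validate=True)                # fail early on a corrupt blob
    pem = ("-----BEGIN CERTIFICATE-----\n" + "\n".join(textwrap.wrap(b64, 64))
           + "\n-----END CERTIFICATE-----\n")
    return {"entity_id": root.get("entityID"), "sign_in_url": sso[0], "signing_cert_pem": pem}
```

Run `parse_idp_metadata(open("metadata.xml").read())` against the real download and compare `signing_cert_pem` with the contents of `sfcert.pem`; a mismatch means the uploaded certificate is not the one Salesforce signs with.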

## Configure Salesforce as an identity provider

Configure Salesforce with the metadata from Auth0 so it can receive and respond to SAML-based authentication requests from Auth0.

1. Open [**salesforce.com**](http://salesforce.com).
2. Go to **Setup** > **Manage Apps**. Click **Connected Apps**.
3. Create a new Connected App and fill out the following fields:

| Setting            | Description                                         |
| ------------------ | --------------------------------------------------- |
| **Entity ID**      | `urn:auth0:YOUR_TENANT:YOUR_CONNECTION_NAME`        |
| **ACS URL**        | `https://{yourDomain}/login/callback`               |
| **Subject Type**   | `Persistent ID`                                     |
| **Name ID Format** | Choose the one with `emailAddress`                  |
| **Issuer**         | `https://{your-salesforce-domain}.my.salesforce.com` |

4. Click **Save** to complete the configuration.

## Grant privileges to users in Salesforce

1. Open [**salesforce.com**](http://salesforce.com) and click **Setup**.
2. Under **Manage Users**, click **Profiles**.
3. Scroll down to find the profile called **Standard User** (on page 2).
4. Click on **Edit** to edit the profile.
5. Scroll down to the **Connected App Access** section.
6. Check the box next to the name of your connected app to enable it for this profile.
7. Click **Save**.
8. Under **Manage Users**, click **Users**.
9. Click **Edit** to edit your test user and set the profile to **Standard User**.
   To use a different Salesforce profile, enable the connected app for that profile and ensure that all users who log in through the Salesforce Identity Provider have that profile.

## Test connection to Salesforce

1. Navigate to the [Authentication > Enterprise](https://manage.auth0.com/#/connections/enterprise) section of the Auth0 dashboard. Select the **SAMLP Identity Provider**.
2. Click the **Try** button for the SAML connection you created earlier. You should be redirected from Auth0 to the Salesforce login page.
3. Once you are at the **Salesforce login screen**, log in with the credentials you provided when you created the Salesforce account.

   1. If the SAML configuration works, your browser will be redirected back to an Auth0 page that says **"It works!!!"**. This page will display the contents of the SAML authentication assertion sent by the Salesforce IDP to Auth0.
   2. If it didn't work, double-check the steps above and consult the **troubleshooting** section below.

When troubleshooting SSO, it is often helpful to capture an HTTP trace of the interaction and save it in a HAR file. To learn more, read [Generate and Analyze HAR Files](https://support.auth0.com/center/s/article/generate-and-analyze-har-files-to-troubleshoot-auth0-issues).

<Warning>
  Before sharing a HAR file with anyone (including Auth0), ensure that you remove or obfuscate all sensitive data, such as:

  * Confidential user information
  * Personal identifiable information (PII)
  * Confidential application information

  To learn more, read the following articles on [Auth0 Community](https://community.auth0.com):

  * [Sanitizing HTTP Traces](https://community.auth0.com/t/sanitizing-http-traces/119488)
  * [How to Sanitize an HTTP Trace File Automatically](https://community.auth0.com/t/how-to-sanitize-a-http-trace-file-automatically/120583)
  * [How to Manually Redact Sensitive Information](https://community.auth0.com/t/how-to-manually-redact-sensitive-information/122554)
  * [HAR File is Too Large to Upload to the Support Case](https://community.auth0.com/t/har-file-is-too-large-to-upload-to-the-support-case/122488)
</Warning>

Once you have an HTTP trace tool, capture the login sequence from start to finish and analyze the trace for the sequence of GETs. You should see a redirect from your original site to the IDP, a POST of credentials if you had to log in, and then a redirect back to the callback URL. The HAR file will also contain the SAML response.
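As an added example (not Auth0's code), the script below walks a HAR capture of the login and reports the redirect chain and the `Issuer` and `NameID` carried in the `SAMLResponse`, which is the sequence the paragraph above tells you to look for. The embedded HAR, its `YOUR_TENANT` and `example-dev-ed` hosts, the `app.example.com` callback and the unsigned sample response are all constructed placeholders.

```python
# Added example (not Auth0 code): summarise the redirect chain and the
# SAMLResponse in a HAR capture of the Salesforce -> Auth0 login.
import base64
import xml.etree.ElementTree as ET

NS = {"saml2p": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml2": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample HAR with placeholder hosts and a minimal, unsigned
# SAMLResponse; a real capture has many more entries and a signed assertion.
_RESPONSE_XML = ('<saml2p:Response xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol" '
                 'xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0">'
                 '<saml2:Issuer>https://example-dev-ed.my.salesforce.com</saml2:Issuer>'
                 '<saml2:Assertion ID="_a1" Version="2.0"><saml2:Subject><saml2:NameID>'
                 'user@abc-example.com</saml2:NameID></saml2:Subject></saml2:Assertion>'
                 '</saml2p:Response>')
SAMPLE_HAR = {"log": {"entries": [
    {"request": {"method": "GET", "url": "https://YOUR_TENANT.auth0.com/authorize?connection=SFIDP"},
     "response": {"status": 302, "headers": [{"name": "Location",
         "value": "https://example-dev-ed.my.salesforce.com/idp/endpoint/HttpRedirect?SAMLRequest=..."}]}},
    {"request": {"method": "GET", "url": "https://example-dev-ed.my.salesforce.com/idp/endpoint/HttpRedirect?SAMLRequest=..."},
     "response": {"status": 200, "headers": []}},
    {"request": {"method": "POST", "url": "https://YOUR_TENANT.auth0.com/login/callback",
                 "postData": {"params": [{"name": "SAMLResponse",
                     "value": base64.b64encode(_RESPONSE_XML.encode()).decode()}]}},
     "response": {"status": 302, "headers": [{"name": "Location", "value": "https://app.example.com/callback"}]}},
]}}


def summarize_har(har: dict) -> dict:
    """Return the redirect hops and the Issuer/NameID found in the SAMLResponse."""
    hops, saml = [], None
    for e in har["log"]["entries"]:
        req, resp = e["request"], e["response"]
        if resp["status"] in (301, 302, 303, 307):
            loc = next((h["value"] for h in resp.get("headers", []) if h["name"].lower() == "location"), "")
            hops.append((req["method"], req["url"].split("?")[0], loc.split("?")[0]))  # drop query strings
        for p in req.get("postData", {}).get("params", []):
            if p["name"] == "SAMLResponse":
                saml = p["value"]
    if saml is None:
        return {"hops": hops, "saml_response": None}
    # Decoding only inspects the message; signature verification is done by Auth0, not here.
    root = ET.fromstring(base64.b64decode(saml))
    issuer = root.findtext("saml2:Issuer", namespaces=NS)
    name_id = root.findtext("saml2:Assertion/saml2:Subject/saml2:NameID", namespaces=NS)
    return {"hops": hops, "saml_response": {"issuer": issuer, "name_id": name_id}}
```

Load a real file with `json.load(open("login.har"))`; the `NameID` it prints is PII, so redact it before the HAR leaves your machine.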

Make sure that cookies and JavaScript are enabled for your browser.

Make sure that the user's profile in Salesforce has permission to log in via the Salesforce IDP (see **Grant privileges to users in Salesforce** above).
