Identity Cloud

Salesforce as SP (SAML)

While this use case was validated for accuracy, it can always be improved. To provide feedback, click thumb_up or thumb_down in the top right of this page (you must be logged into Backstage).


Estimated time to complete: 30 minutes.

In this use case, you configure SSO using SAML federated identities with Identity Cloud as the Identity provider (IDP) and Salesforce as the Service provider (SP).

Specifically, you configure Identity Cloud as the IDP for Salesforce using SAML. This allows a user from the Identity Cloud End User UI, to click the Salesforce application and be logged in to Salesforce with IDP-iniatied SSO.


After completing this use case, you will know how to do the following:

  • Configure a custom SAML application for SSO using app templates.

  • Configure Salesforce to be a remote SP.

  • Use the Identity Cloud End User UI application dashboard to federate to other application.


Before you start work on this use case, ensure you have these prerequisites:

  • A basic understanding of:

    • The Identity Cloud admin UI

    • SSO (Federation)

    • SAML

    • The Identity Cloud End User UI

    • Salesforce

  • Access to your development environment as an administrator.

  • A test Salesforce environment

  • The use case, Provision users to a target application (Salesforce), completed with a test user provisioned from Identity Cloud to Salesforce. Specifically, make sure the user’s mail attribute in ForgeRock matches the User. Username attribute in Salesforce.

  • A test user in Identity Cloud to serve as the application owner for the custom SAML (Salesforce) application.


This use case requires the use of third-party services. Use your environment specific details where necessary.

Task 1: Create custom SAML application

  1. In the Identity Cloud End User UI, go to Applications > add Custom Application.

  2. Select SAML and click Next.

  3. On the Application Details page, enter the following:

    Field Value


    Enter Salesforce SAML SSO.


    Enter ForgeRock serving as the IDP for SAML. End users can log into Salesforce from the Identity Cloud End User UI, when they are assigned to this application and have an account in Salesforce.


    Select a user to be the application owner.

  4. From the custom SAML application Salesforce SAML SSO, click the Sign On tab > Set up SSO.

  5. On the Set up Single Sign-On modal window, click download Download Metadata. The metadata to import into Salesforce displays in a new browser tab.

  6. Save this file as identity-cloud-idp-saml-metadata.xml. You will import this file into Salesforce later.

  7. Click Next.

  8. In a new browser tab, go to your Salesforce environment.

Task 2: Configure Salesforce to serve as SP

The next task is to prepare Salesforce to serve as an SP.

  1. Salesforce documents these steps; therefore, in Salesforce’s documentation, Create a SAML Single Sign-On Setting in Salesforce.

    In step 3 of the Salesforce documentation, import the XML file you saved in task 1 by selecting New from Metadata File in Salesforce. The XML file you upload in Salesforce sets the necessary configurations; therefore, you don’t need to complete the steps past step 3.

  2. After configuring SSO in Salesforce, download Salesforce’s SP metadata to import into Identity Cloud by clicking Download Metadata in Salesforce.

    Salesforce SP SSO settings

    The metadata file name looks similar to SAMLSP-00DDp000001yWwS.xml.

Task 3: Configure custom SAML application

Now that you have configured Salesforce, you must configure the custom SAML Salesforce application in Identity Cloud to include the information Salesforce requires in the SAML assertion.

  1. Go back to the Identity Cloud admin UI. You should be on the Set Up Single Sign-On modal window.

    Upload Salesforce SP metadata into Identity Cloud
  2. Click Browse and upload the SP metadata file you downloaded from Salesforce.

  3. Click Next. The application displays. By default, Identity Cloud maps the following assertion attributes:

    Name (SAML attribute) Value (attribute in Identity Cloud) Description



    Identity Cloud sends the property of mail (email) as the SAML attribute SSOID.



    Identity Cloud sends the property of mail (email) as the SAML attribute User.Email.



    Identity Cloud sends the static value of Standard.User as the SAML attribute User.ProfileID.



    Identity Cloud sends the property sn (last name) as the SAML attribute User.LastName.



    Identity Cloud sends the property of mail (email) as the SAML attribute User.Username.

    By default, the federation identifier is mail to the Salesforce attribute User.Username. Users can change their mail address in Identity Cloud and doing so breaks their SAML connection to Salesforce. Either make mail immutable in Identity Cloud, or set a different, immutable attribute as the federation identifier.

    Salesforce supports many SAML assertion formats. For example, you can configure SAML to have a user’s unique identifier in the NameID of the Subject block or in the AttributeStatement block. For more information, refer to Salesforce’s documentation Example SAML Assertions.

Check in

At this point, you:

Created a custom SAML application in Identity Cloud for SSO with Salesforce

Configured Salesforce by importing Identity Cloud’s IDP metadata and exporting Salesforce’s SP metadata file

Configured the custom SAML application in Identity Cloud by importing Salesforce’s SP metadata


Now that you created and configured a custom SAML application and configured Salesforce as the SP, validate the configurations by:

  • Adding a user to the application

  • Logging in as the end user to the Identity Cloud admin UI

  • Federating into Salesforce by clicking the Salesforce application


  1. From the Identity Cloud admin UI, go to Applications > Salesforce SAML SSO > Users & Roles tab.

  2. On the people Users tab, click add Add Member.

  3. Add the test user that exists in both Identity Cloud and Salesforce. The application now displays to the test user in the Identity Cloud End User UI.

    Add a user to the custom SAML Salesforce application
  4. In an incognito window, log into the Identity Cloud End User UI as the test user.

    The default login URL for end users is the Login journey. In the Identity Cloud admin UI:

    • Go to Journeys and click the Login journey.

    • In the Preview URL field, click copy (copy).

  5. From the Identity Cloud End User UI, click My Applications. The Salesforce SAML application displays.

  6. Click the application. Identity Cloud redirects you to Salesforce logged in.

    If you receive an error in Salesforce, refer to the Salesforce article Troubleshoot SAML Assertion Errors.

    This article discusses using Salesforce’s SAML validator by providing the SAML assertion Identity Cloud sends. One way to obtain the SAML assertion is to use the browser plugin SAML tracer.

Video of validation

The following video displays the expected validation as an end user using SSO from the Identity Cloud End User UI to log into Salesforce:

Explore further

Reference material

Reference Description

Register a custom SAML app

Instructions on setting up a custom SAML application for SSO.

Implement SSO and SLO

Detailed information on SAML SSO and single logout (SLO).

My applications

Learn about how end users can access applications for SSO in the Identity Cloud End User UI.

Configure Salesforce as a SAML SP

Learn how to configure Salesforce as a SAML service provider.

Copyright © 2010-2024 ForgeRock, all rights reserved.