Single Sign on Between Two Salesforce Org

In this post we will talk about Single Sign on Between Two Salesforce Org. Single sign-on (SSO) is an authentication method that enables users to access multiple applications with one login and one set of credentials.

What is Single Sign-on in Salesforce?

Single sign-on is a process that allows network users to access all authorized network resources without having to log in separately to each resource. Single sign-on allows you to validate usernames and passwords against your corporate user database or other client application rather than having separate user passwords managed by Salesforce.

Different way to implement Single Sign-on in Salesforce

There are three mechanisms which can be used to achieve this in Salesforce.

  1. Delegated authentication
  2. Federated Authentication
    • SP-Initiated SAML
    • IDP-Initiated SAML
  3. OpenID Connect

Learn more about then in details in Salesforce Single Sign on Flows and Decision Guide for Single Sign-on in Salesforce.

Setup Single Sign on Between Two Salesforce Org

To setup Single sign on between two Salesforce Org we need to setup one Salesforce Org as Service provider and other one as Identify provider

  1. Identify provider (IDP) :- An identity provider is a trusted provider that lets you use single sign-on (SSO) to access other websites
  2. Service provider (SP):- A service provider is a website that hosts apps.

Step to setup Single sign-on between two Salesforce

Step to setup Single sign-on between two Salesforce org:-

  1. Enable My Domain in both Salesforce Orgs. (Both Org)
  2. Enable Identity providers ( IDP Org )
    • Download Certificate
    • Download Metadata
  3. Single Sign-On Setting (SP Org)
    • Enable SAML
    • SAML Sigle Sign on Setting and upload Metadata File.
    • Upload Identity Provider Certificate
  4. Create connected app (IDP Org)
  5. Update Authentication Configuration for my Domain in SP Org
  6. Test your configuration
    • Setup Users in both SP and IDP

In this Demo we will use SAML login flows using SSO in Salesforce.

#1. Enable My Domain in both Salesforce Orgs

By default my domain should be already activate in new Salesforce orgs. If not then enable it from “My Domain“.

#2. Enable Identity providers in IDP Org

Enable Identity providers and create Certificate. Login to your IDP org and Navigate to Identity provider. Setup-> Security Controls -> Identity Provider.

Then click on “Enable Identity providers” button. Then choose the certificate that uses when communicating with service providers.

Then click on save button.

2.1 Download Certificate

Download the certificate from “Download Certificate” button.

2.2 Download Metadata

Download the certificate from “Download Metadata” button.

#3. Single Sign-On Setting in SP Org

3.1. Enable SAML

Enable Single Sign on. Navigate to “Setup > Identity > Single Sign-On Settings” and check “SAML Enabled” option.

3.2. SAML Single Sign on Setting and upload Metadata File.

Now provide SAML Single Sign on Setting detail. You can use Metadata file from step 2.2 and upload here with “New from Metadata File” button.

Click on “New from Metadata File” and upload the Metadata file.

3.3. Upload Identity Provider Certificate and update setting

Update SAML Single Sign-On Settings and upload the Identity Provider Certificate (which we download from 2.1) and select the “Assertion contains the Federation ID from the User object“.

SAML Single Sign-On Settings

Make a note of Entity ID and Login URL from here. We will use same in IDP org Connected App

#4. Create connected app (IDP Org)

Now go back in your IDP org. And create one connected app with below step

  1. Create connected app, Setup -> App Manager -> New Connected App
  2. Now provide all required detail. Make sure on your connected App you need to perform below step
    1. Enable SAML
    2. Provide Entity Id (Use Entity ID from Step 3)
    3. ACS URL (Login URL from Step 3)
    4. Subject type should be Federation Id. 
    5. IDP Certificate as Identity Provider Label name
    6. Now once Connected app is ready. Click on Manage Button. Then Add the profile from related list.

#5. Update Authentication Configuration for my Domain in SP Org

Now go to SP org the navigate to My Domain (Setup -> My Domain). Then edit the Authentication configuration setting and select the IDP org in Authentication service.

#6. Test your configuration

Create a user in both org with same “Federation ID“.

6.1 Service Provider-Initiated SAML Flow Testing

go to your Service provider org and click one “Log in with IDP-org” button

It will take you to IDP org for validation. Your username and password.

6.2 IdP-Initiated Login URL

Copy the IdP-Initiated Login URL from Identity provider org. And open in different tab. It will take you to SP org.

SAML Flow in Salesforce Video

YouTube video

Single Sign-On Terminology

These terms apply to SSO enabled with SAML.

  • Security Assertion Markup Language (SAML) – Provides an open standard for XML-based confirmation of identity and transfer of identity attributes between an Identity Provider and Service Provider
  • Identity Provider (IDP) – An application with the capability to authenticate a user’s identity (i.e. allow the user to login), and confirm authentication and identity attributes to a Service Provider
  • Service Provider (SP) – An application which defers to an Identity Provider for authentication of a user, and allows this user access to protected resources or capabilities based on this authentication
  • SAML Assertion – The portion of the SAML Response which confirms identity attributes of the authenticated user.
  • SAML Request – The structured XML message sent by the Service Provider to an Identity Provider, identifying itself and requesting authentication of the user.
  • SAML Response – The XML message sent by the Identity Provider to the Service Provider identifying itself as the issuer, indicating the status of the authentication attempt, and including the SAML Assertion if this can be issued (typically signed with the Identity Provider’s certificate).

How to debug SSO Issue

You can use Salesforce Chrome Extension called “SAML-Tracer”. You can also use SAML Assertion Validator in Salesforce.

Amit Chaudhary
Amit Chaudhary

Amit Chaudhary is Salesforce Application & System Architect and working on Salesforce Platform since 2010. He is Salesforce MVP since 2017 and have 17 Salesforce Certificates.

He is a active blogger and founder of Apex Hours.

Articles: 466

Leave a Reply

Your email address will not be published. Required fields are marked *