This topic describes how to use the SAML protocol to implement single sign-on for Salesforce in the IDaaS console.


Salesforce is a customer relationship management (CRM) software service provider based in San Francisco, USA. It was founded in 1999 and provides a customer relationship management platform for on-demand applications. Salesforce supports single sign-on with the SAML protocol.


  1. Log on to the IDaaS console as an IT administrator. For more information, see Logon in Administrator Guide.
  2. In the left-side navigation pane, choose Applications > Add Application. Find the Salesforce application and click Add Application in the Actions column.
  3. Find an existing SigningKey. You can add a SigningKey first if there are no existing SigningKeys. Click Export in the Actions column. Export a .cer certificate locally.
  4. Log on to Salesforce as an administrator. Click Settings in the upper-right corner.
  5. In the left-side navigation pane, choose Identity > Single Sign-On Settings. Find SAML Single Sign-On Settings and click New.
  6. Go to the SAML Single Sign-On Settings page.
    • Name: the name of the SAML single sign-on configuration. You can enter a name as needed.
    • Issuer: Note that this value must be the same as that of IDaaS IdentityId in IDaaS.
    • Entity ID: Set it to
    • Identity Provider Certificate: Select the certificate file exported from IDaaS.
    • Request Signing Certificate: Use the default value.
    • Request Signature Method: Set it to RSA-SHA1.
    • Assertion Decryption Certificate: Select Assertion unencrypted.
    • SAML Identity Type: Select Assertion contains User's Salesforce username.
    • SAML Identity Location: Select Identity is in the NameIdentifier element of the Subject statement.
    • Leave Identity Provider Login URL, Customer Logout URL, and Custom Error URL empty. Click Save.
  7. After you configure the SAML settings, the SAML details will be displayed with the name that you specified. You must the value of Salesforce Login URL for later use.

    Note: You also can click the SAML name to view the value of Salesforce Login URL on the preceding page.

  8. Find Single Sign-On Settings and click Edit.
  9. Select the SAML Enabled check box and click Save.
  10. Return to the Add Application (Salesforce) page of the IDaaS console. Find the target SingingKey and click Select in the Actions column to configure the SAML parameters.
    • Set IDaaS IdentityId to the value of Issue specified in Salesforce.
    • Set SP ACS URL(SSO Location) to the Salesforce logon URL.
      Note The URL format is<Your organization ID>. If you are not sure about your organization ID in Salesforce, go to the Company Profile > Company Information page of Salesforce.
  11. Enable and authorize the application.
  12. Add an application account and log on to Salesforce in a single sign-on manner.

    If all the preceding steps are successful, you have logged on to Salesforce in a single sign-on manner.