Use this guide to enable Service Provider (SP)-initiated Multi-Factor Authentication and Single Sign-on (SSO) access via SAML to Salesforce. 

For SecureAuth IdP-initiated access, see the Salesforce (IdP-initiated) Integration Guide


  • Salesforce account
  • Salesforce domain name URL (configuration steps below)
  • SecureAuth IdP version 9.0 or later, with a realm ready for the Salesforce integration

SecureAuth IdP configuration

  1. Log in to SecureAuth IdP and find the new realm to be used for the Salesforce integration. 
  2. Go to the Data tab. 
  3. In the Profile Fields section, set the following: 


    Map the directory field that contains the Salesforce ID of the user to the SecureAuth IdP Property. 

    For example, in the Email 2 Property, add Salesforce ID as the directory field.  

  4. Save your changes. 

  5. Go to the Post Authentication tab. 
  6. In the Post Authentication section, set the following: 

    Authenticated User RedirectSet to SAML 2.0 (SP Initiated) Assertion.
    Redirect To

    This field is auto-populated with an URL, which appends to the domain name and realm number in the address bar. For example, Authorized/SAML20SPInit.aspx. 

    Upload a PageOptionally, you can upload a customized post authentication page. 

  7. In the User ID Mapping section, set the following: 

    User ID Mapping

    Set to the SecureAuth IdP Property that corresponds to the directory field that contains the Salesforce ID. For example, Email 2.

    Name ID Format

    Set to urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified. (Default setting)

    Choose a different option if Salesforce requires it, to which the Service Provider (SP) will provide. 

    Encode to Base64

    Set to False.

  8. In the SAML Assertion / WS Federation section, set the following: 

    WSFedSAML Issuer

    Set to a unique name that will be shared with Salesforce. 

    The value in WSFed/SAML Issuer must match exactly on both the SecureAuth IdP side and the Salesforce side. 

    SAML AudienceSet to
    SP Start URL

    Provide the starting URL to enable SSO and to redirect users to access Salesforce. 

    For example,

    SAML Offset MinutesSet the minutes to make up for time differences between devices. 
    SAML Valid Hours

    Set the number of hours to limit how long the SAML assertion is valid. 

  9. Scroll down to the end of the SAML Assertion / WS Federation section, and set the following: 

    Signing Cert Serial Number

    Leave the default value, unless there is a third-party certificate being used for the SAML assertion. 

    To use a third-party certificate, click the Select Certificate link and choose the appropriate certificate. 

    DomainIf required, provide domain to download the Metadata File to send to Salesforce. 

  10. Save your changes. 
  11. Optionally, in the Forms Auth / SSO Token section, click the View and Configure FormsAuth keys/SSO token link to configure the token/cookie settings and configure this realm for SSO. 

    To configure token/cookie settings for this realm, expand this panel and do the following...
    1. In the Forms Authentication section, set the following: 

      Require SSLIf the SSL is required to view the token, set to True

      Indicate whether SecureAuth IdP will deliver the token in a cookie to the user's browser or device:

      • UseCookies – Always deliver a cookie 
      • UseUri – Do not deliver a cookie, deliver the token in a query string 
      • AutoDetect –  Deliver a cookie if the user's settings allow it. 
      • UseDeviceProfile  – Deliver a cookie if the browser settings allow it, regardless of the user's settings
      Sliding ExpirationFor the cookie to remain valid as long as the user is interacting with the page, set to True
      TimeoutSet the length of time in minutes the cookie is valid. 

    2. In the Machine Key section, set the following: 

      ValidationIf the default value does not match your organization's requirements, choose another value. 
      DecryptionIf the default value does not match your organization's requirements, choose another value. 

    3. In the Authentication Cookies section, set the following: 


      Set one of the following values:

      • True - Expires after Timeout – Allow the cookie to be persistent 
      • False - Session Cookie – Allow the cookie to be valid as long as the session is open, and expires when the browser is closed or the session expires 

    4. Save your changes. 

    To configure this realm for SSO, see SecureAuth IdP Single Sign-on Configuration

    To configure this realm for Windows Desktop SSO, see Windows desktop SSO configuration

Salesforce configuration

To configure the Salesforce domain

  1. Log in to the Salesforce Control Panel. 
  2. Click Setup, expand Domain Management, and then click My Domain
  3. Specify a unique Salesforce URL that is associated to the corporate account. 
  4. Supply a subdomain name, which can be anything; but a subdomain name can be registered only once
    It takes Salesforce about a day to process the subdomain request, but the URL might be testable within an hour. 

To configure single sign-on in Salesforce

  1. After the domain configurations, click Setup, expand Security Controls, and click Single Sign-On Settings.
  2. Click New and set the following: 


    Set the value to the same unique name value as provided to SecureAuth IdP in the SAML Assertion / WS Federation section. 

    Identity Provider CertificateClick Choose File to choose the certificate used in SecureAuth IdP in the SAML Assertion / WS Federation section. 
    SAML Identity TypeSet to Assertion contains the User's Salesforce username
    SAML Identity LocationSet to Identity is in the NameIdentifier element of the Subject statement
    Service Provider Initiated Request Binding

    Set to HTTP Redirect

    If set to HTTP POST, then in the SecureAuth IdP, go to the Post Authentication tab, in the Post Authentication section, set the Authenticated User Redirect option to SAML 2.0 (SP Initiated by Post) Assertion.

    Identity Provider Login URL

    Set to the Fully Qualified Domain Name (FQDN) of the SecureAuth IdP appliance followed by the realm number of the Salesforce integration and secureauth.aspx.

    For example,

    Custom Logout URL

    Set the URL to where end users are redirected when logging out of Salesforce. 

    Entity IDSet to .

  3. Click User Interface, expand Sites and Domains, and click Domains
  4. Select the Authentication Service created in SAML Single Sign-On Setting

  5. Review the configuration, make any necessary edits, and then click Save