User Authentication and Single Sign-On in Salesforce

Part 28: User Authentication and Single Sign-On in Salesforce

Up to this point in the series, every user we have created logs in with a username and password directly in Salesforce. That works fine for a small org, but the moment your company has fifty, five hundred, or five thousand employees all using Salesforce alongside Slack, Google Workspace, Jira, and a handful of other SaaS tools, managing separate credentials for each application becomes a nightmare. Users forget passwords, IT spends half its life resetting them, and security suffers because people reuse the same weak password everywhere.

Single Sign-On (SSO) solves this problem. Instead of each application maintaining its own credentials, a central identity provider handles authentication and tells Salesforce “this user is who they say they are.” Combine SSO with Multi-Factor Authentication (MFA) and you have a security model that is both easier for users and harder for attackers.

In this post, we will cover the authentication landscape end to end: the protocols that make SSO possible, MFA requirements, how to integrate Okta with Salesforce step by step, how to bring SSO to Experience Cloud sites, and a full project walkthrough for setting up Ping Federate as your identity provider.

What Is Single Sign-On (SSO)

Single Sign-On is an authentication scheme that allows a user to log in once with a single set of credentials and then access multiple applications without being prompted to log in again. When you sign in to your company’s identity portal in the morning and then open Salesforce, Gmail, and Confluence without entering another password, that is SSO at work.

How SSO Works at a High Level

┌──────────┐          ┌───────────────────┐         ┌─────────────┐
│          │  1. User │                   │         │             │
│  User    │ ──────>  │  Service Provider │ ──2───> │  Identity   │
│ (Browser)│          │  (Salesforce)     │         │  Provider   │
│          │ <──5───  │                   │ <──4─── │  (Okta,     │
│          │  Access  │                   │  Token  │   Azure AD, │
│          │  Granted │                   │         │   Ping)     │
│          │          │                   │         │             │
└──────────┘          └───────────────────┘         └─────────────┘
                                                        │
                                                   3. User logs
                                                      in here

The user attempts to access Salesforce (the Service Provider or SP).
Salesforce redirects the user to the Identity Provider (IdP) — the central authentication server.
The user authenticates at the IdP (or is already authenticated from a previous session).
The IdP sends a signed token back to Salesforce confirming the user’s identity.
Salesforce grants access.

The user only ever enters credentials at the IdP. Salesforce never sees the password.

Key Terminology

Term	Definition
Identity Provider (IdP)	The authoritative source for user identity. It authenticates users and issues tokens. Examples: Okta, Azure AD, Ping Identity, Google Workspace.
Service Provider (SP)	The application that relies on the IdP for authentication. In our case, Salesforce.
Assertion	The message the IdP sends to the SP confirming who the user is and what attributes they have.
Federation	The trust relationship between an IdP and one or more SPs that allows SSO.
IdP-Initiated SSO	The user starts at the IdP portal, clicks a Salesforce tile, and is redirected into Salesforce already authenticated.
SP-Initiated SSO	The user goes to Salesforce first, Salesforce redirects to the IdP for authentication, and the IdP sends them back.

The Three Protocols: SAML, OAuth 2.0, and OpenID Connect

SSO is not a single protocol — it is a concept that can be implemented using several different protocols. The three you will encounter most often in the Salesforce ecosystem are SAML, OAuth 2.0, and OpenID Connect (OIDC).

SAML (Security Assertion Markup Language)

SAML is the oldest and most widely used protocol for enterprise SSO. It is an XML-based standard designed specifically for exchanging authentication and authorization data between an IdP and an SP.

How SAML Works:

┌─────────┐      ┌───────────────┐      ┌──────────┐
│ Browser │──1──>│  Salesforce   │      │   IdP    │
│         │      │  (SP)         │──2──>│ (Okta)   │
│         │<─────│               │      │          │
│         │  redirect to IdP     │      │          │
│         │──3─────────────────────────>│          │
│         │      │               │      │          │
│         │<─4── SAML Assertion ────────│          │
│         │──5──>│               │      │          │
│         │      │ Validates     │      │          │
│         │<─6── │ assertion     │      │          │
│         │      │ Grants access │      │          │
└─────────┘      └───────────────┘      └──────────┘

User navigates to Salesforce.
Salesforce generates a SAML AuthnRequest and redirects the browser to the IdP.
Browser follows the redirect to the IdP login page.
User authenticates. IdP generates a signed SAML Assertion (an XML document containing the user’s identity, attributes, and a digital signature).
Browser POSTs the assertion back to Salesforce’s Assertion Consumer Service (ACS) URL.
Salesforce validates the signature, maps the assertion’s subject to a Salesforce user, and creates a session.

SAML Key Concepts:

Concept	Description
SAML Assertion	XML document containing authentication statements, attribute statements, and authorization decision statements.
Entity ID	A unique identifier for each participant (SP and IdP) in the SAML exchange.
ACS URL	The Assertion Consumer Service URL — the Salesforce endpoint that receives the SAML assertion.
Issuer	The entity that created the assertion. For IdP-initiated SSO, this is the IdP’s entity ID.
Certificate	The X.509 certificate used by the IdP to sign assertions. Salesforce uses this to verify the signature.
NameID	The identifier in the assertion that Salesforce uses to match the assertion to a user (typically the Salesforce username or Federation ID).

When to use SAML: SAML is the standard choice for enterprise SSO into Salesforce. If your company uses Okta, Azure AD, ADFS, or Ping Identity for employee authentication, SAML is almost certainly what you will configure.

Section Note: SAML 2.0 is the current version. SAML 1.1 is deprecated and should not be used for new integrations. When someone says “SAML” in the Salesforce context, they mean SAML 2.0.

OAuth 2.0

OAuth 2.0 is an authorization framework, not an authentication protocol. It was designed to allow third-party applications to access a user’s resources without exposing the user’s password. However, it is frequently used alongside authentication protocols and is deeply embedded in the Salesforce platform.

OAuth 2.0 is about authorization, not authentication. When an external application needs to call Salesforce APIs on behalf of a user, OAuth 2.0 is the mechanism that grants that access.

Key OAuth 2.0 Concepts:

Concept	Description
Resource Owner	The user who owns the data (the Salesforce user).
Client	The external application requesting access.
Authorization Server	The server that issues tokens (Salesforce itself, in many scenarios).
Resource Server	The server hosting the protected resources (Salesforce APIs).
Access Token	A short-lived token that grants the client access to specific resources.
Refresh Token	A long-lived token that can be exchanged for a new access token.
Scopes	Define the level of access the client is requesting (e.g., `api`, `refresh_token`, `full`).
Connected App	The Salesforce object that represents an external application and its OAuth settings.

Common OAuth 2.0 Flows in Salesforce:

Flow	Use Case
Web Server Flow (Authorization Code)	Server-side web applications that can securely store a client secret.
User-Agent Flow (Implicit)	Browser-based or mobile apps that cannot securely store a client secret. Being deprecated in favor of Authorization Code with PKCE.
JWT Bearer Flow	Server-to-server integrations where no user interaction is needed.
Device Flow	Devices with limited input capabilities (IoT, CLI tools).
Refresh Token Flow	Obtaining a new access token using a previously issued refresh token.
Username-Password Flow	Legacy flow — sends credentials directly. Avoid in production.
SAML Bearer Assertion Flow	Exchange a SAML assertion for an OAuth access token.

When to use OAuth 2.0: Use OAuth when an external application needs API access to Salesforce data. OAuth does not replace SAML for user login — it complements it.

Section Note: Salesforce requires a Connected App for every OAuth integration. The Connected App defines the OAuth settings (callback URL, scopes, certificate) and can enforce IP restrictions, session policies, and MFA.

OpenID Connect (OIDC)

OpenID Connect is an authentication layer built on top of OAuth 2.0. While OAuth 2.0 answers “what is this application allowed to access?”, OIDC answers “who is this user?”

OIDC adds an ID Token (a JSON Web Token / JWT) to the OAuth flow. The ID token contains claims about the authenticated user — their name, email, unique identifier, and when they authenticated.

How OIDC Relates to SAML and OAuth:

┌─────────────────────────────────────────────────┐
│                   SSO Protocols                 │
│                                                 │
│  ┌────────────────┐  ┌───────────────────────┐  │
│  │    SAML 2.0    │  │     OAuth 2.0         │  │
│  │                │  │                       │  │
│  │ Authentication │  │   Authorization       │  │
│  │ + Authorization│  │                       │  │
│  │                │  │  ┌─────────────────┐  │  │
│  │  XML-based     │  │  │  OpenID Connect │  │  │
│  │  Enterprise    │  │  │                 │  │  │
│  │  focused       │  │  │ Authentication  │  │  │
│  │                │  │  │ layer on OAuth  │  │  │
│  │                │  │  │ JSON/JWT-based  │  │  │
│  └────────────────┘  │  └─────────────────┘  │  │
│                      └───────────────────────┘  │
└─────────────────────────────────────────────────┘

OIDC Key Concepts:

Concept	Description
ID Token	A JWT containing claims about the user (sub, name, email, iat, exp).
UserInfo Endpoint	An endpoint that returns claims about the authenticated user when presented with an access token.
Claims	Name-value pairs about the user (e.g., `sub`, `email`, `name`, `preferred_username`).
Discovery Document	A JSON document at `/.well-known/openid-configuration` that describes the OIDC provider’s endpoints and capabilities.

When to use OIDC: OIDC is increasingly popular for modern web and mobile applications. Salesforce supports OIDC both as a provider (Salesforce can act as an OIDC identity provider) and as a relying party (Salesforce can authenticate users via an external OIDC provider). It is the recommended protocol for Experience Cloud social login and for modern identity providers that prefer JSON over XML.

Section Note: In practice, many Salesforce SSO setups still use SAML because the enterprise identity providers (Okta, Azure AD, Ping) have mature SAML integrations. OIDC is becoming more common for Experience Cloud sites and mobile apps.

Protocol Comparison

Feature	SAML 2.0	OAuth 2.0	OpenID Connect
Primary purpose	Authentication + Authorization	Authorization	Authentication
Token format	XML assertion	Opaque access token or JWT	JWT (ID token)
Transport	HTTP POST / Redirect	HTTP headers (Bearer token)	HTTP headers (Bearer token)
Best for	Enterprise SSO	API access	Modern web/mobile auth
Salesforce support	Full (IdP and SP)	Full (Connected Apps)	Full (IdP and SP)
Complexity	Medium-High	Medium	Medium
User experience	Browser redirect	Background token exchange	Browser redirect
Maturity	Very mature (2005)	Mature (2012)	Mature (2014)

What Is Two-Factor Authentication (MFA)

Multi-Factor Authentication (MFA), sometimes called Two-Factor Authentication (2FA), requires users to verify their identity using two or more independent factors before gaining access. The factors fall into three categories:

Factor	Description	Examples
Something you know	A secret the user memorizes	Password, PIN, security question
Something you have	A physical device the user possesses	Mobile phone, security key, authenticator app
Something you are	A biometric characteristic	Fingerprint, facial recognition, iris scan

Standard login uses only the first factor (password). MFA adds a second factor — typically a time-based one-time password (TOTP) from an authenticator app or a push notification.

Salesforce’s MFA Requirement

As of February 1, 2022, Salesforce requires MFA for all users who log in directly to Salesforce products. This is not optional — it is a contractual obligation under the Salesforce Trust and Compliance documentation.

Important clarification: If your users authenticate through SSO, MFA at the IdP satisfies the Salesforce MFA requirement. You do not need to enable MFA within Salesforce itself if your IdP already enforces it.

MFA Methods Supported by Salesforce

Method	Description	Recommended?
Salesforce Authenticator	Salesforce’s own mobile app. Supports push notifications and location-based auto-verification.	Yes — it is the easiest for end users.
Third-party TOTP apps	Google Authenticator, Microsoft Authenticator, Authy, etc. Generate 6-digit codes that rotate every 30 seconds.	Yes — widely used and reliable.
Security keys (U2F/WebAuthn)	Physical hardware keys like YubiKey. Plug in via USB or tap via NFC.	Yes — the most secure option.
Built-in authenticators	TouchID, FaceID, Windows Hello — biometric verification built into the device.	Yes — convenient and secure.
SMS / Email codes	One-time codes sent via text or email.	No — Salesforce does NOT consider SMS or email as valid MFA methods due to known vulnerabilities (SIM swapping, email compromise).

How to Enable MFA in Salesforce

Step 1: Verify your users have an authenticator method registered.

Go to Setup > Identity > Multi-Factor Authentication and review the MFA settings.

Step 2: Assign the “Multi-Factor Authentication for User Interface Logins” permission.

You can do this via a permission set:

Go to Setup > Permission Sets.
Create a new permission set (or use an existing one).
Under System Permissions, enable Multi-Factor Authentication for User Interface Logins.
Assign the permission set to the appropriate users.

Alternatively, enable it on the profile directly.

Step 3: Communicate with your users.

Before enforcing MFA, give users time to register their authenticator. Send clear instructions with screenshots. Run a pilot with a small group first.

Step 4: Monitor adoption.

Use the Identity Verification History report and the Multi-Factor Authentication setup page to track which users have registered and which have not.

Section Note: The MFA requirement applies to direct Salesforce UI logins. API-only users (integrations) are exempt. If you use SSO, your IdP is responsible for enforcing MFA — but you must ensure MFA is actually turned on at the IdP. Salesforce auditors will check.

What Is Okta

Okta is a cloud-based identity and access management (IAM) platform. It is one of the most popular identity providers in the enterprise world and is used by thousands of organizations to manage SSO, MFA, lifecycle management, and API access across their application ecosystem.

Why Okta Is So Common with Salesforce

Cloud-native: Okta is a SaaS product, just like Salesforce. There are no on-premises servers to manage.
Pre-built integration: Okta has a first-party Salesforce integration in its catalog. Setup takes minutes, not days.
Universal Directory: Okta can sync users from Active Directory, LDAP, HR systems, and other sources into a single directory, then provision those users into Salesforce automatically.
Lifecycle management: When an employee is deactivated in Okta (e.g., on their last day), their Salesforce access is automatically revoked.
Adaptive MFA: Okta supports a wide range of MFA methods and can adapt requirements based on risk signals (location, device, behavior).

Okta Architecture Overview

┌─────────────────────────────────────────────────────────┐
│                        Okta                             │
│                                                         │
│  ┌──────────────────┐    ┌───────────────────────────┐  │
│  │ Universal        │    │ Application Integrations  │  │
│  │ Directory        │    │                           │  │
│  │                  │    │ ┌────────┐ ┌──────────┐   │  │
│  │  ┌────────────┐  │    │ │Salesforce│ │Google  │   │  │
│  │  │ AD / LDAP  │  │    │ │(SAML)  │ │Workspace │   │  │
│  │  │ Sync       │  │    │ └────────┘ └──────────┘   │  │
│  │  └────────────┘  │    │ ┌────────┐ ┌──────────┐   │  │
│  │  ┌────────────┐  │    │ │Slack   │ │Jira      │   │  │
│  │  │ HR System  │  │    │ │(SAML)  │ │(SAML)    │   │  │
│  │  │ Import     │  │    │ └────────┘ └──────────┘   │  │
│  │  └────────────┘  │    │                           │  │
│  └──────────────────┘    └───────────────────────────┘  │
│                                                         │
│  ┌─────────────────┐     ┌──────────────────────────┐   │
│  │ Authentication  │     │ Lifecycle Management     │   │
│  │ Policies        │     │                          │   │
│  │                 │     │ Auto-provision users     │   │
│  │ MFA, Adaptive   │     │ Auto-deactivate users    │   │
│  │ Policies, Risk  │     │ Attribute sync           │   │
│  └─────────────────┘     └──────────────────────────┘   │
└─────────────────────────────────────────────────────────┘

Okta Terminology

Term	Description
Okta Org	Your Okta tenant — the instance where your users, apps, and policies live.
Application Integration	The configuration in Okta that connects Okta to a specific SP (like Salesforce).
Universal Directory	Okta’s user store. Can import users from multiple sources.
Sign-On Policy	Rules that determine how users authenticate (password only, MFA required, etc.).
Provisioning	Automatic creation, update, and deactivation of user accounts in downstream apps.
SCIM	System for Cross-domain Identity Management — the protocol Okta uses for user provisioning.

How to Set Up Okta with Salesforce (Step-by-Step)

This section walks through a complete SAML-based SSO integration between Okta (as the IdP) and Salesforce (as the SP). We will also configure user provisioning so that user accounts are automatically synced.

Prerequisites

Before you begin, make sure you have:

An Okta developer or production account with admin access
A Salesforce org with System Administrator access
The My Domain feature enabled in Salesforce (it is enabled by default in all orgs since Winter ‘21, but verify at Setup > My Domain)
A list of users who should be included in the SSO rollout

Phase 1: Configure the Salesforce Application in Okta

Step 1: Add Salesforce from the Okta Application Catalog.

Log in to your Okta admin console.
Navigate to Applications > Applications.
Click Browse App Catalog.
Search for “Salesforce” and select Salesforce.com.
Click Add Integration.

Step 2: Configure General Settings.

Set the Application label (e.g., “Salesforce Production”).
For Custom Domain, enter your Salesforce My Domain URL (e.g., yourcompany.my.salesforce.com).
Leave the other settings at their defaults unless you have specific requirements.
Click Next.

Step 3: Configure Sign-On Options.

Select SAML 2.0 as the sign-on method.
Okta will display the SAML configuration details. You will need these later:
- Identity Provider Issuer — Okta’s entity ID
- Identity Provider Single Sign-On URL — The URL where Salesforce will redirect users
- X.509 Certificate — Download this certificate. You will upload it to Salesforce.
For Application username format, select Okta username or Email depending on how your Salesforce usernames are structured.
Click Done.

Step 4: Download the Okta SAML Metadata.

In the Salesforce application in Okta, go to the Sign On tab.
Click Identity Provider metadata to download the XML metadata file. This file contains the IdP entity ID, SSO URL, and certificate — everything Salesforce needs.

Phase 2: Configure SSO in Salesforce

Step 5: Upload the IdP Certificate.

In Salesforce, go to Setup > Security > Certificate and Key Management.
Actually, Salesforce will handle this during SSO configuration. Skip ahead to Step 6 — the certificate is uploaded as part of the SSO settings.

Step 6: Create a Single Sign-On Configuration.

Go to Setup > Identity > Single Sign-On Settings.
Click Edit and check SAML Enabled. Save.
Click New under SAML Single Sign-On Settings.
Fill in the following fields:

Field	Value
Name	Okta SSO
API Name	Okta_SSO
Issuer	Copy the Identity Provider Issuer from Okta (e.g., `http://www.okta.com/exk...`)
Entity ID	Your Salesforce My Domain URL (e.g., `https://yourcompany.my.salesforce.com`)
Identity Provider Certificate	Upload the X.509 certificate you downloaded from Okta
Request Signing Certificate	Leave as Default Certificate
SAML Identity Type	Select Assertion contains the Federation ID from the User object
SAML Identity Location	Select Identity is in the NameIdentifier element of the Subject statement
Service Provider Initiated Request Binding	HTTP POST
Identity Provider Login URL	Copy the Identity Provider Single Sign-On URL from Okta
Custom Logout URL	(Optional) Your Okta logout URL

Click Save.

Section Note: The SAML Identity Type setting is critical. If you choose “Federation ID,” you must ensure every Salesforce user has their Federation ID field populated with the value Okta sends in the assertion. If you choose “Salesforce Username,” the assertion must contain the exact Salesforce username. Mismatches here are the number one cause of SSO failures.

Step 7: Configure My Domain to Use SSO.

Go to Setup > My Domain.
Under Authentication Configuration, click Edit.
Check the box next to your new SSO configuration (“Okta SSO”).
Optionally, uncheck Login Form if you want to force all users through SSO (be careful — keep at least one System Admin able to log in directly for emergency access).
Click Save.

Phase 3: Configure User Provisioning (SCIM)

User provisioning automates the creation and deactivation of Salesforce user accounts from Okta.

Step 8: Enable the Salesforce API in Okta.

In Okta, go to the Salesforce application and click the Provisioning tab.
Click Configure API Integration.
Check Enable API Integration.
Click Authenticate with Salesforce. This will open a Salesforce login window — log in with your System Administrator credentials to authorize Okta.
Click Save.

Step 9: Configure Provisioning Settings.

Under Provisioning > To App, click Edit.
Enable the following:
- Create Users — Okta will create Salesforce users automatically.
- Update User Attributes — Changes in Okta (name, email, etc.) will sync to Salesforce.
- Deactivate Users — When a user is deactivated in Okta, their Salesforce account is deactivated.
Click Save.

Step 10: Map Attributes.

Still on the Provisioning tab, scroll to Attribute Mappings.
Map Okta attributes to Salesforce fields:

Okta Attribute	Salesforce Field	Notes
`user.email`	`Email`
`user.firstName`	`FirstName`
`user.lastName`	`LastName`
`user.email`	`Username`	If your Salesforce usernames are email addresses
`user.email`	`FederationIdentifier`	Must match the SAML assertion’s NameID
(hardcoded value)	`ProfileId`	Set to the Salesforce Profile ID for provisioned users
(hardcoded value)	`UserRoleId`	Set to the appropriate Role ID if needed

Click Save.

Phase 4: Test the Integration

Step 11: Assign a Test User in Okta.

In Okta, go to the Salesforce application and click the Assignments tab.
Assign a test user (or a test group) to the application.
If provisioning is enabled, Okta will create the user in Salesforce automatically. If not, make sure the user already exists in Salesforce with the correct Federation ID.

Step 12: Test SP-Initiated SSO.

Open an incognito browser window.
Navigate to your Salesforce My Domain login page.
You should see an SSO button (e.g., “Log in with Okta SSO”).
Click it. You should be redirected to Okta.
Log in at Okta (or if already logged in, you should be redirected back automatically).
Verify that you land in Salesforce with the correct user context.

Step 13: Test IdP-Initiated SSO.

Log in to Okta.
Click the Salesforce tile on your Okta dashboard.
Verify that you are redirected directly into Salesforce without a login prompt.

Step 14: Troubleshoot if Needed.

Common SSO issues and their solutions:

Problem	Likely Cause	Solution
”We can’t log you in” error	NameID mismatch — the value in the SAML assertion does not match any Salesforce user	Check that the Federation ID (or username) in Salesforce matches the assertion value exactly.
Redirect loop	My Domain authentication configuration issue	Ensure the SSO configuration is selected under My Domain. Clear browser cache and try again.
Certificate error	Expired or wrong certificate	Re-download the certificate from Okta and re-upload it in Salesforce.
User not provisioned	Provisioning not enabled or attribute mapping error	Check Okta provisioning logs for errors. Verify attribute mappings.
”Invalid status code in response”	The IdP returned an error status	Check the IdP logs for details. Often caused by an unsigned request when the IdP expects one.

Section Note: Always maintain at least one System Administrator account that can log in directly via username and password (not SSO). If your IdP goes down, this is your emergency access. Add this user’s IP to the Login IP Ranges on their profile to lock it down, and do NOT uncheck “Login Form” on My Domain for this admin.

How to Add SSO Authentication to Experience Cloud Sites

Experience Cloud sites need authentication too. Your customers, partners, or community members should be able to log in via SSO — whether through a corporate IdP, a social login provider (Google, Facebook, Apple), or a custom OIDC provider.

Authentication Options for Experience Cloud

Method	Use Case
Username and Password	Default. Users create credentials directly in Salesforce.
SAML SSO	Enterprise partners or customers who have their own IdP.
OpenID Connect	Modern web-based authentication with external providers.
Social Sign-On	Allow users to log in with Google, Facebook, Apple, LinkedIn, etc.
Custom Login Flows	Flows that run during the login process for additional verification or data capture.
Passwordless Login	Email or SMS verification without a password.

Step-by-Step: Adding SAML SSO to an Experience Cloud Site

Step 1: Create the SSO Configuration.

Follow the same steps we covered in the Okta section (Steps 5-6) to create a SAML Single Sign-On configuration. The key difference for Experience Cloud: the Entity ID and ACS URL will be different from your internal org.

The Entity ID for an Experience Cloud site follows this pattern:

https://yourcompany.my.site.com/communityname

The ACS URL is:

https://yourcompany.my.site.com/communityname/login

Make sure your IdP is configured to send assertions to the Experience Cloud ACS URL, not the internal Salesforce ACS URL.

Step 2: Configure the Auth Provider (for OIDC/Social Login).

If you are using OpenID Connect or social login instead of SAML:

Go to Setup > Identity > Auth. Providers.
Click New.
Select the provider type (e.g., OpenID Connect, Google, Facebook, Apple).
Fill in the configuration:

Field	Description
Name	Descriptive name for the provider
Consumer Key	The client ID from the external provider
Consumer Secret	The client secret from the external provider
Authorize Endpoint URL	The provider’s authorization endpoint
Token Endpoint URL	The provider’s token endpoint
User Info Endpoint URL	The provider’s user info endpoint
Default Scopes	The scopes to request (e.g., `openid email profile`)
Registration Handler	An Apex class that handles user creation/matching (required)

Click Save.

Step 3: Create a Registration Handler.

The Registration Handler is an Apex class that implements the Auth.RegistrationHandler interface. It tells Salesforce what to do when a user authenticates through the external provider:

If the user already exists, match them and log them in.
If the user is new, create a new Contact and User record.

Here is a simplified example:

public class ExperienceCloudRegistrationHandler implements Auth.RegistrationHandler {

    public User createUser(Id portalId, Auth.UserData data) {
        // Check if a user already exists with this email
        List<User> existingUsers = [
            SELECT Id FROM User
            WHERE Email = :data.email
            AND IsActive = true
            LIMIT 1
        ];

        if (!existingUsers.isEmpty()) {
            return existingUsers[0];
        }

        // Create a new Contact and Community User
        Account communityAccount = [
            SELECT Id FROM Account
            WHERE Name = 'Community Members'
            LIMIT 1
        ];

        Contact newContact = new Contact(
            AccountId = communityAccount.Id,
            FirstName = data.firstName,
            LastName = data.lastName,
            Email = data.email
        );
        insert newContact;

        Profile communityProfile = [
            SELECT Id FROM Profile
            WHERE Name = 'Customer Community User'
            LIMIT 1
        ];

        User newUser = new User(
            ContactId = newContact.Id,
            ProfileId = communityProfile.Id,
            FirstName = data.firstName,
            LastName = data.lastName,
            Email = data.email,
            Username = data.email + '.community',
            Alias = data.firstName.substring(0, 1) + data.lastName.substring(0, 4),
            EmailEncodingKey = 'UTF-8',
            LanguageLocaleKey = 'en_US',
            LocaleSidKey = 'en_US',
            TimeZoneSidKey = 'America/New_York'
        );
        insert newUser;

        return newUser;
    }

    public void updateUser(Id userId, Id portalId, Auth.UserData data) {
        User u = new User(Id = userId);
        u.FirstName = data.firstName;
        u.LastName = data.lastName;
        u.Email = data.email;
        update u;
    }
}

Step 4: Enable the Auth Provider on the Experience Cloud Site.

Go to Setup > Digital Experiences > All Sites.
Click Builder next to your site.
In Experience Builder, go to Settings (gear icon) > Authentication.
Under Login Page Configuration, you will see the available authentication options.
Enable the SSO configurations and Auth Providers you want to appear on the login page.
Arrange the order — the first option is the default.

Alternatively, configure this from Experience Workspace:

Go to Setup > Digital Experiences > All Sites.
Click Workspaces next to your site.
Navigate to Administration > Login & Registration.
Under Login Page Setup, enable the auth providers and SSO configurations you want.

Step 5: Customize the Login Page.

In Experience Builder, navigate to the Login page. You can customize:

The layout and branding of the login form
Which SSO buttons appear and their order
Whether self-registration is enabled
Custom login flow components (if you need additional logic during login)

Step 6: Configure Self-Registration (Optional).

If you want external users to create their own accounts:

In Experience Workspace > Administration > Login & Registration, enable self-registration.
Assign a default Profile and Account for self-registered users.
Optionally create a custom Apex registration handler for more control over the registration process.

Step 7: Test the Login Experience.

Open your Experience Cloud site URL in an incognito browser.
Verify that the login page shows the correct authentication options.
Test each login method:
- Direct username/password login
- SSO login (SAML or OIDC)
- Social login (if configured)
- Self-registration (if enabled)
Verify that users land on the correct page after login.
Verify that user records are created correctly for new external users.

Section Note: Experience Cloud login pages are highly customizable. You can replace the default login page with a fully custom LWR or Aura page. For enterprise portals, consider pre-populating the login page with the customer’s IdP so they do not have to choose — use URL parameters to auto-select the SSO method.

PROJECT: Set Up Ping Federate with Salesforce

Ping Identity (specifically Ping Federate) is another major enterprise identity provider. Many large organizations — particularly in financial services, healthcare, and government — use Ping Federate for centralized identity management. This project walks you through a complete Ping Federate SSO integration with Salesforce.

What Is Ping Federate

Ping Federate is the core product in the Ping Identity suite. Unlike Okta (which is fully cloud-based), Ping Federate is traditionally deployed on-premises or in a private cloud, although Ping now offers a cloud-hosted version called PingOne.

Ping Federate supports SAML 2.0, OAuth 2.0, OpenID Connect, WS-Federation, and WS-Trust. It is known for its deep configurability and its ability to integrate with complex enterprise identity stores (Active Directory, LDAP, custom databases).

Architecture Overview

┌───────────────────────────────────────────────────────┐
│                 Corporate Network                     │
│                                                       │
│  ┌──────────────┐     ┌────────────────────────┐      │
│  │ Active       │     │ Ping Federate          │      │
│  │ Directory    │────>│                        │      │
│  │              │     │ SAML 2.0 IdP           │      │
│  └──────────────┘     │                        │      │
│                       │ Endpoints:             │      │
│                       │  /idp/SSO.saml2        │      │
│                       │  /idp/SLO.saml2        │      │
│                       └───────────┬────────────┘      │
│                                   │                   │
└───────────────────────────────────┼───────────────────┘
                                    │ SAML Assertion
                                    │ (HTTPS)
                                    ▼
                          ┌──────────────────┐
                          │   Salesforce     │
                          │   (Service       │
                          │    Provider)     │
                          │                  │
                          │  ACS URL:        │
                          │  /login/saml     │
                          └──────────────────┘

Step-by-Step Setup

Phase 1: Gather Salesforce SP Metadata

Step 1: Get Salesforce SAML metadata.

In Salesforce, go to Setup > Identity > Single Sign-On Settings.
If you already have a SAML SSO config, click on it and note the metadata URL. Otherwise, note the following values (you will enter them in Ping Federate):
- Entity ID: https://yourcompany.my.salesforce.com
- ACS URL: https://yourcompany.my.salesforce.com/login/saml (or check the exact URL in your SSO settings)
- Logout URL: https://yourcompany.my.salesforce.com/secur/logout.jsp

Step 2: Download the Salesforce signing certificate (optional).

If you want Ping Federate to verify signed SAML requests from Salesforce:

Go to Setup > Security > Certificate and Key Management.
Download the default certificate or create a new one.

Phase 2: Configure Ping Federate

Step 3: Create an SP Connection in Ping Federate.

Log in to the Ping Federate admin console (typically at https://pingfederate.yourcompany.com:9999/pingfederate/app).
Navigate to SP Connections and click Create Connection.
On the Connection Type tab:
- Select Browser SSO Profiles and check SAML 2.0.
On the Connection Options tab:
- Check Browser SSO.
On the General Info tab:
- Partner’s Entity ID: https://yourcompany.my.salesforce.com
- Connection Name: Salesforce Production
- Base URL: https://yourcompany.my.salesforce.com
Click Configure Browser SSO.

Step 4: Configure Browser SSO.

Under SAML Profiles, enable:
- IdP-Initiated SSO
- SP-Initiated SSO
Click Configure Assertion Creation.

Step 5: Configure Assertion Creation.

Identity Mapping: Select Standard.
Attribute Contract: Add the attributes Salesforce needs:
- SAML_SUBJECT (the NameID — will be mapped to Federation ID or Username)
- Email
- FirstName
- LastName
Click Map New Adapter Instance to connect the assertion attributes to your identity source.

Step 6: Configure the Adapter Instance.

Select your authentication adapter (e.g., HTML Form Adapter backed by LDAP or Active Directory).
Map adapter attributes to assertion attributes:

Adapter Attribute	Assertion Attribute
`username` or `sAMAccountName`	`SAML_SUBJECT`
`mail`	`Email`
`givenName`	`FirstName`
`sn`	`LastName`

Configure the NameID Format as urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified or emailAddress, depending on what Salesforce expects.

Step 7: Configure Protocol Settings.

Assertion Consumer Service URL:
- Binding: POST
- URL: https://yourcompany.my.salesforce.com/login/saml
SLO (Single Logout) Service URL (optional):
- Binding: POST
- URL: https://yourcompany.my.salesforce.com/secur/logout.jsp
Allowable SAML Bindings: Select POST.
Signature Policy: Sign the assertion (required by Salesforce).

Step 8: Configure Credentials.

Select or create a Signing Certificate for Ping Federate. This is the certificate Salesforce will use to verify SAML assertions.
Export the certificate (you will upload it to Salesforce in the next phase).

Step 9: Activate the Connection.

Review all settings.
Set the connection status to Active.
Save.

Step 10: Export the Ping Federate Metadata.

Navigate to Server Settings > Server Settings > Protocol Metadata Export (or use the metadata URL: https://pingfederate.yourcompany.com:9031/pf/federation_metadata.ping?PartnerSpId=https://yourcompany.my.salesforce.com).
Download the metadata XML file.

Phase 3: Configure Salesforce

Step 11: Create the SSO Configuration in Salesforce.

Go to Setup > Identity > Single Sign-On Settings.
Click New under SAML Single Sign-On Settings.
You can either upload the Ping Federate metadata file directly (click New from Metadata File) or fill in the fields manually:

Field	Value
Name	Ping Federate SSO
Issuer	The Entity ID from Ping Federate metadata
Entity ID	`https://yourcompany.my.salesforce.com`
Identity Provider Certificate	Upload the Ping Federate signing certificate
SAML Identity Type	Assertion contains the Federation ID from the User object
SAML Identity Location	Identity is in the NameIdentifier element
Identity Provider Login URL	The SSO endpoint from Ping Federate (e.g., `https://pingfederate.yourcompany.com:9031/idp/SSO.saml2`)
Service Provider Initiated Request Binding	HTTP POST

Save.

Step 12: Update My Domain.

Go to Setup > My Domain > Authentication Configuration > Edit.
Enable the “Ping Federate SSO” configuration.
Save.

Step 13: Populate Federation IDs.

Every Salesforce user who will log in via Ping Federate SSO must have their Federation ID field populated. The Federation ID must match the value that Ping Federate sends in the SAML assertion’s NameID.

To set Federation IDs in bulk:

Export users via Data Loader or Reports.
Add the Federation ID column (typically the user’s AD username or email).
Import the updated records via Data Loader.

Alternatively, use the Salesforce API or a flow to auto-populate Federation IDs based on a known mapping.

Phase 4: Test and Validate

Step 14: Test SP-Initiated SSO.

Open an incognito browser.
Navigate to your Salesforce My Domain login page.
Click the Ping Federate SSO button.
Authenticate at the Ping Federate login page.
Verify that you are redirected back to Salesforce and logged in.

Step 15: Test IdP-Initiated SSO.

Navigate directly to the Ping Federate IdP-initiated SSO URL:

https://pingfederate.yourcompany.com:9031/idp/startSSO.ping?PartnerSpId=https://yourcompany.my.salesforce.com

Authenticate if prompted.
Verify that you land in Salesforce.

Step 16: Validate SAML Assertions.

Use a SAML debugging tool to inspect the assertions:

Salesforce SAML Assertion Validator: Go to Setup > Identity > Single Sign-On Settings and click SAML Assertion Validator. Paste a Base64-encoded assertion to validate it.
Browser extensions: SAML-tracer (Firefox) or SAML Chrome Panel let you capture and inspect assertions in real time.
Ping Federate Server Logs: Check server.log for SAML processing details.

Step 17: Roll Out to Users.

Start with a pilot group.
Communicate the change and provide instructions.
Monitor login failures using the Login History in Salesforce (Setup > Users > Login History) and Identity Verification History.
Gradually expand to all users.
Once stable, consider disabling password login on My Domain (but always keep an emergency admin account).

Troubleshooting Ping Federate SSO

Issue	Diagnostic Step	Resolution
”We can’t log you in”	Check Login History for the error detail. Usually a NameID mismatch.	Verify Federation ID matches the assertion’s NameID.
Certificate validation failure	Check the certificate expiration date.	Re-export and re-upload the Ping Federate certificate.
Assertion expired	Clock skew between Ping Federate and Salesforce.	Ensure NTP is configured on the Ping Federate server. Salesforce allows a 5-minute skew.
User not found	The Federation ID does not exist in Salesforce.	Create the user or populate their Federation ID. Enable Just-In-Time provisioning as an alternative.
Redirect loop	Multiple SSO configs conflicting.	Check My Domain authentication configuration. Disable conflicting SSO entries.
Signature validation error	Wrong certificate uploaded, or assertion unsigned.	Verify that Ping Federate is signing the assertion (not just the response) and that the correct certificate is in Salesforce.

Section Note: Ping Federate is more complex to set up than Okta because it is typically deployed on-premises and requires infrastructure management (load balancing, certificate renewal, high availability). However, it offers deeper customization and is often required in regulated industries where data cannot leave the corporate network. If your organization already has Ping Federate, the integration with Salesforce is straightforward once you understand the SAML exchange.

Best Practices for SSO and Authentication in Salesforce

Planning and Design

Choose your identity architecture early. Decide whether Salesforce will be an SP (most common), an IdP (Salesforce can act as an IdP for other apps), or both. Document the decision and the protocols involved.
Use Federation ID for user matching. Rather than matching on Salesforce username (which can change), use the Federation ID field. It is purpose-built for SSO and gives you a stable identifier.
Implement Just-In-Time (JIT) Provisioning where appropriate. JIT provisioning automatically creates or updates Salesforce user records based on SAML assertion attributes at login time. This reduces the need for a separate provisioning process, but requires that the assertion contains all necessary user attributes.
Plan for multiple IdPs. Large organizations often have separate IdPs for employees, contractors, and partners. Salesforce supports multiple SSO configurations — use them.

Security

Always enforce MFA at the IdP level. Since SSO centralizes authentication, the IdP is a single point of trust. MFA at the IdP protects all connected applications, including Salesforce.
Monitor Login History and Identity Verification History. These reports show who logged in, from where, and how. Set up alerts for unusual patterns (logins from unexpected IPs, failed attempts).
Maintain emergency access. Keep at least one System Administrator account with direct login capability. Protect it with IP restrictions and MFA. Document the emergency access procedure.
Rotate certificates proactively. IdP signing certificates expire. Set calendar reminders to rotate certificates well before expiration. A sudden certificate expiration means nobody can log in.

Experience Cloud Specific

Use Auth Providers for social login. For customer-facing Experience Cloud sites, social login (Google, Apple, Facebook) dramatically reduces friction. Combine it with a robust Registration Handler.
Customize the login page. The default login page works, but a branded login page with clear options builds trust and reduces support tickets.
Consider passwordless authentication. For Experience Cloud sites, passwordless login via email verification can be simpler than managing passwords for external users.

Operational

Test SSO in a sandbox first. Always configure and test SSO in a sandbox before touching production. Salesforce sandboxes can have their own My Domain and SSO configurations.
Document everything. SSO configurations involve multiple systems, certificates, URLs, and user mappings. Create a runbook that covers the complete setup, including emergency procedures.
Communicate changes to users. SSO changes affect how people log in. Announce changes in advance, provide clear instructions, and have support ready on rollout day.

Summary

Topic	Key Takeaway
SSO	Centralizes authentication at an Identity Provider. Users log in once and access Salesforce (and other apps) without re-entering credentials.
SAML 2.0	The standard protocol for enterprise SSO. XML-based. Salesforce supports it as both IdP and SP.
OAuth 2.0	An authorization framework for API access. Used with Connected Apps in Salesforce. Not for user login by itself.
OpenID Connect	An authentication layer on top of OAuth 2.0. JWT-based. Increasingly used for Experience Cloud and mobile.
MFA	Required for all Salesforce UI logins since Feb 2022. SSO with MFA at the IdP satisfies this requirement.
Okta	A leading cloud-based IdP with a first-party Salesforce integration. Supports SAML SSO and SCIM provisioning.
Ping Federate	An enterprise IdP commonly deployed on-premises. Supports SAML, OIDC, and deep customization.
Experience Cloud SSO	External users can authenticate via SAML, OIDC, social login, or custom auth providers. Requires a Registration Handler for new user creation.

What Is Next

In Part 29, we will dive into Org Security Settings in Salesforce — session settings, session management, password policies, event monitoring, transaction security policies, file security, platform encryption, field PII settings, and field audit trail. While SSO and MFA control who can get in, org security settings control what happens once they are inside. See you there.