Salesforce SAML Single Sign-On (SSO)

Salesforce offers both IdP-initiated SAML SSO (for SSO access through the CyberArk Identity User Portal) and SP-initiated SAML SSO (for SSO access directly through the Salesforce web application).

Salesforce SSO Requirements

Before you configure the Salesforce web application for SSO, you need the following:

  • A registered CyberArk Identity account and at least one CyberArk Identity Connector installed on a Windows computer (if you use only the CyberArk Identity directory as your identity store, you do not need to install the CyberArk Identity Connector).

  • A Salesforce account with administrator rights for your organization that provides SSO. The only types of Salesforce accounts that can be enabled for SSO are:

    • Group
    • Enterprise
    • Unlimited
    • Developer
    • Non-profit
    • Professional

    To verify your Salesforce account edition log click Setup near the top right of the Salesforce account page, then click Company Profile from the Navigation pane that runs down the left side of the page. The Company Profile page displays your account edition.

    For the Professional edition, your application must be certified for it to have provisioning API access. For details, see the Salesforce documentation, such as and
  • A signed certificate in both the Salesforce web application and the Admin Portal.

    You can either download one from the Admin Portal or use your organization’s trusted certificate. If you use your own certificate, upload the signing certificate and its private key in a .pfx or .p12 file to the application settings in the Admin Portal, and upload the public key certificate in a .cer or .pem file to the web application.

  • For SP-initiated SSO, you must create a custom domain before configuring the application in the Admin Portal.

    For details, see Create a custom domain in Salesforce.

Create a custom domain in Salesforce

In order to use SP-initiated SSO with Salesforce, you must have a custom domain.

For more information, see the following Salesforce information:

To register a domain in Salesforce

  1. Log in to your Salesforce account.
  2. Go to Setup (top right of page)> Domain Management > My Domain > Choose your company’s domain name.
  3. Enter a potential domain name and click Check Availability.
  4. If the domain is available, click the Terms and Conditions check box, and click Register domain.

    Your subdomain is now ready for testing.

  5. Click the Click here to login link to log in to your subdomain. To deploy the subdomain, you must be logged in.

    The login address now includes your newly created subdomain. For example:

  6. In the login screen for your subdomain, enter your normal Salesforce user name and password.
  7. Test the domain by clicking tabs and buttons to make sure the Salesforce functionality works as expected.
  8. When you’re finished testing the domain, deploy it to your users. While logged in to your subdomain, go to Setup, then Domain Management, then My Domain. Click Deploy to Users.
  9. Salesforce displays a warning message - once you create the domain, you can’t reverse it. All users will be pointed to the new domain after you deploy the domain. Click OK to continue.

    Salesforce deploys the domain for you and displays your current domain settings, such as the login policy, redirect policy, and domain name. For more information, consult the Salesforce documentation.

  10. If you’re going to use SP-initiated SSO, go to Domain Management > My Domain, and then click Edit under Authentication Configuration.

    Make sure that you’ve deployed your custom domain to users. Otherwise, the user authentication service settings are not available to you in Salesforce.
  11. In the Login Page Branding screen, in the Authentication Service section, select both options: Login Page and CyberArk.

    These authentication service options allow your users the option to log in by way of the user portal or by entering their Salesforce user name and password.

    Selecting the Login Page option provides you and all your users the option to log in using your Salesforce user name and password. If you do not select Login Page, only users who are in the Admin Portal and assigned to a role that you’ve assigned to Salesforce can access Salesforce. At this time, Salesforce does not yet provide a way to restrict the user name and password login to a subset of users.

    As a best practice, keep Login Page selected.

Add the Salesforce app in the Admin Portal

To add the Salesforce application in the Admin Portal

  1. In the Admin Portal, select Apps & Widgets > Web Apps, then click Add Web Apps.

  2. On the Search tab, enter the application name in the Search field and click the search icon.

  3. Next to the application name, click Add.

  4. In the Add Web App screen, click Yes to confirm.

  5. Click Close to exit the Application Catalog.

    The application opens to the Settings page.

Configure Salesforce SSO

The following steps are specific to the Salesforce application and are required in order to enable SSO for Salesforce. For information on optional configuration settings available in the Idaptive the Admin Portal, see Configure optional application settings.

To configure Salesforce for single sign-on

  1. In a new browser window, go to the Salesforce website and sign in with your administrator login.

    It is helpful to open the Salesforce web application and the Admin Portal Application Settings window simultaneously to copy and paste settings between the two browser windows.

  2. On the Salesforce website, navigate to Administration Setups, search for Single Sign-on Settings, and click Edit.
  3. Click Edit for Federated Single Sign-On Using SAML.
  4. Check the box for SAML Enabled.
  5. Click Save.
  6. Under Single Sign-On Settings, click New.

    The SAML Single Sign-On Setting Edit page displays.

    Use this page to configure the application for single sign-on from the user portal.

    Salesforce allows you to specify multiple identity providers for SSO.

    For additional information about configuring Salesforce for SSO, refer to the following:

  7. Configure the following settings (in the Salesforce web application and the Admin Portal Application Settings window).

    The red arrows in the table below indicate the direction of the copy and paste operation between the two windows. For instance, the first arrow in the table below indicates that you copy the content from the indicated field on the Salesforce website and paste it into the corresponding field in the CyberArk Identity the Admin Portal.

    Admin Portal >Trust



    Salesforce web application

    What you do

    Assertion Consumer Service URL

    Login URL

    On the Salesforce website go to Setup, click the SF account login name, and copy the Login URL and paste it into the Assertion Consumer Service URL in the Admin Portal >Trust.

    Note: If the login URL is not available, you may need to configure the IdP settings first.



    On the Salesforce website go to Setup, search for Single Sign-on Settings, click on Edit and enter this value under Issuer.

    The contents of this field must exactly match in the Admin Portal and on in the Salesforce website.

    Encrypt Assertion



    Select the check box to encrypt the assertion in the SAML response.

    If checked you must also provide an Encryption Certificate file.

    Identity Provider Login URL

    (SP-initiated only)

    Identity Provider Login URL

    For IdP-initiated only SSO, leave this field as is and do not copy it over to Salesforce.

    For SP-initiated SSO, copy this URL into the Identity Provider Login URL field in Salesforce.

    When specifying the URL, the URL must contain the appkey and customerID, such as the following:

    Note that appkey is case-sensitive.

    Custom Error URL

    Custom Error URL (Optional)

    The Error URL is a customized page that displays when a user encounters an error in Salesforce.

    If desired, copy this URL into the Custom Error URL field in Salesforce. This custom page in the user portal displays when users encounter an error in Salesforce.

    This item can be blank.

    Identity Provider Logout URL


    When a user logs out of Salesforce, if you want the user to be logged out of the user portal also, copy this URL into Salesforce directly.

    If you want to keep users logged into the user portal after they log out of Salesforce, leave this field as is.

    This item can be blank.

    Download Signing Certificate


    Identity Provider Certificate

    In the Admin Portal, click the link to download the Signing Certificate.

    On the Salesforce website go to Setup and search for Single Sign-on Settings.

    Click on Edit and upload the downloaded certificate in Identity Provider Certificate.

    Either use the standard certificate that you downloaded from the Admin Portal, or upload your own certificate (without the key).

    If you use your own certificate, upload it in the Application Settings page in the Admin Portal first. This can be done in Application Settings > Additional Options. See Specify the Application ID.

    After you upload the certificate on the Salesforce website, the certificate information appears in the Current Certificate area.

    If you replace the certificate, be sure to update Salesforce with the new certificate.

  8. Click Save.

    Clicking the Save button is optional at this point. You can move between pages while configuring your app in the Admin Portal and your changes are kept for you until you click Save.

  9. Complete the following on the Salesforce website:


    Required or optional

    What you do



    Set it to the name of your identity provider, such as CyberArk.

    API Name


    Set it to Idaptive.

    Entity ID


    If using a customized subdomain in Salesforce, set it to that domain. Otherwise, use

    Request Signature Method


    Leave set to default, RSA-SHA1

    Request Signing Certificate


    Select the certificate you want from the ones saved in your Certificate and Key Management settings.

    Assertion Decryption Certificate


    Set it to Assertion not encrypted. Encrypted assertions are not currently supported by the CyberArk Identity.

    SAML Identity Type


    Assertion contains User’s user name

    SAML Identity Location


    User ID is in the NameIdentifier element of the Subject statement

    Service Provider Initiated Request Binding

    Required for SP-initiated SSO

    Set it to HTTP Post.

    User Provisioning enabled


    Deselect this option. For details about configuring Salesforce for user provisioning, see Salesforce provisioning.


  10. Click Save.
  11. Click Save.
  12. (Optional) Configure Salesforce mobile apps for SSO. For details, see Configure Salesforce mobile applications for SSO.

Now that you have finished configuring the application settings in the Admin Portal and the Salesforce application, users are ready to launch the application from the CyberArk Identity User Portal.

Salesforce provisioning

This section covers how to configure the Salesforce SAML application in the Admin Portal to provision users from your source directory to Salesforce. This is accomplished with a custom plugin that is included in the Salesforce SAML application in the Admin Portal.

Requirements for Salesforce provisioning

Provisioning users to Salesforce requires the you to complete the following tasks first:

  • Configure and deploy the Salesforce SAML application in the Admin Portal.

    Refer to the CyberArk configuration document for Salesforce SAML Single Sign-On (SSO) for more information.

  • Add a custom domain in Salesforce.

    In order to use SP-initiated SSO with Salesforce, you need a custom domain. You created a custom domain as part of the prerequisites for configuring and deploying the Salesforce SAML application in the Admin Portal if you wanted to support SP-initiated SSO. Refer to Create a custom domain in Salesforce for more detail.

    For more information, see the following Salesforce information:

  • Create at least one connected app, so that you can create and retrieve the Consumer Key and Consumer Secret fields.

  • Make sure that your Salesforce and application support provisioning.

    For details, see Salesforce SAML Single Sign-On (SSO).

Provision users for Salesforce based on roles

You provision users to Salesforce by mapping the Admin Portal roles to existing or new accounts in Salesforce with the Salesforce profiles and roles that you specify. In addition, Salesforce provides you the additional ability to specify a user license.

When you change any role mappings, the CyberArk Identity synchronizes any user account or role mapping changes automatically.

Provision custom attributes

You can use the provisioning script to provision users with custom attributes. Custom attributes are defined in the Salesforce portal under App Setup > Customize > Users > Fields.

Modifying the provisioning script is for advanced users. Incorrect script modifications could have unexpected results.

Deprovision Salesforce users

There are two options for deprovisioned Salesforce user accounts: disable or freeze.

  • Disable user

    Selecting Disable user means that deprovisioned users can no longer log in to the Salesforce application and no longer retain the Salesforce license. The license is released and can be used by another user. In the Salesforce User detail page, the Active option is not selected.

  • Freeze user

    Selecting Freeze user means that deprovisioned users cannot log in to the application but users still retain the Salesforce user license. In the Salesforce User detail page, the Active option is selected and the Freeze button changes to Unfreeze.

Any changes to the user deprovisioning configuration generates a Directory synchronization report.

Configure Salesforce mobile applications for SSO

Salesforce provides mobile applications for both iOS and Android devices.