Describe the components of an identity management solution where Salesforce is accepting identity from a third party

My Domain

  • My Domain is the Salesforce Identity feature that gives your org its own subdomain within the Salesforce domain (for example, mycompany.my.salesforce.com, an assumed name). That subdomain gives the org a stable URL of its own, which is why the SSO and authentication-provider features below depend on it: it is the URL the identity provider is told to trust as the service provider.
  • Salesforce requires you to have a My Domain subdomain in place to:
    • Work in multiple Salesforce orgs in the same browser
    • Set up single sign-on (SSO) with external identity vendors
    • Set up authentication providers, such as Google and Facebook, so that your users can log in to your Salesforce org with their social account credentials
    • Use Lightning components in Lightning component tabs, Lightning pages, the Lightning App Builder, or standalone apps

Single Sign-On

  • SSO has lots of advantages.
    • You spend less time managing passwords.
    • Your employees save time when they don’t have to manually log in to Salesforce. Did you know that users take 5–20 seconds to log in to an online application? Those seconds add up.
    • More people use Salesforce. Users can send out links to Salesforce records and reports, and their recipients can open them in a single click.
    • You can manage access to sensitive information from one place.
  • Salesforce supports the following ways to use SSO:
    • Federated Authentication (SAML: the identity provider asserts who the user is)
    • Delegated Authentication (Salesforce calls a web service you host to validate the user's credentials)
    • Authentication Providers (OAuth/OpenID Connect logins, such as Google or Facebook)


  • Salesforce Identity uses the XML-based Security Assertion Markup Language (SAML) protocol for single sign-on into Salesforce from a corporate portal or identity provider.
  • With SAML, you can transfer user information between services, such as from Salesforce to Microsoft 365.
  • The identity provider sends SAML assertions to Salesforce using the SAML Web Single Sign-On Browser POST profile: the browser POSTs the signed response to the Salesforce Login URL.
  • For SP-initiated SSO, Salesforce sends a SAML authentication request to the Identity Provider Login URL specified in Single Sign-On Settings under Setup; the identity provider answers with a SAML response containing the assertion.
  • Salesforce receives the assertion and verifies it against its SSO configuration (signature against the uploaded certificate, issuer, audience, recipient, validity window, and a user lookup on the identifier). Only if every check passes does it allow SSO.

Federation Id

  • When setting up SSO, you use a unique attribute to identify each user. This attribute is the link that associates the Salesforce user with the external identity provider. You can use a username, user ID, or a Federation ID. We are going to use a Federation ID.
  • A Federation ID must be unique for each user in an org, which is why the username is a convenient choice. If the same person has a user in several orgs, give them the same Federation ID in each org so that one identity at the identity provider maps to all of them.
  • Setup → Users → select a user, click Edit next to the user record, and enter the value in the Federation ID field (Single Sign On Information section).

SSO settings in Salesforce (Service Provider).

  • On Salesforce side we configure SAML settings. SAML is a protocol that Salesforce Identity uses to implement SSO.
  • Get the identity provider's signing certificate. With Axiom as the example identity provider:
    • In a new browser window, go to
    • Click SAML Identity Provider & Tester.
    • Click Download the Identity Provider Certificate
  • In Setup, open Single Sign-On Settings, click Edit, and select SAML Enabled.
  • Under SAML Single Sign-On Settings, click New and enter the values below:
    • Name: any user-defined name, for example Axiom Test App
    • Issuer: Identity provider URL for example
    • Identity Provider Certificate: choose and upload the file downloaded in the earlier step. Salesforce uses this certificate to verify the signature on incoming assertions; a response signed with any other key is rejected.
    • SAML Identity Type: select Assertion contains the Federation ID from the User object, so the NameID in the assertion is matched against the Federation ID set on the user rather than against the username.
    • Service Provider Initiation Request Binding: select HTTP Redirect
    • Entity ID: enter your My Domain URL including the https:// scheme. This is the value the identity provider must put in the assertion's Audience.
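The settings above decide what Salesforce, as the service provider, sends when a user starts login from the Salesforce side. The following is an added example (not code from these notes or from Salesforce) of what the HTTP Redirect request binding actually means on the wire: the SAML AuthnRequest is raw-DEFLATE compressed, base64 encoded and URL-encoded into a SAMLRequest query parameter on the Identity Provider Login URL. The Entity ID, Salesforce Login URL and IdP login URL are assumed values; the decode function is there so you can read back what a browser was redirected with.

```python
import base64
import uuid
import zlib
from datetime import datetime, timezone
from urllib.parse import parse_qs, urlencode, urlsplit

# Hypothetical values standing in for the specifics the notes leave out.
SP_ENTITY_ID = "https://mycompany.my.salesforce.com"                    # Entity ID: My Domain URL incl. https
SP_ACS_URL = "https://mycompany.my.salesforce.com?so=00D000000000001"   # Salesforce Login URL (constructed)
IDP_LOGIN_URL = "https://idp.example.com/saml/sso"                      # Identity Provider Login URL

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"


def build_authn_request(sp_entity_id, acs_url, idp_login_url, now=None):
    """Return (request ID, XML) for an unsigned SAML 2.0 AuthnRequest.

    Issuer is the SP Entity ID; the IdP must POST its Response back to
    AssertionConsumerServiceURL (the Salesforce Login URL).
    """
    now = now or datetime.now(timezone.utc)
    request_id = "_" + uuid.uuid4().hex   # xs:ID must not start with a digit
    xml = (
        f'<samlp:AuthnRequest xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" '
        f'ID="{request_id}" Version="2.0" '
        f'IssueInstant="{now.strftime("%Y-%m-%dT%H:%M:%SZ")}" '
        f'Destination="{idp_login_url}" '
        'ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" '
        f'AssertionConsumerServiceURL="{acs_url}">'
        f'<saml:Issuer>{sp_entity_id}</saml:Issuer>'
        '<samlp:NameIDPolicy '
        'Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified" AllowCreate="false"/>'
        '</samlp:AuthnRequest>'
    )
    return request_id, xml


def redirect_encode(xml):
    """HTTP-Redirect binding encoding: raw DEFLATE (no zlib header), then base64."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)   # wbits=-15 selects raw deflate
    deflated = comp.compress(xml.encode("utf-8")) + comp.flush()
    return base64.b64encode(deflated).decode("ascii")


def redirect_decode(saml_request_param):
    """Reverse of redirect_encode; useful for reading what a browser was sent."""
    return zlib.decompress(base64.b64decode(saml_request_param), -15).decode("utf-8")


def redirect_url(idp_login_url, xml, relay_state=None):
    """Build the 302 target: IdP login URL + SAMLRequest (+ RelayState).

    This request is unsigned. When the SP signs a Redirect-binding request, the
    signature travels in SigAlg/Signature query parameters, not inside the XML.
    """
    params = {"SAMLRequest": redirect_encode(xml)}
    if relay_state is not None:
        params["RelayState"] = relay_state   # deep link to return the user to after login
    sep = "&" if "?" in idp_login_url else "?"
    return idp_login_url + sep + urlencode(params)


def parse_redirect_url(url):
    """Extract (AuthnRequest XML, RelayState) from a redirect URL."""
    qs = parse_qs(urlsplit(url).query)
    return redirect_decode(qs["SAMLRequest"][0]), qs.get("RelayState", [None])[0]


if __name__ == "__main__":
    rid, xml = build_authn_request(SP_ENTITY_ID, SP_ACS_URL, IDP_LOGIN_URL)
    url = redirect_url(IDP_LOGIN_URL, xml, relay_state="/lightning/r/Account/001000000000001/view")
    print(url)
    print(parse_redirect_url(url)[0] == xml)
```

The RelayState parameter is how a deep link (a record or report URL someone shared) survives the round trip through the identity provider; the identity provider must echo it back unchanged with the response.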

Salesforce settings in the SSO provider (Identity Provider).

  • Tell the identity provider about the service provider (Salesforce).
  • The values below must flow back from Salesforce to the identity provider. Using Axiom as the example:
    • SAML Version: 2.0
    • Username or Federation Id: the Federation ID you entered on the Salesforce user record; Axiom puts this value in the assertion's NameID
    • Issuer:
    • Recipient URL: the Salesforce Login URL shown on the SAML Single Sign-On Settings page after you save the settings. The Recipient in the assertion must match it exactly.
    • Entity Id: the Entity ID from the Salesforce Single Sign-On Settings page (it becomes the assertion's Audience)

Make sure it all works.

  • Start a login from the identity provider. If everything is set up correctly, you are redirected to Salesforce and signed in as the user whose Federation ID is in the assertion.
  • With Axiom:
    • In the Axiom settings, click Request SAML Response.
    • Axiom generates the SAML assertion as XML. Inspect it and confirm that Issuer, Audience, Recipient and NameID carry the values entered above.
    • Click Login. You are redirected to Salesforce and logged in.
  • If login fails, paste the assertion into the SAML Assertion Validator on the Single Sign-On Settings page; it reports which of the checks (issuer, certificate, audience, recipient, timing, user lookup) did not pass.
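To make the "make sure it all works" step concrete, here is an added example (not code from these notes, from Salesforce or from Axiom) of the structural checks a service provider runs on a posted SAML response, expressed against the same fields as the SAML Single Sign-On Settings: Issuer versus saml:Issuer, Entity ID versus Audience, Salesforce Login URL versus Recipient, the validity window, and NameID as the Federation ID. The settings values, the clock and the sample response are all constructed. One deliberate caveat, stated in the code as well: this validator does not verify the XML-DSig signature against the uploaded identity provider certificate; a real SP must do that first (with an XML-DSig library) and only then trust any field checked below.

```python
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
FMT = "%Y-%m-%dT%H:%M:%SZ"
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"

# Hypothetical SP configuration mirroring the SAML Single Sign-On Settings fields.
SSO_SETTINGS = {
    "issuer": "https://idp.example.com",                                    # Issuer
    "entity_id": "https://mycompany.my.salesforce.com",                     # Entity ID
    "login_url": "https://mycompany.my.salesforce.com?so=00D000000000001",  # Salesforce Login URL
}
NOW = datetime(2024, 1, 15, 12, 0, 0, tzinfo=timezone.utc)   # fixed clock for the demo
LATER = NOW + timedelta(minutes=30)                            # well past the assertion's lifetime


class SamlValidationError(Exception):
    pass


def _ts(value):
    return datetime.strptime(value, FMT).replace(tzinfo=timezone.utc)


def validate_response(response_xml, settings, now, skew=timedelta(minutes=3)):
    """Check a SAML Response against the SP settings and return the identity it carries.

    NOTE: the XML-DSig signature is NOT verified here. A real SP must verify it with the
    uploaded IdP certificate before trusting any of the fields checked below.
    """
    root = ET.fromstring(response_xml)
    if root.tag != f"{{{NS['samlp']}}}Response":
        raise SamlValidationError("top-level element is not samlp:Response")
    code = root.find("samlp:Status/samlp:StatusCode", NS)
    if code is None or code.get("Value") != SUCCESS:
        raise SamlValidationError("status is not Success")
    assertions = root.findall("saml:Assertion", NS)
    if len(assertions) != 1:   # refuse ambiguity rather than picking one assertion
        raise SamlValidationError(f"expected exactly one Assertion, found {len(assertions)}")
    a = assertions[0]
    issuer = (a.findtext("saml:Issuer", namespaces=NS) or "").strip()
    if issuer != settings["issuer"]:
        raise SamlValidationError(f"Issuer {issuer!r} does not match the configured Issuer")
    cond = a.find("saml:Conditions", NS)
    if cond is None:
        raise SamlValidationError("assertion has no Conditions")
    nb, na = cond.get("NotBefore"), cond.get("NotOnOrAfter")
    if (nb and now < _ts(nb) - skew) or (na and now >= _ts(na) + skew):
        raise SamlValidationError("assertion is outside its validity window")
    audiences = [e.text.strip() for e in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if settings["entity_id"] not in audiences:
        raise SamlValidationError(f"Audience {audiences} does not contain the Entity ID")
    scd = a.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd is None or scd.get("Recipient") != settings["login_url"]:
        raise SamlValidationError("Recipient does not match the Salesforce Login URL")
    if scd.get("NotOnOrAfter") and now >= _ts(scd.get("NotOnOrAfter")) + skew:
        raise SamlValidationError("subject confirmation has expired")
    name_id = (a.findtext("saml:Subject/saml:NameID", namespaces=NS) or "").strip()
    if not name_id:
        raise SamlValidationError("no NameID to match against a Federation ID")
    authn = a.find("saml:AuthnStatement", NS)
    return {"federation_id": name_id,
            "session_index": authn.get("SessionIndex") if authn is not None else None}


def rejection_reason(response_xml, settings, now):
    """Return the validation error message, or None if the response is accepted."""
    try:
        validate_response(response_xml, settings, now)
    except SamlValidationError as e:
        return str(e)
    return None


def sample_response(federation_id, audience, recipient, now, issuer=SSO_SETTINGS["issuer"]):
    """Constructed, unsigned stand-in for what an IdP such as Axiom posts to the Login URL."""
    at = now.strftime(FMT)
    nb = (now - timedelta(minutes=1)).strftime(FMT)
    na = (now + timedelta(minutes=5)).strftime(FMT)
    return f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
    ID="_r1" Version="2.0" IssueInstant="{at}" Destination="{recipient}">
  <saml:Issuer>{issuer}</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="{SUCCESS}"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="{at}">
    <saml:Issuer>{issuer}</saml:Issuer>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">{federation_id}</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData Recipient="{recipient}" NotOnOrAfter="{na}"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions NotBefore="{nb}" NotOnOrAfter="{na}">
      <saml:AudienceRestriction><saml:Audience>{audience}</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AuthnStatement AuthnInstant="{at}" SessionIndex="_s1"/>
  </saml:Assertion>
</samlp:Response>"""
```

Run against a good sample, the validator returns the Federation ID that Salesforce would then look up on the User object; with the Audience or Recipient changed to another org's values, or the clock moved past NotOnOrAfter, it rejects the response with a message naming the field, which is the same information the SAML Assertion Validator in Setup gives you.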