Single Sign-On (SSO) is an authentication method that lets us access multiple applications with one login. Nowadays, when we have multiple email accounts, a Salesforce account and other application accounts, it is hard to remember multiple passwords. SSO allows us to use one login to access multiple accounts. Most service providers support SSO. We can also set up an SSO chain, so that we first log in to one application and use that session to log in to another.
Today we will check how to implement Single Sign-On between two Salesforce orgs. Before we start, let's review a few terms we will use during this process.
Security Assertion Markup Language (SAML): SAML is an open standard authentication protocol that you can use to implement SSO in your Salesforce org. SAML allows identity providers and service providers to securely exchange user information, enabling user authentication between services.
Identity Provider: An identity provider acts as a trusted service that authenticates a user’s identity.
Service Provider: A service provider is the application a user wants to access, such as a Salesforce org or a third-party app like Workday.
Set Up Salesforce Identity Provider
From Setup, in the Quick Find box, enter Identity Provider, and select Identity Provider. Click Enable Identity Provider. You can select an existing certificate or create a new one.
Save the details, then download the certificate and the metadata file, as we will need them when we set up the service provider.
Set Up Salesforce Service Providers
Now, in the second Salesforce org, we will set it up as the service provider. From Setup, in the Quick Find box, enter Single Sign-On Settings, then select Single Sign-On Settings. Click Edit. To see the SAML SSO settings, select SAML Enabled, then save the change. Now click New from Metadata File and select the file we downloaded from the identity provider. For SAML Identity Type, select Assertion contains the Federation ID from the User object. Save this and copy the Entity ID and Login URL. Here we will get two Login URLs: one for the Salesforce org and the other for the community.
Now go to My Domain, edit the Authentication Configuration and select the identity provider as an Authentication Service. If you don't want users to log in with the standard Salesforce login form, uncheck Login Form.
Integrate Service Providers as Connected Apps
Now we will connect the service provider with the identity provider by creating a connected app in the identity provider org. From Setup, in the Quick Find box, enter App, then select App Manager. Click New Connected App and enter the connected app details. Under Web App Settings, select Enable SAML. Enter the Entity ID from the service provider, and for ACS URL enter the Login URL for the org or site. For Subject Type, select Federation ID. Save the settings. Now, under the Manage section, add the profiles or permission sets to which you want to give SSO access.
Test and Demo
Now we have completed all the configuration and are ready for testing. Create a new user in both orgs, or select existing users, and enter the same Federation ID for both users. The Federation ID is case sensitive, so make sure you enter it exactly the same in both orgs. Now when you try to log in to the service provider org you will see an option to log in using the identity provider. Click it and follow the process; once you are successfully logged in you will be redirected and logged in to the service provider org.
You can also check the demo video below.
So, using the simple steps above, we can connect two Salesforce orgs using Single Sign-On (SSO). In our next post we will use a different application as the identity provider. Let me know in the comments which application you want to use as the identity provider. Happy Programming 🙂
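When the test login fails, it helps to know what the service provider org is checking on the assertion the identity provider sends back. With Subject Type set to Federation ID, the assertion's NameID carries the Federation ID, and the SP matches it against its own users exactly, case included; the Audience must equal the SP's Entity ID, and the Conditions window must cover the current time. The script below is an added example, not the post's or Salesforce's code, written to show those checks on a constructed assertion fragment; the org URLs, user names and the user table are placeholders. It assumes the assertion's XML signature has already been verified against the IdP certificate, which the platform does before any of these checks, so it deliberately does not implement signature validation itself.

```python
"""Checks a SAML service provider applies to an assertion after its
signature has been verified: issuer, validity window, audience, and an
exact-case Federation ID match. Standard library only.
"""
from datetime import datetime, timezone
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed assertion fragment; issuer, audience and NameID are placeholders.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed-id-1" Version="2.0" IssueInstant="2024-01-15T10:00:00Z">
  <saml:Issuer>https://idp-org.example.com</saml:Issuer>
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">JDoe42</saml:NameID>
  </saml:Subject>
  <saml:Conditions NotBefore="2024-01-15T09:59:00Z" NotOnOrAfter="2024-01-15T10:05:00Z">
    <saml:AudienceRestriction>
      <saml:Audience>https://sp-org.example.com</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
</saml:Assertion>
"""

# Constructed user table for the SP org: Federation ID -> username.
SP_USERS = {
    "JDoe42": "jdoe@sp-org.example.com",
    "asmith": "asmith@sp-org.example.com",
}


def _parse_time(value):
    """SAML timestamps are UTC; return an aware datetime."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def lookup_by_federation_id(users, federation_id):
    """Exact, case-sensitive match, as the post notes; None when no user matches."""
    return users.get(federation_id)


def check_assertion(xml_text, expected_issuer, expected_audience, users, now):
    """Return {"ok": bool, "user": username or None, "reason": str}.

    Assumes the XML signature was already verified with the IdP certificate.
    """
    root = ET.fromstring(xml_text)

    issuer = (root.findtext("saml:Issuer", namespaces=SAML_NS) or "").strip()
    if issuer != expected_issuer:
        return {"ok": False, "user": None, "reason": f"unexpected issuer {issuer!r}"}

    cond = root.find("saml:Conditions", SAML_NS)
    if cond is None or cond.get("NotOnOrAfter") is None:
        return {"ok": False, "user": None, "reason": "missing Conditions/NotOnOrAfter"}
    not_before = cond.get("NotBefore")
    if not_before is not None and now < _parse_time(not_before):
        return {"ok": False, "user": None, "reason": "assertion not yet valid"}
    if now >= _parse_time(cond.get("NotOnOrAfter")):
        return {"ok": False, "user": None, "reason": "assertion expired"}

    audiences = [
        (a.text or "").strip()
        for a in cond.findall("saml:AudienceRestriction/saml:Audience", SAML_NS)
    ]
    if expected_audience not in audiences:
        return {"ok": False, "user": None, "reason": f"audience {audiences} is not this SP"}

    name_id = (root.findtext("saml:Subject/saml:NameID", namespaces=SAML_NS) or "").strip()
    user = lookup_by_federation_id(users, name_id)
    if user is None:
        return {"ok": False, "user": None,
                "reason": f"no user with Federation ID {name_id!r} (match is case-sensitive)"}
    return {"ok": True, "user": user, "reason": "ok"}


if __name__ == "__main__":
    now = datetime(2024, 1, 15, 10, 1, 0, tzinfo=timezone.utc)
    result = check_assertion(SAMPLE_ASSERTION, "https://idp-org.example.com",
                             "https://sp-org.example.com", SP_USERS, now)
    print(result)
```

The most common cause of the "no user" outcome in practice is exactly the case mismatch the post warns about: a Federation ID of jdoe42 on the IdP side and JDoe42 on the SP side looks identical to a person and is never matched by the SP. The other rejections map to configuration mistakes in the earlier steps: a wrong Entity ID in the connected app shows up as an audience failure, and a large clock skew between the two sides shows up as an expired or not-yet-valid assertion.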