ComponentPro UltimateSaml

Salesforce acting as IdP, SP-Initiated

Language Filter: AllSend comments on this topic to ComponentPro

This section contains an example of setting up Salesforce as an Identity Provider and then setting up our web application as a Service Provider. With the appropriate changes, the example applies equally to an MVC example identity and service providers.

Setting up Single Sign-on for Salesforce App

Generating a Domain Name and Enabling an Identity Provider

To prepare your Salesforce organization for this example, generate a domain name and enable Salesforce as an IdP.

  1. Log into Salesforce.
  2. Generate a domain name for your application
    • From Setup, click Domain Management > My Domain, enter a new subdomain name, and click Check Availability
    • click the Terms and Conditions checkbox, then click Register Domain
  3. Enable Salesforce as an IdP:
    • From Setup, click Security Controls > Identity Provider
    • Click Enable.
    • Click Download Certificate

Setting up domain

Defining a Service Provider

To define your web application acting as Service Provider and Salesforce can recognize it:

  1. Log into Salesforce
  2. From Setup, click Security Controls > Identity Provider, click on "Create Service Provider" or "Service Providers are now created via Connected Apps. Click here" link
  3. Save the self-generated certificate to your application's root folder for later SAML validation. In this example, we saved it as "Salesforce_SelfSignedCert.crt".
  4. Specify the name as ServiceProvider.
  5. In the Web App Settings section, check Enable SAML
  6. Specify the Entity ID as (or use your own ID, but remember to use the same entityId in web.config).
  7. Specify the Assertion Consumer Service (ACS) URL. If you host this web application on your local machine, you can use http://localhost:2423/AssertionService.aspx
      If you host the demo app on, the URL would be
  8. Select username as the subject type and select user profiles that have access to the SP.
  9. If SAML is enabled, you need to disable it (in Administer > Security Controls > Single Sign-On Settings) to have Salesforce act as the IdP.
     - Click on Save button to save changes
  10. From Setup, click Manage Apps > Connected Apps, and click on the newly created Service Provider. Click on Download Metadata to save the XML to your web application's folder. In this example we named it as "SAMLIdP-0sp28000000Kyks.xml".

Configuring your Service Provider

If the SAML Metadata XML is downloaded to your application's root folder, you may only need to specify that file name in the "metadatafilename" web.config file. If you don't want to use metadata XML file for SAML validation, set "usemetadata" to "false".

Running the Example

  1. Browse to the SP Default URL http://localhost:2423, you will then be redirected to the Login page.
  2. Click on Next at SP
  3. It will redirect you to Salesforce's login page. Use Salesforce credentials to log in.
  4. You will then see the SP Welcome page, meaning that you have logged in at the example SP with your Salesforce credentials and successfully completed a SAML SSO.

Troubleshooting Salesforce issues

Insufficient Privileges issue

  • You may get Insufficient Privileges error when browsing to the Salesforce Login URL, to solve this issue you need to add Profiles to the SP.
  • In Profiles section of Security Controls > Identity Provider, click on Manage Profiles, and check all the profiles that can access the SP.