Salesforce can be setup as as Single Sign-On (SSO) Identity Provider (IdP).  Single Sign-On allows users to access all authorized network applications and resources without having to login into each network separately.  Part 1 of this blog focuses on how to configure Salesforce as an Identity Provider.  Part 2 will show how to implement Salesforce as a Service Provider (SP).

Single Sign-On Options Available in Salesforce: Identity Provider vs. Service Provider

Single Sign-On can be created either as an Identity Provider or as a Service Provider in Salesforce. Let’s define the two types of providers:

1. Identity Provider (IdP): A trusted online service or website that authenticates users to access other websites or services by means of security tokens.
2. Service Provider (SP): A website or service that accepts identity from from an identity provider  Salesforce as an Identity Provider to authenticate and authorize users

Setting Up Salesforce as an Identity Provider (IdP)

Salesforce uses the SAML 2.0 standard for single sign-on and generates SAML assertions when configured as an Identity Provider.

To setup Salesforce as an Identity Provider:

1. Set up a domain using My Domain, and deploy it to all users.
2. From Setup, search for ‘Identity Provider’, and then click Enable Identity Provider.
3. By default, a Salesforce identity provider uses a self-signed certificate generated automatically with the SHA-256 signature algorithm. If there is already a self-signed certificate, select that certificate to use when securely communicating with other services.

A CA-signed certificate can be used instead of self-signed certificate by following these steps.

1. Create and import a new CA-signed certificate.
2. From Setup, search Identity Provider, then select Identity Provider.
3. Click Edit, and then select the CA-signed certificate.
4. Click Save.

After enabling Salesforce as an identity provider, one or more service providers can be set up by creating connected apps (From Setup, enter Apps in the Quick Find box, then select Apps).

When users access applications or services set up as service providers (connected apps) from within Salesforce, the following steps are followed to authenticate the user:

1. Salesforce sends a SAML response to the service provider.
2. The service provider identifies the user and authenticates the certificate.
3. If the user is identified, they are logged in to the service provider.

Users can access applications directly from Salesforce after single sign-on IdP is setup eliminating the need to login to each application separately.  Applications can be added as tabs in a Salesforce Org, which provide a seamless access to users or to other application from within Salesforce.

To learn more about using Identity Providers in Salesforce see https://help.salesforce.com/articleView?id=identity_provider_about.htm&language=en&type=0.

Stay tuned for Part 2 of this blog: How to Setup Salesforce as Service Provider.