Salesforce SAML Authentication with Google

I recently attempted to authenticate to Salesforce via SAML provided by G Suite. I ran into a ton of issues, so I thought I would write up a post. Read on to learn more!

Note: All Salesforce steps were performed using the lightning UI

In Google

  • Go to Google Admin > Apps > SAML apps > Add
  • Enter Salesforce into the filter bar and select the Salesforce option

Note: unless you want a custom icon, in which case you should follow this post

  • Under Option 2, select Download next to IDP metadata, then select Next
  • On Step 3, select Next
  • On Step 4, select Finish — we will adjust these parameters later

In Salesforce

  • Go to Setup > Company Settings > My Domains
  • Add your domain and verify it is working
  • Select the option to Deploy to Users

IMPORTANT: You MUST deploy to users or you will have issues with SAML-based authentication. Also note this change CANNOT be undone and will require users to use the new URL going forward

In Salesforce

  • Go to Setup > Identity > Single Sign-On Settings
  • Select Edit, select SAML Enabled, select Save
  • Under SAML Single Sign-On Settings you can select any option depending on what you have. I recommend New from Metadata File and uploading the Google file you downloaded in step 1

IMPORTANT: You MUST manually enter the Identity Provider Login URL (https://accounts.google.com/o/saml2/idp?idpid=<ID>). The Entity ID MUST match what you enter in Google: https://<domain>.my.salesforce.com/ (do NOT miss the trailing slash). Ensure the Service Provider Initiated Request Binding is set to HTTP Redirect.

  • After saving, make note of the Login URL under Endpoints. You will need to enter this as the ACS URL in Google.

In Salesforce

  • Go to Setup > Company Settings > My Domains
  • Select Edit under Authentication Configuration
  • Change the Authentication Service to whatever you called the Single Sign-On (defaults to “account”) and Save

In Google

  • Go to Google Admin > Apps > SAML apps > Salesforce
  • Expand Service Provider Details
  • For the ACS URL, enter the Login URL from Salesforce noted in step 3
  • For Entity ID and Start URL, update the subdomain to match the subdomain in the ACS URL
  • Select Save

In Salesforce

  • Go to Setup > Users > Users
  • For each user you wish to grant access, select New User
  • Ensure the email, username, and federation ID fields are all the same and all set to the user’s Google email address
  • Configure the other parameters as desired and Save

That’s it! You should now be able to either:

  1. Go to https://<domain>.my.salesforce.com and be redirected to authenticate via Google
  2. From the Google Apps launcher select Salesforce and get logged in
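The steps above have three places where a single mismatch silently breaks the login (the trailing slash on the Entity ID, the HTTP Redirect binding, and the ACS URL / subdomain agreement between the two sides). The following script is an added example, not code from the original post or from Google or Salesforce. It parses a constructed IdP metadata document shaped like the one Google Admin lets you download, and checks it against the values you would type into the Salesforce and Google screens. The `acme` subdomain, the `EXAMPLEID` idpid and the `ORGID-PLACEHOLDER` value are all made-up placeholders; the dictionary keys are names chosen for this example, not Salesforce or Google API fields.

```python
"""Consistency check for a Google-as-IdP / Salesforce-as-SP SAML setup.

Added example (not from the original post). The metadata below is a
constructed sample that follows the standard SAML 2.0 metadata schema;
all identifiers in it are placeholders.
"""
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata"}
HTTP_REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"

# Constructed sample shaped like Google's downloadable IdP metadata.
SAMPLE_IDP_METADATA = """
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://accounts.google.com/o/saml2?idpid=EXAMPLEID">
  <md:IDPSSODescriptor WantAuthnRequestsSigned="false"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://accounts.google.com/o/saml2/idp?idpid=EXAMPLEID"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://accounts.google.com/o/saml2/idp?idpid=EXAMPLEID"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""

# What you would enter in Salesforce (Setup > Identity > Single Sign-On Settings).
GOOD_SALESFORCE = {
    "entity_id": "https://acme.my.salesforce.com/",          # note the trailing slash
    "idp_login_url": "https://accounts.google.com/o/saml2/idp?idpid=EXAMPLEID",
    "request_binding": "HTTP Redirect",
    "login_url": "https://acme.my.salesforce.com?so=ORGID-PLACEHOLDER",  # Endpoints > Login URL
}
# What you would enter in Google Admin (SAML apps > Salesforce > Service Provider Details).
GOOD_GOOGLE = {
    "acs_url": "https://acme.my.salesforce.com?so=ORGID-PLACEHOLDER",
    "entity_id": "https://acme.my.salesforce.com/",
    "start_url": "https://acme.my.salesforce.com/",
}
# A broken variant: no trailing slash, POST binding, Start URL on another subdomain.
BAD_SALESFORCE = dict(GOOD_SALESFORCE, entity_id="https://acme.my.salesforce.com",
                      request_binding="HTTP POST")
BAD_GOOGLE = dict(GOOD_GOOGLE, entity_id="https://acme.my.salesforce.com",
                  start_url="https://other-dev-ed.my.salesforce.com/")


def parse_idp_metadata(xml_text):
    """Pull the IdP entityID and the HTTP-Redirect SSO location out of metadata."""
    root = ET.fromstring(xml_text)
    login_url = None
    sso = root.find("md:IDPSSODescriptor", NS)
    if sso is not None:
        for svc in sso.findall("md:SingleSignOnService", NS):
            if svc.get("Binding") == HTTP_REDIRECT:
                login_url = svc.get("Location")
    return {"idp_entity_id": root.get("entityID"), "login_url": login_url}


def subdomain(url):
    """Leading host label, e.g. 'acme' for https://acme.my.salesforce.com/."""
    return (urlparse(url).hostname or "").split(".")[0]


def check_config(idp_metadata_xml, salesforce, google):
    """Return a list of problems; an empty list means the two sides agree."""
    problems = []
    idp = parse_idp_metadata(idp_metadata_xml)

    if idp["login_url"] is None:
        problems.append("IdP metadata has no HTTP-Redirect SingleSignOnService")
    elif salesforce["idp_login_url"] != idp["login_url"]:
        problems.append("Salesforce Identity Provider Login URL does not match the IdP metadata")

    ent = salesforce["entity_id"]
    if not ent.endswith("/"):
        problems.append("Salesforce Entity ID is missing the trailing slash")
    host = urlparse(ent).hostname or ""
    if not (ent.startswith("https://") and host.endswith(".my.salesforce.com")):
        problems.append("Salesforce Entity ID is not a https://<domain>.my.salesforce.com/ URL")
    if salesforce["request_binding"] != "HTTP Redirect":
        problems.append("Service Provider Initiated Request Binding should be HTTP Redirect")

    if google["acs_url"] != salesforce["login_url"]:
        problems.append("Google ACS URL does not equal the Salesforce Login URL endpoint")
    if google["entity_id"] != ent:
        problems.append("Google Entity ID does not equal the Salesforce Entity ID")
    acs_sub = subdomain(google["acs_url"])
    for field in ("entity_id", "start_url"):
        if subdomain(google[field]) != acs_sub:
            problems.append(f"Google {field} subdomain does not match the ACS URL subdomain")
    return problems


if __name__ == "__main__":
    for label, sf, goog in (("good", GOOD_SALESFORCE, GOOD_GOOGLE),
                            ("bad", BAD_SALESFORCE, BAD_GOOGLE)):
        print(label, check_config(SAMPLE_IDP_METADATA, sf, goog) or "OK")
```

Run it as-is to see the good configuration pass and the broken one report the missing slash, the wrong binding and the Start URL subdomain mismatch; to use it on a real setup, replace the sample metadata with the file downloaded from Google Admin and the two dictionaries with the values from your own screens.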

Unfortunately, I have been unable to get JIT provisioning to work. When I do, I will write another post.

© 2018, Steve Flanders. All rights reserved.

11 comments on “Salesforce SAML Authentication with Google”

Benji says:

Hi Steve,

Thank you so much for this blog post!!

When I create a new user, where would I find the Federation ID to enter?

Thanks

Hey Benji — glad the post helped. For users, the email, username and federation ID should all be the same (note setting the federation ID does not appear to be a requirement).

Alex says:

Hey Steve,

Thanks so much for taking your time and writing this post! I spent way too much time trying to troubleshoot this.

You and me both!

Mark Jones says:

Hi, thanks for this, really useful! Much clearer than either the Salesforce or Google documentation.

I have nearly got this working, in that I can now log in via the Google App Launcher. However, if I try and log in from {my domain}.my.salesforce.com then I get a 404 (not found) error from the URL it generates. I can’t figure out what’s wrong in the Salesforce single sign-on setup, any ideas?

Thanks,
Mark

Hey Mark — glad this post helped! Once I got it hooked up I never went to the URL directly (always used the app launcher). With that said, I just tried and it works for me — did you try incognito?

Mark Jones says:

Thanks Steve. Yes tried Incognito, no joy. I think Salesforce is just generating the wrong URL for the SAML call to GSuite, but then I also had a chat with GSuite support and they admitted that their SAML support is currently limited at best. Will live with the App Launcher! Cheers, Mark

Seth says:

Thanks, this helped me also. I was leaving the trailing /SO? with my SF Org ID in the ACS URL, but as soon as I trimmed it to our https://mydomain.my.salesforce.com it worked.

Also, not sure if it is needed, but I set the Name ID Format to “EMAIL” on the Google side, instead of leaving the default “UNSPECIFIED”.

Frank Le says:

Hi – were you able to get JIT provisioning to work between Google and Salesforce?

I was happy to get SAML working with Google 🙂

John Sadler says:

I wish we could 🙁

Nothing seems wrong in the setup.
