I recently attempted to authenticate to Salesforce via SAML provided by G Suite. I ran into a ton of issues, so I thought I would write up a post. Read on to learn more!
Note: All Salesforce steps were performed using the lightning UI
In Google
- Go to Google Admin > Apps > SAML apps > Add
- Enter Salesforce into the filter bar and select the Salesforce option
Note: Unless you want a custom icon, in which case you should follow this post
- Under Option 2, select Download next to IDP metadata, then select Next
- On Step 3, select Next
- On Step 4, select Finish — we will adjust these parameters later
In Salesforce
- Go to Setup > Company Settings > My Domains
- Add your domain and verify it is working
- Select the option to Deploy to Users
IMPORTANT: You MUST deploy to users or you will have issues with SAML-based authentication. Also note this change CANNOT be undone and will require users to use the new URL going forward
In Salesforce
- Go to Setup > Identity > Single Sign-On Settings
- Select Edit, select SAML Enabled, select Save
- Under SAML Single Sign-On Settings, any of the options can work depending on what you have. I recommend New from Metadata File, uploading the Google metadata file you downloaded in step 1
IMPORTANT: You MUST manually enter the Identity Provider Login URL (https://accounts.google.com/o/saml2/idp?idpid=<ID>). The Entity ID MUST match what you enter in Google: https://<domain>.my.salesforce.com/ (do NOT miss the trailing slash). Ensure the Service Provider Initiated Request Binding is set to HTTP Redirect.
- After saving, make note of the Login URL under Endpoints. You will need to enter this as the ACS URL in Google.
In Salesforce
- Go to Setup > Company Settings > My Domains
- Select Edit under Authentication Configuration
- Change the Authentication Service to whatever you called the Single Sign-On (defaults to “account”) and Save
In Google
- Go to Google Admin > Apps > SAML apps > Salesforce
- Expand Service Provider Details
- For the ACS URL, enter the Login URL from Salesforce noted in step 3
- For Entity ID and Start URL, update the subdomain to match the subdomain in the ACS URL
- Select Save
In Salesforce
- Go to Setup > Users > Users
- For each user you wish to grant access, select New User
- Ensure the email, username, and federation ID fields are all the same and are all set to the user's Google email address
- Configure the other parameters as desired and Save
That’s it! You should now be able to either:
- Go to https://<domain>.my.salesforce.com and be redirected to authenticate via Google
- From the Google Apps launcher select Salesforce and get logged in
Unfortunately, I have been unable to get JIT provisioning to work. When I do, I will write another post.
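As an added example (not part of the original post), here is a small Python check for the mistakes the steps above warn about: it pulls the HTTP-Redirect SSO endpoint out of a constructed stand-in for the Google IdP metadata, compares the Salesforce and Google settings (Identity Provider Login URL, Entity ID trailing slash, matching subdomains, request binding) and confirms a user's email, username and federation ID agree. All URLs, ids and dictionary keys are constructed placeholders, not values from either product.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata"}
HTTP_REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"

# Constructed stand-in for the IdP metadata file downloaded from Google (not a real file).
IDP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://accounts.google.com/o/saml2?idpid=EXAMPLEID">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://accounts.google.com/o/saml2/idp?idpid=EXAMPLEID"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

def idp_redirect_endpoint(metadata_xml):
    """Location of the IdP's HTTP-Redirect SSO endpoint: the Login URL Salesforce needs."""
    root = ET.fromstring(metadata_xml)
    for svc in root.iterfind(".//md:SingleSignOnService", NS):
        if svc.get("Binding") == HTTP_REDIRECT:
            return svc.get("Location")
    return None

def check_sso_config(sf, google, metadata_xml):
    """Return the misconfigurations from the post found in the two sides' settings."""
    findings = []
    if sf["idp_login_url"] != idp_redirect_endpoint(metadata_xml):
        findings.append("Salesforce IdP Login URL != HTTP-Redirect endpoint in Google metadata")
    if not sf["entity_id"].endswith("/"):
        findings.append("Salesforce Entity ID lacks the trailing slash")
    if sf["entity_id"] != google["entity_id"]:
        findings.append("Entity ID differs between Salesforce and Google")
    if sf["request_binding"] != "HTTP Redirect":
        findings.append("SP-initiated request binding is not HTTP Redirect")
    hosts = {urlparse(u).hostname for u in (sf["entity_id"], google["acs_url"], google["start_url"])}
    if len(hosts) != 1:
        findings.append("Subdomain differs across Entity ID, ACS URL and Start URL")
    return findings

def check_user(user):
    """Email, username and federation ID must all be the user's Google address."""
    return len({user["email"], user["username"], user["federation_id"]}) == 1

# Constructed settings with two deliberate mistakes: no trailing slash, wrong binding.
SF_SETTINGS = {"idp_login_url": "https://accounts.google.com/o/saml2/idp?idpid=EXAMPLEID",
               "entity_id": "https://example.my.salesforce.com",
               "request_binding": "HTTP POST"}
GOOGLE_SETTINGS = {"entity_id": "https://example.my.salesforce.com/",
                   "acs_url": "https://example.my.salesforce.com?so=00DEXAMPLE",
                   "start_url": "https://example.my.salesforce.com/"}
```

Running `check_sso_config(SF_SETTINGS, GOOGLE_SETTINGS, IDP_METADATA)` on the constructed settings reports the missing trailing slash, the resulting Entity ID mismatch and the wrong binding; an empty list means the two sides agree on every point the post calls out.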
© 2018, Steve Flanders. All rights reserved.
Hi Steve,
Thank you so much for this blog post!!
When I create a new user, where would I find the Federation ID to enter?
Thanks
Hey Benji — glad the post helped. For users, the email, username and federation ID should all be the same (note setting the federation ID does not appear to be a requirement).
Hey Steve,
Thanks so much for taking your time and writing this post! I spent way too much time trying to troubleshoot this.
You and me both!
Hi, thanks for this, really useful! Much clearer than either the Salesforce or Google documentation.
I have nearly got this working, in that I can now log in via the Google App Launcher. However, if I try and log in from {my domain}.my.salesforce.com then I get a 404 (not found) error from the URL it generates. I can’t figure out what’s wrong in the Salesforce single sign-on setup, any ideas?
Thanks,
Mark
Hey Mark — glad this post helped! Once I got it hooked up I never went to the URL directly (always used the app launcher). With that said, I just tried and it works for me — did you try incognito?
Thanks Steve. Yes tried Incognito, no joy. I think Salesforce is just generating the wrong URL for the SAML call to GSuite, but then I also had a chat with GSuite support and they admitted that their SAML support is currently limited at best. Will live with the App Launcher! Cheers, Mark
Thanks, this helped me also. I was leaving the trailing /SO? with my SF Org ID in the ACS URL, but as soon as I trimmed it to our https://mydomain.my.salesforce.com it worked.
Also, not sure if it is needed, but I set the Name ID Format to “EMAIL” on the Google side, instead of leaving the default “UNSPECIFIED”.
Hi – were you able to get JIT provisioning to work between Google and Salesforce?
I was happy to get SAML working with Google 🙂
I wish we could 🙁
Nothing seems wrong in the setup.