
Salesforce SAML Authentication with Google

I recently attempted to authenticate to Salesforce via SAML provided by G Suite. I ran into a ton of issues, so I thought I would write up a post. Read on to learn more!

Note: All Salesforce steps were performed using the Lightning UI.

In Google

  • Go to Google Admin > Apps > SAML apps > Add
  • Enter Salesforce into the filter bar and select the Salesforce option

Note: Unless you want a custom icon, in which case you should follow this post.

  • Under Option 2, select Download next to IDP metadata, then select Next
  • On Step 3, select Next
  • On Step 4, select Finish — we will adjust these parameters later

In Salesforce

  • Go to Setup > Company Settings > My Domains
  • Add your domain and verify it is working
  • Select the option to Deploy to Users

IMPORTANT: You MUST deploy to users or you will have issues with SAML-based authentication. Also note this change CANNOT be undone and will require users to use the new URL going forward.

In Salesforce

  • Go to Setup > Identity > Single Sign-On Settings
  • Select Edit, select SAML Enabled, select Save
  • Under SAML Single Sign-On Settings you can select any option depending on what you have. I recommend New from Metadata File and uploading the Google file you downloaded in step 1

IMPORTANT: You MUST manually enter the Identity Provider Login URL (https://accounts.google.com/o/saml2/idp?idpid=<ID>). The Entity ID MUST match what you enter in Google: https://<domain>.my.salesforce.com/ (do NOT miss the trailing slash). Ensure the Service Provider Initiated Request Binding is set to HTTP Redirect.

  • After saving, make note of the Login URL under Endpoints. You will need to enter this as the ACS URL in Google.
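Because the two values the post says must be entered by hand (the Identity Provider Login URL and the SP Entity ID with its trailing slash) are exactly the ones that fail silently when they are off by a character, here is an added checker, not part of the original post, that pulls the HTTP-Redirect login URL out of the downloaded Google IdP metadata and flags the Salesforce-side mismatches described above. The metadata below is a constructed sample shaped like Google's download; the idpid and org values are placeholders.

```python
import re
from urllib.parse import urlparse
from xml.etree import ElementTree as ET  # use defusedxml if the file is untrusted

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata"}
REDIRECT_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"

# Constructed sample shaped like the IdP metadata Google Admin lets you download
# (C0EXAMPLE is a placeholder, not a real tenant id).
SAMPLE_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://accounts.google.com/o/saml2?idpid=C0EXAMPLE">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://accounts.google.com/o/saml2/idp?idpid=C0EXAMPLE"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://accounts.google.com/o/saml2/idp?idpid=C0EXAMPLE"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""


def idp_login_url(metadata_xml: str) -> str:
    """Return the HTTP-Redirect SingleSignOnService Location: the value that has to be
    typed into Salesforce's 'Identity Provider Login URL' field by hand."""
    root = ET.fromstring(metadata_xml)
    for sso in root.iterfind(".//md:SingleSignOnService", NS):
        if sso.get("Binding") == REDIRECT_BINDING:
            return sso.get("Location")
    raise ValueError("metadata has no HTTP-Redirect SingleSignOnService")


def check_sp_settings(sp_entity_id: str, acs_url: str, binding: str) -> list:
    """Return the Salesforce-side mismatches the post warns about (empty = consistent).
    acs_url is the Login URL shown under Endpoints; binding is the SP-initiated
    request binding as displayed in the Salesforce UI."""
    problems = []
    host = urlparse(sp_entity_id).hostname or ""
    if not re.fullmatch(r"[a-z0-9-]+\.my\.salesforce\.com", host):
        problems.append("entity ID is not https://<domain>.my.salesforce.com/")
    if not sp_entity_id.endswith("/"):
        problems.append("entity ID is missing the trailing slash")
    if urlparse(acs_url).hostname != host:
        problems.append("ACS URL subdomain does not match the entity ID")
    if binding != "HTTP Redirect":
        problems.append("SP-initiated request binding must be HTTP Redirect")
    return problems
```

Run `idp_login_url` against the real file you downloaded in step 1 and paste the result into the Identity Provider Login URL field; `check_sp_settings` is meant to be run with the values you actually typed into Salesforce before you copy the Login URL over to Google.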

In Salesforce

  • Go to Setup > Company Settings > My Domains
  • Select Edit under Authentication Configuration
  • Change the Authentication Service to whatever you called the Single Sign-On (defaults to “account”) and Save

In Google

  • Go to Google Admin > Apps > SAML apps > Salesforce
  • Expand Service Provider Details
  • For the ACS URL, enter the Login URL from Salesforce noted in step 3
  • For Entity ID and Start URL, update the subdomain to match the subdomain in the ACS URL
  • Select Save

In Salesforce

  • Go to Setup > Users > Users
  • For each user you wish to grant access, select New User
  • Ensure the email, username, and federation ID fields are all identical and all set to the user's Google email address
  • Configure the other parameters as desired and Save

That’s it! You should now be able to either:

  1. Go to https://<domain>.my.salesforce.com and be redirected to authenticate via Google
  2. From the Google Apps launcher select Salesforce and get logged in

Unfortunately, I have been unable to get JIT provisioning to work. When I do, I will write another post.

© 2018, Steve Flanders. All rights reserved.

Published in System Administration

8 Comments

  1. Benji

    Hi Steve,

    Thank you so much for this blog post!!

    When I create a new user, where would I find the Federation ID to enter?

    Thanks

    • Hey Benji — glad the post helped. For users, the email, username and federation ID should all be the same (note setting the federation ID does not appear to be a requirement).

  2. Hey Steve,

    Thanks so much for taking your time and writing this post! I spent way too much time trying to troubleshoot this.

  3. Mark Jones

    Hi, thanks for this, really useful! Much clearer than either the Salesforce or Google documentation.

    I have nearly got this working, in that I can now log in via the Google App Launcher. However, if I try and log in from {my domain}.my.salesforce.com then I get a 404 (not found) error from the URL it generates. I can’t figure out what’s wrong in the Salesforce single sign-on setup, any ideas?

    Thanks,
    Mark

    • Hey Mark — glad this post helped! Once I got it hooked up I never went to the URL directly (always used the app launcher). With that said, I just tried and it works for me — did you try incognito?

  4. Mark Jones

    Thanks Steve. Yes tried Incognito, no joy. I think Salesforce is just generating the wrong URL for the SAML call to GSuite, but then I also had a chat with GSuite support and they admitted that their SAML support is currently limited at best. Will live with the App Launcher! Cheers, Mark

  5. Seth

    Thanks, this helped me also. I was leaving the trailing /SO? with my SF Org ID in the ACS URL, but as soon as I trimmed it to our https://mydomain.my.salesforce.com it worked.

    Also, not sure if it is needed, but I set the Name ID Format to “EMAIL” on the Google side, instead of leaving the default “UNSPECIFIED”.
