
Salesforce SAML Authentication with Google

I recently attempted to authenticate to Salesforce via SAML provided by G Suite. I ran into a ton of issues, so I thought I would write up a post. Read on to learn more!

Note: All Salesforce steps were performed using the Lightning UI.

In Google

  • Go to Google Admin > Apps > SAML apps > Add
  • Enter Salesforce into the filter bar and select the Salesforce option

Note: If you want a custom icon instead, follow this post.

  • Under Option 2, select Download next to IDP metadata, then select Next
  • On Step 3, select Next
  • On Step 4, select Finish — we will adjust these parameters later

In Salesforce

  • Go to Setup > Company Settings > My Domains
  • Add your domain and verify it is working
  • Select the option to Deploy to Users

IMPORTANT: You MUST deploy to users or you will have issues with SAML-based authentication. Also note that this change CANNOT be undone and will require users to use the new URL going forward.

In Salesforce

  • Go to Setup > Identity > Single Sign-On Settings
  • Select Edit, select SAML Enabled, select Save
  • Under SAML Single Sign-On Settings you can select any option depending on what you have. I recommend New from Metadata File and uploading the Google metadata file you downloaded in step 1

IMPORTANT: You MUST manually enter the Identity Provider Login URL (https://accounts.google.com/o/saml2/idp?idpid=<ID>). The Entity ID MUST match what you enter in Google: https://<domain>.my.salesforce.com/ (do NOT miss the trailing slash). Ensure the Service Provider Initiated Request Binding is set to HTTP Redirect.

  • After saving, make note of the Login URL under Endpoints. You will need to enter this as the ACS URL in Google.

In Salesforce

  • Go to Setup > Company Settings > My Domains
  • Select Edit under Authentication Configuration
  • Change the Authentication Service to whatever you called the Single Sign-On (defaults to “account”) and Save

In Google

  • Go to Google Admin > Apps > SAML apps > Salesforce
  • Expand Service Provider Details
  • For the ACS URL, enter the Login URL from Salesforce noted in step 3
  • For Entity ID and Start URL, update the subdomain to match the subdomain in the ACS URL
  • Select Save

In Salesforce

  • Go to Setup > Users > Users
  • For each user you wish to grant access, select New User
  • Ensure the email, username, and federation ID fields are all identical and all set to the user's Google email address
  • Configure the other parameters as desired and Save

That’s it! You should now be able to either:

  1. Go to https://<domain>.my.salesforce.com and be redirected to authenticate via Google
  2. From the Google Apps launcher select Salesforce and get logged in
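Most of the trouble in the steps above comes from values that have to agree across the two consoles: the Entity ID (with its trailing slash), the subdomain shared by the ACS URL, Entity ID and Start URL, and the HTTP Redirect binding. The following is an added example, not part of the original post or of either product, that pulls the Identity Provider Login URL out of the Google metadata download and checks the Salesforce and Google values against those rules. The metadata document, tenant name `acme` and the `?so=` query string on the ACS URL are constructed sample values.

```python
"""Consistency checks for the Google <-> Salesforce SAML settings (added example)."""
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata"}
HTTP_REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"

# Constructed sample in the shape of the Google IdP metadata download; "EXAMPLE"
# stands in for the real idpid.
SAMPLE_IDP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://accounts.google.com/o/saml2?idpid=EXAMPLE">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://accounts.google.com/o/saml2/idp?idpid=EXAMPLE"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""


def idp_login_url(metadata_xml):
    """Return the HTTP-Redirect SingleSignOnService location, i.e. the value the
    post says must be typed into 'Identity Provider Login URL' by hand."""
    root = ET.fromstring(metadata_xml)
    for sso in root.iterfind(".//md:SingleSignOnService", NS):
        if sso.get("Binding") == HTTP_REDIRECT:
            return sso.get("Location")
    raise ValueError("no HTTP-Redirect SingleSignOnService in IdP metadata")


def subdomain(url):
    """Leftmost DNS label of the URL's host, e.g. 'acme' for acme.my.salesforce.com."""
    return (urlparse(url).hostname or "").split(".")[0]


def check_sp_settings(sf_entity_id, google_entity_id, acs_url, start_url, binding):
    """Return a list of problems; an empty list means the settings agree with the post."""
    problems = []
    if not sf_entity_id.endswith("/"):
        problems.append("Salesforce Entity ID is missing the trailing slash")
    if sf_entity_id != google_entity_id:
        problems.append("Entity ID differs between Salesforce and Google")
    acs_sub = subdomain(acs_url)
    for name, url in (("Entity ID", google_entity_id), ("Start URL", start_url)):
        if subdomain(url) != acs_sub:
            problems.append(f"{name} subdomain {subdomain(url)!r} != ACS subdomain {acs_sub!r}")
    if binding != "HTTP Redirect":
        problems.append("Service Provider Initiated Request Binding must be HTTP Redirect")
    return problems
```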

Unfortunately, I have been unable to get JIT provisioning to work. When I do, I will write another post.

© 2018, Steve Flanders. All rights reserved.

Published in System Administration

2 Comments

  1. Benji

    Hi Steve,

    Thank you so much for this blog post!!

    When I create a new user, where would I find the Federation ID to enter?

    Thanks

    • Hey Benji — glad the post helped. For users, the email, username and federation ID should all be the same (note setting the federation ID does not appear to be a requirement).
