Table of Contents
Enable and Deploy My Domain on your Salesforce Org
Configure G Suite for SSO
Configure SAML 2.0 in Salesforce
Give Users Access in G Suite for Salesforce App
Enable and Deploy My Domain on your Salesforce Org
The Salesforce My Domain feature allows you to select a custom domain name for your application. A My Domain URL looks like https://customer.my.salesforce.com.
- In your Salesforce org, click Setup, then type Domain into the Quick Find box and choose Domains.
- Click Add a Domain and enter your custom domain in the Domain Name field.
Configure G Suite for SSO
- Log in to https://admin.google.com.
- Navigate to Apps > SAML Apps.
- Click the plus (+) icon to add the new application. A popup window will open; search for Salesforce.
- Select the application. A new window will open with Google IDP information.
- Download the IdP metadata file offered under Option 2 and keep it; it is uploaded to Salesforce in the next section.
- Once Salesforce is configured, return to Step 4 of the G Suite wizard (Service Provider Details) and enter the Salesforce values described below.
- In the Service Provider Details section, enter the following URLs into the Entity ID, ACS URL, and Start URL fields:
- ACS URL: https://your-domain-name.my.salesforce.com?so={SF provided - domain specific id}. This must equal the Login URL shown on the Salesforce SAML configuration page once that configuration has been created.
- Entity ID: https://your-domain-name.my.salesforce.com, the same as your Salesforce My Domain URL.
- Start URL: https://your-domain-name.my.salesforce.com, the same as your Salesforce My Domain URL. Click Finish.
- Once the application is set up, it appears in the list under Admin Panel > SAML Apps.
- Click the Salesforce application to configure SSO and provisioning.
- Click Edit Service in the top right corner of the screen. You will see the option to toggle ON for everyone/OFF for everyone. Select ON. If you use organizational units in G Suite, the left side of the screen lets you enable the service per OU instead. Click Save.
- You will be returned to the default page. Click User Provisioning, then Set up user provisioning.
- In the Authorize window, click Authorize.
- Salesforce will open in the same tab. Log in to your Salesforce org. If you haven't logged in to your Salesforce administrator account before clicking Authorize, you're prompted to sign in. If you can't access your Salesforce application, click Re-authorize app to be prompted to sign in.
- In the Provide SCIM endpoint field, enter https://your-domain-name.my.salesforce.com/services/scim/v1 (replace your-domain-name with your custom domain name).
- In the Map attributes box, next to the selected Cloud Directory attribute, use the dropdown menus to map to the corresponding Salesforce attributes.
- Select Entitlements in the Map attributes box, then scroll down and select AutoProvSFAttribs > SFEntitlements. Then click Next.
- From the Set provisioning scope dialog box, add a group to restrict provisioning to members of groups you define. Click the underscore and begin typing your group name. A list of available groups will appear. Selecting one adds it and opens another selection option. Add more groups if necessary. To remove groups, click the Edit (pencil) icon. Once complete, click Finish.
Configure SAML 2.0 in Salesforce
- Log in to Salesforce with the same administrator username and password used for User Management settings in G Suite.
- From Setup, type Single Sign-On into the Quick Find box and select Single Sign-On Settings.
- Click Edit and check the SAML Enabled box to enable SAML Single Sign-On, then click Save.
- Next, in the list at the bottom of your page, select New from the Metadata File to add a new SAML SSO configuration.
- From here, upload the XML metadata file you saved from G Suite and click Create to configure the SAML settings in Salesforce. Salesforce then displays the new SAML configuration. Note the Login URL listed under Endpoints; it is the value entered as the ACS URL in the G Suite app.
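Before uploading the G Suite IdP metadata to Salesforce and before typing the Service Provider values into the G Suite wizard, it is worth checking both mechanically: a metadata file from the wrong tenant, a missing signing certificate, or an ACS URL that does not match the Salesforce Login URL all produce an SSO setup that fails only at first login. The script below is an added example, not part of this guide or of any Google or Salesforce tooling. It parses a constructed IdP metadata document in the shape Google's Admin console produces (the `idpid` value, the `so` value and the certificate body are placeholders, and only the presence and base64 encoding of the signing certificate are checked, not its validity), derives the Entity ID and Start URL from a My Domain name, and confirms that an ACS URL equals the Login URL on the same My Domain host with the same `so` parameter.

```python
"""Pre-flight checks for a G Suite -> Salesforce SAML setup (added example, hypothetical helper).

check_idp_metadata   - validates the IdP metadata XML downloaded from the Google Admin console
sp_values            - derives the Service Provider Details from a Salesforce My Domain name
acs_matches_login_url- checks that the ACS URL entered in G Suite equals the Salesforce Login URL
"""
import base64
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs, urlsplit

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"


def check_idp_metadata(xml_text: str) -> dict:
    """Return entityID, SSO endpoints and signing-cert count, or raise ValueError on a bad file."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{NS['md']}}}EntityDescriptor":
        raise ValueError("root element is not md:EntityDescriptor")
    entity_id = root.get("entityID")
    if not entity_id:
        raise ValueError("entityID attribute missing")
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("no IDPSSODescriptor: this is SP metadata or the wrong file")
    # Salesforce needs at least one HTTP-Redirect or HTTP-POST SSO endpoint, and it must be https.
    sso = {el.get("Binding"): el.get("Location") for el in idp.findall("md:SingleSignOnService", NS)}
    if REDIRECT not in sso and POST not in sso:
        raise ValueError("no HTTP-Redirect or HTTP-POST SingleSignOnService")
    for location in sso.values():
        if urlsplit(location).scheme != "https":
            raise ValueError(f"SSO location is not https: {location}")
    # A KeyDescriptor with use="signing" (or no use attribute, which means both) must carry a certificate.
    certs = []
    for kd in idp.findall("md:KeyDescriptor", NS):
        if kd.get("use", "signing") != "signing":
            continue
        el = kd.find("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
        if el is not None and el.text:
            certs.append("".join(el.text.split()))  # strip line breaks inside the base64 body
    if not certs:
        raise ValueError("no signing certificate in IdP metadata")
    for cert in certs:
        if not base64.b64decode(cert, validate=True):  # raises ValueError if not valid base64
            raise ValueError("signing certificate is empty")
    return {"entity_id": entity_id, "sso": sso, "signing_certs": len(certs)}


def sp_values(my_domain: str) -> dict:
    """Entity ID and Start URL for the G Suite Service Provider Details, from the My Domain name."""
    base = f"https://{my_domain}.my.salesforce.com"
    return {"entity_id": base, "start_url": base}


def acs_matches_login_url(acs_url: str, login_url: str, my_domain: str) -> bool:
    """True when both URLs are https on the org's My Domain host and carry the same `so` value."""
    a, b = urlsplit(acs_url), urlsplit(login_url)
    expected_host = f"{my_domain}.my.salesforce.com"
    if a.scheme != "https" or b.scheme != "https":
        return False
    if a.netloc != expected_host or b.netloc != expected_host or a.path != b.path:
        return False
    qa, qb = parse_qs(a.query), parse_qs(b.query)
    return "so" in qa and qa.get("so") == qb.get("so")


# Constructed sample in the shape of Google's IdP metadata; all identifying values are placeholders.
PLACEHOLDER_CERT = base64.b64encode(b"constructed placeholder, not a real X.509 certificate").decode()
SAMPLE_IDP_METADATA = f"""<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://accounts.google.com/o/saml2?idpid=EXAMPLE-IDPID">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:X509Data><ds:X509Certificate>{PLACEHOLDER_CERT}</ds:X509Certificate></ds:X509Data>
      </ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://accounts.google.com/o/saml2/idp?idpid=EXAMPLE-IDPID"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://accounts.google.com/o/saml2/idp?idpid=EXAMPLE-IDPID"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""

if __name__ == "__main__":
    info = check_idp_metadata(SAMPLE_IDP_METADATA)
    print("IdP entityID:", info["entity_id"])
    print("SSO bindings:", ", ".join(sorted(info["sso"])))
    print("SP values for 'acme':", sp_values("acme"))
    print("ACS URL matches Login URL:", acs_matches_login_url(
        "https://acme.my.salesforce.com?so=EXAMPLE-SO-ID",
        "https://acme.my.salesforce.com?so=EXAMPLE-SO-ID", "acme"))
```

Run it against the real metadata by replacing `SAMPLE_IDP_METADATA` with the file contents; a `ValueError` names the field that is missing or malformed. The ACS check deliberately fails on a plain `http://` URL and on a different `so` value, because either mismatch makes Salesforce reject the assertion.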
Give Users Access in G Suite for Salesforce App
- Log in to https://admin.google.com.
- Click Users, then click on the user you want to give Salesforce access to.
- Click the User Information tab. This loads a page where you can edit the user's information. Scroll down to AutoProvSFAttribs, click SFEntitlements and enter the Profile ID the user will have when their login is created in Salesforce. (Log in to Salesforce as an administrator. In the Quick Find box, locate Profiles under Manage Users. Click the desired profile and copy the 12-digit profile ID from the URL.)
- Save the user settings and go to Home > Groups. Search for the group you added during provisioning and add the required user to that group. The user will be provisioned shortly; you can review the logs under SAML Apps > Salesforce > Provisioning, which list the Created, Suspended and Failure results of provisioning.