Saturday, August 29, 2020

Okta - Salesforce Single Sign On Integration

Hi

We will be integrating OKTA SSO with a Salesforce application as a Single Sign On and MFA solution.


  1. Create your Salesforce free trial account. (You can also use your licensed version of Salesforce to integrate; the steps are the same.)
  2. Log in to https://login.salesforce.com/?locale=au and click the Try for Free button. Fill out the form with your details.
  3. You will receive an activation email to activate your account and reset the admin password. Follow the steps mentioned in that email.
  4. Now click the Setup icon in the top right corner (next to your profile).
  5. In the Setup configuration, go to Settings ---> Single Sign On Settings (from the left-side navigation bar).
  6. In the Single Sign On Settings, click the Edit button and enable SAML as SSO. You can optionally "Disable the direct login with Salesforce Credential" once SSO is set up. Save the settings.



  • To add the SAML SSO configuration, click the New button. Enter your OKTA org IdP details as shown below.
  • Name: Enter a name of your choice.
  • SAML Version: Make sure this is set to 2.0. This should be enabled by default.
  • Identity Provider Login URL: Log in to your OKTA org and get this value from the IdP metadata.
  • Entity ID: If you have purchased a custom domain, use https://[customDomain].my.salesforce.com. If you do not have a custom domain set up, use https://saml.salesforce.com instead.
  • API Name: Enter an API name of your choice.
  • Identity Provider Certificate: Get the IdP certificate from your OKTA IdP metadata. Save it in a file locally and upload the file.
Note: The Custom Logout URL and Custom Error URL are optional; specify them only if you wish to customize those pages.
Single Logout Enabled: Use this setting only if you wish to have SLO enabled.

The final settings should look as shown below.

Note: Select the SAML Identity Type as "Assertion contains the Federation ID from User object" as shown above.
  • If you wish to enable provisioning as well, select the "User Provisioning Enabled" checkbox in the Just In Time Provisioning section.
  • Finally, click the Save button. It should save the SAML settings as shown below.
  • After saving the settings, click the "Download Metadata" button and save the metadata file locally on your computer.

  • Now log in to your OKTA org and click Add Applications. Search for Salesforce in the search bar as shown below. Click the Add button on the left-hand side.


  • If you are using the trial version of Salesforce, select the Instance Type as Production as shown below. Click the Next button.

  • In the Sign On tab, go to Advanced settings and set "Use Fed ID for SAML" to NO.
  • Provide the Login URL of Salesforce from the Salesforce metadata file. It is actually the Assertion Consumer Service URL in the metadata.
  • As we don't have any custom domain, click Save/Done.
For the Multifactor settings, click Add Rule and choose the option as per your business requirements.
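The two copy-from-metadata steps above (the Identity Provider Login URL and certificate from the Okta IdP metadata, and the Assertion Consumer Service URL from the Salesforce metadata file) can be pulled out of the XML instead of copied by hand. The following is an added example, not code from the original post or from Okta or Salesforce; the metadata samples, the org host, app id, `so=` value and certificate body are constructed placeholders.

```python
import base64
import textwrap
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed IdP metadata in the shape Okta publishes. The org host, app id and
# certificate body are placeholders, not a real Okta tenant or certificate.
IDP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
 xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="http://www.okta.com/exampleIdpId">
 <md:IDPSSODescriptor>
  <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data><ds:X509Certificate>
   c29tZS1mYWtlLWJhc2U2NC1jZXJ0LWJvZHk=
  </ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
  <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
   Location="https://example.okta.com/app/salesforce/exampleIdpId/sso/saml"/>
 </md:IDPSSODescriptor></md:EntityDescriptor>"""

# Constructed SP metadata in the shape Salesforce's "Download Metadata" button produces.
SP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
 entityID="https://saml.salesforce.com"><md:SPSSODescriptor>
  <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
   Location="https://login.salesforce.com?so=00DEXAMPLE0000000" index="0" isDefault="true"/>
 </md:SPSSODescriptor></md:EntityDescriptor>"""

def parse_idp_metadata(xml_text):
    """Return the Entity ID, HTTP-POST login URL and signing certificate (PEM) from IdP metadata."""
    root = ET.fromstring(xml_text)
    sso = root.find(f"md:IDPSSODescriptor/md:SingleSignOnService[@Binding='{HTTP_POST}']", NS)
    # Only the key marked use="signing" is the IdP certificate; an encryption key would not verify assertions.
    cert = root.find("md:IDPSSODescriptor/md:KeyDescriptor[@use='signing']/ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
    if sso is None or cert is None:
        raise ValueError("not IdP metadata, or no HTTP-POST SSO URL / signing certificate")
    if not sso.get("Location", "").startswith("https://"):
        raise ValueError("refusing a non-HTTPS Identity Provider Login URL")
    b64 = "".join(cert.text.split())       # drop the line breaks metadata tools insert
    base64.b64decode(b64, validate=True)   # fail loudly on a truncated or corrupted blob
    pem = "-----BEGIN CERTIFICATE-----\n" + "\n".join(textwrap.wrap(b64, 64)) + "\n-----END CERTIFICATE-----\n"
    return {"entity_id": root.get("entityID"), "login_url": sso.get("Location"), "cert_pem": pem}

def parse_sp_metadata(xml_text):
    """Return the Entity ID and HTTP-POST Assertion Consumer Service URL from SP metadata."""
    root = ET.fromstring(xml_text)
    acs = root.find(f"md:SPSSODescriptor/md:AssertionConsumerService[@Binding='{HTTP_POST}']", NS)
    if acs is None:
        raise ValueError("not SP metadata, or no HTTP-POST AssertionConsumerService")
    return {"entity_id": root.get("entityID"), "acs_url": acs.get("Location")}
```

Write `cert_pem` to a file and upload that as the Identity Provider Certificate; `login_url` goes into the Salesforce Identity Provider Login URL field and `acs_url` into the Okta Login URL field.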

  • Now go to the Assignments tab and assign this application to People/Groups as shown below.

  • Since we have not enabled User Provisioning, we have to create the user profile in Salesforce manually.
Note: OKTA doesn't support user provisioning with the trial version, but it does support provisioning with the licensed version. It is highly recommended to use User Provisioning with the licensed version.

  • Go to your Salesforce account and click the Users tab in the Administration section. Add the new user to whom you assigned the application in OKTA, as shown below.



Test your application. Thanks a lot!!!
