---
locale: "en"
updated_at: "2025-10-27T22:49:27.061Z"
canonical: "https://www.isdecisions.com/en/userlock/docs/guides/sso/configure-the-applications/salesforce"
---

# Configure Salesforce for UserLock Single Sign-On (SSO)

Configure SSO for Salesforce integration.

## Introduction

This guide explains how to integrate **Salesforce** with **UserLock Single Sign-On (SSO)** using the SAML 2.0 protocol. 

Once configured, Salesforce logins are authenticated by UserLock against Active Directory, enabling administrators to enforce UserLock [access policies](/userlock/docs/reference/core-concepts/access-policies) (MFA, time, machine, or location restrictions) on Salesforce sessions.

🚩 **Before starting:**

- You need a Salesforce administrator account with access to **Setup**.
- **UserLock SSO** must already be [installed and configured](/userlock/docs/guides/sso/install-configure-sso).

## Step 1. Configure Salesforce for Single Sign-On

Choose one of the two methods below:

- Using the UserLock SSO metadata file (recommended)
- Manual method

### Method A — Using the SSO metadata file (recommended)

1. In the **UserLock console**, go to ⚙ **Server settings ▸ Single Sign-On**.
2. Click **Download ▸ SAML certificate** and save the file.
3. In Salesforce, go to **Setup ▸ Identity ▸ Single Sign-On Settings**.
4. Click **Edit** on **Federated Single Sign-On Using SAML**, check **SAML Enabled**, and **Save**.
5. Next to **SAML Single Sign-On Settings**, click **New from Metadata File**.
  ![](https://a.storyblok.com/f/122374/605x323/fd97375221/salesforce_metadata.png)
6. Select and upload the metadata file you downloaded from UserLock, then click **Create**.
7. Salesforce will pre-fill the SSO form. Review and modify the following fields as needed:
  - **SAML Identity Type**: set to *Assertion contains the Federation ID from the User object*.
  - **Service Provider Initiated Request Binding**: *HTTP POST*.
  - **Single Logout Enabled**: **unchecked**.
  - **Name**: optional display name.
8. Click **Save**.

### Method B — Manual method

1. In Salesforce, go to **Setup → Identity → Single Sign-On Settings**.
2. Click **Edit** on **Federated Single Sign-On Using SAML**, check **SAML Enabled**, and **Save**.
3. Next to **SAML Single Sign-On Settings**, click **New**.
  ![](https://a.storyblok.com/f/122374/1145x914/5ce51a5b89/salesforce_manual.png)
4. Enter the values below:
  | Property | Value |
  | --- | --- |
  | **Name** | Preferred display name (e.g., UserLock SSO) |
  | **Issuer** | UserLock SSO address *(visible in UserLock console▸**** ****⚙ Server settings ▸**** ****Single Sign-On)* |
  | **Identity Provider Certificate** | 1. Go to *UserLock console▸* *Server Settings▸ Single Sign-On* 2. Click on *Download  ▸ SAML certificate*. 3. Upload the downoaded file |
  | **Request Signing Certificate** | Leave default (if not using signed authn requests) |
  | **Request Signature Method** | RSA-SHA256 |
  | **Assertion Decryption Certificate** | Leave default |
  | **SAML Identity Type** | "Assertion contains the Federation ID from the User object" |
  | **SAML Identity Location** | "Identity is in the Name Identifier element of the Subject statement" |
  | **Service Provider Initiated Request Binding** | HTTP POST |
  | **Identity Provider Login URL** | `https://<SSO address>/saml/sso` |
  | **Custom Logout URL** | `https://<SSO address>/connect/endsession` |
  | **Custom Error URL** | Leave empty |
  | **Single Logout Enabled** | <Unchecked> |
  | **API Name** | Accept default |
  | **Entity ID** | `https://saml.salesforce.com` |
  | **User Provisioning Enabled** | <Unchecked> |
5. Click **Save**.

## Step 2. Configure Salesforce users

For each user that will use SSO, set their Salesforce user **Federation ID** to match the corresponding Active Directory **ImmutableID** (or the attribute you use to map accounts):

1. In Salesforce, go to **Administration ▸ Users ▸ Users**.
2. Click **Edit** on the user record.
3. In the **Single Sign-On Information** section, set **Federation ID** to the AD user’s ImmutableID (or the chosen mapping attribute).
4. Click **Save**.

![](https://a.storyblok.com/f/122374/963x790/6a8ef6e1f9/salesforce_users.png)

## Step 3. Enable SSO for the domain

Activate SSO for your Salesforce domain:

1. In Salesforce Setup, go to **Company Settings ▸ My Domain**.
2. Next to **Authentication Configuration**, click **Edit**.
3. Check the box corresponding to **UserLock SSO**.
4. Click **Save**.

![](https://a.storyblok.com/f/122374/730x490/684a22b240/salesforce_authentication.png)

## Step 4. Enable Salesforce in UserLock SSO

Configure the Salesforce profile in UserLock:

1. In Salesforce, go to **Setup ▸  Security ▸ Certificate and Key Management**.
2. Under **Certificates**, click on the **last certificate** in the list *(SelfSignedCert_... .crt)*, then **download it**.
3. In the **UserLock console**, go to  ⚙ **Server settings ▸ Single Sign-On**.
4. Click the **Salesforce** row.
5. Fill in the fields with values from your Salesforce configuration:
  | Settings | Values |
  | --- | --- |
  | Domaine d'application | `https://<yourInstance>.my.salesforce.com`  *(your Salesforce instance domain)* |
  | Issuer | ClientId / Entity ID of the Salesforce service provider (as configured in Salesforce) |
  | Certificate | Open the downloaded certificate with a text editor and copy the content (including `-----BEGIN CERTIFICATE-----` / `-----END CERTIFICATE-----`) |

![](https://a.storyblok.com/f/122374/571x844/e60e10d919/salesforces_settings.PNG)

## Troubleshooting

For common issues, see [Troubleshooting SSO](/userlock/docs/support/troubleshooting/sso-issues).
If the problem persists, please contact [IS Decisions Support](/support).

### Handling SSO unavailability  

If SSO is temporarily unavailable and admins need to sign in using standard credentials:

1. Go to [https://MyDomain.my.salesforce.com?login](https://MyDomain.my.salesforce.com?login)
2. Sign in with an administrator account
3. Revert back to a standard Log-In sessions while SSO is unavailable.
