
Single Sign-On (SSO) to Salesforce

By default, Salesforce suggests that deployers implement IDP-initiated SSO. Initializing IDP-initiated SSO is complex and requires a long hostname that includes the IDP's SSO link as well as the SP's login URI. For this reason, we recommend SP-initiated SSO. This documentation presents a very simple SP-initiated SSO integration between Salesforce and Gluu Server. If necessary, IDP-initiated SSO is also possible. Further documentation is available at the Salesforce site.


  • Log into Salesforce with your administrative account.
  • Click on Setup in the upper right corner of the page.
  • You need to add a custom domain name for your site if you do not have one yet.
  • Go to Company Settings > My Domain
  • Add your custom domain, or use a Salesforce-issued domain for testing purposes.
  • Wait for some time. Salesforce will register this domain name for you. As an example we use here.


  • Register your Gluu Server information in Salesforce
  • Go to Identity > Single Sign On Settings
  • Click New


  • Now you need to add the information of your Gluu Server here

    • Name: Anything, whichever is easier for you to recognize this setup, i.e. Gluu Server
    • API Name: Gluu Server.
    • Issuer: EntityID of your Gluu Server, i.e.
    • EntityID: Your custom domain name as chosen above, i.e.
    • Identity Provider Certificate: Grab your Gluu Server's "idp-signing" certificate. The SAML certificate can be obtained from your Gluu Server's metadata or from the /etc/certs location. Save the certificate and upload it.
    • Request Signing Certificate: Default certificate
    • Request Signature Method: RSA-SHA256
    • Assertion Decryption Certificate: Assertion not encrypted.
    • SAML Identity Type: Assertion contains user's username
    • SAML Identity Location: Identity is in an Attribute element
    • Attribute Name: Provide 'SAML2 URI' of your attribute. For our test case we are using the urn value of Gluu Server's Email attribute. How to check the information of your attribute is available here.
    • NameID Format: Leave this field empty.
    • Identity Provider Login URL:
    • Service Provider Initiated Request Binding: HTTP-Redirect

Prepare Gluu Server

  • How to create a SAML trust relationship is available here.
  • Grab metadata from the Salesforce website. There is an option named Download Metadata.
  • Create Trust Relationship:
  • Display Name: Anything, whichever is easier for you to recognize this trust relationship.
  • Description: Anything, whichever is easier for you to recognize this trust relationship
  • Metadata Type: 'File'
  • Upload Salesforce's metadata
  • Release attributes: TransientID and Email
  • 'Add' this trust
  • Configure Specific Relying: It can be done from Gluu Server's GUI (named: oxTrust)
    • Select SAML2SSO
      • includeAttributeStatement: Enabled
      • assertionLifetime: keep the default one
      • assertionProxyCount: keep the default one
      • signResponses: conditional
      • signAssertions: never
      • signRequests: conditional
      • encryptAssertions: never
      • encryptNameIds: never
      • Save it
  • Update the trust relationship

Test SSO

  • Log in to Salesforce setup
  • Create a sample user. You need to make sure that this user is also available in Gluu Server.
  • Click Identity > Single Sign On Settings
  • Enable Federated Single Sign-On Using SAML
  • Go to Company Settings > My Domain
  • Configure Authentication Configuration
  • Hit Edit
  • Select Gluu Server
  • Save it


This is an SP-initiated SSO, so it needs to be initiated from Salesforce.

Salesforce Demo Video

You can watch a video demo of this SSO here.