[Federated Authentication] Integrating Salesforce with WSO2 Identity Server as SAML2 SSO IDP

In my previous blog post we went through how you can configure the SAML2 SSO web application with Identity Server. Users authenticate to Identity Server by proving username/password. These username/password must be authenticated with the enterprise user store that identity server has been deployed. Therefore only the user who are in the enterprise user store can access the web application.

Assume, you have a new requirement that web application must be accessed by the users from some other partner organization. Partner organization has their employee’s user accounts in salesforce SAAS applications. Users from partner organization who need to login to the web application must be authenticated with their user account in salesforce.com. How we are going to achieve this?

With Identity Server, you can configure multiple IDPs that users can be authenticated. In this use case, users from its own enterprise can be authenticated with enterprise user store. And users from partner organization, can be authenticated with salesforce.com.


Configure WSO2 Identity Server as a Service providers in salesforce.com

Step 1. Login to salesforce SAAS Application as an administrator.

You can easily create a free trial account in salesforce.com, If you are just wish to try out this.

Step 2. Go to Identity provider management UI.


Step 3. Download Identity provider certificate.   You need this certificate to import in to Identity Server.  As Identity Server needs to trust the SAML Assertion that is received by salesforce.com


Step 4. Download Identity provider metadata.   IDP meta data file needs to find out meta of the IDP such as IDP url, entity Id and so on..


Step 5. Register new service provider connected application for Identity Server.


Step 6. Enable SAML for Service provider.   You need to  configure Identity Server ACS url and other configurations.  ACS url would be https://{IP}:{Port}/commonauth


Step 7. Associate new application with the profiles that users are assigned.




Now you are done with salesforce  configurations.

Configure salesforce.com as an trusted IDP for Identity Server.

Step 1. Go to Identity providers management UI and Configure new Trust IDP


Step 2. Provide Trusted IDP details.   You need to configure an unique name for IDP and  upload the downloaded certificate file of the salesforce.com domain


Step 3. Configure SAML2 SSO Configuration for IDP.  Identity Server is used to communicate with salesforce.com using SAML2 SSO web browser profile. Therefore,  In SAML2 SSO configurations,  You need to configure the SAML2 SSO details of the salesforce.com.   These details can be retrieved from the download IDP metadata file.  You can configure the IDP url, IDP entity Id and Service Provider entity id. Also Service Provider entity id must be the same value that you have configured in salesforce.com while configuring the service provider.


Now you are done with configuring the Salesforce as trusted IDP

Step 4. Configure salesforce.com trusted IDP as an  authentication IDP for web application.


There are two way that you can configure the salesforce.com trusted IDP.  One way is,  just configure it as a federated authentication IDP for web application.  Then,  Only the users who can be authenticated via salesforce.com IDP,  can login to web application.


Or less, you can configure authentication steps.  Here we configure two steps…   One is  basic authentication that allows to authenticate users from enterprise user store. Other one is salesforce.com IDP.



Once you configure like this,  users who are accessing to web application would be promoted a IDP login page with both options.  Therefore users from salesforce.com and enterprise user store can login to web application….

Discuss this article on Stack Overflow


  1. I have tried to do the set up. When I access travelocity, I am getting redirected to IS and then to Salesforce. After authenticating at SF, I get redirected to IS and I am authenticated there, which is fine, but I am not sent back to Travelocity but instead I am redirected to the IS management interface. Is there s.th. missing in my configuration?

  2. Same is happening with what is happening with Jan. I am not sure if we have configured proper SSO url , it seems to be incomplete.

    Please suggest.

  3. Hi Jan/Sohan,

    Could you please make sure whether url that is configured in Salesforce is correct.. it must be “https://localhost:9443/commonauth” Also, please make sure the ACS url of the Travelocity web application.

  4. We are using Siteminder as an IDP and wanted to use store app hosted on WSo2 server as SP. We have been trying hard to get this working. So far no luck. Can some one guide us right steps to get this working

    1. Sorry. I do not have any experience in Siteminder (I guess it is not available for free). But; Your IDP is Siteminder and you are directly configure WSO2 APIM store application with it ? Or else, you are integrating with WSO2IS with Siteminder?

Leave a Reply

Your email address will not be published. Required fields are marked *