Single Sign-On (SSO) allows users to access multiple applications with one set of credentials. They don’t need to remember the userid / password for each application separately. It’s like having a magic key that automatically opens all the other doors once you enter through one door.
To set up SSO, you need to designate one system that will authenticate the user and all other systems will trust that one system and allow users to log in. The system that authenticates users is called “Identity Provider” or IdP and all the other systems that trust IdP are called “Service Provider” or SP.
Salesforce provides different options to configure Single Sign-On. This includes:
- Federated Authentication using SAML
- Delegated Authentication
- OpenID Connect
For the purpose of this blog post, we will limit our discussion to Federated Authentication using SAML. In Federated Authentication, there are two main concepts in SSO that you need to be aware of.
- The concept of IdP/SP
- The concept of IdP initiated login and SP initiated login.
Let’s see what they mean.
- IdP/SP: IdP stands for Identity Provider and SP stands for Service Provider. When logging on, IdP is the system that authenticates user by validating the username and password and then subsequently all other applications trust IdP and allow user to access the application if the IdP asserts that the user is a valid user. In such cases, IdP is the system that stores user’s login name and password. You can configure different systems as IdP, for example Microsoft Active Directory, Oracle Internet Directory, Google, Salesforce etc.
- IdP initiated Login and SP initiated Login: When a user needs to access the application, he/she can initiate the access in two different ways. User can log on to IdP and then from there, click on links to access other systems (i.e. SP). This is called IdP initiated login. Or otherwise, the user can go directly to an SP application to access the application. In this case, SP will redirect the user to IdP login page where user will provide his or her username and password, IdP will authenticate the user and pass the control back to SP asserting whether user is authenticated or not. SP will then allow user to access the application
With Salesforce, you can configure Salesforce both ways – as an IdP or as a SP. There are different possible combinations in setting up SSO with Salesforce.
In this blog post, we will learn how to configure Single Sign-On in Salesforce with Google. A lot of organizations today use Google Workspace for Email, Productivity and Collaboration. And since Email is an indispensable tool in today’s world, users will login to their email account than any other application.
So, it will make sense to piggyback on user’s login to their Google Account for Email and allow them to login to Salesforce also through their Google account.
Though SSO may sound complex, it won’t take you more than 15-20 minutes to set this up from scratch. Here is what we will be covering in this guide (all in under 15-20 minutes 🙂)
- Configure Google as IdP (Identity Provider)
- Configure Salesforce as SP (Service Provider)
- Enable Option to Login through SSO
- Specify the Federation ID for the User
- Test Single Sign On
- Troubleshoot SSO Issues
References & Useful URLs
- Google Help Article – Set up SSO via SAML for Salesforce
7 thoughts on “Step By Step Guide to Setting Up SSO in Salesforce with Google”
For SAML SSO we need google workspace. For personal SSO one can use Social Sign on Auth providers to setup gmail SSO . Cheers!
Good point TJ. I do plan to come up with another step-by-step guide on that as well. 🙂
What about the MFA requirements? Will SSO via Google suffice?
Hi Danica, the MFA will need to be set up on Google only. Almost all the Identity Providers (IdP) support different forms of MFA. From Salesforce side, we are relying on the IdP to authenticate the user so IdP will need to take care of MFA as well.
Following these instructions and on slide 26, Google is not an authentication service option. I only show; Login Forms, accounts, Gmail integration with Inbox, Lightning for Gmail, and LiveMessageSetup.
Nevermind, please delete. I didn’t wait long enough for the SSO Settings to take effect.