Integrating Salesforce SSO with Okta
In today’s interconnected enterprise landscape, Single Sign-On (SSO) is no longer a luxury—it’s a necessity. SSO provides users with a secure, one-click access point to all their critical business applications, drastically improving the user experience and strengthening the organization’s security posture.
This guide focuses on the powerful combination of Salesforce, the world’s leading Customer Relationship Management (CRM) platform, and Okta, a top-tier Identity Provider (IdP). By integrating the two using the SAML protocol, we centralize identity management and enable secure, frictionless access for all users.
Challenge
Before implementing a unified SSO solution using Okta and Salesforce, our internal teams faced significant friction, security risks, and high administrative overhead due to a fragmented login environment across our multiple Salesforce Orgs (e.g., Production, various Sandboxes, regional instances).
These were the core issues we were determined to resolve:
1. The Multi-Login User Tax (Friction and Lost Time)
The lack of a single sign-on experience created major friction for every user who needed to work across different Salesforce environments.
- Credential Overload: Users had to manage, memorize, and repeatedly enter separate usernames and passwords for every Salesforce Org they accessed.
- Context Switching Delay: Logging in and out of multiple Orgs throughout the day was a repetitive, time-consuming task. This "login tax" reduced productivity and created unnecessary frustration, particularly for administrators and power users who regularly toggle between environments.
- Inconsistent Password Policies: Manual password management led to varying security standards across Orgs and frequent password reset requests, placing an unnecessary burden on the IT help desk.
2. The Provisioning and Deprovisioning Headache
Managing user identity manually across multiple, independent systems was slow, error-prone, and a major security concern.
- Slow Onboarding: When a new employee was hired, IT staff had to create an account for them in Okta and then manually create or activate an account in each relevant Salesforce Org. This significantly delayed new hire ramp-up time.
- The Critical Security Gap (Deactivation): The most severe risk was manual deprovisioning. When an employee left, revoking their access across every Salesforce Org was a slow, manual process. Any Org that was missed left an active account, and the customer data behind it, reachable by someone who no longer worked for the company.
- Data Drift: Keeping user attributes (such as department or job title) consistent between the identity source (Okta) and all Salesforce Orgs was nearly impossible, leading to inconsistent reporting and broken internal processes.
3. High Administrative and Audit Costs
The complexity of the manual setup consumed valuable IT resources.
- Excessive Maintenance: Managing credentials, resetting passwords, and manually verifying access compliance for hundreds of users across multiple independent Orgs was a high-volume, repetitive, and costly administrative task.
- Audit Complexity: Proving during security audits that access was uniform and that all terminated users had been promptly deactivated across all systems was a difficult and time-intensive process.
Solution
The solution involves a systematic, multi-step configuration process leveraging SAML for SSO and API-based provisioning for user lifecycle management.
1. Okta Application Setup (SAML Configuration)
- Add Application:
  - Log in to the Okta Admin Console and navigate to Applications.
  - Click Add Application and select the Salesforce.com application.
- Configure Domain:
  - Retrieve your custom domain URL from the Salesforce My Domain setup and paste it into the custom domain field in Okta.
- SAML Settings:
  - Select SAML 2.0 as the sign-in option and enable single logout.
  - In the SAML section, open View Setup Instructions. This page lists the identity provider details (Issuer, Login and Logout URLs, and the signing certificate) that Salesforce needs in the next step.
2. Salesforce SSO Settings
- Enable SAML:
  - In Salesforce Setup, navigate to Single Sign-On Settings and enable SAML.
  - Click New to create a new SAML Single Sign-On setting.
- Copy Credentials:
  - Open View Setup Instructions for the Salesforce app in Okta to find the identity provider details.
- Configure Salesforce:
  - Provide a Name for the SAML setting (e.g., "Okta SAML").
  - Copy and paste the Issuer from the Okta instructions page into Salesforce. Salesforce compares this value against the Issuer in every assertion it receives, so it must match exactly, with no trailing whitespace.
  - Download the Identity Provider certificate file from Okta and upload it using the Choose File button. Salesforce validates the assertion signature against this certificate; if the Okta signing certificate is later rotated, the new certificate must be uploaded here again.
  - Set the Entity ID to your My Domain URL, ensuring it begins with https://. This is the Audience value Salesforce expects in each assertion.
  - Copy and paste the Login URL and Logout URL from Okta and save the setting.
- Upload to Okta (Optional but Recommended):
  - Download the Salesforce metadata.
  - Copy the certificate content from this file and place it between the following lines:
    -----BEGIN CERTIFICATE-----
    XXXXXXXXXXXXX
    -----END CERTIFICATE-----
  - Save this content as a .crt file (e.g., "Octacerti.crt").
  - Return to the Salesforce application in Okta, upload this certificate, and also enter the Salesforce Login and Logout URLs.
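The value-copying in the steps above is where most SSO misconfigurations creep in: an Issuer pasted with a trailing space, a certificate saved without PEM armor, an Entity ID that begins with http://. The following added example, which is not code from this page, Okta, or Salesforce, parses an Okta-style SAML identity provider metadata document and produces the exact values the Salesforce SAML Single Sign-On setting asks for; the PEM wrapping it performs is the same step the page describes for the certificate taken from the Salesforce metadata. The metadata document, entity ID, URLs and certificate bytes are constructed placeholders, not values from a real tenant.

```python
"""Turn SAML IdP metadata into the fields a Salesforce SAML SSO setting needs."""
import base64
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
POST_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed stand-in for a DER certificate. A real certificate is an ASN.1
# SEQUENCE, so its first byte is 0x30; only that shape matters here.
_FAKE_DER = b"\x30\x82\x01\x00" + bytes(range(256))
_FAKE_B64 = base64.b64encode(_FAKE_DER).decode()

# Constructed sample metadata in the shape an IdP serves for a SAML app.
# The entityID, host name and app id are placeholders (assumption), not Okta's.
SAMPLE_METADATA = f"""<?xml version="1.0" encoding="UTF-8"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="http://www.okta.com/exkEXAMPLEID">
  <md:IDPSSODescriptor WantAuthnRequestsSigned="false"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:X509Data>
          <ds:X509Certificate>
            {_FAKE_B64[:64]}
            {_FAKE_B64[64:]}
          </ds:X509Certificate>
        </ds:X509Data>
      </ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://example.okta.com/app/salesforce/exkEXAMPLEID/slo/saml"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://example.okta.com/app/salesforce/exkEXAMPLEID/sso/saml"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://example.okta.com/app/salesforce/exkEXAMPLEID/sso/saml"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""


def _post_location(idp, tag):
    """Return the HTTP-POST endpoint of SingleSignOnService/SingleLogoutService, or None."""
    for el in idp.findall(f"md:{tag}", NS):
        if el.get("Binding") == POST_BINDING:
            return el.get("Location")
    return None


def parse_idp_metadata(xml_text):
    """Extract issuer, login/logout URLs and the signing certificate (bare base64)."""
    root = ET.fromstring(xml_text)
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("metadata has no IDPSSODescriptor")
    cert = None
    for kd in idp.findall("md:KeyDescriptor", NS):
        # A KeyDescriptor without a 'use' attribute applies to signing as well.
        if kd.get("use", "signing") == "signing":
            el = kd.find("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
            if el is not None and el.text:
                cert = "".join(el.text.split())  # drop line breaks and indentation
                break
    if cert is None:
        raise ValueError("metadata has no signing certificate")
    return {
        "issuer": root.get("entityID"),
        "login_url": _post_location(idp, "SingleSignOnService"),
        "logout_url": _post_location(idp, "SingleLogoutService"),
        "cert_b64": cert,
    }


def to_pem(cert_b64):
    """Wrap bare base64 in PEM armor (64-char lines), the form a .crt upload expects."""
    der = base64.b64decode(cert_b64, validate=True)  # rejects stray characters
    if not der or der[0] != 0x30:
        raise ValueError("decoded certificate is not a DER SEQUENCE")
    body = "\n".join(cert_b64[i:i + 64] for i in range(0, len(cert_b64), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"


def entity_id_from_my_domain(my_domain_url):
    """Normalise the My Domain URL into the Entity ID Salesforce will accept."""
    url = my_domain_url.strip().rstrip("/")
    if not url.startswith("https://"):
        raise ValueError(f"Entity ID must begin with https://, got {url!r}")
    return url


def salesforce_sso_settings(metadata_xml, my_domain_url, name="Okta SAML"):
    """Map IdP metadata onto the field names of a Salesforce SAML SSO setting."""
    idp = parse_idp_metadata(metadata_xml)
    return {
        "Name": name,
        "Issuer": idp["issuer"],
        "Entity ID": entity_id_from_my_domain(my_domain_url),
        "Identity Provider Login URL": idp["login_url"],
        "Identity Provider Logout URL": idp["logout_url"],
        "Identity Provider Certificate (PEM)": to_pem(idp["cert_b64"]),
    }


if __name__ == "__main__":
    settings = salesforce_sso_settings(SAMPLE_METADATA, "https://acme.my.salesforce.com/")
    for field, value in settings.items():
        print(f"{field}: {value}")
```

Run it against the real metadata XML downloaded from the Okta app instead of SAMPLE_METADATA and paste the printed fields; the PEM text can be written straight to the .crt file that Salesforce's Choose File button takes.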
3. Establishing Provisioning (Salesforce Connected App)
- Create Connected App / External Client App:
  - Go to the Salesforce App Manager and create a Connected App / External Client App.
- Configure OAuth:
  - Enable OAuth settings and set the Callback URL to https://system-admin.okta.com/admin/app/generic/oauth20redirect. Salesforce requires the redirect URI in the authorization request to match this value exactly, so copy it without alteration.
  - Selected OAuth Scopes: add only the two that provisioning needs:
    - Manage user data via APIs (api)
    - Perform requests at any time (refresh_token, offline_access)
- Policy & Keys:
  - Confirm the policy for Permitted Users is set to All users may self-authorize.
  - After saving, open the Connected App details and request the Consumer Key and Consumer Secret. Treat the Consumer Secret as a credential: it is entered once in the Okta provisioning settings and should not be stored anywhere else.
4. Finalizing Provisioning in Okta
- Update Provisioning Details in Okta:
  - Navigate back to the Salesforce application in Okta and open the Provisioning tab.
- Authenticate:
  - Enter the Consumer Key and Consumer Secret obtained from the Salesforce Connected App in the Provisioning API settings.
  - Click Authenticate with Salesforce, select Push Null Value, and save. The Salesforce account you log in with during this step is the one whose permissions Okta will use for every provisioning call, so use a dedicated integration user with only the user-management permissions it needs rather than a personal administrator account.
- Assign Users:
  - Assign the application to your Okta users or groups.
  - This final step makes both SSO and automated user lifecycle management operational.
Note: the new SAML Single Sign-On setting must also be selected as an Authentication Service under My Domain > Authentication Configuration in each Org; otherwise logins through Okta to that domain will fail.
Results
Upon successful integration and assigning the application to users in Okta, the organization achieves:
- Single-Click User Access: Users open their Okta dashboard and click the Salesforce application icon to be logged in immediately, without a separate Salesforce password.
- Enhanced Security: Centralizing authentication through Okta allows consistent, strong security policies, including Multi-Factor Authentication (MFA), to be enforced across all connected applications.
- Streamlined User Lifecycle Management: Automated provisioning ensures that new hires gain access as soon as they are assigned the application in Okta, and that access for departing employees is revoked in every Org as soon as they are deactivated in Okta, improving operational efficiency and reducing security risk.
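The deprovisioning claim above is worth verifying rather than assuming, because an Org that was never connected to Okta provisioning, or a user created by hand inside Salesforce, stays active no matter what Okta does. The following added example, which is not code from this page, Okta, or Salesforce, reconciles an Okta user list against the active users of every Org and reports three conditions an auditor would ask about: users still active in an Org although they are no longer ACTIVE in Okta, active users Okta does not know at all, and active users with no Federation ID (who can therefore still log in with a local password). It assumes, as the Okta Salesforce app does by default, that the Salesforce FederationIdentifier holds the Okta login. In practice the two inputs come from the Okta Users API and a SOQL query such as SELECT Username, FederationIdentifier, IsActive FROM User; the data embedded here is constructed, not an export from a real tenant or Org.

```python
"""Reconcile Okta user status against active users in every Salesforce Org."""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class OktaUser:
    login: str
    status: str  # Okta lifecycle status, e.g. ACTIVE, SUSPENDED, DEPROVISIONED


@dataclass(frozen=True)
class SalesforceUser:
    username: str
    federation_id: Optional[str]  # FederationIdentifier; assumed to hold the Okta login
    is_active: bool


# Constructed sample data (not a real tenant or Org export).
OKTA_USERS = [
    OktaUser("alice@acme.example", "ACTIVE"),
    OktaUser("bob@acme.example", "DEPROVISIONED"),
    OktaUser("carol@acme.example", "SUSPENDED"),
]

ORGS: Dict[str, List[SalesforceUser]] = {
    "Production": [
        SalesforceUser("alice@acme.example", "alice@acme.example", True),
        SalesforceUser("bob@acme.example", "bob@acme.example", True),          # left, still active
        SalesforceUser("dave@acme.example", None, True),                       # local password login
    ],
    "UAT-Sandbox": [
        SalesforceUser("bob@acme.example.uat", "bob@acme.example", False),     # correctly deactivated
        SalesforceUser("carol@acme.example.uat", "carol@acme.example", True),  # suspended in Okta
        SalesforceUser("eve@acme.example.uat", "eve@acme.example", True),      # unknown to Okta
    ],
}


def audit_orgs(okta_users, orgs):
    """Return findings as {category: [(org, username, detail), ...]}.

    Only users that are active in an Org can be a problem; inactive Org users
    are skipped regardless of their Okta state.
    """
    okta_by_login = {u.login.lower(): u for u in okta_users}
    findings = {
        "active_in_org_but_not_active_in_okta": [],
        "active_in_org_but_unknown_to_okta": [],
        "active_without_federation_id": [],
    }
    for org, users in orgs.items():
        for su in users:
            if not su.is_active:
                continue
            if not su.federation_id:
                # No SAML identity mapping: this account bypasses Okta entirely.
                findings["active_without_federation_id"].append(
                    (org, su.username, "no FederationIdentifier"))
                continue
            okta = okta_by_login.get(su.federation_id.lower())
            if okta is None:
                findings["active_in_org_but_unknown_to_okta"].append(
                    (org, su.username, su.federation_id))
            elif okta.status != "ACTIVE":
                findings["active_in_org_but_not_active_in_okta"].append(
                    (org, su.username, okta.status))
    return findings


def has_findings(findings):
    """True when any category contains at least one row (useful as an exit status)."""
    return any(findings.values())


if __name__ == "__main__":
    result = audit_orgs(OKTA_USERS, ORGS)
    for category, rows in result.items():
        for org, user, detail in rows:
            print(f"{category}: {org} {user} ({detail})")
    raise SystemExit(1 if has_findings(result) else 0)
```

Scheduling this against every Org, including sandboxes that are refreshed from Production and therefore inherit its user table, turns the "all terminated users were deactivated everywhere" audit question into a report rather than a manual check.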