Jason Walton

SAML and Salesforce

Hi All -

We are looking to implement SAML SSO for our Salesforce instance. From what I've gleaned, it's best practice to set up a custom domain when doing this (we are currently using the generic domain). We are also somewhat concerned about our API integrations once we go live and enforce SAML logins - how does this affect those logins and integrations?

If anyone can comment on some of these, I would be most appreciative. 
Best Answer chosen by Jason Walton
mjohnson-TIC
I've done SSO both before and after creating a custom domain. A custom domain is really only necessary if you plan on providing SSO to more than one Salesforce instance. Once activated and configured, users will be able to log in using your SSO endpoint using their Active Directory credentials (or however you configure it), or the regular login.salesforce.com route. Existing API integrations will not be affected.

Once a custom domain is created, all old referenced domain URLs will redirect to your custom domain. The only problem I ran into was direct references to Visualforce URLs. The page would load but the action methods would be broken. Any direct URL reference to Visualforce may need to be updated to point to the new custom domain address.

All Answers

Jason Walton
One more additional question. For anyone who has gone down the custom domain/SAML route - did you have to change the URL used by your various partners for integrations to the new custom URL, or does the old URL still work?
Jason Walton
Hi -

Thanks for all the great info.

One more question if you could help - what happens with API users in SF? Obviously they cannot use SAML, so how are they authenticated? These wouldn't be integrations with SF vendors, but rather API users for our own scripts, etc.

How does that work? 
mjohnson-TIC
Enabling single sign-on does not affect your ability to log in using your regular Salesforce credentials; it just offers a different route to authenticate through. Think of it just as another way to log in.
Jason Walton
Is there a way to enforce SSO via SAML?