Salesforce SSO with MojoAuth
Connect Salesforce to MojoAuth as your SAML 2.0 Identity Provider (IdP) so users can log in to Salesforce with "Log in with SSO" instead of a Salesforce username/password. Salesforce acts as the Service Provider (SP).
How it works
- SP-initiated: user starts at the Salesforce login page or My Domain URL.
- IdP-initiated: user starts from a MojoAuth launcher (or the Test SSO button) and lands directly in Salesforce.
- On first login, Salesforce can Just-in-Time (JIT) provision the user from attributes in the assertion — no manual user creation required.
Prerequisites
- A MojoAuth project (test or live) with Developers access to create Applications.
- Salesforce System Administrator access.
- My Domain enabled and deployed in the Salesforce org. SAML single sign-on settings live under My Domain, and SSO login pages will not work until My Domain is deployed to users.
- SAML-based SSO is available on Enterprise, Unlimited, Performance and Developer editions (and most orgs with My Domain enabled); check your edition if the Single Sign-On Settings page isn't visible under Identity.
Step 1 — Create the MojoAuth SAML connection
Create a connection
In the MojoAuth dashboard: Developers → Applications → New Application → SAML 2.0 SSO. Enter a connection name (e.g. Salesforce) and click Create connection. MojoAuth creates a draft connection and auto-issues its signing certificate.
See SAML SSO Connections for the full concept if you haven't created one before.
Copy the IdP values
The connection page shows the IdP values you'll paste into Salesforce:
| Value | URL |
|---|---|
| IdP metadata URL (Entity ID) | {BASE}/saml/{projectId}/sps/{spId}/metadata |
| IdP SSO URL (Identity Provider Login URL) | {BASE}/saml/{projectId}/sps/{spId}/sso |
| IdP SLO URL (logout) | {BASE}/saml/{projectId}/sps/{spId}/slo |
| IdP signing certificate | Download .crt button on the connection page |
Salesforce supports importing an IdP metadata file or URL directly — this is the fastest path and avoids typos in the Entity ID or SSO URL.
Step 2 — Configure Salesforce
Open Single Sign-On Settings
In Salesforce Setup, go to Quick Find → "Single Sign-On Settings" (under Identity). Click Edit, check SAML Enabled, and Save.
Add a SAML SSO configuration
Click New from Metadata File or New from Metadata URL under SAML Single Sign-On Settings.
- New from Metadata URL: paste the MojoAuth IdP metadata URL
(
{BASE}/saml/{projectId}/sps/{spId}/metadata) and click Parse. Salesforce populates the Issuer, Identity Provider Login URL, and certificate for you. - New from Metadata File: download the metadata XML from the MojoAuth connection page (or save the metadata URL's response) and upload it instead.
If you'd rather fill the form in by hand, click New and enter:
| Salesforce field | Value |
|---|---|
| Name | e.g. MojoAuth |
| Issuer | the MojoAuth IdP metadata URL — this is the IdP Entity ID |
| Identity Provider Login URL | {BASE}/saml/{projectId}/sps/{spId}/sso |
| Identity Provider Certificate | upload the .crt you downloaded from MojoAuth |
| Request Signing Certificate | leave as Salesforce's default (used only if you require signed AuthnRequests) |
| SAML Identity Type | Assertion contains the Federation ID from the User object (recommended) or Assertion contains the User's Salesforce username |
| Identity Provider Login URL / Custom Logout URL | optionally set to {BASE}/saml/{projectId}/sps/{spId}/slo for SLO |
| Service Provider Initiated Request Binding | HTTP Redirect (default is fine) |
If you choose "Assertion contains the Federation ID from the User object", every Salesforce user you expect to log in via SSO must have a Federation ID set on their User record (or be JIT-provisioned with one — see Step 4). Otherwise login fails with a "no user found" style error.
Save and note the SP values
After you save, Salesforce generates its own SP values further down the same page, under Salesforce Login URL / Salesforce ACS URL / Entity ID:
| Salesforce gives you | Typical value |
|---|---|
| Entity ID | https://<your-domain>.my.salesforce.com (or https://saml.salesforce.com for orgs without My Domain) |
| ACS URL (Assertion Consumer Service) | https://<your-domain>.my.salesforce.com/services/samlSSO... |
| Salesforce Login URL | the SP-initiated login link you can put on your own login page |
Step 3 — Give the SP details back to MojoAuth
Back on the MojoAuth connection page, complete the other half of the handshake:
- Import from metadata — Salesforce also exposes SP metadata; paste its URL or download/upload the XML, and MojoAuth fills in the SP Entity ID and ACS URL automatically. or
- Manual configuration — enter the SP Entity ID and ACS URL copied from Salesforce's Single Sign-On Settings page in Step 2, then click Save.
Set NameID format on the MojoAuth connection to match Salesforce's SAML Identity Type: use
unspecified (mapped to identifier) if you're using Federation ID, or emailAddress if
Salesforce is set to match by username/email.
Step 4 — Attribute mapping (with JIT provisioning)
Salesforce reads standard User.* attribute names from the assertion. If you want Salesforce to
auto-create/update users on first login, enable "Just-in-Time user provisioning" in the same SAML
configuration and add these attribute mappings on the MojoAuth connection:
saml_name | source | name_format |
|---|---|---|
User.Username | email | basic |
User.Email | email | basic |
User.FirstName | firstName | basic |
User.LastName | lastName | basic |
User.FederationIdentifier | identifier | basic |
User.ProfileId | a constant, e.g. 00eg5000005snnE | basic |
User.TimeZoneSidKey | a constant, e.g. America/Los_Angeles | basic |
User.LocaleSidKey | a constant, e.g. en_US | basic |
User.LanguageLocaleKey | a constant, e.g. en_US | basic |
User.ProfileId must be a valid, existing Salesforce Profile ID in that org (an 18-character
ID starting with 00e). Look it up under Setup → Profiles or via the Salesforce API — a wrong
or missing value will make JIT provisioning fail even though authentication succeeded.
Without JIT provisioning, every user must already exist in Salesforce with a Username (and Federation ID, if that's your chosen identity type) that matches what MojoAuth sends.
Step 5 — Test
- SP-initiated: open the Salesforce Login URL from Step 2, or your org's My Domain login page, and click the MojoAuth SSO button. You should be redirected to MojoAuth's hosted login, then back into Salesforce.
- IdP-initiated: click Test SSO on the MojoAuth connection page. This posts an unsolicited assertion straight to Salesforce's ACS URL and should land you in the Salesforce home page.
- Success looks like: no SAML error page, and the user lands in Salesforce as themselves (check Setup → Users to confirm the JIT-provisioned/matched user is correct).
Salesforce also has a built-in SAML Assertion Validator on the Single Sign-On Settings page — paste a captured assertion there to see field-by-field validation errors.
Troubleshooting
"Identity Provider's certificate has expired" / signature mismatch
The certificate uploaded to Salesforce doesn't match MojoAuth's current signing certificate. Re-download
the .crt from the MojoAuth connection page and re-upload it under Identity Provider Certificate
in the Single Sign-On Settings. If MojoAuth rotated its signing certificate, you must re-upload every
time it rotates.
"Audience validation failed" / entity ID mismatch
Salesforce compares the <Issuer> in the assertion to the Issuer field you configured. Make sure
the Issuer in Salesforce exactly matches the MojoAuth IdP metadata URL ({BASE}/saml/{projectId}/sps/{spId}/metadata) —
including scheme and no trailing slash differences.
"Unable to find a user for this assertion" / Federation ID not found
Your SAML Identity Type is set to Federation ID, but the assertion's User.FederationIdentifier
doesn't match any Salesforce user's Federation ID field. Either add attribute mapping
User.FederationIdentifier → identifier and enable JIT provisioning, or manually set the
Federation ID field on the target Salesforce User record to match the value MojoAuth sends.
"ACS URL mismatch" / SAML response destination invalid The ACS URL entered on the MojoAuth connection doesn't match the one Salesforce generated on its Single Sign-On Settings page. Re-copy the exact ACS URL from Salesforce (it's unique per org/My Domain) into the MojoAuth connection's SP configuration and save again.
JIT provisioning fails with "invalid Profile ID" or "insufficient access"
User.ProfileId is missing, malformed, or points to a Profile ID from the wrong org (e.g. copied from
a sandbox into production, or vice versa). Confirm the 18-character Profile ID in that specific org
under Setup → Profiles.
Redirect loop / user bounces back to Salesforce login My Domain isn't fully deployed, or users are hitting the standard login page instead of the SSO login link. Confirm My Domain is deployed org-wide and that users are using the Salesforce Login URL (or a My Domain login page with the SSO button visible).
Next steps
- SAML SSO Connections — connection concepts, attribute mapping, NameID formats, signing options.
- Managing Applications — edit, disable, or delete this connection.
- Integration Guides overview — more provider guides.