Applications (as IdP)
Integration Guides
Salesforce

Salesforce SSO with MojoAuth

Connect Salesforce to MojoAuth as your SAML 2.0 Identity Provider (IdP) so users can log in to Salesforce with "Log in with SSO" instead of a Salesforce username/password. Salesforce acts as the Service Provider (SP).

How it works

  • SP-initiated: user starts at the Salesforce login page or My Domain URL.
  • IdP-initiated: user starts from a MojoAuth launcher (or the Test SSO button) and lands directly in Salesforce.
  • On first login, Salesforce can Just-in-Time (JIT) provision the user from attributes in the assertion — no manual user creation required.

Prerequisites

  • A MojoAuth project (test or live) with Developers access to create Applications.
  • Salesforce System Administrator access.
  • My Domain enabled and deployed in the Salesforce org. SAML single sign-on settings live under My Domain, and SSO login pages will not work until My Domain is deployed to users.
  • SAML-based SSO is available on Enterprise, Unlimited, Performance and Developer editions (and most orgs with My Domain enabled); check your edition if the Single Sign-On Settings page isn't visible under Identity.

Step 1 — Create the MojoAuth SAML connection

Create a connection

In the MojoAuth dashboard: Developers → Applications → New Application → SAML 2.0 SSO. Enter a connection name (e.g. Salesforce) and click Create connection. MojoAuth creates a draft connection and auto-issues its signing certificate.

See SAML SSO Connections for the full concept if you haven't created one before.

Copy the IdP values

The connection page shows the IdP values you'll paste into Salesforce:

ValueURL
IdP metadata URL (Entity ID){BASE}/saml/{projectId}/sps/{spId}/metadata
IdP SSO URL (Identity Provider Login URL){BASE}/saml/{projectId}/sps/{spId}/sso
IdP SLO URL (logout){BASE}/saml/{projectId}/sps/{spId}/slo
IdP signing certificateDownload .crt button on the connection page

Salesforce supports importing an IdP metadata file or URL directly — this is the fastest path and avoids typos in the Entity ID or SSO URL.

Step 2 — Configure Salesforce

Open Single Sign-On Settings

In Salesforce Setup, go to Quick Find → "Single Sign-On Settings" (under Identity). Click Edit, check SAML Enabled, and Save.

Add a SAML SSO configuration

Click New from Metadata File or New from Metadata URL under SAML Single Sign-On Settings.

  • New from Metadata URL: paste the MojoAuth IdP metadata URL ({BASE}/saml/{projectId}/sps/{spId}/metadata) and click Parse. Salesforce populates the Issuer, Identity Provider Login URL, and certificate for you.
  • New from Metadata File: download the metadata XML from the MojoAuth connection page (or save the metadata URL's response) and upload it instead.

If you'd rather fill the form in by hand, click New and enter:

Salesforce fieldValue
Namee.g. MojoAuth
Issuerthe MojoAuth IdP metadata URL — this is the IdP Entity ID
Identity Provider Login URL{BASE}/saml/{projectId}/sps/{spId}/sso
Identity Provider Certificateupload the .crt you downloaded from MojoAuth
Request Signing Certificateleave as Salesforce's default (used only if you require signed AuthnRequests)
SAML Identity TypeAssertion contains the Federation ID from the User object (recommended) or Assertion contains the User's Salesforce username
Identity Provider Login URL / Custom Logout URLoptionally set to {BASE}/saml/{projectId}/sps/{spId}/slo for SLO
Service Provider Initiated Request BindingHTTP Redirect (default is fine)
⚠️

If you choose "Assertion contains the Federation ID from the User object", every Salesforce user you expect to log in via SSO must have a Federation ID set on their User record (or be JIT-provisioned with one — see Step 4). Otherwise login fails with a "no user found" style error.

Save and note the SP values

After you save, Salesforce generates its own SP values further down the same page, under Salesforce Login URL / Salesforce ACS URL / Entity ID:

Salesforce gives youTypical value
Entity IDhttps://<your-domain>.my.salesforce.com (or https://saml.salesforce.com for orgs without My Domain)
ACS URL (Assertion Consumer Service)https://<your-domain>.my.salesforce.com/services/samlSSO...
Salesforce Login URLthe SP-initiated login link you can put on your own login page

Step 3 — Give the SP details back to MojoAuth

Back on the MojoAuth connection page, complete the other half of the handshake:

  • Import from metadata — Salesforce also exposes SP metadata; paste its URL or download/upload the XML, and MojoAuth fills in the SP Entity ID and ACS URL automatically. or
  • Manual configuration — enter the SP Entity ID and ACS URL copied from Salesforce's Single Sign-On Settings page in Step 2, then click Save.

Set NameID format on the MojoAuth connection to match Salesforce's SAML Identity Type: use unspecified (mapped to identifier) if you're using Federation ID, or emailAddress if Salesforce is set to match by username/email.

Step 4 — Attribute mapping (with JIT provisioning)

Salesforce reads standard User.* attribute names from the assertion. If you want Salesforce to auto-create/update users on first login, enable "Just-in-Time user provisioning" in the same SAML configuration and add these attribute mappings on the MojoAuth connection:

saml_namesourcename_format
User.Usernameemailbasic
User.Emailemailbasic
User.FirstNamefirstNamebasic
User.LastNamelastNamebasic
User.FederationIdentifieridentifierbasic
User.ProfileIda constant, e.g. 00eg5000005snnEbasic
User.TimeZoneSidKeya constant, e.g. America/Los_Angelesbasic
User.LocaleSidKeya constant, e.g. en_USbasic
User.LanguageLocaleKeya constant, e.g. en_USbasic
⚠️

User.ProfileId must be a valid, existing Salesforce Profile ID in that org (an 18-character ID starting with 00e). Look it up under Setup → Profiles or via the Salesforce API — a wrong or missing value will make JIT provisioning fail even though authentication succeeded.

Without JIT provisioning, every user must already exist in Salesforce with a Username (and Federation ID, if that's your chosen identity type) that matches what MojoAuth sends.

Step 5 — Test

  1. SP-initiated: open the Salesforce Login URL from Step 2, or your org's My Domain login page, and click the MojoAuth SSO button. You should be redirected to MojoAuth's hosted login, then back into Salesforce.
  2. IdP-initiated: click Test SSO on the MojoAuth connection page. This posts an unsolicited assertion straight to Salesforce's ACS URL and should land you in the Salesforce home page.
  3. Success looks like: no SAML error page, and the user lands in Salesforce as themselves (check Setup → Users to confirm the JIT-provisioned/matched user is correct).

Salesforce also has a built-in SAML Assertion Validator on the Single Sign-On Settings page — paste a captured assertion there to see field-by-field validation errors.

Troubleshooting

"Identity Provider's certificate has expired" / signature mismatch The certificate uploaded to Salesforce doesn't match MojoAuth's current signing certificate. Re-download the .crt from the MojoAuth connection page and re-upload it under Identity Provider Certificate in the Single Sign-On Settings. If MojoAuth rotated its signing certificate, you must re-upload every time it rotates.

"Audience validation failed" / entity ID mismatch Salesforce compares the <Issuer> in the assertion to the Issuer field you configured. Make sure the Issuer in Salesforce exactly matches the MojoAuth IdP metadata URL ({BASE}/saml/{projectId}/sps/{spId}/metadata) — including scheme and no trailing slash differences.

"Unable to find a user for this assertion" / Federation ID not found Your SAML Identity Type is set to Federation ID, but the assertion's User.FederationIdentifier doesn't match any Salesforce user's Federation ID field. Either add attribute mapping User.FederationIdentifieridentifier and enable JIT provisioning, or manually set the Federation ID field on the target Salesforce User record to match the value MojoAuth sends.

"ACS URL mismatch" / SAML response destination invalid The ACS URL entered on the MojoAuth connection doesn't match the one Salesforce generated on its Single Sign-On Settings page. Re-copy the exact ACS URL from Salesforce (it's unique per org/My Domain) into the MojoAuth connection's SP configuration and save again.

JIT provisioning fails with "invalid Profile ID" or "insufficient access" User.ProfileId is missing, malformed, or points to a Profile ID from the wrong org (e.g. copied from a sandbox into production, or vice versa). Confirm the 18-character Profile ID in that specific org under Setup → Profiles.

Redirect loop / user bounces back to Salesforce login My Domain isn't fully deployed, or users are hitting the standard login page instead of the SSO login link. Confirm My Domain is deployed org-wide and that users are using the Salesforce Login URL (or a My Domain login page with the SSO button visible).

Next steps