Salesforce - SSO configuration
This documentation has been tested and approved by Kelvin Zero's team
This documentation provides a step-by-step guide to setting up Single Sign-On (SSO) for Salesforce using MPAS. SSO simplifies user authentication by allowing access to multiple applications with a single set of credentials. This integration enhances security and improves user experience across your organization.
To set up Multi-Pass with Salesforce, ensure you meet the following requirements:
- Salesforce admin rights
- MPAS Admin rights
- Make sure that all users intended to use SSO in Salesforce are registered in your IdP and have the necessary permissions to access Salesforce.
Important: Custom elements in URLs (like realm names) are case sensitive. Make sure to match the exact casing from your environment.
Salesforce - SSO configuration
This guide is based on the Salesforce Developer Environment. Your production dashboard layout may differ slightly, but the steps and configuration remain consistent.
Step 1 - Enable SAML SSO in Salesforce
- On your Salesforce dashboard, click the ⚙️ gear icon (top-right corner) and select Setup.
- In the left navigation bar, scroll down to Settings
- Click Identity, then click Single Sign-On Settings.
- Under SAML Single Sign-On Settings, click New from Metadata File.
- Upload the metadata file you’ll generate in MPAS (instructions below).
- Click Create.
You will now be redirected to a configuration page. Ensure the following options are toggled ON:
| Setting | Status |
|---|---|
| Assertion contains the user's Salesforce username | Enabled |
| Identity is in the NameIdentifier element of the Subject statement | Enabled |
| HTTP POST | Enabled |
| Use Salesforce MFA for this SSO Provider | Enabled |
| Single Logout Enabled | Enabled |
| Use selected request signature method for Single Logout | Enabled |
| Single Logout Request Binding | HTTP POST |
Step 2 - Import the Metadata into Multi-Pass
- Open Multi-Pass Dashboard
- Select your tenant and go to the Advanced Console.
- In the left sidebar, click Clients, then Import Client.
- Upload the Salesforce metadata file.
- Complete the following fields:
| Field | Value |
|---|---|
| Name | Salesforce |
| Description | Your choice |
| Always Display in UI | ON |
Step 3 - Finalize Configuration in MPAS
Now make sure that the next fields are completed
- General Settings
| Field | Value |
|---|---|
| Home URL | https://ca.auth.kzero.com/realms/<TENANT_NAME>/protocol/saml/clients/<APP_NAME> |
| Valid Redirect URIs | Automatically filled or matches the Salesforce Login URL |
| Valid Post Logout URIs | Automatically filled or matches the Salesforce Logout URL |
| IDP-Initiated SSO URL Name | <APP_NAME> |
- SAML Capabilities
| Setting | Value |
|---|---|
| Name ID Format | email |
- Signature and Encryption
| Setting | Value |
|---|---|
| Sign Documents | ON |
| Sign Assertions | ON |
- Click Save, then go to the Keys tab and make sure:
| Field | Value |
|---|---|
| Signing Keys Configuration | OFF |
| Encryption Keys Configuration | OFF |
- Switch to the Advanced tab and verify the following fields (automatically filled):
| Field | Value |
|---|---|
| Assertion Consumer Service POST Binding URL | From metadata or login URL |
| Logout Service POST Binding URL | From metadata or logout URL |
| Logout Service Redirect Binding URL | From metadata or logout URL |
Retrieving MPAS Metadata
- To obtain the SAML metadata from Multi-Pass:
- In the Advanced Console, click Realm Settings (bottom-left).
- Scroll down to SAML 2.0 Identity Provider Metadata.
- A popup will open:
- Either copy the metadata URL to paste in Salesforce.
- Or right-click the page and save it as a .xml file.
Step4 - Finalize SSO Setup in Salesforce
- Go back to the Single Sign-On Settings in Salesforce.
- Click Edit and toggle SAML Enabled → Save.
- To assign SSO to your domain:
- In the left menu, go to Settings → Company Settings → My Domain.
- Scroll down to Authentication Configuration.
- Click Edit.
- Select the SSO you created (based on the name).
- Customize the login button label (optional).
- Click Save.
Your Salesforce account is now configured for secure, passwordless login using Multi-Pass as a SAML Identity Provider.
Related Articles
SAML SSO Integration Guide
This guide provides an overview of how to configure SAML Single Sign-On (SSO) between Multi-Pass and a third-party Service Provider (SP). Multi-Pass acts as the Identity Provider (IdP) in this federation model. Multi-Pass is working on SCIM support ...Rocket.chat - SSO configuration
This documentation has been tested and approved by Kelvin Zero's team This documentation provides a step-by-step guide to setting up Single Sign-On (SSO) for Rocket.chat using MPAS. SSO simplifies user authentication by allowing access to multiple ...HaloPSA - SSO configuration
This documentation has been tested and approved by Kelvin Zero's team This documentation provides a step-by-step guide to setting up Single Sign-On (SSO) for HaloPSA using MPAS. SSO simplifies user authentication by allowing access to multiple ...Wrike - SSO configuration
This documentation has been tested and approved by Kelvin Zero's team This documentation provides a step-by-step guide to setting up Single Sign-On (SSO) for Wrike using MPAS. SSO simplifies user authentication by allowing access to multiple ...Grammarly - SSO configuration
Please note that this application has not been formally tested by Kelvin Zero Inc. It is provided solely as a reference guide. If you encounter any issues, kindly submit a ticket directly through the support desk. This documentation provides a ...