Salesforce can act as a Service Provider (SP) for Okta, enabling single sign-on (SSO) for your users.

Let’s see this in action. Imagine a user, Alice, who is already logged into Okta. She navigates to her Salesforce instance. Instead of seeing a Salesforce login page, she’s immediately redirected into her Salesforce account. This happens because Okta, acting as the Identity Provider (IdP), has already authenticated Alice. When Alice’s browser requests a Salesforce page, Salesforce generates a SAML authentication request and redirects her browser to Okta. Okta confirms Alice’s identity and sends a SAML assertion back, through her browser, to Salesforce. Salesforce validates this assertion and grants Alice access.

Here’s how to set it up.

1. Configure Okta as the Identity Provider (IdP)

  • Create a SAML Application in Okta:

    • Navigate to Applications > Applications in your Okta admin dashboard.
    • Click Browse App Catalog.
    • Search for "Salesforce" and select it.
    • Click Add Integration.
    • On the General Settings tab, give your application a name (e.g., "Salesforce SSO").
    • Under API Integration, ensure "Enable SAML" is checked.
    • Click Next.
  • Configure SAML Settings:

    • Single sign-on URL: This is your Salesforce login URL followed by /services/auth/saml/callback. For example, https://yourcompany.my.salesforce.com/services/auth/saml/callback.
    • Audience URI (SP Entity ID): This is https://yourcompany.my.salesforce.com.
    • Name ID format: Choose EmailAddress.
    • Application username: Choose Okta username.
    • Attribute Statements (Optional but Recommended), one per attribute:
      • Name: email, Name Format: URI, Value: user.email
      • Name: firstName, Name Format: URI, Value: user.firstName
      • Name: lastName, Name Format: URI, Value: user.lastName
    • Click Next, then Finish.
  • Download Okta Metadata:

    • On the Sign On tab of your Salesforce application in Okta, scroll down to SAML Signing Certificates.
    • Click Actions > View SAML setup.
    • Download the Identity Provider Metadata file. This XML file contains Okta’s public certificate and entity ID. You’ll need this for Salesforce.

2. Configure Salesforce as the Service Provider (SP)

  • Enable SAML:

    • In Salesforce Setup, search for "Single Sign-On" and select Single Sign-On Settings.
    • Check the SAML Enabled box.
    • Click New.
  • Configure SAML Settings in Salesforce:

    • Name: A descriptive name, e.g., "Okta SSO".
    • API Name: Auto-generated, e.g., Okta_SSO__c.
    • Issuer: This is your Okta Org URL. You can find it in your Okta SAML metadata file or on the Okta Sign-On page for the Salesforce app (look for https://yourcompany.okta.com).
    • Identity Provider Login URL: This is the Identity Provider Single Sign-On URL from your Okta SAML metadata.
    • Identity Provider Certificate: Upload the X.509 Certificate from your Okta SAML metadata.
    • SAML Identity Type: Choose Assertion contains the Subject confirmation method.
    • SAML Identity Location: Choose Identity is in the Subject statement.
    • Service Provider Initiated Request Binding: Choose HTTP-Redirect.
    • SAML Signature Method: Choose RSA-SHA256.
    • SAML Request Signature Method: Choose RSA-SHA256.
    • Custom Error URL: (Optional) A URL to redirect users to if an error occurs.
    • Enable for Identity Provider: Check this box if you want Salesforce to also act as an IdP for other SPs (less common in this scenario).
    • Click Save.
  • Set Default Identity Provider:

    • After saving, you’ll see your new SAML SSO configuration. Click Manage.
    • Under Default Identity Provider, select the Okta SSO configuration you just created.
    • Click Save.
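The Issuer, Identity Provider Login URL and certificate entered above all come from the Okta metadata file downloaded at the end of section 1. The following is an added example, not Okta’s or Salesforce’s code, that reads such a file and returns those three values; the metadata it parses is constructed, and its entity ID, endpoint URLs and certificate body are placeholders.

```python
# Added example (not Okta's or Salesforce's code): read an Okta IdP metadata
# file and pull out the three values Salesforce's SSO form asks for. The
# metadata is constructed; entity ID, URLs and certificate body are placeholders.
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata", "ds": "http://www.w3.org/2000/09/xmldsig#"}
REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"

SAMPLE_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://yourcompany.okta.com">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>
        MIIC_PLACEHOLDER_CERTIFICATE_BASE64
      </ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://yourcompany.okta.com/app/salesforce/PLACEHOLDER/sso/saml"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://yourcompany.okta.com/app/salesforce/PLACEHOLDER/sso/saml"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

def salesforce_settings_from_metadata(xml_text: str) -> dict:
    """Return Issuer, Identity Provider Login URL and certificate for the Salesforce form."""
    root = ET.fromstring(xml_text)
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("not an IdP metadata document (no IDPSSODescriptor)")
    issuer = root.get("entityID")  # Salesforce's "Issuer" is the entityID the metadata declares
    # Section 2 picks HTTP-Redirect as the request binding, so take that endpoint,
    # not whichever SingleSignOnService happens to come first.
    login_url = next((s.get("Location") for s in idp.findall("md:SingleSignOnService", NS)
                      if s.get("Binding") == REDIRECT), None)
    # Only a KeyDescriptor marked use="signing" (or with no use) may verify assertions;
    # an encryption-only key must not be uploaded as the Identity Provider Certificate.
    certs = [kd.findtext("ds:KeyInfo/ds:X509Data/ds:X509Certificate", namespaces=NS)
             for kd in idp.findall("md:KeyDescriptor", NS) if kd.get("use") in (None, "signing")]
    if not (issuer and login_url and certs and certs[0]):
        raise ValueError("metadata lacks entityID, HTTP-Redirect SSO URL or signing certificate")
    # Strip the line breaks the base64 certificate is wrapped with so it pastes cleanly.
    return {"issuer": issuer, "login_url": login_url, "certificate": "".join(certs[0].split())}
```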

3. Assign Users in Okta

  • In your Okta admin dashboard, go to your Salesforce application and click the Assignments tab.
  • Click Assign to People or Assign to Groups.
  • Select the users or groups who should have access to Salesforce via SSO.

4. Map Users in Salesforce

For SAML SSO to work, the username in Salesforce must match the NameID (which we configured as the user’s email address) sent by Okta.

  • Automatic Mapping: If you enabled attribute statements in Okta to send email, firstName, and lastName, and these match your Salesforce usernames (typically the user’s email address), Salesforce will automatically map them.
  • Manual Mapping: If usernames don’t match or you need more control, you can manually map them:
    • In Salesforce Setup, search for "Identity Provider" and select Identity Provider.
    • Under User Registration, you’ll find options to manage user provisioning and mapping.
    • Alternatively, you can manually update the Federation ID field on each user record in Salesforce to match the Okta username (email address).

5. Test the Integration

  • Log out of both Okta and Salesforce.
  • Access your Salesforce login URL (https://yourcompany.my.salesforce.com). You should be redirected to Okta.
  • Log in to Okta.
  • You should be automatically logged into Salesforce.

This setup leverages SAML 2.0, a widely adopted open standard for exchanging authentication and authorization data between parties, specifically between an Identity Provider (Okta) and a Service Provider (Salesforce). Okta asserts the user’s identity, and Salesforce trusts that assertion, allowing access without requiring separate credentials.
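What “Salesforce validates this assertion” means in practice is a set of checks that tie the assertion back to the values configured in sections 1 and 2: the Issuer, the SP Entity ID (Audience), the callback URL (Recipient), the EmailAddress NameID format and the validity window. The following is an added example of those checks, not Salesforce’s code; the assertion it inspects is constructed and unsigned, and verifying the XML signature with the uploaded Okta certificate is a separate step it does not show.

```python
# Added example (not Salesforce's code): the checks that tie an assertion to the
# values configured above; the assertion is constructed and unsigned (signature
# verification with the uploaded Okta certificate is a separate step, not shown).
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
SP_CONFIG = {"issuer": "https://yourcompany.okta.com",                 # Issuer (section 2)
             "audience": "https://yourcompany.my.salesforce.com",      # SP Entity ID (section 1)
             "acs_url": "https://yourcompany.my.salesforce.com/services/auth/saml/callback"}

SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed" Version="2.0" IssueInstant="2024-01-01T12:00:00Z">
  <saml:Issuer>https://yourcompany.okta.com</saml:Issuer>
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">alice@yourcompany.com</saml:NameID>
    <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
      <saml:SubjectConfirmationData NotOnOrAfter="2024-01-01T12:05:00Z"
          Recipient="https://yourcompany.my.salesforce.com/services/auth/saml/callback"/>
    </saml:SubjectConfirmation>
  </saml:Subject>
  <saml:Conditions NotBefore="2024-01-01T11:59:00Z" NotOnOrAfter="2024-01-01T12:05:00Z">
    <saml:AudienceRestriction><saml:Audience>https://yourcompany.my.salesforce.com</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions>
</saml:Assertion>"""

def _ts(value: str) -> datetime:
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def assertion_problems(xml_text: str, cfg: dict, now_utc: str) -> list:
    """Return the names of the checks that fail; an empty list means accept."""
    a, now, problems = ET.fromstring(xml_text), _ts(now_utc), []
    if a.findtext("saml:Issuer", namespaces=NS) != cfg["issuer"]:
        problems.append("issuer")           # not the IdP configured in Salesforce
    name_id = a.find("saml:Subject/saml:NameID", NS)
    if name_id is None or name_id.get("Format") != EMAIL_FORMAT:
        problems.append("nameid_format")    # section 1 chose EmailAddress
    scd = a.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd is None or scd.get("Recipient") != cfg["acs_url"]:
        problems.append("recipient")        # must be this org's callback URL
    audiences = [e.text for e in a.findall("saml:Conditions/saml:AudienceRestriction/saml:Audience", NS)]
    if cfg["audience"] not in audiences:
        problems.append("audience")         # issued for a different service provider
    cond = a.find("saml:Conditions", NS)
    if cond is None or not _ts(cond.get("NotBefore")) <= now < _ts(cond.get("NotOnOrAfter")):
        problems.append("validity_window")  # expired (replayed) or not yet valid
    return problems
```

An empty list is the accept case; anything else is a reason to reject before the user is mapped to a Salesforce account.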

The next step is often configuring Just-In-Time (JIT) provisioning, which automatically creates Salesforce user accounts when a user logs in for the first time via SSO if they don’t already exist.
