Prerequisite:

If you haven't done so already, please create an SSO Reset Frequency Rule.

To complete this configuration your organization must have an active paid subscription with Salesforce.

Retrieve the URLs and public certificate from Evo

1. From the left nav menu, select My Company. Alternatively, select Customers and and choose a customer from the list.
2. Select Applications from the left nav menu.
3. Click the Salesforce card.
4. Open your favorite text editor. One at a time, click the copy button at the end of each field. Paste the copied detail into the text editor.
   1. Sign In URL.
   2. Sign Out URL.
   3. Metadata URL.
5. Click Download metadata file.
6. Download Public Certificate file.

Configure Salesforce for SSO

To complete these steps, you must be an administrator of your Salesforce portal, and appropriate sites.

Ensure your users are provisioned in Evo, with exact the same email address as their Salesforce account.

Recommend using Salesforce Classic rather than Salesforce Lightning.

Create a Federation ID

When setting up SSO, you use a unique attribute to identify each user. This attribute is the link that associates the Salesforce user with the third-party identity provider. You can use a username, user ID, or a Federation ID. We’re going to use a Federation ID. We will use an example user for these steps.

1. Log into your Salesforce Account.
2. From Setup, enter Users in the Quick Find box, then select Users.
3. Find your user and click Edit (or create a new one).
4. Under Single Sign-On Information, enter the Federation ID.
   

TIP: A Federation ID must be unique for each user in an org. That’s why the username is handy. But if the user belongs to multiple orgs, use the same Federation ID for the user in each org. In this example, we will use sia@jedeye-tech.com. For your user, however, please use a Federation ID that you can map to your user. An example would be the e-mail that user would use to sign-in to Evo Security.

Set up your SSO Provider in Salesforce

Your service provider needs to know about your identity provider and vice versa. In this step, you’re on the Salesforce side providing information about the identity provider, in this case, Evo Security. In the next step, you give Evo Security information about Salesforce. You’re going to work in both your Salesforce Dev org and the Evo Security app. Keep them open in separate browser windows so that you can copy and paste between the two.

1. In Salesforce, from Setup, enter Single in the Quick Find box, and then select Single Sign-On Settings.
2. Click Edit.
3. Select SAML Enabled.
4. Click Save.
5. Click New from Metadata File.
6. Choose the Metadata file you just downloaded and click Create.

You should now be taken to a page that looks like this (except with your personal metadata from the XML file):

There are a few things we need to change here to configure it properly.

1. Make sure the Name field matches the API Name field (underscores are fine in place of spaces).
2. The Entity ID must match the Issuer ID. If they do not, copy the Issuer ID into the Entity ID field.
3. You can also check the Metadata URL that is open in your browser tab and search for "entityID" to find this.
4. For Identity Provider Certificate, choose the Public Certificate key that was recently downloaded.
5. Request Signing Certificate should be pre-filled from the XML data.
6. Make sure Request Signature Method is RSA-SHA256.
7. Under SAML Identity Type select Assertion Contains the Federation ID from the User Object.
8. SAML Identity Location should match screenshot.
9. Service Provider Initiated Request Binding should match screenshot.
10. Identity Provider Login URL and Identity Provider Single Logout URL are not mandatory, but they are provided through the Metadata from the XML file.
11. Check Single Logout Enabled.
12. Click Save.

The Single Sign-on Settings should now be complete, and you can view a larger view of the page for important URLs you will now use to direct your users to sign-on using Evo Security. 

The page should now look something like this with your information:

1. Double-Check to make sure your Entity ID matches your Issuer ID as well as the "entityID" found in your Metadata.
2. Note your new Login URL near the bottom of the page. This will be the URL that your users will use to log-in and authenticate through Evo Security. Please provide that URL to your users.
   1. They can also log-in directly through Salesforce if they choose so using their Salesforce credentials. You can disable this setting, but we will cover this shortly in another section.

Setting up your Domain

Now that you have configured your users and your SSO settings, you must now have your Login URL re-direct them to Evo Security to authenticate properly. 

1. In Salesforce, from Setup, type Domain in Quick Find and click on My Domain.
2. Under Authentication Configuration, click Edit.
3. Under Authentication Service, you should see your newly created SSO as well as Login Form. De-select Login Form and select your new SSO.
   
4. Click Save.

Note: If you would like to disable your users from logging into Salesforce directly and only through Evo Security authentication, follow these steps.

This is NOT recommended as you could potentially lock yourself out of your account if your SSO or user has not been set-up correctly.

1. Still in My Domain, under Policies, click Edit.
2. Under Login Policy, check off Prevent login from https://login.salesforce.com
3. Click Save.

Congratulations! Salesforce is now configured for SSO with Evo Secure Login.

You can test this by following your new Login URL noted at the end of section 2. You should be redirected to Evo Security, sign-in using your Evo Account authentication, and you should be re-directed back to Salesforce upon a successful log-in.

Reference materials > 

• https://trailhead.salesforce.com/content/learn/modules/identity_login/identity_login_sso
• https://help.salesforce.com/s/articleView?id=sf.sso_saml.htm&type=5