Why Set Up Okta at all?
This is a perfectly legitimate question, one I asked myself around 4 years ago when I set up my first Okta integration with Salesforce. The answer is pretty straightforward though, so let me break it down for you.
Okta Benefit #1: The company you work for might have 20+ different systems that users could or should be given access to, and someone at your company has to manage all that access (hopefully). To simplify that problem you set up an access management tool like Okta. That way the person in charge of access management doesn't have to provision (and later deprovision) users by going into each individual system; they can do all of that from Okta. In short, it makes life much easier for the person in charge of access management at your company.
Okta Benefit #2: You probably want all of your apps to enforce the same authentication policy. In other words, whenever a user logs in to a system, the same company-enforced password and login policies should apply. By putting your systems behind Okta SSO, the login itself happens in Okta, so the password and sign-on policies are defined once for your org and you can easily verify they are being followed.
Setting up your Salesforce My Domain
Before we get too far into this: if you want service provider initiated authentication to work on your Salesforce login page, you need to set up My Domain in Salesforce. Unless something has recently changed, I don't believe this is mandatory for identity provider initiated authentication, but chances are you'll want to set up both authentication types.
The choice is yours, but make sure to consider this step before setting up Okta.
Creating a free Okta Developer Account
If you’re an admin reading this, don’t worry, we’re not doing any true development here, but we do need a free Okta dev account so we can set up and test our single sign-on integration with Salesforce.
You can get a free dev account here: Sign-up for a free Okta Developer Account
Setting up Okta Single Sign-On
The first thing we’re going to do after setting up our account is go into Okta and click the Applications tab. Once there, click the “Add Applications” button.
After clicking the Add Applications button, search for Salesforce.com in the search bar. DO NOT SELECT THE SALESFORCE FEATURED INTEGRATION!!! The featured integration does not have the ability to use SAML, which we need. There are multiple Salesforce apps in Okta, so make sure to search for and select the Salesforce.com app.
After selecting the correct Salesforce app, make sure to click the “Add” button to add it. After adding the app you’ll need to set up its general settings. Make sure to do three things on the general settings page:
1) Select the correct instance type
2) Enter your custom My Domain, if you have one set up in Salesforce, in the “Custom Domain” text field.
3) Enter the correct User Profile & Type value
I typically leave the rest as is (aside from the name field, which I typically change to something more meaningful), but that’s ultimately up to you and what your Okta setup needs.
After setting up your general settings, click the “Next” button in the bottom right of the page to start setting up your Sign-On Options.
In the sign-on options area we want to select “SAML 2.0” as our Sign-On Method. Then we want to click the “View Setup Instructions” button. This is super important: the “View Setup Instructions” button generates values in the document it opens (the Okta Issuer, the Identity Provider Login URL and the Identity Provider Certificate) that we’re going to need when we go back to Salesforce in just a second and set up our SSO record.
Now, let’s open Salesforce in a new tab, set up our single sign-on settings and create an SSO record.
1) After opening a new tab with Salesforce, go to Setup -> Single Sign-On Settings
2) Click the “Edit” button at the top of the Single Sign-On Settings page and then check the “SAML Enabled” checkbox.
3) After enabling SAML, go back to the Single Sign-On Settings page and click the “New” button for SAML Single Sign-On Settings.
4) Name the SSO record in Salesforce whatever you want.
5) Put your Salesforce My Domain URL in the Entity Id field, or https://saml.salesforce.com if you don’t have a My Domain set up. This value is what Okta will put in the Audience of its SAML assertion, so it has to match exactly.
6) Follow step 6 of the Okta Setup Instructions you opened in Okta a little bit ago to fill out the rest of the SSO record in Salesforce (the Issuer, the Identity Provider Certificate and the Identity Provider Login URL).
7) Save your SSO record
8) After saving your record you should see an “Endpoints” section on your Salesforce SSO record, and one of those endpoints is a Login URL. Copy that URL and go back to your Okta Salesforce.com app’s Sign-On Options page.
9) Once you’re back in your Salesforce.com app in Okta, paste the Login URL you copied from Salesforce into the Login URL field of the app. This is the address Okta sends the signed SAML response to, so it also has to match exactly.
10) Click the “Done” button at the bottom of the page in Okta.
11) That’s it, your SSO setup is done! Now we just need to import our users into Okta from Salesforce.
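When the login fails after this setup, it is almost always because one of the values pasted between the two systems does not match what Okta actually puts in the assertion: the Issuer, the Audience (your Entity Id), or the Destination/Recipient (your Salesforce Login URL). The script below is an added example, not part of the original post or of Okta's or Salesforce's tooling. It decodes the base64 SAMLResponse that the browser POSTs to the Salesforce Login URL (you can grab it from the browser's network tab) and compares those fields with the values you configured. The tenant identifiers in `EXPECTED`, the constructed sample response, and the user `jane.doe@example.com` are hypothetical stand-ins; replace them with your own. It does not verify the XML signature, it only confirms one is present; Salesforce does the cryptographic check.

```python
import base64
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

# Namespaces used in a SAML 2.0 response
NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"

# Hypothetical values standing in for what you typed into the Salesforce SSO record
# (Entity Id, Login URL endpoint) and what Okta's setup instructions gave you (Issuer).
EXPECTED = {
    "issuer": "http://www.okta.com/exk0000000000000000",
    "entity_id": "https://example-dev-ed.my.salesforce.com",
    "login_url": "https://example-dev-ed.my.salesforce.com?so=00D000000000000",
}


def _parse_time(value):
    """SAML timestamps are UTC ISO 8601, e.g. 2021-03-01T12:00:00.123Z."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def check_saml_response(saml_response_b64, expected, now=None):
    """Decode a base64 SAMLResponse and compare its routing fields with the
    configured values. Returns {check_name: bool}. The signature is NOT verified
    here, only detected; Salesforce performs the real verification. For responses
    from untrusted sources, parse with defusedxml instead of ElementTree."""
    root = ET.fromstring(base64.b64decode(saml_response_b64))
    assertion = root.find("saml:Assertion", NS)
    if now is None:
        now = datetime.now(timezone.utc)
    elif isinstance(now, str):
        now = _parse_time(now)

    def text(path):  # text of an element inside the assertion, or None
        node = assertion.find(path, NS) if assertion is not None else None
        return node.text.strip() if node is not None and node.text else None

    status = root.find("samlp:Status/samlp:StatusCode", NS)
    conditions = assertion.find("saml:Conditions", NS) if assertion is not None else None
    not_before = conditions.get("NotBefore") if conditions is not None else None
    not_after = conditions.get("NotOnOrAfter") if conditions is not None else None
    scd = (assertion.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
           if assertion is not None else None)
    signed = root.find("ds:Signature", NS) is not None or (
        assertion is not None and assertion.find("ds:Signature", NS) is not None)

    return {
        "status_success": status is not None and status.get("Value") == SUCCESS,
        # Issuer must equal the Okta Issuer pasted into the SSO record
        "issuer_matches": text("saml:Issuer") == expected["issuer"],
        # Audience must equal the Entity Id (My Domain URL or https://saml.salesforce.com)
        "audience_matches": text("saml:Conditions/saml:AudienceRestriction/saml:Audience")
        == expected["entity_id"],
        # Destination and Recipient must equal the Login URL endpoint copied into Okta
        "destination_matches": root.get("Destination") == expected["login_url"],
        "recipient_matches": scd is not None and scd.get("Recipient") == expected["login_url"],
        # Assertions are short-lived; clock skew between Okta and Salesforce breaks this
        "within_validity_window": bool(not_before and not_after)
        and _parse_time(not_before) <= now < _parse_time(not_after),
        "signature_present": signed,
    }


def extract_name_id(saml_response_b64):
    """NameID is what Salesforce matches against the user's Username (or Federation ID);
    if it does not line up with an existing Salesforce user, login fails."""
    root = ET.fromstring(base64.b64decode(saml_response_b64))
    node = root.find("saml:Assertion/saml:Subject/saml:NameID", NS)
    return node.text.strip() if node is not None and node.text else None


def make_sample_response(issuer, entity_id, login_url, name_id,
                         not_before="2021-03-01T12:00:00Z", not_after="2021-03-01T12:05:00Z"):
    """Constructed, unsigned stand-in for an Okta SAMLResponse. The ds:Signature
    below is an empty placeholder; a real response carries a full XML-DSig."""
    xml = f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
  xmlns:ds="{NS['ds']}" ID="_r1" Version="2.0" IssueInstant="{not_before}" Destination="{login_url}">
  <saml:Issuer>{issuer}</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="{SUCCESS}"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="{not_before}">
    <saml:Issuer>{issuer}</saml:Issuer>
    <ds:Signature><ds:SignedInfo/></ds:Signature>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">{name_id}</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData NotOnOrAfter="{not_after}" Recipient="{login_url}"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions NotBefore="{not_before}" NotOnOrAfter="{not_after}">
      <saml:AudienceRestriction><saml:Audience>{entity_id}</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""
    return base64.b64encode(xml.encode()).decode()


if __name__ == "__main__":
    sample = make_sample_response(EXPECTED["issuer"], EXPECTED["entity_id"],
                                  EXPECTED["login_url"], "jane.doe@example.com")
    for name, ok in check_saml_response(sample, EXPECTED, now="2021-03-01T12:01:00Z").items():
        print(f"{'PASS' if ok else 'FAIL'}  {name}")
    print("NameID:", extract_name_id(sample))
```

Every row should print PASS for a real response captured from your own tenant; a FAIL on `audience_matches` or `destination_matches` points straight at the Entity Id or Login URL you pasted, and a FAIL on `within_validity_window` usually means clock skew rather than misconfiguration.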
How to set up our Salesforce integration to import our users from Salesforce into Okta
The final thing we need to do is import our users from Salesforce into Okta so that we can assign them the Salesforce app in Okta and give them access to Okta in general.
To do this we need to do a few things:
1) In the Salesforce.com app we just set up in Okta, click the Provisioning tab.
2) Then click the “Configure API Integration” button
3) After clicking that button, check the “Enable API Integration” checkbox that appears and enter the username and password + security token of the Salesforce user Okta will connect as. Okta stores these credentials and uses them to read and manage users through the Salesforce API, so use a dedicated integration account rather than a personal admin login, and give it only the permissions provisioning needs.
4) Click the “Test API Credentials” button to make sure you are connecting successfully to Salesforce.
5) Click the “Save” button after you connect successfully
How to Import our Users from Salesforce to Okta
Now that we have our integration set up, importing users is pretty simple; we just need to follow a few steps:
1) In your Salesforce.com app in Okta click the Import tab.
2) Click the “Import Now” button on the import tab. This will scan your Salesforce org for users who aren’t yet assigned to the Salesforce.com app in Okta.
3) After the scan completes, Okta displays a list of users who are not currently assigned to your Salesforce app in Okta. Check the box next to each user you intend to import into Okta and assign to the Salesforce app.
4) After checking the boxes next to the users, click the “Confirm Assignments” button to confirm the users should be brought into Okta and assigned to the Salesforce.com app.
5) You did it! All done!
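The import works by matching Okta's application username for the Salesforce.com app against the Salesforce Username, which is not always the same as the user's email (sandbox usernames in particular carry a suffix). The same matching decides whether SSO later succeeds for a user and whether someone deactivated in Salesforce is still assigned in Okta. The reconciliation below is an added example, not part of the post or of Okta's import logic; the two user lists are constructed sample data with illustrative field names, and `reconcile` reports the three cases an admin should look at before and after clicking Import Now.

```python
# Constructed sample data standing in for a Salesforce user export and the
# current app assignments in Okta (field names are illustrative, not an API schema).
SALESFORCE_USERS = [
    {"Username": "jane.doe@example.com", "Email": "jane.doe@example.com", "IsActive": True},
    # sandbox-style username: differs from the email address
    {"Username": "bob.smith@example.com.dev", "Email": "bob.smith@example.com", "IsActive": True},
    {"Username": "old.contractor@example.com", "Email": "old.contractor@example.com", "IsActive": False},
]
OKTA_ASSIGNMENTS = [
    {"login": "jane.doe@example.com", "appUserName": "Jane.Doe@example.com"},
    {"login": "old.contractor@example.com", "appUserName": "old.contractor@example.com"},
    {"login": "new.hire@example.com", "appUserName": "new.hire@example.com"},
]


def _key(username):
    # Salesforce usernames are case-insensitive; compare in a normalised form
    return username.strip().lower()


def reconcile(sf_users, okta_assignments):
    """Compare Salesforce users with Okta app assignments by username.
    Returns three sorted lists of usernames:
      import_candidates  - active Salesforce users with no Okta assignment
                           (what Import Now should offer you)
      stale_assignments  - Okta assignments whose Salesforce user is inactive
                           (an access-management gap: revoke them in Okta)
      no_salesforce_user - Okta assignments with no matching Salesforce Username
                           (SSO will fail for these until the app username is fixed)"""
    sf_by_key = {_key(u["Username"]): u for u in sf_users}
    okta_keys = {_key(a["appUserName"]) for a in okta_assignments}

    import_candidates = sorted(u["Username"] for k, u in sf_by_key.items()
                               if u["IsActive"] and k not in okta_keys)
    stale_assignments = sorted(sf_by_key[k]["Username"] for k in okta_keys
                               if k in sf_by_key and not sf_by_key[k]["IsActive"])
    no_salesforce_user = sorted(a["appUserName"] for a in okta_assignments
                                if _key(a["appUserName"]) not in sf_by_key)
    return {
        "import_candidates": import_candidates,
        "stale_assignments": stale_assignments,
        "no_salesforce_user": no_salesforce_user,
    }


if __name__ == "__main__":
    for category, names in reconcile(SALESFORCE_USERS, OKTA_ASSIGNMENTS).items():
        print(f"{category}: {names}")
```

In the sample, Jane is matched despite the capitalisation difference, Bob shows up as an import candidate because nothing in Okta carries his `.dev` username, the deactivated contractor is still assigned in Okta, and the new hire has an Okta assignment but no Salesforce user yet, so the Okta tile will not log them in.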
Demoing your Single Sign-On from Okta to Salesforce
If you set everything up right and linked your Okta user with your Salesforce user, you can click the “My Apps” button at the top of the screen and see your Salesforce.com app as a tile on your My Apps screen. Clicking that tile should automatically sign you in to Salesforce! Woot!!
How to set up Service Provider Initiated Authentication in Salesforce
This part is super easy as long as you followed along above and created a My Domain. We just need to do the following:
1) In Salesforce go to Setup -> My Domain
2) In the “Authentication Configuration” section of My Domain, click the Edit button
3) Check the box next to the “Authentication Service” that represents the SSO record you set up for Okta a little while ago. Leave “Login Form” checked as well until you have confirmed the Okta login works, so you can still get in with a Salesforce password if the SAML configuration is wrong.
4) Click the “Save” button
5) All done! You can test this out by logging out of Salesforce and using the new Okta button on your login page!