SalesLoft supports the use of single sign-on (also called SSO or SAML) identity providers. These are session and user authentication services, such as OneLogin, Okta or Active Directory, that permit a user to use one set of login credentials to access multiple applications.
In this article, we provide a walkthrough of how to set up several popular IDPs, including:
- Okta Instructions
- Salesforce IDP Instructions
- OneLogin Instructions
- Google SSO Through SAML
- Enabling and Disabling Single Sign-On
- What if my solution is not listed?
- SSO Troubleshooting
To set up single sign-on to your Okta server follow these steps:
1. Log into SalesLoft as you usually would and navigate to Single Sign-On in your Team Settings.
2. Now, we need some information from Okta, as you can see:
3. We need to configure the SalesLoft application there and find the RelayState. Open Okta in a new tab and navigate to Applications in the top menu.
4. Click the green Create New App button on the top left of the list.
5. Select SAML 2.0 and click Create.
6. You will be directed to the Create SAML Integration page. In the General Settings, enter the App name field SalesLoft and click Next.
7. Now, you will Configure the SAML Settings with the following information:
- Single sign-on URL: https://accounts.salesloft.com/auth/saml-callback
- Audience URI: SalesLoft
- Default RelayState: Use the RelayState listed at the top of the SalesLoft SSO Settings page, in red. Things to Note: this number is different for each team.Once completed, the page should look like the one below:
8. Click Next, and on the next screen, select "I'm an Okta customer adding an internal app." It is optional to complete the rest of this page, as it is information Okta collects to understand your app integration.
9. Click Finish. You will be redirected to the Sign On page for the SalesLoft app in Okta.
10. Click the Identity Provider metadata link to download the metadata file.
11. Now, we need to associate the SalesLoft app with your Okta profile. From Okta navigate to Directory and select People, and click on your user.
12. Click Assign Applications and click Assign next to the SalesLoft app.
13. Click Save and Go Back, and you should see Assigned next to the SalesLoft app listing:
14. Your user should now have the SalesLoft app assigned to them as well (like below):
15. Go back into the SalesLoft Single-Sign On Settings page, and follow the instructions to Enable Single-Sign On.
In order to setup your Salesforce IDP, we need to configure the SalesLoft application in Salesforce and find the RelayState. Follow the instructions listed below to configure your Salesforce IDP:
1. Open Salesforce in a new tab and enter the word domain in the Quick Find/Search bar on the left side.
2. Select My Domain from the list, and follow the on-screen instructions to set up your domain.
3. Now, use the Quick Find bar on the left of the page and enter Apps. Or you can navigate to the page by selecting Build, then click Create, and, finally, Apps.
4. From the Apps page, scroll to the very bottom section and find Connected Apps. Click the New button.
5. Now you will create a new app. Fill in the fields with the information below:
- Connected App Name: SalesLoft
- API Name: SalesLoft
- Contact Email: Use the email address which matches your admin login in SalesLoft
- Enable SAML: True (check checkbox)
- Entity Id: SalesLoft
- ACS URL: https://accounts.salesloft.com/auth/saml-callback
- Subject Type: Username
- Name ID Format: urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress
6. Once the fields are completed, click Save at the bottom of the page. Now, the SalesLoft app has been saved.
7. Go to the quick search bar. Enter the word Identity Provider. Select Identity Provider nested under Security Controls.
8. Click the Enable Identity Provider button.
9. In the Quick Find/Search bar on the left side, enter the word app. Select Connected Apps.
10. From the Connected Apps page, locate the SalesLoft app you've just created, and select it.
11. Scroll down to the SAML Login Information section and copy the IdP-Initiated Login URL.
12. Click the Edit Policies button at the top of the page. Paste the URL you just copied into the Start URL field, and then add the following Relay state information to the end of the URL: &RelayState=team-1000000000 (replace "team-1000000000" with the Relay State listed at the top of your SalesLoft SSO Settings page, in red)
13. Click Save.
14. Scroll to the bottom of the screen and find the Profiles. Click the Manage Profiles button.
15. Select profiles for any types of users in Salesforce who will need SSO access in SalesLoft. Click Save.
16. Copy the entire URL in the Start URL field (you may need to "edit policies" to get to a longer URL).
17. Go to the Apps page (Search for "Apps" in the quick find or return to Build>Create>Apps).
18. Under Connected Apps, click the SalesLoft app listed.
19. Confirm that the Start URL is present in the Web Apps section. If it is not, click the edit button and then paste in the URL you just copied.
20. Delete any text in the Issuer field.
21. From the Connected Apps section, select the SalesLoft app. Scroll to the SAML Login Information section and click the Download Metadata button.
22. Go back into the SalesLoft Single-Sign On Settings page, and follow the instructions to Enable Single-Sign On.
We need to configure the SalesLoft application from OneLogin and find the RelayState. Follow the instructions below to configure and find the RelayState:
1. Open OneLogin in a new tab.
2. Navigate to Apps and then Add Apps in the top menu:
3. Click the blue Add App button on the top right.
4. Search for Test connector and select SAML Test Connector (IdP).
5. Enter SalesLoft (IdP) as the display name and click Save.
7. Now select Configuration. Enter the following field information:
- Audience: SalesLoft
- Recipient: https://accounts.salesloft.com/auth/saml-callback
- ACS (Consumer) URL Validator: ^https:\/\/accounts\.salesloft\.com
- ACS (Consumer) URL: https://accounts.salesloft.com/auth/saml-callback
- RelayState: Use the RelayState listed at the top of the SalesLoft SSO Settings page, in red:
8. Click Save.
9. On the next screen, select More Actions. Click SAML Metadata to download the Metadata XML file. You will need this on the SalesLoft Single Sign-In configuration page.
10. Go back into the SalesLoft Single-Sign On Settings page, and follow the instructions to Enable Single-Sign On.
To set up SAML for Google SSO, follow these steps:
Things to Note: You must be a Google Admin in order to complete the setup.
1. Log into your Admin G-Suite Account.
2. Navigate to Apps.
3. Select SAML Apps.
4. Hit the Yellow Plus (+) in the bottom right corner to add a new SAML app.
5. Select Setup my own custom app.
6. Download the IDP metadata file, this is the file we need to upload to SalesLoft
7. Hit Next
8. Enter the Application Name: SalesLoft.
9. (Optional) Add SalesLoft logo
10. Hit Next.
11. Update the Service Provider Details with the following URL information.
- ACS URL: https://accounts.salesloft.com/auth/saml-callback?RelayState=RELAY_STATE_HERE
- Entity Id: SalesLoft
- Start URL: https://accounts.salesloft.com/auth/saml-callback?RelayState=RELAY_STATE_HERE
- Name ID: “Basic Information” “Primary Email”
- Name ID Format: “Email”
12. Replace RELAY_STATE_HERE in the URLs with the Relay State listed at the top of your SalesLoft SSO Settings page, in red.
13. Hit Next.
14. Hit Finish.
15. Select SAML Apps on the top Navigation bar.
16. Find your newly created SAML and select the three vertical dots to the right.
17. Select Turn on for everyone or for the specific group you need.
14. Go back into the SalesLoft Single-Sign On Settings page, and follow the instructions to Enable Single-Sign On.
Once everything is set up on the application end, you can enable single sign-on in your SalesLoft account. Follow the instructions below:
1. Go to the SalesLoft Single-Sign On Settings page.
2. Click the Choose File button to upload the metadata file from your provider.
3. Once the file has been uploaded, you can test that your configuration is correct by clicking the Test SSO Login button. If you have successfully configured your account, this will redirect your account to the new sign-in screen and log you into SalesLoft.
4. Click Enable SSO Login to apply it to your entire team. Things to Note: this will take effect immediately for all team members!
Once you've enabled SSO, you may disable it at any time from the same settings page.
If you are using an internal IDP solution or another IDP not listed here, these are the credentials typically used for setup (please contact support@SalesLoft.com if we do not list a credential you need):
- Audience/Audience URI: SalesLoft
- Recipient/ACS URL/Single sign-on URL: https://accounts.salesloft.com/auth/saml-callback
- ACS (Consumer) URL Validator: ^https:\/\/accounts\.salesloft\.com
- RelayState: Use the RelayState listed at the top of your SalesLoft SSO Settings page, in red:
- I get an error message that says, "Sorry, you can't access SalesLoft because you are not assigned this app in Okta," when I click "Test SSO Login." This means you have not assigned this application to your profile during setup in Okta. Go back to this step and assign the app, and then try again.
- I get an error message that says, "There was an error while trying to parse your metadata file. Please try again." Typically this happens when you uploaded the wrong file or file type, such as a CSV. Please check that you are uploading the metadata XML file you downloaded from Okta. This could also happen if your metadata file is corrupted; when this happens, you can usually re-download a fresh copy of the metadata file and try again.