Set up SAML single sign-on
On this page
StoreConnect supports standards-based single sign-on using SAML 2.0, compatible with any SAML-compliant identity provider (IdP) — such as Okta, OneLogin, PingFederate, or Salesforce acting as an IdP. Use this when your organization manages its own identity infrastructure.
You supply StoreConnect with a single value: your IdP’s SAML metadata URL. StoreConnect fetches and parses that metadata to obtain the IdP’s entity ID, sign-in URL, and signing certificate — so there is no certificate to copy by hand.
SAML is one of several login methods StoreConnect supports. For the other providers and shared login behavior, see Authentication providers and single sign-on (SSO).
Before you begin
- You need administrator access to your Salesforce org and to your identity provider.
- Have your IdP’s SAML metadata URL ready.
- Decide which store this login applies to — each SAML provider is configured against a specific store.
Step 1: Add the SAML option as an Authentication Provider
Authentication provider records do not include SAML as a provider option out of the box, so you need to add it before creating the record.
- Go to Setup > Object Manager > Authentication Provider > Fields & Relationships > Provider.
- Under Values, click New.
- Enter
saml(lowercase) as the value. The value must be exactlysamlin lowercase — this is the value StoreConnect matches on. - Select Save.
Step 2: Create the authentication provider record
- On the store record, go to the Authentication Providers related list, and select New.
-
Configure the record as follows.
StoreConnect Field Value Provider SAML Authorised Domains Your IdP’s host (only needed if the IdP posts its response from a different domain than the metadata URL) Client Id Client Secret Provider URL Your IdP’s SAML metadata URL Reset Password URL - Save the record and take note of the Salesforce record ID (the 15- or 18-character ID in the browser URL, referred to below as
PROVIDER_SFID). It forms part of every SAML URL for this provider.
Step 3: Configure your identity provider
This step completes entirely in your IdP’s admin console. First give it StoreConnect’s service provider (SP) URLs, then set how it sends the assertion.
Enter StoreConnect’s service provider URLs
Use your store domain and the Salesforce record ID you recorded above to form the IdP settings you need. StoreConnect exposes them at a ‘convenience endpoint’. Open this URL in a browser and it returns the values as JSON:
https://your-store-domain/logins/auth/saml/PROVIDER_SFID/config
| IdP setting | Value |
|---|---|
| Entity ID / Issuer | https://your-store-domain/logins/auth/saml/PROVIDER_SFID/metadata |
| Assertion Consumer Service (ACS) URL | https://your-store-domain/logins/auth/saml/PROVIDER_SFID/auth |
| Start URL | your store’s home page |
StoreConnect also publishes the SP metadata as XML at the Entity ID URL above, which many IdPs can import directly.
Configure the assertion
Configure your IdP to send the assertion as follows:
- NameID format: email address (
urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress) - SSO binding: HTTP-Redirect
- Attributes: release these attributes so StoreConnect can populate the Contact:
| SAML attribute | Used for |
|---|---|
email (falls back to NameID if omitted) |
Contact email and username |
username (or id) |
The stored SSO user identifier |
firstName |
Contact first name |
lastName |
Contact last name |
Step 4: Verify and add a login link
Confirm the configuration by opening the SP metadata URL in a browser:
https://your-store-domain/logins/auth/saml/PROVIDER_SFID/metadata
If the Provider URL is valid, StoreConnect returns SP metadata XML. If it is misconfigured, the page returns an error instead of XML — recheck the Provider URL on the authentication provider record. When a customer then attempts to sign in with a provider that is still not configured correctly, they see a message that SSO via SAML is not fully configured.
To start a login, the store’s SAML sign-in link submits to:
https://your-store-domain/logins/auth/saml/PROVIDER_SFID/sign_in
What happens on login
SAML supports new-account registration. When a customer signs in via SAML and no matching Contact exists, StoreConnect creates one using the attributes above.
For how StoreConnect matches returning customers to existing Contacts, the fields saved on a new Contact, and logout behavior, see the shared sections in Authentication providers and single sign-on (SSO).
Was this article helpful?
Thanks for your feedback! It helps us improve our docs.