Salesforce - SAML integration

This guide explains how to integrate Trustbuilder MFA Service with Salesforce SAML 2.0 authentication.

Prerequisites

To use SAML 2.0 easily with Salesforce, you need to have a domain configured on your Salesforce account. If you don't have one, log in to Salesforce, go to Setup > Company Settings > My Domain and configure your domain.

1. Configure SAML connector in Trustbuilder

Configure a SAML Trust Relationship between Salesforce (Service Provider) and Trustbuilder (Identity Provider). This is done by exchanging metadata between both parties:

  1. Log in to the Trustbuilder MFA administration console.

  2. Go to Secure sites tab.

  3. In the "connectors" section, click on Add a connector of type… and select SAML 2.0.

  4. Name your connector.

  5. Click on Add to create the connector.

  6. Click on Download IDP SAML 2.0 certificate.
    You will get a .crt file.

  7. Keep this window open.
    You will need to come back to copy the metadata URLs and to finalize the connector later.

2. Configure Salesforce SAML

  1. Log in to your Salesforce console.

  2. Click the cogwheel icon then Setup.

  3. Go to Identity > Single Sign-On Settings.

  4. Click on Edit.

  5. Enable SAML and click Save.

  6. Click on New.

  7. Fill in the form:

    • Name: enter a name (e.g. Trustbuilder MFA)

    • Issuer: paste the Issuer URL copied from SAML connector in Trustbuilder.

    • Request signature method: select RSA-SHA256.

    • Identity Provider Certificate: upload the IDP SAML 2.0 certificate (.crt) you downloaded previously.

    • Identity Provider Login URL: paste the Single Sign On URL copied from SAML connector in Trustbuilder.

    • Entity Id: Enter your Salesforce domain URL (e.g. https://thisismydomain-dev-ed.my.salesforce.com).

    • SAML Identity Type: choose how Salesforce identifies the user:

      • Option 1: if the identifier sent by TrustBuilder matches the Salesforce username, choose Assertion contains the User's Salesforce username.

      • Option 2: if you are using the Federation ID field in Salesforce to map users, choose Assertion contains the Federation ID from the User object. Later you will have to configure the Attribute Name to match the federationId in the Trustbuilder connector. See 3. Finalize TrustBuilder SAML connector.

    • SAML Identity location: choose depending on your configuration. If you choose Identity is in an Attribute element, provide:

      • the Attribute Name configured in Trustbuilder connector (ex: mail - more information),

      • the Name ID Format (it should be urn:oasis:names:tc:SAML:2.0:attrname-format:basic).

    • Entity Id: enter your Salesforce domain URL
      (example: https://thisismydomain-dev-ed.my.salesforce.com)

  8. Click Save.

  9. Click on Download Metadata to download Salesforce metadata.
    You will need it later in Trustbuilder.

  10. Go to Company settings > My Domain.

  11. In Authentication Configuration section, click on Edit.

  12. For Authentication Service, select the Trustbuilder MFA service that you have just created.
    This will show a “Connect with Trustbuilder MFA” button on the notification page.
    Leave standard Salesforce authentication enabled (Login Form).

  13. Click Save.

3. Finalize TrustBuilder SAML connector

  1. From the TrustBuilder admin console, open the previously created SAML 2.0 connector.

  2. Open the Salesforce metadata file with a text editor. Copy the entire content and paste the Salesforce metadata into the required field in Trustbuilder.

  3. Update the connector.

  4. Configure the Connector options:

    1. Set the NameID format to Email address.

    2. Set the NameID value to User email.

    3. Set other parameters according to your needs (more information).

  5. Configure SAML Attributes. It should match the configuration in Salesforce (see above).

  6. Click on Update to save the connector.

4. Create a secure site in Trustbuilder

In TrustBuilder MFA admin console:

  1. Go to the Secure Sites tab.

  2. Click on Add a secure site of type… and select the SAML connector name you previously configured.

  3. Set the Called URL to point to your Salesforce domain URL.

  4. Leave the default value in Authentication page.

  5. Click on Add to create the secure site.

5. Enforce Trustbuilder MFA authentication for users

At this stage, your Salesforce users can log in both:

You can enforce SSO login so that all users authenticate through TrustBuilder MFA. This prevents users from bypassing your SSO.

To enforce SSO login:

  1. Go to Company Settings > My Domain.

  2. In My Domain Settings section, click on Edit.

  3. Check the following box: Prevent login from https://login.salesforce.com and https://welcome.salesforce.com

  4. Click Save.

Test the configuration

To test the configuration:

  1. Go to https://www.myinwebo.com/ and click on the Salesforce SAML secure site.

  2. You will be redirected to https://thisismydomain-dev-ed.my.salesforce.com, which will redirect you to the TrustBuilder MFA SAML login page.

  3. Authenticate with Trustbuilder MFA.

  4. If authentication is successful, you will be directly connected to Salesforce.
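
If the test login is refused instead, the usual cause is a mismatch between the assertion and the values entered in section 2 (Issuer, Entity Id, SAML Identity location). The following added example, which is not TrustBuilder or Salesforce code, compares a decoded assertion with those settings; find_mismatches, the sample assertion and its issuer URL are constructed placeholders, and it assumes you have already captured and base64-decoded the assertion from a test login.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample assertion (signature omitted); the issuer is a placeholder.
SAMPLE_ASSERTION = """<saml:Assertion
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" Version="2.0">
  <saml:Issuer>https://idp.example/placeholder-issuer</saml:Issuer>
  <saml:Subject><saml:NameID>alice@example.com</saml:NameID></saml:Subject>
  <saml:Conditions><saml:AudienceRestriction>
    <saml:Audience>https://thisismydomain-dev-ed.my.salesforce.com</saml:Audience>
  </saml:AudienceRestriction></saml:Conditions>
  <saml:AttributeStatement><saml:Attribute Name="mail">
    <saml:AttributeValue>alice@example.com</saml:AttributeValue>
  </saml:Attribute></saml:AttributeStatement>
</saml:Assertion>"""


def find_mismatches(assertion_xml, issuer, entity_id, attribute_name=None):
    """Compare an assertion with the Salesforce SSO settings from section 2.

    Pass attribute_name when 'Identity is in an Attribute element' is selected.
    The signature is NOT checked; this only diagnoses configuration mismatches.
    """
    if "<!DOCTYPE" in assertion_xml or "<!ENTITY" in assertion_xml:
        return ["document contains a DTD; refusing to parse it"]
    root = ET.fromstring(assertion_xml)
    a = root if root.tag.endswith("}Assertion") else root.find(".//saml:Assertion", NS)
    if a is None:
        return ["no saml:Assertion element found"]
    found = []
    got = a.findtext("saml:Issuer", "", NS).strip()
    if got != issuer:
        found.append(f"Issuer is {got!r}, Salesforce expects {issuer!r}")
    audiences = [e.text.strip() for e in a.iterfind(".//saml:Audience", NS) if e.text]
    if entity_id not in audiences:
        found.append(f"Entity Id {entity_id!r} not in Audience {audiences}")
    if attribute_name is None:
        if not a.findtext("saml:Subject/saml:NameID", "", NS).strip():
            found.append("Subject has no NameID value")
    else:
        values = [v.text for at in a.iterfind(".//saml:Attribute", NS)
                  if at.get("Name") == attribute_name
                  for v in at.iterfind("saml:AttributeValue", NS) if v.text]
        if not values:
            found.append(f"attribute {attribute_name!r} is missing or empty")
    return found
```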
