Start tracking your progress
Trailhead Home
Trailhead Home

Use the Salesforce Mobile App with Single Sign-On

Learning Objectives

After completing this module, you’ll be able to:
  • Define single sign-on.
  • List some requirements for getting the Salesforce mobile app to work with single sign-on.
  • Outline the basic steps for implementing the Salesforce mobile app with single sign-on.

An Overview of Single Sign-On

When you want users to move seamlessly between Salesforce orgs and applications without having to repeatedly log in, set up something called single sign-on (SSO). Here are some advantages of SSO:

  • You spend less time managing passwords.
  • Users save time by not having to manually log in to Salesforce.
  • You can manage access to sensitive information from one place.
Diagram of single sign-on

SSO streamlines the process of logging in to enterprise resources, so your company might already use it to access Salesforce. And the Salesforce mobile app supports SSO, which means your mobile users can also enjoy speedy access to Salesforce.

However, if your company is using SSO, have the person who manages your SSO implementation review the information in this unit. Because some customers will have to make a few changes when they decide to roll out the Salesforce app.

What You Need to Know About SSO

If you’re not the person who set up SSO for your organization, there's a chance you’re unfamiliar with some of the fundamental SSO concepts and jargon. We briefly cover them here and explain how all this relates to your mobile rollout and SSO implementation.

If you’d like to know more about SSO, see the Identity Basics and User Authentication modules on Trailhead.

Authentication with SSO

As you can imagine, the essence of SSO is authentication. Whether Salesforce is your SSO solution or you use external SSO solution, here’s how it works:

  1. A user tries to access a service.
  2. The service provider sends out a request to the identity provider basically asking, “Hey, is it okay if this user accesses my service?”
  3. The identity provider makes sure that users are who they say they are by checking its database and then returning a response saying, “Yes, this user is authorized.”

Service Providers and Identity Providers

Wait a minute. What’s the difference between an identity provider and a service provider? Basically, the identity provider is the one authenticating the user. The service provider is asking if the user has rights to gain access to the service.

If you use an external SSO solution, then Salesforce is the service provider. This configuration is common because often your company is already using an identity provider. The identity provider can be one of several on the market, like Microsoft’s Active Directory Federation Services (ADFS), Ping Identity’s PingFederate, open-source Shibboleth, or ForgeRock’s OpenAM.

Login Initiation

We don’t go into too much detail about how authentication happens with SSO here. For our purposes, just know that the login process can be initiated by the service provider or by the identity provider. The full Salesforce site supports both methods. The Salesforce mobile app only supports service provider-initiated login.

Review Your SSO Configuration

If someone at your company already set up SSO, it's possible they configured identity provider-initiated login. Before rolling out the Salesforce mobile app, your SSO expert has to reconfigure your SSO implementation so it’s service provider-initiated.

Implement the Salesforce App with SSO

Every SSO implementation is different, and therefore we can’t provide explicit steps for setting up your SSO solution so it works with the Salesforce app. But we can offer some high-level guidance to point you in the right direction.

Here are the general steps for rolling out the Salesforce app with an existing SSO solution:

  1. Review this knowledge base article that outlines mobile SSO requirements and common issues.
  2. Set up a domain using My Domain. This is a prerequisite for service provider-initiated login.
  3. Work with your SSO vendor to make sure the necessary changes are made to your SSO configuration. Changes can include the switch from identity provider-initiated login to service provider-initiated login.
  4. Make any necessary changes to the single sign-on settings in Salesforce. For example, enter your new My Domain URL in the Entity ID field.

Now that you know how to enable SSO for your mobile users, it’s time to discuss the last component of mobile security: managing your users’ devices.

retargeting