Salesforce (SAML)
Last reviewed: 8 months ago
This guide covers how to configure Salesforce as a SAML application in Cloudflare Zero Trust.
- An identity provider configured in Cloudflare Zero Trust
- Admin access to a Salesforce account
- In Zero Trust, go to Access > Applications.
- Select SaaS.
- For Application, select Salesforce.
- For the authentication protocol, select SAML.
- Select Add application.
- Fill in the following fields:
  - Entity ID: https://<your-domain>.my.salesforce.com or https://<your-domain>.my.salesforce.com?so=<your-salesforce-org-id>, if your account was created before summer 2019 or does not have a My Domain subdomain.
  - Assertion Consumer Service URL: https://<your-domain>.my.salesforce.com or https://<your-domain>.my.salesforce.com?so=<your-salesforce-org-id>, if your account was created before summer 2019 or does not have a My Domain subdomain.
  - Name ID format: Email
- Copy the SSO endpoint, Public key, and Access Entity ID or Issuer.
- Configure Access policies for the application.
- Save the application.
- Paste the Public key in a text editor.
- Wrap the certificate in -----BEGIN CERTIFICATE----- and -----END CERTIFICATE-----.
- Set the file extension as .crt and save.
- In Salesforce, go to Setup.
- In the Quick Find box, enter single sign-on and select Single Sign-On Settings.
- In SAML Single Sign-On Settings, select New.
- Fill in the following fields:
  - Name: Name of the SSO provider (for example, Cloudflare Access). Users will select this name when signing in to Salesforce.
  - API name: (this will pre-populate)
  - Issuer: Paste the Access Entity ID or Issuer from application configuration in Cloudflare Zero Trust.
  - Identity Provider Certificate: Upload the .crt certificate file from 2. Create a certificate file.
  - Entity ID: https://<your-domain>.my.salesforce.com
  - SAML Identity type: If the user's Salesforce username is their email address, select Assertion contains the User's Salesforce username. Otherwise, select Assertion contains the Federation ID from the User object and make sure the user's Federation ID matches their email address.
    Configure Federation IDs
    - In the Quick Find box, enter users and select Users.
    - Select the user.
    - Verify that the user's Federation ID matches the email address used to authenticate to Cloudflare Access.
  - Identity Provider Login URL: SSO endpoint provided in Cloudflare Zero Trust for this application.
- Select Save.
- Configure Single Sign-On settings:
  - In the Quick Find box, enter single sign-on and select Single Sign-On Settings.
  - (Optional) To require users to log in with Cloudflare Access, turn on Disable login with Salesforce credentials.
  - Turn on SAML Enabled.
  - Turn on Make federation ID case-insensitive.
- Enable Cloudflare Access as an identity provider on your Salesforce domain:
  - In the Quick Find box, enter domain and select My Domain.
  - In Authentication Configuration, select Edit.
  - In Authentication Service, turn on the Cloudflare Access provider.
To test, open an incognito browser window and go to your Salesforce domain (https://<your-domain>.my.salesforce.com).
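The certificate file steps above (paste the Public key, wrap it in the BEGIN/END CERTIFICATE markers, save as .crt) can be scripted so that a truncated or mangled paste is caught before the file is uploaded to Salesforce. This is an added example, not Cloudflare's or Salesforce's code; the function names, the output filename and the sample bytes are assumptions, and the sample is a constructed placeholder rather than a real certificate.

```python
import base64
import binascii
import hashlib
import ssl

# Constructed placeholder bytes shaped like a DER SEQUENCE; NOT a real certificate.
SAMPLE_DER = b"\x30\x82\x01\x00" + bytes(range(256))
SAMPLE_PUBLIC_KEY = base64.b64encode(SAMPLE_DER).decode("ascii")


def check_der_envelope(der: bytes) -> None:
    """Reject data whose outer DER SEQUENCE length does not match its size."""
    if len(der) < 2 or der[0] != 0x30:
        raise ValueError("decoded data does not start with a DER SEQUENCE")
    if der[1] < 0x80:                      # short-form length
        header, length = 2, der[1]
    else:                                  # long-form length
        n = der[1] & 0x7F
        if not 1 <= n <= 4 or len(der) < 2 + n:
            raise ValueError("unsupported or truncated DER length field")
        header, length = 2 + n, int.from_bytes(der[2:2 + n], "big")
    if header + length != len(der):
        raise ValueError("DER length mismatch: value looks truncated or padded")


def build_crt(public_key: str) -> tuple[str, str]:
    """Return (PEM text, SHA-256 fingerprint) for the pasted Public key."""
    # Accept the value with or without BEGIN/END markers and stray whitespace.
    lines = (line.strip() for line in public_key.splitlines())
    body = "".join(l for l in lines if l and not l.startswith("-----"))
    try:
        der = base64.b64decode(body, validate=True)
    except binascii.Error as exc:
        raise ValueError(f"Public key is not valid base64: {exc}") from exc
    check_der_envelope(der)
    # The stdlib helper adds the markers and folds the body at 64 characters.
    return ssl.DER_cert_to_PEM_cert(der), hashlib.sha256(der).hexdigest()


if __name__ == "__main__":
    pem, fingerprint = build_crt(SAMPLE_PUBLIC_KEY)
    with open("cloudflare-access.crt", "w", encoding="ascii") as fh:  # hypothetical name
        fh.write(pem)
    print("SHA-256 fingerprint:", fingerprint)
```

The check is structural only: it confirms the value decodes and that its outer length field matches, which catches copy-paste truncation, but it does not validate the certificate's contents or signature.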