Configure Salesforce for UserLock Single Sign-On (SSO)

Enable Salesforce Single Sign-On (SSO) with UserLock to centralize authentication, enforce corporate access policies, and simplify user access to Salesforce.

Published September 26, 2025

Introduction

This guide explains how to integrate Salesforce with UserLock Single Sign-On (SSO) using the SAML 2.0 protocol.

Once configured, Salesforce logins are authenticated by UserLock against Active Directory, enabling administrators to enforce UserLock access policies (MFA, time, machine, or location restrictions) on Salesforce sessions.

🚩️ Before starting:

Step 1. Configure Salesforce for Single Sign-On

Choose one of the two methods below:

  • Using the UserLock SSO metadata file (recommended)

  • Manual method

Method A — Using the UserLock SSO metadata file (recommended)

  1. In the UserLock console, go to ⚙️ Server settings ▸ Single Sign-On.

  2. Click Download ▸ SAML certificate and save the file.

  3. In Salesforce, go to Setup ▸ Identity ▸ Single Sign-On Settings.

  4. Click Edit on Federated Single Sign-On Using SAML, check SAML Enabled, and Save.

  5. Next to SAML Single Sign-On Settings, click New from Metadata File.

  6. Select and upload the metadata file you downloaded from UserLock, then click Create.

  7. Salesforce will pre-fill the SSO form. Review and modify the following fields as needed:

    • SAML Identity Type: set to Assertion contains the Federation ID from the User object.

    • Service Provider Initiated Request Binding: HTTP POST.

    • Single Logout Enabled: unchecked.

    • Name: optional display name.

  8. Click Save.

Method B — Manual method

  1. In Salesforce, go to Setup ▸ Identity ▸ Single Sign-On Settings.

  2. Click Edit on Federated Single Sign-On Using SAML, check SAML Enabled, and Save.

  3. Next to SAML Single Sign-On Settings, click New.

  4. Enter the values below:

    • Name: Preferred display name (e.g., UserLock SSO)

    • Issuer: UserLock SSO address (visible in UserLock console ▸ ⚙️ Server settings ▸ Single Sign-On)

    • Identity Provider Certificate:

      1. Go to UserLock console ▸ ⚙️ Server settings ▸ Single Sign-On.

      2. Click Download ▸ SAML certificate.

      3. Upload the downloaded file.

    • Request Signing Certificate: Leave default (if not using signed authn requests)

    • Request Signature Method: RSA-SHA256

    • Assertion Decryption Certificate: Leave default

    • SAML Identity Type: "Assertion contains the Federation ID from the User object"

    • SAML Identity Location: "Identity is in the Name Identifier element of the Subject statement"

    • Service Provider Initiated Request Binding: HTTP POST

    • Identity Provider Login URL: https://<SSO address>/saml/sso

    • Custom Logout URL: https://<SSO address>/connect/endsession

    • Custom Error URL: Leave empty

    • Single Logout Enabled: unchecked

    • API Name: Accept default

    • Entity ID: https://saml.salesforce.com

    • User Provisioning Enabled: unchecked

  5. Click Save.

Step 2. Configure Salesforce users

For each user that will use SSO, set their Salesforce user Federation ID to match the corresponding Active Directory ImmutableID (or the attribute you use to map accounts):

  1. In Salesforce, go to Administration ▸ Users ▸ Users.

  2. Click Edit on the user record.

  3. In the Single Sign-On Information section, set Federation ID to the AD user’s ImmutableID (or the chosen mapping attribute).

  4. Click Save.
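
The Federation ID mapping above decides which Salesforce account an authenticated AD user lands in, so it is worth reconciling before SSO is enabled for the domain. The following Python check is an added example, not part of the UserLock or Salesforce documentation: the CSV layouts, the `sAMAccountName` and `ImmutableID` column names, and all sample rows are constructed assumptions, while `FederationIdentifier` is the Salesforce User field that holds the Federation ID.

```python
import csv
import io
from collections import defaultdict

# Constructed sample exports (assumed layouts, placeholder IDs, not real data).
AD_EXPORT = """sAMAccountName,ImmutableID
alice,IMM-0001
bob,IMM-0002
carol,IMM-0003
"""

SF_EXPORT = """Username,FederationIdentifier
alice@example.com,IMM-0001
bob@example.com,
carol@example.com,IMM-0003
carol.admin@example.com,IMM-0003
dave@example.com,IMM-9999
"""


def audit_federation_ids(ad_csv, sf_csv):
    """Compare Salesforce Federation IDs with AD ImmutableIDs (exact match)."""
    ad_ids = {row["ImmutableID"].strip()
              for row in csv.DictReader(io.StringIO(ad_csv))}
    by_id = defaultdict(list)
    report = {"missing": [], "unknown": []}
    for row in csv.DictReader(io.StringIO(sf_csv)):
        fed_id = (row["FederationIdentifier"] or "").strip()
        if not fed_id:
            # No Federation ID: this user cannot be matched by the assertion.
            report["missing"].append(row["Username"])
            continue
        if fed_id not in ad_ids:
            # Federation ID that corresponds to no AD account in the export.
            report["unknown"].append(row["Username"])
        by_id[fed_id].append(row["Username"])
    # The same Federation ID on several Salesforce users is a mapping error.
    report["duplicate"] = {i: u for i, u in by_id.items() if len(u) > 1}
    # AD accounts with no Salesforce user carrying their ImmutableID.
    report["unmapped_ad"] = sorted(ad_ids - set(by_id))
    return report


if __name__ == "__main__":
    for finding, value in audit_federation_ids(AD_EXPORT, SF_EXPORT).items():
        print(f"{finding}: {value}")
```

Any entry under `unknown` or `duplicate` should be resolved before Step 3, since those are the rows where an assertion could fail to match or match the wrong record.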

Step 3. Enable SSO for the domain

Activate SSO for your Salesforce domain:

  1. In Salesforce Setup, go to Company Settings ▸ My Domain.

  2. Next to Authentication Configuration, click Edit.

  3. Check the box corresponding to UserLock SSO.

  4. Click Save.

Step 4. Enable Salesforce in UserLock SSO

Configure the Salesforce profile in UserLock:

  1. In Salesforce, go to Setup ▸ Security ▸ Certificate and Key Management.

  2. Under Certificates, click on the last certificate in the list (SelfSignedCert_... .crt), then download it.

  3. In the UserLock console, go to ⚙️ Server settings ▸ Single Sign-On.

  4. Click the Salesforce row.

  5. Fill in the fields with values from your Salesforce configuration:

    • Application domain: https://<yourInstance>.my.salesforce.com (your Salesforce instance domain)

    • Issuer: ClientId / Entity ID of the Salesforce service provider (as configured in Salesforce)

    • Certificate: Open the downloaded certificate with a text editor and copy the content (including -----BEGIN CERTIFICATE----- / -----END CERTIFICATE-----)

Troubleshooting

For common issues, see Troubleshooting SSO.
If the problem persists, please contact IS Decisions Support.

Handling SSO unavailability

If SSO is temporarily unavailable and admins need to sign in using standard credentials:

  1. Go to https://MyDomain.my.salesforce.com?login

  2. Sign in with an administrator account

  3. Revert to standard login sessions while SSO is unavailable.