Cezanne HROther ArticlesSingle Sign-OnSAML 2.0 SetupImplement Salesforce Single Sign-On

Implement Salesforce Single Sign-On

This article explains how to implement Single Sign-On (SSO) from Salesforce into Cezanne HR using SAML 2.0.

Salesforce Configuration

This section of the article assumes you are logged into Salesforce as an administrator; and that you are familiar with Salesforce.


  • You must register a Salesforce domain (see here). Note that this process may take up to 24 hours to complete. You do not need to register a new Salesforce domain if one has already been registered.

Enable Salesforce as a SAML Identity Provider

1. Log in to Salesforce with your Administrator account.

2. Click the Setup button in the top right of the screen.

3. From Setup, click Security Controls >> Identity Provider, and then click Enable Identity Provider.

  • If there are no existing self-signed certificates, Salesforce will create one and use it to sign SAML messages.
  • If there are existing self-signed certificates, Salesforce will present the following screen. Select the certificate you wish to use or “Create new certificate…” to create a new one. Click Save.

4. Click Download Certificate and save the certificate (a .crt file) to a safe place. You will need it later.

Enable Salesforce as a SAML Identity Provider

Create the 'Cezanne' Service Provider

1. From Setup, click Create >> Apps.

2. Scroll down to the Connected Apps section and click New.

Create the 'Cezanne' Service Provider

3. Enter ‘Cezanne’ into the Connected App Name field. This is the display name used in Salesforce to identify the application. Press the Tab key.

  • The API Name will autocomplete. Make sure it says ‘Cezanne’ too.

4. Enter [email protected] into the Contact Email field.

5. Scroll down to the Web App Settings section and check the Enable SAML check box in the Web App Settings section and then set the following values (where {company-identifier} should be replaced to match your company's Primary URL):

  • Set Entity Id to ‘https://w3.cezanneondemand.com/CezanneOnDemand/’.
  • Set ACS URL to ‘https://w3.cezanneondemand.com/CezanneOnDemand/-/{company-identifier}/Saml/samlp’.
  • Set Subject Type to Username.
  • Set Name ID Format to ‘urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified’.
  • The Issuer field should be automatically completed. Check that it is set to your Salesforce domain.

6. Scroll to the bottom of the page and click Save.

Add Profiles to the 'Cezanne' Application

You need to add at least one Salesforce profile to the new 'Cezanne' application before any users will have access to it.

You can learn more about Salesforce profiles here. Only users in the selected profiles will be able to use Salesforce to authenticate with Cezanne.

1. Select the Manage Apps >> Connected Apps Salesforce menu.

2. Click on Cezanne in the Master Label column of the table.

Add Profiles to the 'Cezanne' Application

3. Scroll down the Profiles section.

4. Click the Manage Profiles button.

5. Check one or more profiles and click Save.

Cezanne Configuration

1. Log in to Cezanne as an HR Professional user.

2. Navigate to: System Setup >> Security Settings >> Single Sign-On Configuration.

3. Check the SAML 2.0 check box.

4. Click Save.

5. Click Advanced Configuration.

2. Cezanne Configuration

6. Click Add New.

7. In the Display Name box, enter a display name for the identity provider. This name is used to identify the provider within the application and does not have to match the entity ID, machine name or any other technical identifier.

8. In the Entity Identifier box, enter https://salesforcedomain.my.salesforce.com (where salesforcedomain.my.salesforce.com should be replaced with the fully qualified name of your Salesforce service).

9. In the SAML Binding list, select the POST.

10. In the Security Token Service End Point box, enter https://salesforcedomain.my.salesforce.com/idp/endpoint/HttpPost (again, salesforcedomain.my.salesforce.com should be replaced with the fully qualified name of your Salesforce service).

11. Leave the User ID Attribute Name box empty. This tells Cezanne to read the user ID from the NameID element of the Subject of the assertion.

12. Use the Public Key Certificate upload button to import the Salesforce certificate that you downloaded earlier from Salesforce. Cezanne will check that all assertions are signed with this certificate.

13. Click Save and Close.

Associating Salesforce Users with Cezanne Users

There are two ways to associate your users' Salesforce identities with their Cezanne user accounts. You can use the User Settings screen to associate individual users or the SAML 2.0 Users Data Import to associate users in bulk.

Using the User Settings Screen

1. Navigate to: System Setup >> Manage Users >> User Settings.

2. Search for the user you wish to update.

3. Select the Single Sign-On tab.

4. In the SAML 2.0 Identifiers section, click Add New.

5. In the Identity Provider column select Salesforce and in the User Identifier column enter the user's Salesforce username.

6. Click Save.

Associating Salesforce Users with Cezanne Users

Using the SAML 2.0 Users Data Import

1. Navigate to: System Setup >> Data Management >> Import Data.

2. Select SAML 2.0 Users on the Settings tab.

3. Follow the on-screen instructions. For information about data imports, please refer to the Data Importing Knowledge Base article.