Salesforce SSO
Enable Single Sign-On for Salesforce CRM and Experience Cloud using Clavex as the IdP. Salesforce supports both SAML 2.0 (classic) and OIDC (Connected Apps). This guide covers both approaches — use SAML for standard Salesforce SSO and OIDC for connected apps or API access.
Option A — SAML 2.0 SSO (Recommended for Salesforce Orgs)
Step A1 — Clavex IdP Parameters
| Parameter | Value |
|---|---|
| Entity ID (Issuer) | https://id.acme.eu/acme/saml |
| SSO URL | https://id.acme.eu/acme/saml/sso |
| SLO URL | https://id.acme.eu/acme/saml/slo |
| Certificate | Download from /acme/saml/idp/metadata |
Step A2 — Configure SAML SSO in Salesforce
- Setup → Identity → Single Sign-On Settings
- Click New (SAML 2.0)
- Fill in:

| Field | Value |
|---|---|
| Name | Clavex |
| API name | clavex |
| Issuer | https://id.acme.eu/acme/saml |
| Identity provider's certificate | Upload Clavex signing cert (PEM) |
| Request signing certificate | Leave default or upload SP cert |
| Identity provider login URL | https://id.acme.eu/acme/saml/sso |
| SAML Identity type | Assertion contains User's Salesforce username |
| SAML Identity location | Identity is in the NameIdentifier element |
| Service provider initiated request binding | HTTP Redirect |

- Save and note the Salesforce Login URL and Audience displayed on the detail page
Step A3 — Register Salesforce SP in Clavex
```bash
# Entity ID and ACS URL are shown on the Salesforce SSO settings detail page.
# Typical values for a production org. ADMIN_TOKEN must be exported in the shell;
# the Authorization header is double-quoted so the shell expands it (single quotes
# would send the literal text "$ADMIN_TOKEN").
$ curl -X POST https://id.acme.eu/api/v1/organizations/acme/saml/sp \
  -H "Authorization: Bearer $ADMIN_TOKEN" \
  -H 'Content-Type: application/json' \
  -d '{
    "entity_id": "https://saml.salesforce.com",
    "acs_url": "https://acme.my.salesforce.com?so=00D000000000001",
    "name_id_format": "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified",
    "sign_assertions": true
  }'
```
Find your ACS URL: In Salesforce Setup → Single Sign-On Settings → click your SSO config →
the Salesforce Login URL field is the ACS URL. It looks like
https://acme.my.salesforce.com?so=00D…
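Once the SP is registered, the fastest way to find out why a login fails is to run a captured SAML Response through the same checks Salesforce applies before it looks the user up: Issuer, Audience, ACS URL (Destination and Recipient), NameID format and value, and the validity window. The script below is an added example, not part of the Clavex or Salesforce documentation; it reads the expected values from the tables above and ships with a constructed, unsigned sample Response. Signature verification is left out on purpose, and encrypted assertions are reported rather than decrypted.

```python
import re
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Expected values, taken from the IdP parameters and the SP registration in this guide.
EXPECTED = {
    "issuer": "https://id.acme.eu/acme/saml",
    "audience": "https://saml.salesforce.com",
    "acs_url": "https://acme.my.salesforce.com?so=00D000000000001",
    "name_id_format": "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified",
}

# Salesforce usernames are email-shaped and compared exactly (no trimming, no case folding).
USERNAME_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")

# Constructed sample: a minimal, unsigned SAML Response carrying the fields the checks read.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    Destination="https://acme.my.salesforce.com?so=00D000000000001">
  <saml:Issuer>https://id.acme.eu/acme/saml</saml:Issuer>
  <saml:Assertion>
    <saml:Issuer>https://id.acme.eu/acme/saml</saml:Issuer>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">jane.doe@acme.example</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData Recipient="https://acme.my.salesforce.com?so=00D000000000001" NotOnOrAfter="2099-01-01T00:00:00Z"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions NotBefore="2000-01-01T00:00:00Z" NotOnOrAfter="2099-01-01T00:00:00Z">
      <saml:AudienceRestriction><saml:Audience>https://saml.salesforce.com</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""


def _ts(value):
    """Parse a SAML UTC timestamp such as 2099-01-01T00:00:00Z into an aware datetime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def check_response(xml_text, expected=EXPECTED, now=None):
    """Return a list of findings for a SAML Response; an empty list means every check passed."""
    now = now or datetime.now(timezone.utc)
    findings = []
    root = ET.fromstring(xml_text)
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return ["no saml:Assertion found (encrypted assertions are not handled by this check)"]

    issuer = assertion.findtext("saml:Issuer", default="", namespaces=NS)
    if issuer.strip() != expected["issuer"]:
        findings.append(f"Issuer {issuer!r} does not match the Issuer configured in Salesforce")

    audience = assertion.findtext("saml:Conditions/saml:AudienceRestriction/saml:Audience", default="", namespaces=NS)
    if audience.strip() != expected["audience"]:
        findings.append(f"Audience {audience!r} is not {expected['audience']}")

    # Response Destination and bearer Recipient must both equal the ACS URL (Salesforce Login URL, org id included).
    confirmation = assertion.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    targets = {"Destination": root.get("Destination", "")}
    if confirmation is not None:
        targets["Recipient"] = confirmation.get("Recipient", "")
    for label, value in targets.items():
        if value != expected["acs_url"]:
            findings.append(f"{label} {value!r} is not the ACS URL {expected['acs_url']}")

    # NameID: the format Salesforce was registered with, and a value that is exactly a username.
    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    if name_id is None:
        findings.append("NameID missing; Salesforce is configured to read the identity from the NameIdentifier element")
    else:
        if name_id.get("Format") != expected["name_id_format"]:
            findings.append(f"NameID Format {name_id.get('Format')!r} differs from the SP registration")
        raw = name_id.text or ""
        if raw != raw.strip():
            findings.append("NameID has surrounding whitespace; Salesforce compares the username exactly")
        if not USERNAME_RE.match(raw.strip()):
            findings.append(f"NameID {raw.strip()!r} is not email-shaped, so it cannot equal a Salesforce username")

    # Validity window: an expired or not-yet-valid assertion is rejected before the username is even looked at.
    conditions = assertion.find("saml:Conditions", NS)
    if conditions is not None:
        if "NotBefore" in conditions.attrib and now < _ts(conditions.get("NotBefore")):
            findings.append("Conditions NotBefore is in the future (check clock skew between Clavex and Salesforce)")
        if "NotOnOrAfter" in conditions.attrib and now >= _ts(conditions.get("NotOnOrAfter")):
            findings.append("Conditions NotOnOrAfter is in the past; the assertion has expired")
    if confirmation is not None and "NotOnOrAfter" in confirmation.attrib and now >= _ts(confirmation.get("NotOnOrAfter")):
        findings.append("SubjectConfirmationData NotOnOrAfter is in the past")
    return findings


if __name__ == "__main__":
    for line in check_response(SAMPLE_RESPONSE) or ["all checks passed"]:
        print(line)
```

To use it on a real login, capture the base64 SAMLResponse from the browser's POST to the Salesforce Login URL, decode it, and pass the XML to `check_response`; the findings map directly onto the "We can't log you in" and certificate rows of the troubleshooting table.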
Option B — OIDC Connected App
Step B1 — Register OIDC Client in Clavex
```bash
# Register Salesforce as an OIDC client. ADMIN_TOKEN must be exported in the shell;
# the Authorization header is double-quoted so the shell expands it.
# The redirect URI is the Auth. Provider callback for the URL suffix chosen in Step B2.
$ curl -X POST https://id.acme.eu/api/v1/organizations/acme/clients \
  -H "Authorization: Bearer $ADMIN_TOKEN" \
  -H 'Content-Type: application/json' \
  -d '{
    "client_id": "salesforce",
    "client_name": "Salesforce",
    "grant_types": ["authorization_code"],
    "redirect_uris": ["https://acme.my.salesforce.com/services/authcallback/clavex"],
    "scopes": ["openid", "profile", "email"],
    "token_endpoint_auth_method": "client_secret_post"
  }'
```
Step B2 — Create Auth Provider in Salesforce
- Setup → Auth. Providers → New → type OpenID Connect
- Fill in:

| Field | Value |
|---|---|
| Name | Clavex |
| URL suffix | clavex |
| Consumer key | salesforce |
| Consumer secret | cs_xxxxxxxxxxxxxxxx |
| Authorize endpoint URL | https://id.acme.eu/acme/authorize |
| Token endpoint URL | https://id.acme.eu/acme/token |
| User info endpoint URL | https://id.acme.eu/acme/userinfo |
| Default scopes | openid profile email |
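The two registrations above must agree field for field, and the `invalid_client_credentials` row of the troubleshooting table is what a mismatch looks like from the Salesforce side. The script below is an added example, not Clavex or Salesforce code: it holds both registrations as dictionaries (the My Domain value is an assumption taken from the redirect URI in Step B1, and the consumer secret is not compared because it cannot be read back) and reports every disagreement, including the callback URL that Salesforce derives from My Domain and the URL suffix.

```python
from urllib.parse import urlsplit

# Clavex client registration from Step B1 (copied from the JSON body above).
CLAVEX_CLIENT = {
    "client_id": "salesforce",
    "grant_types": ["authorization_code"],
    "redirect_uris": ["https://acme.my.salesforce.com/services/authcallback/clavex"],
    "scopes": ["openid", "profile", "email"],
    "token_endpoint_auth_method": "client_secret_post",
}

# Salesforce Auth. Provider fields from Step B2. my_domain is an assumption derived
# from the redirect URI above; the consumer secret is never read back, so it is not compared.
SALESFORCE_PROVIDER = {
    "my_domain": "https://acme.my.salesforce.com",
    "url_suffix": "clavex",
    "consumer_key": "salesforce",
    "authorize_endpoint": "https://id.acme.eu/acme/authorize",
    "token_endpoint": "https://id.acme.eu/acme/token",
    "userinfo_endpoint": "https://id.acme.eu/acme/userinfo",
    "default_scopes": "openid profile email",
}


def expected_callback(provider):
    """Callback URL Salesforce uses for an Auth. Provider: My Domain + /services/authcallback/ + URL suffix."""
    return f"{provider['my_domain'].rstrip('/')}/services/authcallback/{provider['url_suffix']}"


def check_registration(client, provider):
    """Return findings where the Salesforce Auth. Provider and the Clavex client disagree."""
    findings = []
    if provider["consumer_key"] != client["client_id"]:
        findings.append(f"Consumer key {provider['consumer_key']!r} != client_id {client['client_id']!r}")

    # redirect_uri is matched as an exact string; a changed URL suffix or My Domain breaks it silently.
    callback = expected_callback(provider)
    if callback not in client["redirect_uris"]:
        findings.append(f"callback {callback} is not in registered redirect_uris {client['redirect_uris']}")

    if "authorization_code" not in client["grant_types"]:
        findings.append("client does not allow the authorization_code grant the Auth. Provider uses")
    if client["token_endpoint_auth_method"] != "client_secret_post":
        findings.append(f"token_endpoint_auth_method is {client['token_endpoint_auth_method']!r}; "
                        "Step B1 registers client_secret_post for Salesforce")

    requested = provider["default_scopes"].split()
    if "openid" not in requested:
        findings.append("Default scopes lack 'openid', so no ID token is issued")
    unregistered = [s for s in requested if s not in client["scopes"]]
    if unregistered:
        findings.append(f"Default scopes {unregistered} are not granted to the client")

    # All three endpoints must be https and live on the same Clavex host.
    parts = [urlsplit(provider[k]) for k in ("authorize_endpoint", "token_endpoint", "userinfo_endpoint")]
    if {p.scheme for p in parts} != {"https"}:
        findings.append("every endpoint URL must use https")
    if len({p.netloc for p in parts}) != 1:
        findings.append("endpoint URLs point at different hosts; check for a typo")
    return findings


if __name__ == "__main__":
    for line in check_registration(CLAVEX_CLIENT, SALESFORCE_PROVIDER) or ["registrations agree"]:
        print(line)
```

If every check passes and Salesforce still reports `invalid_client_credentials`, the only field left uncompared is the consumer secret, which is where to look next.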
Troubleshooting
| Symptom | Cause | Fix |
|---|---|---|
| We can't log you in because of an issue with single sign-on | NameID value doesn't match Salesforce username | Ensure the SAML NameID value is the exact Salesforce username (email format) |
| Certificate error | Expired or wrong certificate uploaded to Salesforce | Re-download from /acme/saml/idp/metadata and re-upload |
| OIDC: invalid_client_credentials | Wrong consumer key/secret | Verify Auth Provider settings match Clavex client registration |