Single Sign-on with Salesforce via SAML 2.0

Hi, Questetra users! I’m HATANAKA, Questetra CTO.

In this post, I will describe Single Sign-on with Salesforce.

Questetra BPM Suite is capable of configuring Single Sign-on using SAML 2.0.

M310: Enable Login Function using External Authentication service (SAML)

Salesforce can act as either an ID Provider or a Service Provider for SAML; in this post, we will use Salesforce as an ID Provider. Note that Salesforce has more than one edition, and only some editions can act as an ID Provider.

Salesforce Doc.: Identity Providers and Service Providers

1. [Salesforce] Set up “My Domain”

I will start with the configuration on the Salesforce side. Currently, Salesforce provides two types of user interface:

  • Lightning Experience
  • Salesforce Classic

In this post, I will follow “Lightning Experience”.

To use Salesforce as a SAML ID Provider, you must access Salesforce under your own unique domain. I guess that this is probably because it issues the certificates used for SAML with that unique domain. The domain is set at:

“Setup” in the pull-down of the gear icon
> “Company settings” under “Settings” in the left menu
> “My Domain”

Since you cannot change the domain name later, please set it carefully. Also, even after you set up a domain, you cannot use it until it is approved by Salesforce. They say that approval takes up to 3 days. Please wait patiently.

2. [Salesforce] Enabling the ID Provider / Adding a Connected App

I will continue with the setup on the Salesforce side. Once the domain setting is completed, you will be able to configure the ID Provider.

“Setup” in the pull-down of the gear icon
> “Identity” under “Settings” in the left menu
> “Identity Provider”

There, click “Enable Identity Provider” and create a self-signed certificate as well.

Then, register Questetra BPM Suite in Salesforce. Before that, confirm the values required for registration in Questetra BPM Suite. In Questetra BPM Suite, go to

“System Settings”
> “SSO (SAML)” in the left menu

There, check “Enable Single Sign-On”. You don’t need to save at this point, since you are only confirming the values.

The values to be confirmed are the following two.

  • Entity ID
  • ACS URL

Write down these two values and go back to Salesforce. Register Questetra BPM Suite as a “Connected App”.

“Setup” in the pull-down of the gear icon
> “Apps” under “PLATFORM TOOLS” in the left menu
> “App Manager”

The screen has two buttons for creating different types of app; click the “New Connected App” button.

Enter the following values, then click “Save”.

Basic Information

  • Connected App Name
    • Any value may be used. e.g. “Questetra BPM Suite”.
  • API Name
    • Any value may be used. e.g. “qbpms”.
  • Contact Email
    • Enter an email address of the person in charge of Questetra BPM Suite.
  • Leave other items blank.

Web App Settings

  • Check “Enable SAML”
  • Entity Id
    • Paste “Entity ID” of Questetra’s “SP Information”
  • ACS URL
    • Paste “ACS URL” of Questetra’s “SP Information”
  • You do not have to change other items; leave them as the defaults.

3. [Salesforce] Assignment of Users to Connected App

In Salesforce, you need to set which users can use the connected app. Only those users will be able to log in to Questetra BPM Suite with single sign-on. First, create a permission set and assign users to it. Then, assign the permission set to the connected app. The relationship is as follows.

Connected App ←→ Permission Set ←→ Users

To create a Permission Set, go to

“Setup” in the pull-down of the gear icon
> “Users” under “ADMINISTRATION” in the left menu
> “Permission Sets”

On the screen, there is a “New” button, which is a little hard to find. Click it to create a Permission Set.

  • Label
    • Any value may be used. e.g. “Questetra Permission Set”
  • API Name
    • Any value may be used. e.g. “qbpms_grant”
  • Select the type of users who will use this permission set
    • Leave “User License” as “None”.

Next, assign users to the permission set. On the page you are taken to after saving the permission set, click “Manage assignments”.

A list of users is displayed at the end of “Manage assignments”, so select the necessary users and click “Add assignments”.

Lastly, assign the Permission Set to the Connected App.

“Setup” in the pull-down of the gear icon
> “Apps” under “PLATFORM TOOLS” in the left menu
> “App Manager”

In the application list, click “Manage” for the target App. Although it is difficult to find, “Manage” is in the pull-down menu at the far right. On the Connected App details page, click “Manage Permission Set” (at the bottom).

There, select the Permission Set created earlier, then “Save”.


4. [Questetra BPM Suite] Configuration of ID Provider

Finally, set up in Questetra BPM Suite.

Go back to “Settings” > “SSO (SAML)”, and enable Single Sign-on. This time, configure the Salesforce information, then click “Save”.

“Entity ID”, “Sign-in page URL”, and “Verification certificate” are mandatory items. Enter each of them as follows, referring to the Identity Provider page of Salesforce. You can view the Identity Provider page through

“Setup” in the pull-down of the gear icon
> “Identity” under “Settings” in the left menu
> “Identity Provider”

It is the same page where you enabled Identity Provider in Salesforce earlier.

  • Entity ID
    • Paste the value of “Issuer”.
  • Verification certificate
    • Click “Download Certificate”, then open the downloaded certificate with your text editor, copy its content and paste it.
  • Sign-in page URL
    • Click “Download Metadata”, then open the file with your text editor, copy the URL in the Location attribute of the element shown below, and paste it.
      <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://***"/>
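
The three values from this step can also be read from the downloaded metadata file and checked against the downloaded certificate before pasting. The following is an added example, not Questetra's or Salesforce's code; the domain, endpoint paths and certificate bytes in the sample are constructed.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"

# Constructed sample: hypothetical domain and paths; the certificate is dummy bytes.
DUMMY_B64 = base64.b64encode(b"constructed dummy certificate bytes").decode()
BASE = "https://example-domain.my.salesforce.com"
SAMPLE_METADATA = f"""<md:EntityDescriptor xmlns:md="{NS['md']}"
    xmlns:ds="{NS['ds']}" entityID="{BASE}">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>{DUMMY_B64}</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:SingleSignOnService Binding="{REDIRECT}" Location="{BASE}/sso/redirect"/>
    <md:SingleSignOnService Binding="{POST}" Location="{BASE}/sso/post"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""
SAMPLE_PEM = f"-----BEGIN CERTIFICATE-----\n{DUMMY_B64}\n-----END CERTIFICATE-----\n"

def parse_idp_metadata(xml_text):
    """Return the three values the SSO (SAML) settings page asks for."""
    root = ET.fromstring(xml_text)
    urls = [e.get("Location")
            for e in root.findall("md:IDPSSODescriptor/md:SingleSignOnService", NS)
            if e.get("Binding") == POST]
    if len(urls) != 1 or not urls[0].startswith("https://"):
        raise ValueError("expected exactly one https HTTP-POST SingleSignOnService")
    cert = root.find(".//ds:X509Certificate", NS)
    if cert is None or not (cert.text or "").strip():
        raise ValueError("metadata carries no X509Certificate")
    der = base64.b64decode("".join(cert.text.split()))
    return {"entity_id": root.get("entityID"), "sign_in_url": urls[0],
            "cert_sha256": hashlib.sha256(der).hexdigest()}

def pem_sha256(pem_text):
    """SHA-256 of the DER bytes inside a PEM file such as the downloaded certificate."""
    body = "".join(line.strip() for line in pem_text.splitlines()
                   if line.strip() and not line.startswith("-----"))
    return hashlib.sha256(base64.b64decode(body)).hexdigest()

def certificate_matches(xml_text, pem_text):
    """True when the certificate to paste is the one the metadata advertises."""
    return parse_idp_metadata(xml_text)["cert_sha256"] == pem_sha256(pem_text)
```

Comparing the two fingerprints before saving catches a certificate pasted from a different org or one that has since been replaced on the Identity Provider page.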

This completes the setup for single sign-on. You can now log in with single sign-on from the login page of Questetra BPM Suite. If you have already logged in to Salesforce, you are taken directly to the page within Questetra BPM Suite. If you haven’t, you are taken there after logging in to Salesforce.

If it does not work, reconfirm the settings. If it still does not work even though the settings are complete, it won’t be easy to identify the cause. Please contact Questetra Support.

That’s it for today. See you around.
