Single Sign-on with Salesforce via SAML 2.0

Hi Questetra users! I’m Hatanaka, Questetra’s CTO.

I will explain Single Sign-on with Salesforce in this post.

Questetra BPM Suite is capable of configuring Single Sign-on using SAML 2.0.

M310: Enable Login Function using External Authentication service (SAML)

Even though Salesforce can act as either an ID Provider or Service Provider for SAML, here in this post we will use Salesforce as an ID Provider. Note that although Salesforce has multiple editions, there are only a limited number of editions available that can be used as an ID Provider.

Salesforce Doc.: Identity Providers and Service Providers

1. [Salesforce] Set up My Domain

I will start configurations on the Salesforce side. Currently, Salesforce provides two types of user interface

• Lightning Experience
• Salesforce Classic

Here in this post I will describe Lightning Experience.

To use Salesforce as an SAML ID Provider you must access Salesforce in your own unique domain. I guess that’s probably because it issues certificates to be used for SAML for the unique domain. The domain settings are as follows;

Setup in the gear icon pull-down menu
> “Company settings” under Settings in the left menu
> My Domain

Since you can not change the domain name later, please set it carefully. Also, even if you set up a domain, you can’t use the domain unless it is approved by Salesforce. They say that it takes up to 3 days at the most for approval. Please wait patiently.

2. [Salesforce] Enabling ID Provider/Adding a connected App

I will continue to set up the Salesforce side. Once the domain setting is completed, you will be able to configure the ID provider.

Setup in the gear icon pull-down menu
> “Identity” under Settings in the left menu
> Identity Provider

There, you click Enable Identity Provider and create a self-signed certificate as well.

Then, register Questetra BPM Suite in Salesforce. Before that, let’s check the values required for registration in Questetra BPM Suite.

System Settings
> SSO (SAML) in the left menu

There, check the Enable Single Sign-On box. You don’t need to save at this moment since it’s just a confirmation of the values.

The values to be confirmed are the following.

• Entity ID
• ACS URL

Write down these two values and go back to Salesforce. Register Questetra BPM Suite as a “Connected App”.

Setup in the gear icon pull-down menu
> “Apps” under PLATFORM TOOLS on the left menu
> App Manager

There are two buttons for creating different types of app on the screen, click on the New Connected App button.

Input the following information and click Save.

Basic Information

• Connected App Name
  • Any value may be used. E.g. Questetra BPM Suite.
• API Name
  • Any value may be used. E.g. qbpms.
• Contact Email
  • Enter the email address of the person in charge of Questetra BPM Suite.
• Leave other items blank.

Web App Settings

• Check to Enable SAML
• Entity Id
  • Paste the Entity ID from Questetra’s SP Information
• ACS URL
  • Paste the ACS URL from Questetra’s SP Information
• You do not have to change other items, leave them as the defaults.

3. [Salesforce] Assignment of Users to Connected App

In Salesforce, you need to set which users can use the connected app. Only those users will be able to login to Questetra BPM Suite using single sign-on. First, create a permission set and assign users to it. Then, assign the permission set to the connected app.

Connected App ←→ Permission Set ←→ Users

To create Permission Sets, go to

Setup in the gear icon pull-down menu
> “Users” under ADMINISTRATION in the left menu
> Permission Sets

On the screen, there is a “New” button which is a little hard to find. Click it to create Permission Sets.

• Label
  • Any value may be used. E.g. Questetra Permission Set
• API Name
  • Any value may be used. E.g. qbpms_grant
• Select the type of users who will use this permission set
  • Leave User License as “None”

Next, assign users to the permission set. On the page that you move to after saving the permission set, click on Manage Assignments.

A list of users is displayed in the Manage Assignments section, so select the necessary users and click on Add Assignments.

Lastly, assign the Permission Set to the Connected App.

Setup in the gear icon pull-down menu
> “Apps” under PLATFORM TOOL in the left menu
> App Manager

In the application list, click on the Manage button of the target App. Although it is difficult to find, the Manage option is in the pull-down menu at the rightmost side of the page. In the Connected App details page, click on Manage Permission Set (at the bottom).

There, select the Permission Set created earlier, then click Save.

4. [Questetra BPM Suite] Configuration of ID Provider

Finally, set up Questetra BPM Suite.

Go back to SSO (SAML) < Settings, and enable Single Sign-on. This time, configure the Salesforce information, then click Save.

Entity ID, Sign-in page URL, and Verification certificate are mandatory items. Enter the following, referring to the Identity Provider page in Salesforce. You can view the Identity Provider page through

Setup in the gear icon pull-down menu
> “Identity” under Settings in the left menu
> Identity Provider

It’s the same page where you enabled Identity Provider in Salesforce earlier.

• Entity ID
  • Paste the value in Issuer
• Verification certificate
  • Click on Download Certificate, then open the downloaded certificate with your text editor, copy its content and paste it.
• Sign-in page URL
  • Click on Download Metadata, then open it with your text editor, copy the URL part in the Location attribute in the element shown below, and paste it.

    ?<md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://***.my.salesforce.com/idp/endpoint/HttpPost"/>test

This completes the setup for single sign-on. On the login page of Questetra BPM Suite you should be able to log in with single sign-on. If you have already logged in to Salesforce it will transition directly to the page within Questetra BPM Suite. If you haven’t, it will move to the page within Questetra BPM Suite via logging in to Salesforce.

If it does not work reconfirm the settings. In the event it doesn’t work even though there are no incomplete settings, it won’t be easy to specify the cause, so please contact Questetra Support.

That’s it for today. See you around.