David Geneve

Where is the SAML ACS URL?

I'm trying to get SAML federation set up with the developer edition of Salesforce. I'm getting the ACS URL is not correct in the SAML validator. There is no Salesforce Login URL or ACS URL in my Single Sign on settings.
Ajay K Dubedi
Hi David,
SAML (Security Assertion Markup Language) is an XML-based standard for exchanging authentication and authorization data between an identity provider (IdP) such as Okta, and a service provider (SP) such as Box, Salesforce, G Suite, Workday, etc.

Both IdP and SP-initiated authentication flow rely upon assertions that are passed between the user’s browser and URLs that are specifically created to handle SAML traffic (known as endpoints). These assertions are in XML format and contain information that verifies who the identity provider is, who the user is, and whether the user should have access to the SP.

1. The user (e.g. john@MyBusiness.com) navigates to the SP’s login page and begins to log in. Some SPs offer a link to "sign in using SSO" on the login page, whereas others can be configured to utilize SAML for all sign-on requests based upon the domain portion of the username (e.g. users@MyBusiness.com). SPs that utilize custom login pages (e.g. https://MyCompany.Dropbox.com) can often be configured to utilize SAML for ALL login attempts.
2. The SP generates a SAML request and redirects the user to the Okta Single Sign-On URL endpoint with the request embedded. This endpoint is unique for each application within each Okta tenant.
3. Once the user is redirected to Okta they’ll need to enter their Okta credentials, unless they had already authenticated into Okta in a previous session within the same browser. In either case, a successful authentication request will redirect the user back to the SP’s Assertion Consumer Service (ACS) URL with an embedded SAML response from Okta. At a minimum, the response will:
a) Indicate that it is indeed from Okta and hasn’t been altered, and contain a digital signature proving such. This signature will be verified by the SP using a public key from Okta that was previously uploaded to the SP as a certificate.
b) Indicate that the user has authenticated successfully into Okta.
c) Indicate who the user is via the NameID, a standard attribute used in SAML assertions.
4. After the assertion is successfully parsed by the SP’s ACS, the user will then be sent to the SP’s default relay state, which is usually the same page they’d wind up if they’d simply logged into the SP with a username and password. As SPs such as G Suite and Office 365 host several different services, the default relay state will help dictate which specific service to send them to (for example, directly to Outlook Webmail instead of Office 365’s main landing page).

Please check the below link for more information:
https://support.okta.com/help/s/article/Beginner-s-Guide-to-SAML

I hope you find the above solution helpful. If it does, please mark as Best Answer to help others too.
Thanks,
Ajay Dubedi
David Geneve
Thank you for your reply. I think I wasn’t clear enough. I wasn’t looking for a SAML 101 lesson. I need to know the value to enter at the IdP. The documents say it is supposed to show up in the Single sign on settings as Salesforce login URL but there is nothing there. I tried https://login.salesforce.com but that doesn’t work.
David Geneve
Here is what my single sign on settings screen looks like.  There is no Salesforce Login URL listed.
Single Sign on settings image
Ricky Lowe 19
Hi David, I know this question was asked a while ago, but for the sake of people looking for the answer, you have to first save the Single Sign On setting to view the ACS URL. You need the URL "Login URL":
screenshot of where the SAML ACS URL is
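
The kind of ACS URL comparison an SP can apply to an incoming SAML response, as an added example that is not part of any post in this thread: it decodes a base64 `SAMLResponse` and compares its `Destination` and `Recipient` values against the ACS URL the SP expects. The `sp.example.com` URL and the sample responses are constructed for illustration, and the signature verification described in step 3a is not performed here.

```python
import base64
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Constructed placeholder: the real value is the Login URL the SP shows after saving.
EXPECTED_ACS = "https://sp.example.com/saml/acs"


def build_sample(destination, recipient):
    """Return a constructed, unsigned base64 SAMLResponse like an IdP would POST."""
    xml = (
        '<samlp:Response xmlns:samlp="{p}" xmlns:saml="{a}" Destination="{d}">'
        "<saml:Assertion><saml:Subject>"
        "<saml:NameID>john@MyBusiness.com</saml:NameID>"
        '<saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">'
        '<saml:SubjectConfirmationData Recipient="{r}"/>'
        "</saml:SubjectConfirmation></saml:Subject></saml:Assertion>"
        "</samlp:Response>"
    ).format(p=NS["samlp"], a=NS["saml"], d=destination, r=recipient)
    return base64.b64encode(xml.encode()).decode()


def check_acs(saml_response_b64, expected_acs):
    """Return a list of mismatches between the response and the SP's ACS URL."""
    # Untrusted responses need a hardened XML parser and a signature check first.
    root = ET.fromstring(base64.b64decode(saml_response_b64))
    if root.tag != "{%s}Response" % NS["samlp"]:
        return ["root element is not samlp:Response"]
    problems = []
    dest = root.get("Destination")
    if dest != expected_acs:  # exact string match, no URL normalization
        problems.append("Destination %r != ACS URL" % dest)
    scds = root.findall(".//saml:SubjectConfirmationData", NS)
    if not scds:
        problems.append("no SubjectConfirmationData found")
    for scd in scds:
        if scd.get("Recipient") != expected_acs:
            problems.append("Recipient %r != ACS URL" % scd.get("Recipient"))
    return problems


if __name__ == "__main__":
    guess = "https://login.salesforce.com"  # the value tried in the thread
    print(check_acs(build_sample(EXPECTED_ACS, EXPECTED_ACS), EXPECTED_ACS))
    print(check_acs(build_sample(guess, guess), EXPECTED_ACS))
```
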