Click Settings > Identity > Single Sign-On Settings.
Upload the Identity Provider Signing Certificate that you obtained in Step 7 of section 27.7.3.
In Single Sign-On Settings, click New and specify the following details:
Name: Advanced Authentication.
API Name: AAF.
Issuer: https://AdvancedAuthenticationServerAddress/osp/a/TOP/auth/saml2/metadata, where you must replace AdvancedAuthenticationServerAddress with the domain name or IP address of your Advanced Authentication server.
Entity ID: https://CompanyName.my.salesforce.com/.
Click Browse to open the Identity Provider certificate.
SAML Identity Type: Select Assertion contains the Federation ID from the User object.
SAML Identity Location: Select Identity is in an Attribute element.
Attribute Name: upn.
Service Provider Initiated Request Binding: Select HTTP Redirect.
Identity Provider Login URL: https://AdvancedAuthenticationServerAddress/osp/a/TOP/auth/saml2/sso.
Select User Provisioning Enabled.
Click Save.
Click Edit for Federated Single Sign-On Using SAML.
Select SAML Enabled.
Click Save.
Click Settings > Users.
Click Edit for the required Salesforce users by adding Federation ID for the user accounts. The Federation ID corresponds to userPrincipalName attribute in Active Directory. For example, pjones@company.com.
NOTE:The name that you specify in Federation ID is case sensitive. The following error appears, if you ignore the case:
We can't log you in. Check for an invalid assertion in the SAML Assertion Validator (available in Single-Sign On Settings) or check the login history for failed logins.
Click your profile icon and click Switch to Salesforce Classic.
This mode is required to tune the domain options.
Click Setup Administrator > Domain Management > My Domain > Edit to access the Authentication Configuration screen.
Select Login Page and osp options.
Click Save.