
Configuring Salesforce for SAML with OneLogin

Thomas Pedersen
posted this on Mar 10 09:41

If you want to log users into Salesforce using SAML, you first have to go through a few steps in Salesforce, which should take no more than a minute.

  1. In OneLogin, go to Security -> SAML.
  2. Click the download link to download the certificate for your account.
  3. Go to the dashboard by clicking the padlock, then click Find app.
  4. Select the Salesforce app from the list.
  5. In Authentication Method, select SAML.
  6. Click Update.
  7. Copy the SAML Issuer value by clicking the clipboard icon below the SAML Issuer field.

     (Screenshot: salesforce_saml_config.png)
  8. Log in to Salesforce using your current Salesforce username and password.
  9. Click Setup -> Security Controls -> Single Sign-on Settings.
  10. Set SAML version to 2.0.
  11. For the Identity Provider Certificate, upload the onelogin.cert file that you downloaded in step 2.
  12. Set SAML User ID Type to "Assertion contains User's salesforce.com username".
  13. Set SAML User ID Location to "User ID is in the NameIdentifier element on the Subject statement".
  14. Insert the SAML Issuer value from step 7 in the Issuer field.

     (Screenshot: Screen_shot_2010-04-12_at_5.03.12_PM.png)

  15. Click Save.

Now your users can log into Salesforce.com from OneLogin without the use of a password.
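To make concrete what steps 10, 13 and 14 ask Salesforce to verify, here is an added Python example (not OneLogin's or Salesforce's code) that inspects a constructed SAML 2.0 Response for the same three things: version 2.0, an Issuer equal to the configured value, and the user ID carried as the NameID inside the Subject. The issuer URL and username are placeholders; checking the signature against onelogin.cert is a separate step the example does not perform.

```python
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Constructed sample of the part of a SAML 2.0 Response that the settings
# above refer to. Issuer and username are placeholders, not real values.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" Version="2.0" ID="_r1">
  <saml:Issuer>https://app.onelogin.com/saml/metadata/EXAMPLE-ISSUER</saml:Issuer>
  <saml:Assertion Version="2.0" ID="_a1">
    <saml:Issuer>https://app.onelogin.com/saml/metadata/EXAMPLE-ISSUER</saml:Issuer>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">jane.doe@example.com</saml:NameID>
    </saml:Subject>
  </saml:Assertion>
</samlp:Response>"""


def check_assertion(xml_text, expected_issuer):
    """Return (ok, reason, username) for the checks implied by the Single
    Sign-on Settings above: SAML version 2.0, Issuer equal to the configured
    value, and the user ID taken from the NameID inside the Subject.
    Signature verification against onelogin.cert is not done here."""
    root = ET.fromstring(xml_text)
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return False, "no Assertion element", None
    if assertion.get("Version") != "2.0":
        return False, "SAML version is not 2.0", None
    issuer = assertion.findtext("saml:Issuer", default="", namespaces=NS).strip()
    if issuer != expected_issuer:
        return False, "Issuer does not match configured value", None
    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    username = (name_id.text or "").strip() if name_id is not None else ""
    if not username:
        return False, "no NameID in Subject", None
    # This username is what Salesforce looks up (SAML User ID Type = username).
    return True, "ok", username


if __name__ == "__main__":
    print(check_assertion(SAMPLE_RESPONSE,
                          "https://app.onelogin.com/saml/metadata/EXAMPLE-ISSUER"))
```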

User ID

By default, users are authenticated in Salesforce using the email address they are registered with in OneLogin. In some cases, however, it is not practical or even possible to use the email address as the user ID, for example if the same user has access to multiple Salesforce accounts.

You can specify another ID for a user by editing the user's login record under People -> Users. Just scroll down to the relevant Salesforce entry and click Edit.

Deep linking

If you click on a Salesforce link in an email you will be taken directly to the requested page in Salesforce. If you are not logged into OneLogin, the link will be followed upon successful authentication. Note that this will not work until Salesforce has successfully set a cookie in your browser, typically after the first successful login.

Preventing users from logging in with username and password

By default, Salesforce allows users to log in using their usernames and passwords, even when Salesforce is configured to use SAML. This can be prevented by adding a second mechanism called Delegated Authentication. Follow these steps:

  1. Contact your Salesforce representative or support, and ask them to enable Delegated Authentication for your account. Note that this requires at least the professional edition of Salesforce.
  2. In Salesforce, click Setup -> Security Controls -> Single Sign-On Settings.
  3. Click Edit.
  4. Insert the following text in the field Delegated Gateway URL:

    https://app.onelogin.com/saml/salesforce_delegated_authentication

  5. Click Save.

This causes non-administrator users to be denied access when they try to log in to Salesforce using their usernames and passwords. Users with the Administrator profile will remain able to log in using a username and password.

If you are using the Enterprise or Unlimited edition of Salesforce, you should edit your profiles and add the "Use Single Sign-On" permission.

Important: Do not add this setting to the administrator profile. Administrators should always be able to log in using their username and password, in order to modify single sign-on parameters if they have to.