Configuring SAML for Salesforce

Thomas Pedersen
posted this on March 10, 2010 09:41 am

If you want to log users into Salesforce using SAML, you first have to go through a few steps in Salesforce, which should take no more than a minute.

  1. In OneLogin, go to Security -> SAML.
  2. Click the download link to download the certificate for your account.
  3. Go to the dashboard by clicking the padlock, then click Find app.
  4. Select the Salesforce app from the list.
  5. In Authentication Method, select SAML.
  6. Click Update.
  7. Copy the SAML Issuer value by clicking the clipboard icon below the SAML Issuer field.
  8. Log in to Salesforce using your current Salesforce username and password.
  9. Click Setup -> Security Controls -> Single Sign-on Settings.
  10. Set SAML version to 2.0.
  11. For the Identity Provider Certificate, upload the onelogin.cert file that you downloaded in step 2.
  12. Set SAML User ID Type to "Assertion contains User's salesforce.com username".
  13. Set SAML User ID Location to "User ID is in the NameIdentifier element on the Subject statement".
  14. Insert the SAML Issuer value from step 7 in the Issuer field.
  15. Click Save.

Now your users can log into Salesforce.com from OneLogin without the use of a password.
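As an added check that is not part of the original article or OneLogin's own code, the following Python script parses a SAML response and reports whether it matches the four Salesforce settings from steps 10 to 14 (version 2.0, the Issuer value, the user ID in the NameID of the Subject, and that NameID carrying the Salesforce username). The response, the issuer URL and the username are constructed sample values; the sample is unsigned, whereas a real response also carries a signature that Salesforce verifies against the uploaded onelogin.cert.

```python
import xml.etree.ElementTree as ET  # in production prefer defusedxml to resist XML entity attacks

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Constructed, unsigned sample response; the issuer URL and username are not real values.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" Version="2.0" ID="_r1">
  <saml:Issuer>https://idp.example.com/saml/metadata/123</saml:Issuer>
  <saml:Assertion Version="2.0" ID="_a1">
    <saml:Issuer>https://idp.example.com/saml/metadata/123</saml:Issuer>
    <saml:Subject>
      <saml:NameID>jane.doe@example.com</saml:NameID>
    </saml:Subject>
  </saml:Assertion>
</samlp:Response>"""


def check_salesforce_sso_settings(response_xml, expected_issuer, expected_username):
    """Report, per Salesforce setting, whether the response would satisfy it."""
    root = ET.fromstring(response_xml)
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return {"assertion_present": False}
    issuer_elems = (root.find("saml:Issuer", NS), assertion.find("saml:Issuer", NS))
    issuers = [e.text.strip() for e in issuer_elems if e is not None and e.text]
    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    name_id_text = (name_id.text or "").strip() if name_id is not None else ""
    return {
        "assertion_present": True,
        # step 10: SAML version 2.0 on both the Response and the Assertion
        "version_2_0": root.get("Version") == "2.0" and assertion.get("Version") == "2.0",
        # step 14: Issuer must equal the SAML Issuer value copied from OneLogin (step 7)
        "issuer_matches": len(issuers) == 2 and all(i == expected_issuer for i in issuers),
        # step 13: the user ID is the NameID inside the Subject statement
        "nameid_in_subject": name_id is not None,
        # step 12: that NameID carries the user's Salesforce username
        "nameid_is_username": name_id is not None and name_id_text == expected_username,
    }
```

A mismatch in any entry is the kind of misconfiguration that produces a failed login in Salesforce's SAML assertion validator rather than a successful SSO.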

User ID

By default, users are authenticated in Salesforce using the email address they are registered with in OneLogin. However, in some cases it is not practical or even possible to use the email address as the user ID, for example if the same user has access to multiple Salesforce accounts.

You can specify another ID for a user by editing the user's login record under People -> Users. Just scroll down to the relevant Salesforce entry and click Edit.

Deep linking

If you click on a Salesforce link in an email you will be taken directly to the requested page in Salesforce. If you are not logged into OneLogin, the link will be followed upon successful authentication. Note that this will not work until Salesforce has successfully set a cookie in your browser, typically after the first successful login.

Enabling directory integration for Chatter, Salesforce Mobile etc.

By default, Salesforce allows users to log in using their Salesforce usernames and passwords, even when Salesforce is configured to use SAML. When implementing single sign-on throughout the corporation, managing passwords in Salesforce should be avoided. For this purpose, you can use the Delegated Authentication feature in Salesforce to delegate password validation to OneLogin. If OneLogin is set up to integrate with LDAP and/or Active Directory, OneLogin will delegate the password validation to those directories. Follow these steps:

  1. Contact your Salesforce representative or support, and ask them to enable Delegated Authentication for your account. Note that this requires at least the professional edition of Salesforce.
  2. In Salesforce, click Setup -> Security Controls -> Single Sign-On Settings.
  3. Click Edit.
  4. Insert the following text in the field Delegated Gateway URL:

    https://app.onelogin.com/delegation/?app=salesforce

  5. Click Save.

If you are using the Enterprise or Unlimited edition of Salesforce, you should edit your profiles and add the "Use Single Sign-On" permission.

Important: Do not add this setting to the administrator profile. Administrators should always be able to login using their username and password in order to modify single sign-on settings if necessary.