Sign into Saleforce console
Click the Setup icon on the top-right corner, then select Setup
Create a New Permission Set for STS
Navigate to ADMINISTRATION | Users | Permission Sets
Click the New button
Enter the Lebel and API Name
Click Save to create this new permission set
Click the newly created permission set, e.g. SafeID Token Service
Scroll down to the System section
Click the System Permissions link
Click the Edit button
Scroll down until you see the option "Manage Multi-Factor Authentication in API"
Enable the option "Manage Multi-Factor Authentication in API" and "Manage Multi-Factor Authentication in User Interface"
Scroll up to the top
Click the "Save" button to save the settings.
Create the Access User for STS
Navigate to ADMINISTRATION | Users | Users
Click New User
Fill out the new user's properties, and make sure the User License must be set as Salesforce
Click Save to create the new user
You will receive an email from Saleforce
Click Verify Account to verify your account and set the password of the account
Assign the STS permission set to the STS access user
In the Salesforce console, navigate to ADMINISTRATION | Users | Users
Click the newly created user account, e.g. API
Click "Permission Set Assignments
Click "Edit Assignments"
Select the permission set you created earlier for STS, e.g. SafeID Token Service
Click the Save button to save the settings
If you get an error at this time, then make sure the user has a license that allows the Permission Set to be assigned
Create a new App for STS
Navigate to PLATFORM TOOLS | Apps | App Manager
Click "New Connected App"
Fill in App Name, API Name and Contact Email
Enable the option "Enable OAuth Settings"
Add “Access the identity URL service" and "Manage User data via APIs” in the selected OAuth Scopes section.
Click the Save button to create this new app
Once you’ve been redirected to the page for the App you just created take a copy of the Consumer Key and also Consumer Secret in the API section.
Configure IP Relaxation for STS
To allow the STS server to communicate with Salesforce, you either need to set the IP relaxation to “Relax IP Restrictions” or add the IP range of the Azure servers to your security settings.
To change the IP Relaxation follow the directions below.
Navigate to PLATFORM TOOLS | Apps | Connected Apps | Manage Connect Apps
Click Edit against the STS app
You can select "Relax IP restrictions", or "Enforce IP restrictions"
If you select Enforce IP restrictions, then you must add the IP address range of Azure servers to the trusted IP list
Navigate to SETTINGS | Security | Network Access
Click New to create a new set of trusted IP ranges