Disable Single Sign on in SSO settings if you enabled it previously. As in this step, we don't want to login into Salesforce through SSO but we want Salesforce to provide SSO for us and act as Identity Provider.

Identity provider setup - In link Setup -> Security controls -> Identity provider you need to setup Salesforce as IDP.

Generate certificate - first generate certificate on first screen. This certificate will be used to sign SAMLResponse messages sent from Salesforce IDP.

After certificate will be generated in Salesforce, you can download it to your computer.

Configure generated certificate for Identity Provider - In Identity Provider setup, you need to select the certificate, which you just generated

Add service provider - In section Setup -> Security Controls -> Identity Provider -> Service providers you can add your Picketlink application as Service Provider. We will use application sales-post-sig from Picketlink quickstarts . So in first screen of configuration of your Service provider, you need to add ACS URL and Entity ID like http://localhost:8080/sales-post-sig/ . Subject type needs to be Federation ID and you also need to upload certificate corresponding to signing key of sales-post-sig application. You first need to export this certificate from your keystore file. See previous tutorial for how to do it. In next screen, you can select profile for users, who will be able to login to this Service Provider. By checking first checkbox, you will automatically select all profiles. After confirm this screen, you will have your service provider created. Let's see how your final configuration can looks like after confirming: