Skip to main content

Enabling SAML based Single Sign On (SSO) in Salesforce



Today I continue my little experiment to enable Single Sign On (SSO) on one of my Salesforce Orgs using SAML.

For this research, I previously setup another one of my Salesforce developer orgs as my Identity Provider. The steps to follow while setting up an Idp in Salesforce are captured in my previous post - Setting up Salesforce as an Identity Provider.

As a first step, you may need information from your Idp to help setup SSO. Things you will need to know are -

  • SAML version (1.1 or 2.0)
  • Entity Id (or Issuer) of the Idp
  • A certificate that will be used to authenticate the requests
  • SAML assertion parameters such as SAML User id type

It may be easier to do this setup by obtaining the SAML metadata xml from the Identity Provider.
In my case as the Idp is another Salesforce org, I can use the Download Metadata button to download the xml required from the Setup -> Security Controls -> Identity Providers screen.

There will be steps the Identity Provider will have to do to enable this communication as well. I will cover the steps I need to do in my Salesforce Idp environment as well in this post.

Below are steps to enable Single Sign On in Salesforce -

  • Navigate to Setup -> Security Controls -> Single Sign On Settings screen.
  • Click Edit and select the checkbox "SAML Enabled".

  • Next you can click New button in the SAML Single Sign On Settings section and come to below screen. Here you can fill in the SAML settings manually.
    Here you can set the details you gathered from the Idp like the Entity Id, Issuer, the certificate from the Idp, SAML Identity Type, SAML Identity Location, Idp's login and logout urls.

You could rather avoid doing this manually by importing the metadata xml provided by the Idp. I am going to do that myself using the xml I obtained from my Salesforce Idp environment.
  • So instead of above step, I am going to click the New from Metadata button and choose the file provided by the Idp. This will fill in details in the above screen for you. If you are also using Salesforce as your Idp, you will something on these lines - 
    • Issuer - It will be set to the my domain name of your Idp Org. If you are not using Salesforce as the Idp, the Issuer will be set to value provided by your Idp.
    • Entity id - It will be set to the my domain name of your Org. (this will be used at the Idp. In our scenario, it will be set in the Connected Apps section in the Idp Salesforce Org).
    • identity location - it will be set to NameIdentifier element
    • identity type - it will be set to Federation id. This is important. I will explain this in a step below.
    • service provider initiated request binding - HTTP Redirect
    • Idp login url - it will be set to the Idp endpoint url
    • Idp Certificate - Certificate provided by the Idp
    • Request Signing Certificate - choose a certificate from Certificates & key management screen list. I am going to go with the Default Certificate setting as this is only research.
    • Request Signing method - choose the mechanism to be used for encryption.
  • I am not setting up Just in time provisioning. I will leave that to my Salesforce administrator for now.
  • In the above settings, identity location and identity type are set to Subject and Federation Id as I am using Salesforce as my Idp. However based on the Idp you are using, these values may differ. You will need to work with your Idp to select the correct values. Federation Id field value on the user record should match the value sent by the Idp saml subject.
  • Once you save the settings, you will see the Salesforce Login URL on the page. This is also referred to as ACS url. Note this down as it will be useful later when you setup this environment as a connected app in your salesforce Idp org.
  • Now that you have setup SSO in the environment, you need to link these settings to the My Domain of the org. Only then will it know that it has to use these SSO settings.
  • Navigate to Setup -> Domain Management -> My Domain. For your My Domain, edit the Authentication Configuration and set the Authentication Service to this SSO setting. Disable the Login Page option from under your My Domain.
If you are using an Idp who has already configured all settings required for enabling SSO for you, you are done! You should be able to access your my domain url and see the Idp's login page or get logged in without a prompt (if you were previously logged in to the Idp on the browser).

In my case, I need to do one more step to enable this connectivity. That is to enable this above org as a connected app in the Idp Salesforce Org. I am adding the steps for doing that in the next blog post.

Labels:

Comments

  1. Sakthi MuruganApril 7, 2018 at 4:54 AM

    I just like the valuable info you provide for your articles. bookmark your weblog and take a look at once more right here regularly.
    Salesforce Course
    Salesforce Developer Training

    ReplyDelete

Post a Comment

Popular posts from this blog

Workaround to bypass Salesforce SSO

One of the best practices for implementing Single Sign On for your Salesforce org is always ensure there is a way your System administrator can login via the standard login page side-stepping the SSO configuration.  Reason for this is if ever something goes wrong with your Idp provider's service and the SSO authentication responses are not coming as expected, all your users are unable to login. That is, if you have setup your My domain to prevent logins via standard Salesforce login urls (login.salesforce.com). This includes the System administrator as well. Only if your system administrator can somehow login, then he or she can disable the SSO settings for your domain and allow login via the normal login page as a temporary measure. What do you do in such a situation? Well Salesforce has built a workaround for this which is not well documented anywhere (probably for a good reason :) ). I found out about it from a colleague at work. If your my domain url is - https://Com...
42 comments
Read more

DBAmp for Salesforce - salesforce integration for SQL Server DBAs

Recently i got the opportunity to explore a tool called DBAmp for integration with Salesforce. I found it to be a very useful tool which will help with any data manipulation requirements in Salesforce. Following are my learnings from the exercise. Hope it helps any of you who may need to work with this tool -  DBAmp is a SQL Server package that can be used to integrate with Salesforce. The site where this software is available is - http://www.forceamp.com/ Overview: It essentially installs on top of an existing SQL Server database and provides an OLE DB connector that can be used to connect to Salesforce. Behind the scenes, it executes API calls against Salesforce for any SQL server command it receives. Thus we can create a connection in SQL server to Salesforce org and pull data into tables in the database just as if we are querying against Salesforce tables directly. Use cases for DBAmap + Salesforce: Many use cases exist for using this tool against Sales...
3 comments
Read more

Summer 16 Salesforce Administrator Maintenance exams

I was able to clear my Summer 16 Salesforce administrator maintence exam earlier today. Next I need to start working on Winter 17 immediately. Anyway before that i thought i will leave some pointers to any folks who may be taking Summer 16 anytime soon Below are some topics you can read about to prepare yourself for the exam - 1. Process builder improvements -  Process builder can now execute immediate actions and then evaluate the next criteria in the flow. Please see this link - https://releasenotes.docs.salesforce.com/en-us/summer16/release-notes/rn_forcecom_process_multiple_actions.htm Expect a question on this. 2. Files sharing permission -  In Classic, when a file is shared to a user via a record, its access can be set to "Set by Record". This allows the record level access to determine access level for the file as well. Read about this below - https://releasenotes.docs.salesforce.com/en-us/summer16/release-notes/rn_files_access_by_record.htm 3. Chatter Q...
1 comment
Read more