
Setting up Salesforce as an Identity Provider


As I mentioned in my previous post, I am currently working on enabling Single Sign On (SSO) for my Salesforce Org. To do this research, I needed an identity provider that would act as my SAML endpoint, validate identity requests and respond with valid SAML responses. Well, I figured: why don't I set up another one of my Salesforce orgs as an IdP?

Below are the steps I followed to enable one of my Salesforce orgs as an IdP that is capable of sending SAML responses to valid requests -


  • As a prerequisite to enabling an org as an IdP, you will need to set up a My Domain for that environment. Please see my previous blog for instructions - Setup my Domain on Salesforce
  • For the org that will act as your Identity Provider, navigate to the Setup -> Security Controls -> Identity Providers screen


  • Now click the Enable Identity Provider button
  • In the next step, you will be asked to select a certificate to enable secure communication of the SAML requests and responses. You can choose the Salesforce-provided self-signed certificate or use another certificate that you have already imported into the "Certificates and Key Management" screen. Since this is just a research setup on my developer edition org, I am going to use the Salesforce-provided certificate.

  • That's it, your org is now enabled to act as an IdP with the ability to respond to SAML requests. The resulting screen will show as below -

  • It has the SAML endpoint details and a button that lets you download all the metadata needed at the service provider side to enable SSO.
  • As a next step you will need to add your Service Provider as a Connected App in this org. Since in my experiment I am adding another Salesforce org as my service provider (to enable it for SSO), I will add that in a separate post. Update - I added the steps for adding the connected app in this IdP org in the following post - Setting up an SSO enabled connected app.
In my next post, I will walk through the setup of an SSO enabled Salesforce org. Till then, enjoy!
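The metadata file downloaded from the Identity Provider screen is what the service provider side consumes: it carries the IdP's entityID, the SingleSignOnService endpoints and the certificate the SP will use to verify signed responses. The following is an added example, not code from this post or from Salesforce, that parses SAML 2.0 IdP metadata with Python's standard library and runs the sanity checks worth doing before pasting those values into an SP's SSO settings: a signing certificate is present, every endpoint is HTTPS, and every endpoint sits on the IdP org's My Domain host (the prerequisite from the first step). The metadata embedded below is constructed in the shape of IdP metadata; the host `example-idp.my.salesforce.com`, the endpoint paths and the certificate body are placeholders, not a real export.

```python
"""Parse SAML 2.0 IdP metadata and extract what the service provider needs.

Added example, not code from the page. SAMPLE_METADATA is constructed; the
hostname is a placeholder My Domain and the certificate body is a dummy
string, not a real Salesforce certificate export.
"""
import base64
import hashlib
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Dummy certificate body (constructed); a real export carries base64-encoded DER.
DUMMY_CERT_B64 = base64.b64encode(b"constructed placeholder, not a certificate").decode()

# Constructed IdP metadata; "example-idp.my.salesforce.com" is a placeholder host.
SAMPLE_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://example-idp.my.salesforce.com">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>{cert}</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://example-idp.my.salesforce.com/idp/endpoint/HttpPost"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://example-idp.my.salesforce.com/idp/endpoint/HttpRedirect"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
""".format(cert=DUMMY_CERT_B64)


def parse_idp_metadata(xml_text):
    """Return entityID, SSO endpoints keyed by binding name, and certificate fingerprints."""
    root = ET.fromstring(xml_text)
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("no IDPSSODescriptor element: this is not IdP metadata")
    endpoints = {}
    for svc in idp.findall("md:SingleSignOnService", NS):
        # "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" -> "HTTP-POST"
        endpoints[svc.get("Binding").rsplit(":", 1)[-1]] = svc.get("Location")
    certs = []
    for kd in idp.findall("md:KeyDescriptor", NS):
        use = kd.get("use", "signing")  # no 'use' attribute means signing and encryption
        for cert in kd.findall(".//ds:X509Certificate", NS):
            der = base64.b64decode("".join(cert.text.split()))  # drop line wrapping
            certs.append({"use": use, "sha256": hashlib.sha256(der).hexdigest()})
    return {"entity_id": root.get("entityID"), "sso": endpoints, "certs": certs}


def check_idp_metadata(info, expected_host):
    """Checks to run before trusting the metadata on the service provider side.

    expected_host is the IdP org's My Domain host; the SSO endpoints must live there.
    Returns a list of problems; an empty list means the metadata passed.
    """
    problems = []
    if not info["entity_id"]:
        problems.append("missing entityID")
    if not any(c["use"] == "signing" for c in info["certs"]):
        problems.append("no signing certificate: SAML responses could not be verified")
    if not info["sso"]:
        problems.append("no SingleSignOnService endpoints")
    for binding, loc in info["sso"].items():
        url = urlparse(loc)
        if url.scheme != "https":
            problems.append(f"{binding} endpoint is not HTTPS: {loc}")
        if url.hostname != expected_host:
            problems.append(f"{binding} endpoint host {url.hostname!r} is not {expected_host!r}")
    return problems


if __name__ == "__main__":
    info = parse_idp_metadata(SAMPLE_METADATA)
    print("entityID:", info["entity_id"])
    for binding, loc in info["sso"].items():
        print(binding, "->", loc)
    for c in info["certs"]:
        print(c["use"], "certificate sha256:", c["sha256"])
    print("problems:", check_idp_metadata(info, "example-idp.my.salesforce.com") or "none")
```

The certificate fingerprint is recorded on purpose: a self-signed certificate like the Salesforce-provided one is trusted by the SP only because it appears in this metadata, so keeping its fingerprint lets you confirm that the certificate configured on the SP side is the one the IdP actually published, and notice when the IdP rotates it.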
