This guide describes detailed steps for configuring SAML 2.0 federated single sign-on using predefined connector between IBM Cloud Identity and Salesforce. It is assumed that organization already has active Salesforce domain, users are already available in this salesforce domain and are actively using it. Refer Salesforce help for instructions to configure custom domain for your community.
This article primarily focuses on how to setup federated single sign-on between IBM Cloud Identity and Salesforce.
For this federation configuration,
- IBM Cloud Identity acts as Identity Provider (IDP).
- Salesforce acts as Service Provider (SP).
Following are the high level steps for configuring SSO between IBM Cloud Identity and Salesforce:
- Configure IBM Cloud Identity as Identity Provider
- Create a salesforce connector using IBM Cloud Identity dashboard.
- Testing SSO
- Create user in IBM Cloud Identity with same name as Salesforce username if it does not exist.
- Test IDP and SP initiated SSO.
Configuration of IBM Cloud Identity as Identity Provider
Following are steps to create salesforce connector using IBM Cloud Identity dashboard:
Log in to your IBM Cloud Identity Connect tenant with admin user.
To start the configuration, navigate to Admin Dashboard.
Go to the Applications tab and click Add applications
Search for the
Salesforce application and click
OK.
Provide name of the Connector. For example: Salesforce
Provide following details in the General tab:
- Domain Name: Provide your organization custom domain for salesforce.
For Example:
If login URL for your salesforce organization is https://<mydomain>.my.salesforce.com, enter “mydomain”.
- Select applications to connect: Select the salesforce applications which is to be displayed on the Launchpad.
If none of the applications are selected, salesforce base application is displayed on Launchpad.
Go to the Single Sign-on tab and provide following details:
- Provider ID: Value for this field will be auto-populated.
- Assertion Consumer Service URL: Provide the Assertion Consumer Service URL for Salesforce.
It should be in the following format:
https://<Salesforce Domain>.my.salesforce.com?so=<Salesforce Organization ID>
To get the value of ‘Salesforce Organization ID”, log in to your salesforce account using admin user and navigate to Company Settings > Company Information. Note down the organization ID listed in “Salesforce.com Organization ID” field.
In the Entitlements tab and specify the access type –
- Automatic access for all users and groups – By default all users and groups get access to this application.
- Approval required for all users and groups – User manager and/or application owner need to approve access for users and groups to access this application.
- Select users and groups and assign individual access - Select specific users and groups to access this application.
I am selecting Automatic access option so that every user and group from my tenant gets access to Salesforce application.
Click Save to save your changes.
On the right side, you can see the instructions to perform configuration at Salesforce.
Configuration of Salesforce as Service Provider
- Login in salesforce account using https://login.salesforce.com/
- Navigate to SETTINGS > Company Settings > My Domain
- Create a new domain.
- Deploy domain to all users.
Now you can use your domain URL to login to your salesforce account.
e.g. https://<domain-name>.my.salesforce.com
1.1 Configure SAML SSO for Salesforce
- Log into the Salesforce organization that acts as the service provider.
- Select
- Navigate to Identity > Single Sign-On Settings.
- Select SAML Enabled
- Click New to setup SAML based login service.
- Provide the Identity Provider details as following:
- Provide the Identity Provider details as following:
|
IDP Partner Property
|
Value
|
|
Name
|
Provide a unique Name for the SAML SSO Settings
|
|
SAML Version
|
2.0
|
|
Issuer
|
Go to the Instructions tab, Copy Issuer URL from instructions and paste it.
|
|
Entity ID
|
https://<Salesforce-domain>.my.salesforce.com
|
|
Identity Provider Certificate
|
Go to the Instructions tab, Copy Identity Provider Certificate from instructions and save it as .cer and upload this certificate.
|
|
Request Signing Certificate
|
Select SAML request signing certificate from the drop-down list.
|
|
Request Signing method
|
RSA-SHA256
|
|
Assertion Decryption Certificate
|
If you want to encrypt the SAML assertion, select Certificate from dropdown list.
|
|
SAML Identity Type
|
Assertion contains User's salesforce.com username
|
|
SAML Identity Location
|
Identity is in the NameIdentifier element of the Subject statement
|
|
Identity Provider Login URL
|
Go to the Instructions tab, Copy Identity Provider Login URL from instructions and paste it.
|
|
Identity Provider Logout URL
|
Copy Identity Provider Logout URL from instructions and paste it.
|
|
Service Provider Initiated Request Binding
|
HTTP Redirect
|
|
User Provisioning Enabled
|
Uncheck this check box.
|
- After saving SSO settings note down Salesforce Login URL in the Endpoints This is the Salesforce Assertion Consumer URL.
- Download salesforce metadata by selecting Download Metadata. This metadata generally is a way to verify Salesforce’s SAML properties like provider ID, ACS URL, etc.
- To configure the Salesforce login page for single sign-on, perform the following tasks:
- If you are using Salesforce Classic UI, navigate to Setup > Domain Management > My Domain > Authentication Configuration.
If you are using Salesforce Lightning Experience UI, navigate to Setup > Settings > Company Settings > My Domain > Authentication Configuration.
- Click Edit.
- For the Authentication Service field, select the check box that corresponds to the SAML SSO settings name specified earlier in step 5.
- Click Save to save your changes.
SSO Testing
Prerequisites
Cloud Identity user matching with Salesforce username needs to be present in IBM Cloud Identity. If not, create it using dashboard as follows:
- Login to dashboard with admin credentials.
- Navigate to Users and Groups.
- Click Add
- Enter exact details of the user and click Save.
IDP initiated SSO:
- Log in to the IBM Cloud Identity Launchpad with end user’s credentials.
- User should see the Salesforce
- Click on the Salesforce User will be logged into the salesforce account.