IBM Security Verify


[Verify SaaS] Series:: Configure Salesforce as the service provider (SP) & Verify SaaS as the identity provider (IdP)

By Lekha Shindhe S posted Tue March 29, 2022 01:49 PM


Recently I started getting hands-on with IBM Security Verify SaaS and thought, why not blog the learnings so far! So here I am, sharing my learnings with the larger community. Feel free to comment! Happy reading.

In this blog I have elaborated the steps involved in performing SAML integration of the most popular SaaS app - Salesforce - with our very own IDaaS solution - ISV SaaS.

Let’s Get the Basics Right

Admin Configuration Steps

  • Log in to the IBM Security Verify (ISV) Admin Console
  • Go to the Applications section and choose Add Applications

  • Search for the Salesforce app by keyword and choose the respective Salesforce app from the options
  • Click on Add Applications again

  • On the General page, enter the Hostname; the rest of the fields can be left as-is

  • Choose the Sign-On tab. To enter the ACS URL, we need the Salesforce app's metadata, so now quickly move to the Salesforce UI

  • Log in as an admin user to your Salesforce account
  • If you are using Salesforce Classic UI, navigate to Setup > Security Controls > Single Sign-On Settings.
    If you are using Salesforce Lightning Experience UI, navigate to Setup > Settings > Identity > Single Sign-On Settings.
  • Select the SAML Enabled check box.
  • Click Save

  • On the same page, click New to set up the SAML-based login service

Specify the following settings:

  • Name – Provide a unique name for the SAML SSO setting. [IBM SSO]
  • Issuer – Provide the value mentioned on the ISV Sign On Page
  • Entity ID – Provide the Salesforce organisation domain URL
  • Upload the X.509 identity provider certificate found on the ISV Sign On Page
  • Request Signature Method – RSA-SHA256
  • SAML Identity Type – Assertion contains the User's Salesforce username
  • SAML Identity Location – Identity is in the NameIdentifier element of the Subject statement.
  • Service Provider Initiated Request Binding – HTTP Redirect
  • Identity Provider Logout URL – Provide the value mentioned on the ISV Sign On Page
  • Click Save
  • Click Download Metadata to download Salesforce metadata

  • Open the metadata file in a browser and locate the AssertionConsumerService tag in the downloaded metadata file. It looks something like what is highlighted in the picture.

  • Use the value specified for the Location attribute as Assertion Consumer Service URL on the Sign-on Tab
  • Click Save
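
The metadata step above can also be scripted. The following is an added example, not part of the original post or of IBM's or Salesforce's tooling: it reads the downloaded SP metadata, picks the HTTP-POST AssertionConsumerService entry and checks the Location value before it is pasted into the Sign-on tab. The sample metadata, its domain and org id are constructed placeholders, and the rule that the ACS host must equal the Entity ID host is an assumption of this sketch.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed sample in the shape of downloaded SP metadata; the domain and
# org id are placeholders, not values from the original post.
SAMPLE_METADATA = b"""<?xml version="1.0" encoding="UTF-8"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://example.my.salesforce.com">
  <md:SPSSODescriptor AuthnRequestsSigned="true" WantAssertionsSigned="true"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AssertionConsumerService index="0" isDefault="true"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://example.my.salesforce.com?so=00D000000000000"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""


def extract_acs(metadata: bytes) -> dict:
    """Return entityID and the HTTP-POST ACS URL, rejecting unsafe values."""
    # SAML metadata has no need for a DTD; refuse it instead of parsing it.
    if b"<!DOCTYPE" in metadata or b"<!ENTITY" in metadata:
        raise ValueError("DTD/entity declarations are not expected here")
    root = ET.fromstring(metadata)
    if root.tag != f"{{{MD}}}EntityDescriptor":
        raise ValueError("not a SAML EntityDescriptor")
    entity_id = root.get("entityID", "")
    acs = [e for e in root.iter(f"{{{MD}}}AssertionConsumerService")
           if e.get("Binding") == POST]
    if not acs:
        raise ValueError("no HTTP-POST AssertionConsumerService found")
    # Prefer the endpoint marked isDefault, else the lowest index.
    acs.sort(key=lambda e: (e.get("isDefault") != "true",
                            int(e.get("index", "0"))))
    location = acs[0].get("Location", "")
    url = urlsplit(location)
    if url.scheme != "https" or not url.hostname:
        raise ValueError(f"ACS URL must be https: {location!r}")
    # Assumption: the ACS endpoint lives on the same host as the Entity ID.
    if url.hostname != urlsplit(entity_id).hostname:
        raise ValueError("ACS host does not match the Entity ID host")
    return {"entity_id": entity_id, "acs_url": location}


if __name__ == "__main__":
    print(extract_acs(SAMPLE_METADATA))
```

An assertion is delivered to whatever ACS URL is configured at the IdP, so a plain-HTTP or wrong-host value here is worth catching before saving.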

  • Under Entitlement, I chose to assign this app to all users and groups (the choice is totally up to the admin)
  • Click Save

  • To configure the Salesforce login page for single sign-on, perform the following tasks:
  • If you are using Salesforce Classic UI, navigate to Setup > Domain Management > My Domain > Authentication Configuration.
    If you are using Salesforce Lightning Experience UI, navigate to Setup > Settings > Company Settings > My Domain > Authentication Configuration.
  • Click Edit.
  • For the Authentication Service field, select the check box that corresponds to the SAML SSO settings name specified earlier
  • Click Save to save your changes

This completes the configuration. However, ensure you have test users on IBM Security Verify SaaS and the Salesforce console. The following user experience was captured using these test users' credentials.

End UX - IdP-Initiated Flow

End UX - SP-Initiated Flow