IBM Verify


[Verify SaaS] Series:: Configure Salesforce as the service provider (SP) & Verify SaaS as the identity provider (IdP)

By Lekha Shindhe S posted Tue March 29, 2022 01:49 PM

  

Recently started getting hands on with IBM Security Verify SaaS, thought why not blog the learnings so far!!!!! So here I am, sharing my learnings with the larger community. Feel free to comment! Happy reading.

In this blog I have elaborated the steps involved in performing SAML integration of the most popular SaaS app - Salesforce - with our very own IDaaS solution - ISV SaaS.

Let’s Get the Basics Right


Admin Configuration Steps

  • Log in to the IBM Security Verify (ISV) Admin Console
  • Go to the Applications section and choose Add Applications

  • Search for the Salesforce app by keyword and choose the respective Salesforce app from the options
  • Click Add Applications again

  • On the General page, enter the Hostname; the rest of the fields can be left as-is


  • Choose the Sign-on tab. To enter the ACS URL, we need the Salesforce app's metadata, so now switch to the Salesforce UI



  • Log in as an admin user to your Salesforce account
  • If you are using Salesforce Classic UI, navigate to Setup > Security Controls > Single Sign-On Settings.
    If you are using Salesforce Lightning Experience UI, navigate to Setup > Settings > Identity > Single Sign-On Settings.
  • Select the SAML Enabled check box.
  • Click Save


  • On the same page, click New to set up the SAML-based login service



Specify the following settings:

  • Name – Provide a unique name for the SAML SSO setting. [IBM SSO]
  • Issuer – Provide the value mentioned on the ISV Sign On Page [https://lekhashindhe.verify.ibm.com/saml/sps/saml20ip/saml20]
  • Entity ID – Provide the Salesforce organisation domain URL [https://lekhashindhe-dev-ed.my.salesforce.com]
  • Upload the X.509 identity provider certificate found on the ISV Sign On Page
  • Request Signature Method – RSA-SHA256 
  • SAML Identity Type – Assertion contains the User's Salesforce username
  • SAML Identity Location – Identity is in the NameIdentifier element of the Subject statement.
  • Service Provider Initiated Request Binding – HTTP Redirect
  • Identity Provider Logout URL – Provide the value mentioned on the ISV Sign On Page [https://lekhashindhe.verify.ibm.com/idaas/mtfim/sps/idaas/logout]
  • Click Save
  • Click Download Metadata to download Salesforce metadata


  • Open the metadata file in a browser and locate the AssertionConsumerService tag. It looks like the one highlighted in the picture: [https://d5j00000b7t77eaf-dev-ed.my.salesforce.com]

  • Use the value specified for the Location attribute as the Assertion Consumer Service URL on the Sign-on tab: [https://d5j00000b7t77eaf-dev-ed.my.salesforce.com]
  • Click Save
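
The metadata lookup above, as an added example (not from the original post, IBM or Salesforce): a Python function that reads the downloaded Salesforce metadata and returns the entity ID and Assertion Consumer Service URL to enter in ISV. The sample XML, its hostname and the name `read_sp_metadata` are constructed for illustration; accepting only the HTTP-POST binding and an https Location is an assumption of this example.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

MD = "{urn:oasis:names:tc:SAML:2.0:metadata}"
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
TRUE = ("true", "1")  # both spellings are valid xs:boolean values

# Constructed sample; a real file comes from "Download Metadata" in Salesforce.
SAMPLE_METADATA = """<?xml version="1.0" encoding="UTF-8"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://example-dev-ed.my.salesforce.com">
  <md:SPSSODescriptor AuthnRequestsSigned="true" WantAssertionsSigned="true"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AssertionConsumerService index="0" isDefault="true"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://example-dev-ed.my.salesforce.com"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""


def read_sp_metadata(xml_text):
    """Return the entity ID and ACS URL an IdP admin needs from SP metadata."""
    # SAML metadata needs no DTD; refusing one avoids entity-expansion input.
    if "<!DOCTYPE" in xml_text or "<!ENTITY" in xml_text:
        raise ValueError("DTD/entity declarations are not allowed in metadata")
    root = ET.fromstring(xml_text.encode("utf-8"))
    sp = root.find(MD + "SPSSODescriptor")
    if root.tag != MD + "EntityDescriptor" or sp is None:
        raise ValueError("not SAML 2.0 service provider metadata")
    # Assumption of this example: only the HTTP-POST binding is accepted.
    endpoints = [e for e in sp.findall(MD + "AssertionConsumerService")
                 if e.get("Binding") == HTTP_POST]
    if not endpoints:
        raise ValueError("no HTTP-POST AssertionConsumerService endpoint")
    # Prefer the endpoint flagged isDefault, otherwise the lowest index.
    endpoints.sort(key=lambda e: (e.get("isDefault") not in TRUE,
                                  int(e.get("index", "0"))))
    acs_url = endpoints[0].get("Location", "")
    parts = urlsplit(acs_url)
    if parts.scheme != "https" or not parts.hostname:
        raise ValueError(f"ACS URL must be an https URL, got {acs_url!r}")
    return {
        "entity_id": root.get("entityID"),
        "acs_url": acs_url,
        "want_assertions_signed": sp.get("WantAssertionsSigned") in TRUE,
    }


if __name__ == "__main__":
    print(read_sp_metadata(SAMPLE_METADATA))
```
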


  • Under Entitlement, I chose to assign this app to all users and groups (the choice is totally up to the admin)
  • Click Save



  • To configure the Salesforce login page for single sign-on, perform the following tasks:
  • If you are using Salesforce Classic UI, navigate to Setup > Domain Management > My Domain > Authentication Configuration.
    If you are using Salesforce Lightning Experience UI, navigate to Setup > Settings > Company Settings > My Domain > Authentication Configuration.
  • Click Edit.
  • For the Authentication Service field, select the check box that corresponds to the SAML SSO settings name specified earlier
  • Click Save to save your changes


This completes the configuration. However, ensure you have test users on IBM Security Verify SaaS and the Salesforce console. Using these test user credentials, the following user experience is captured!

End UX - IDP Initiated Flow



End UX - SP Initiated Flow