With SSO, the application or website the user is trying to access relies on a trusted third party to verify that the user has authenticated.
Here the application or website the user is trying to access is called the Service Provider (SP), and the third party that performs the authentication is called the Identity Provider (IdP).
Example: in most projects Salesforce is the Service Provider, while Microsoft's Active Directory is the Identity Provider.
The following steps are required to set up SSO:
Step 1: Enable My Domain in Salesforce
The first step is to enable “My Domain” in Salesforce. This gives your Salesforce instance a unique name. It may take up to 24 hours to activate. Your domain name must be unique and not already in use by someone else.
Step 2: Get the Identity Provider certificate
In this step we obtain a certificate from the IdP. Salesforce uses this certificate to verify the signature on every SAML response the IdP sends, so a response that was not signed with the IdP's private key is rejected. This is what stops an unauthorized party from forging an assertion and logging in to the Service Provider (in our case Salesforce).
You can download the certificate from the Axiom application. Axiom is a public test IdP used here only for the walkthrough; in a production setup, upload the certificate of your real IdP instead.
Step 3: Enable Single Sign-On in Salesforce
Navigate to “Setup | Security Controls | Single Sign-On Settings” and check the “SAML Enabled” option.
Step 4: Configure Single Sign-On
Once SAML is enabled, a new section appears on the same page for creating “SAML Single Sign-On Settings”.
Click the New button and provide the following information:
- Name – any name will work (Identity Connect)
- API Name – any valid API name (Identity_Connect)
- Issuer – any string, but the IdP must send exactly the same value in the Issuer element of its responses or Salesforce will reject them (AXIOM in this walkthrough)
- Identity Provider Certificate – upload the certificate downloaded in Step 2
- Entity Id – “https://saml.salesforce.com”
- SAML Identity Type – Assertion contains the Federation ID from the User object
- SAML Identity Location – Identity is in the NameIdentifier element of the Subject statement
- Identity Provider Login URL – “http://axiomsso.herokuapp.com/RequestSamlResponse.action” (this URL must be publicly accessible on the Internet)
- Service Provider Initiated Request Binding – HTTP POST
Save the settings; the “Salesforce Login URL” that appears after saving is needed in the next step.
Step 5: Generate a SAML Response from Axiom
Navigate to the Identity Provider Login URL from Step 4 (the Axiom application) and click the “generate a SAML Response” link.
Enter the following details on the next screen:
- SAML Version – 2.0
- Username OR Federated ID – Once SAML is enabled, a new field, “Federation ID”, is created on the user record. This field is used to match the subject of the IdP's assertion to a Salesforce user, so the value entered here must match that user's Federation ID exactly. In my case I provided the employee number 123456. Note that this is not in email format.
- User ID Location – Subject
- Issuer – the exact Issuer string entered in Step 4 while configuring SSO. In our case it is AXIOM
- Recipient URL – the “Salesforce Login URL” that becomes visible once the SSO settings from Step 4 are saved. You can see it in Image 2 above.
- Entity Id – https://saml.salesforce.com
- SSO Start Page – http://axiomsso.herokuapp.com/RequestSamlResponse.action
- User Type – Standard
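To show how the Step 4 settings and the Step 5 form fit together, here is an added example (not code from the original post, from Salesforce or from Axiom) that builds the unsigned SAML 2.0 Response an Axiom-style test IdP produces from the Step 5 values, then checks it the way the Step 4 settings imply: Issuer must match, the Audience must equal the Entity Id, the Recipient must equal the Salesforce Login URL, the assertion must be inside its validity window, and the Federation ID is read from the NameID in the Subject. The login URL is an assumed placeholder, and the XML signature that Salesforce verifies with the certificate uploaded in Step 2 is deliberately left out, so this demonstrates only the field checks, not the cryptographic one.

```python
"""Added example: IdP-side SAML Response construction and SP-side field checks.
Not from the original post; the login URL is an assumed placeholder and no
XML-Signature handling is included."""
import datetime as dt
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
TIME_FMT = "%Y-%m-%dT%H:%M:%SZ"

# Mirrors the Step 4 settings. "login_url" stands in for the "Salesforce Login URL"
# shown after saving; its value here is an assumed placeholder, not a real org URL.
SP_SETTINGS = {
    "issuer": "AXIOM",
    "entity_id": "https://saml.salesforce.com",
    "login_url": "https://login.salesforce.com/?saml=EXAMPLE",
}

# Fixed clock so the example is reproducible offline.
FIXED_NOW = dt.datetime(2024, 1, 1, 12, 0, 0, tzinfo=dt.timezone.utc)


def build_response(issuer, recipient, audience, federation_id, now, lifetime_min=5):
    """IdP side: the unsigned Response a test IdP emits from the Step 5 form values.
    The Federation ID goes into NameID, which is where 'SAML Identity Location =
    NameIdentifier element of the Subject statement' tells Salesforce to look."""
    not_before = now.strftime(TIME_FMT)
    not_after = (now + dt.timedelta(minutes=lifetime_min)).strftime(TIME_FMT)
    return f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
    Version="2.0" ID="_resp1" IssueInstant="{not_before}" Destination="{recipient}">
  <saml:Issuer>{issuer}</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion Version="2.0" ID="_asrt1" IssueInstant="{not_before}">
    <saml:Issuer>{issuer}</saml:Issuer>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">{federation_id}</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData Recipient="{recipient}" NotOnOrAfter="{not_after}"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions NotBefore="{not_before}" NotOnOrAfter="{not_after}">
      <saml:AudienceRestriction><saml:Audience>{audience}</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""


def _parse_time(value):
    return dt.datetime.strptime(value, TIME_FMT).replace(tzinfo=dt.timezone.utc)


def validate_response(xml_text, settings, now):
    """SP side: the checks implied by the Step 4 settings.
    Returns (ok, reason, federation_id). The signature check that Salesforce
    performs with the uploaded IdP certificate is NOT implemented here; without
    it, none of these field checks would stop a forged assertion."""
    root = ET.fromstring(xml_text)
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return False, "no Assertion element", None
    issuer = assertion.findtext("saml:Issuer", default="", namespaces=NS)
    if issuer != settings["issuer"]:
        return False, f"issuer mismatch: got {issuer!r}", None
    audience = assertion.findtext(
        "saml:Conditions/saml:AudienceRestriction/saml:Audience", default="", namespaces=NS)
    if audience != settings["entity_id"]:
        return False, f"audience mismatch: got {audience!r}", None
    scd = assertion.find(
        "saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd is None or scd.get("Recipient") != settings["login_url"]:
        return False, "recipient does not match the Salesforce Login URL", None
    conditions = assertion.find("saml:Conditions", NS)
    if conditions is None or not conditions.get("NotBefore") or not conditions.get("NotOnOrAfter"):
        return False, "missing validity window", None
    not_before = _parse_time(conditions.get("NotBefore"))
    # The tighter of the Conditions and SubjectConfirmationData deadlines applies.
    not_after = min(_parse_time(conditions.get("NotOnOrAfter")),
                    _parse_time(scd.get("NotOnOrAfter")))
    if not (not_before <= now < not_after):
        return False, "assertion outside its validity window", None
    federation_id = assertion.findtext("saml:Subject/saml:NameID", default="", namespaces=NS)
    if not federation_id:
        return False, "no NameID in Subject", None
    return True, "ok", federation_id


def demo():
    """Three exchanges: the Step 5 values accepted, a wrong Issuer rejected,
    and the same response replayed after it expired rejected."""
    good = build_response("AXIOM", SP_SETTINGS["login_url"],
                          SP_SETTINGS["entity_id"], "123456", FIXED_NOW)
    wrong_issuer = build_response("Active_Directory", SP_SETTINGS["login_url"],
                                  SP_SETTINGS["entity_id"], "123456", FIXED_NOW)
    return {
        "accepted": validate_response(good, SP_SETTINGS, FIXED_NOW),
        "wrong_issuer": validate_response(wrong_issuer, SP_SETTINGS, FIXED_NOW),
        "replayed": validate_response(good, SP_SETTINGS, FIXED_NOW + dt.timedelta(minutes=10)),
    }


if __name__ == "__main__":
    for name, (ok, reason, fid) in demo().items():
        print(f"{name}: ok={ok} reason={reason} federation_id={fid}")
```

The wrong-issuer case is the mistake the two Issuer fields above are most likely to produce: Salesforce compares the string byte for byte, so a value that differs from the Step 4 setting in case or spelling is rejected even when everything else is correct. The replay case shows why the validity window matters; a captured response cannot be resubmitted once NotOnOrAfter has passed.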