To enable SSO to Salesforce using SAML, you will need to configure both Salesforce and OpenIAM. The following section describes how to configure both.
Configure IDP in OpenIAM
The OpenIAM IdP must be configured to support the service provider. The step below describe this process.
- Login to the OpenIAM Webconsole
- Go to Access Control -> Authentication Provider -> Create new Provider
Add service to OpenIAM (IDP)from the dropdown.
- Complete the form as described in the table below
|Provider Name||Descriptive name that will help you identify this integration; ie. |
|Application URL||Refers to your Salesforce tenant |
|Linked to Managed System||OpenIAM allows you to have a different identity for each application. This configuration indicates which identity should be used for this integration with Salesforce. If you are using OpenIAM to also manage the user life cycle in Salesforce, then you should select the 'Salesforce Managed System'.|
|Audiences||Your Salesforce domain URLs. As example |
|Assertion Consumer URL||Endpoint on the service provider where the IdP will "POST" its authentication response. Take this value from Saleforce SSO configuration - Salesforce Login URL. As example: |
|Request Issuer||This is the URL of your service provider. As example: |
|SAML Signed Requests||Enable this checkbox as its signs your requests.|
|Digest Algorithm||The SAML digest algorithm is part of the validation process to ensure the integrity of the request. Select |
|Signature Algorithm||Select |
|Sign Assertions||Enable this checkbox|
|Public key for signing signatures||Generate certificate and save it to upload it in Saleforce SSO configuration|
|SLO Binding||Defines how the Single logout request should be exchanged. Select |
|Relay state strategy||URL that users will be directed to after a successful authentication using SAML. Select |
1) To configure the Salesforce go to the Salesforce SSO Screen: https://na14.salesforce.com/_ui/identity/saml/SingleSignOnSettingsUi/d?retURL=%2Fui%2Fsetup%2FSetup%3Fsetupid%3DSecurity&setupid=SingleSignOn 2) Login using your credentials 3) Click Edit and populate the screen with the below values. Your base domain may be different. Upload certificate that you downloaded from idp by clicking 'Identity Provider Certificate'. Save configuration.
With the IdP / SP configuration are completed, return the SAML configuration page and follow the steps to "Grant access to your application". Go in Seflservice->My Applications find Salesforce and click on it, you should be redirected to a salesforce home page.
On Salesforce configuration SSO page click 'SAML assertion validator'. There you can see the latest SAML Response and its results of validation, it can help to troubleshoot if needed.