Salesforce.com
To enable SSO to Salesforce using SAML, you will need to configure both Salesforce and OpenIAM. The following section describes how to configure both.
Configure OpenIAM Authentication provider
The OpenIAM IdP must be configured to support the service provider. The steps below describe this process.
- Login to the OpenIAM Webconsole
- Go to Access Control -> Authentication Provider -> Create new Provider
- Select "Add service to OpenIAM (IDP)" from the dropdown.
- Complete the form as described in the table below
Field Name | Description |
---|---|
Provider Name | Descriptive name that will help you identify this integration; i.e. Salesforce |
Application URL | Refers to your Salesforce tenant: https://[your Salesforce domain].salesforce.com. For example: https://openiam-dev-ed.my.salesforce.com |
Linked to Managed System | OpenIAM allows you to have a different identity for each application. This configuration indicates which identity should be used for this integration with Salesforce. If you are using OpenIAM to also manage the user life cycle in Salesforce, then you should select the 'Salesforce Managed System'. |
Audiences | Your Salesforce domain URLs. As example https://saml.salesforce.com,https://openiam-dev-ed.my.salesforce.com |
Assertion Consumer URL | Endpoint on the service provider where the IdP will "POST" its authentication response. Take this value from the Salesforce SSO configuration (Salesforce Login URL). For example: https://login.salesforce.com/?saml=02HKiPoin4VAtAjJ4WkzLqDMx3P6Fy__Fg9HQb0qdVSInEW.lzhytJaeSb |
Request Issuer | This is the URL of your service provider. As example: https://openiam-dev-ed.my.salesforce.com |
SAML Signed Requests | Enable this checkbox so that the requests sent to the service provider are signed. |
Digest Algorithm | The SAML digest algorithm is part of the validation process to ensure the integrity of the request. Select SHA-256 from the dropdown |
Signature Algorithm | Select http://www.w3.org/2001/04/xmldsig-more#rsa-sha256 from the dropdown. |
Sign Assertions | Enable this checkbox |
Public key for signing signatures | Generate a certificate in OpenIAM (using the 'Generate a new key' link), press the 'Download Signing Public Key' button and upload the downloaded key in the Salesforce SSO configuration. |
SLO Binding | Defines how the Single logout request should be exchanged. Select POST |
Relay state strategy | URL that users will be directed to after a successful authentication using SAML. Select Default Relay State Strategy |
Configure Salesforce
1) To configure Salesforce, go to the Salesforce SSO screen: https://na14.salesforce.com/_ui/identity/saml/SingleSignOnSettingsUi/d?retURL=%2Fui%2Fsetup%2FSetup%3Fsetupid%3DSecurity&setupid=SingleSignOn
2) Login using your credentials
3) Click Edit and populate the screen with the values below. Your base domain may be different. Upload the certificate that you downloaded from the IdP by clicking 'Identity Provider Certificate'. Save the configuration.
Configure SSO
Once the IdP and SP configuration is complete, return to the SAML configuration page and follow the steps to "Grant access to your application". Then go to Selfservice -> My Applications, find Salesforce and click on it; you should be redirected to the Salesforce home page.
Validation
On the Salesforce SSO configuration page, click 'SAML assertion validator'. There you can see the latest SAML Response and the results of its validation, which helps with troubleshooting if needed.
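When the assertion validator reports a failure, the cause is usually one of the fields from the provider table above (Assertion Consumer URL, Audiences, Request Issuer, signature and digest algorithms) rather than the signature itself. The script below is an added example, not OpenIAM or Salesforce code: it parses a constructed SAML Response and checks those configuration-level fields against the expected values, so a mismatch can be spotted before digging into signature errors. It does not verify the XML signature cryptographically; the tenant name, IdP entity id and the `saml=` query value are hypothetical placeholders.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

# Namespaces used in a SAML 2.0 Response
NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Expected values mirroring the IdP form above. Tenant name, IdP entity id and
# the saml= query value are hypothetical placeholders, not real identifiers.
EXPECTED = {
    "acs_url": "https://login.salesforce.com/?saml=PLACEHOLDER",   # Assertion Consumer URL
    "audiences": {"https://saml.salesforce.com",                    # Audiences
                  "https://example-dev-ed.my.salesforce.com"},
    "idp_issuer": "https://idp.example.com/idp",                     # IdP entity id (hypothetical)
    "signature_algorithm": "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256",  # Signature Algorithm
    "digest_algorithm": "http://www.w3.org/2001/04/xmlenc#sha256",   # Digest Algorithm SHA-256
}

# Constructed, minimal SAML Response; signature and digest values are placeholders.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
  ID="_r1" Version="2.0" Destination="https://login.salesforce.com/?saml=PLACEHOLDER">
  <saml:Issuer>https://idp.example.com/idp</saml:Issuer>
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:Issuer>https://idp.example.com/idp</saml:Issuer>
    <ds:Signature><ds:SignedInfo>
      <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
      <ds:Reference URI="#_a1">
        <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
        <ds:DigestValue>PLACEHOLDER</ds:DigestValue>
      </ds:Reference>
    </ds:SignedInfo><ds:SignatureValue>PLACEHOLDER</ds:SignatureValue></ds:Signature>
    <saml:Conditions NotBefore="2024-01-01T00:00:00Z" NotOnOrAfter="2024-01-01T00:05:00Z">
      <saml:AudienceRestriction>
        <saml:Audience>https://saml.salesforce.com</saml:Audience>
      </saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""


def _parse_ts(value):
    """Parse the UTC timestamps SAML uses, e.g. 2024-01-01T00:00:00Z."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def check_response(xml_text, expected=EXPECTED, now_iso=None):
    """Return a list of findings; an empty list means every configuration check passed."""
    now = _parse_ts(now_iso) if now_iso else datetime.now(timezone.utc)
    findings = []
    root = ET.fromstring(xml_text)

    # 1. Destination must equal the Assertion Consumer URL configured on the IdP.
    dest = root.get("Destination")
    if dest != expected["acs_url"]:
        findings.append(f"Destination {dest!r} does not match the Assertion Consumer URL")

    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return findings + ["no Assertion element in the Response"]

    # 2. The assertion's Issuer must be the IdP the SP trusts.
    issuer = assertion.findtext("saml:Issuer", default="", namespaces=NS)
    if issuer != expected["idp_issuer"]:
        findings.append(f"unexpected Issuer {issuer!r}")

    # 3. 'Sign Assertions' must produce a signature using the configured algorithms,
    #    and its Reference must point at this assertion (not some other element).
    sig = assertion.find("ds:Signature", NS)
    if sig is None:
        findings.append("assertion is not signed")
    else:
        sm = sig.find("ds:SignedInfo/ds:SignatureMethod", NS)
        if sm is None or sm.get("Algorithm") != expected["signature_algorithm"]:
            findings.append("SignatureMethod is not rsa-sha256")
        ref = sig.find("ds:SignedInfo/ds:Reference", NS)
        dm = None if ref is None else ref.find("ds:DigestMethod", NS)
        if dm is None or dm.get("Algorithm") != expected["digest_algorithm"]:
            findings.append("DigestMethod is not sha256")
        if ref is None or ref.get("URI") != "#" + assertion.get("ID", ""):
            findings.append("signature Reference does not point at the assertion")

    # 4. At least one Audience must be in the configured Audiences list.
    audiences = {a.text.strip() for a in assertion.findall(
        "saml:Conditions/saml:AudienceRestriction/saml:Audience", NS) if a.text}
    if not audiences & expected["audiences"]:
        findings.append(f"no acceptable Audience in {sorted(audiences)}")

    # 5. The assertion must be inside its validity window.
    cond = assertion.find("saml:Conditions", NS)
    if cond is not None:
        if cond.get("NotBefore") and now < _parse_ts(cond.get("NotBefore")):
            findings.append("assertion not yet valid")
        if cond.get("NotOnOrAfter") and now >= _parse_ts(cond.get("NotOnOrAfter")):
            findings.append("assertion expired")
    return findings


if __name__ == "__main__":
    for f in check_response(SAMPLE_RESPONSE, now_iso="2024-01-01T00:01:00Z") or ["all checks passed"]:
        print(f)
```

To use it against a real response, paste the XML shown by the assertion validator into `xml_text` and replace the placeholder values in `EXPECTED` with the ones you entered in the provider form; each finding names the form field that needs attention.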