Salesforce.com

To enable SSO to Salesforce using SAML, you will need to configure both Salesforce and OpenIAM. The following section describes how to configure both.

Configure OpenIAM Authentication provider

The OpenIAM IdP must be configured to support the service provider. The steps below describe this process.

  • Log in to the OpenIAM Webconsole
  • Go to Access Control -> Authentication Provider -> Create new Provider
  • Select Add service to OpenIAM (IDP) from the dropdown.
  • Complete the form as described in the table below

| Field Name | Description |
|---|---|
| Provider Name | Descriptive name that will help you identify this integration, e.g. Salesforce |
| Application URL | Refers to your Salesforce tenant: https://[your Salesforce domain].salesforce.com. For example: https://openiam-dev-ed.my.salesforce.com |
| Linked to Managed System | OpenIAM allows you to have a different identity for each application. This setting indicates which identity should be used for this integration with Salesforce. If you are also using OpenIAM to manage the user life cycle in Salesforce, select the 'Salesforce Managed System'. |
| Audiences | Your Salesforce domain URLs. For example: https://saml.salesforce.com,https://openiam-dev-ed.my.salesforce.com |
| Assertion Consumer URL | Endpoint on the service provider where the IdP will "POST" its authentication response. Take this value from the Salesforce SSO configuration (Salesforce Login URL). For example: https://login.salesforce.com/?saml=02HKiPoin4VAtAjJ4WkzLqDMx3P6Fy__Fg9HQb0qdVSInEW.lzhytJaeSb |
| Request Issuer | This is the URL of your service provider. For example: https://openiam-dev-ed.my.salesforce.com |
| SAML Signed Requests | Enable this checkbox so that your requests are signed. |
| Digest Algorithm | The SAML digest algorithm is part of the validation process that ensures the integrity of the request. Select SHA-256 from the dropdown. |
| Signature Algorithm | Select http://www.w3.org/2001/04/xmldsig-more#rsa-sha256 from the dropdown. |
| Sign Assertions | Enable this checkbox. |
| Public key for signing signatures | Generate a certificate in OpenIAM (using the link 'Generate a new key'), press the 'Download Signing Public Key' button, and upload the downloaded key in the Salesforce SSO configuration. |
| SLO Binding | Defines how the Single Logout request should be exchanged. Select POST. |
| Relay state strategy | URL that users will be directed to after a successful authentication using SAML. Select Default Relay State Strategy. |

OpenIAM IDP configuration

Configure Salesforce

1) To configure Salesforce, go to the Salesforce SSO screen: https://na14.salesforce.com/_ui/identity/saml/SingleSignOnSettingsUi/d?retURL=%2Fui%2Fsetup%2FSetup%3Fsetupid%3DSecurity&setupid=SingleSignOn
2) Log in using your credentials.
3) Click Edit and populate the screen with the values below. Your base domain may be different. Upload the certificate that you downloaded from the IdP by clicking 'Identity Provider Certificate'. Save the configuration.

Salesforce SSO configuration

Configure SSO

With the IdP / SP configuration completed, return to the SAML configuration page and follow the steps to "Grant access to your application". Then go to Selfservice -> My Applications, find Salesforce and click on it. You should be redirected to the Salesforce home page.

Validation

On the Salesforce SSO configuration page, click 'SAML assertion validator'. There you can see the latest SAML Response and its validation results, which helps with troubleshooting if needed.
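
To compare a captured SAMLResponse against the settings in the table above before turning to the Salesforce validator, the following added example (not OpenIAM or Salesforce code) checks Destination, Audience, assertion signing and the two algorithms. The function names and the sample response builder are assumptions made for this illustration, and the expected values are the table's example values.

```python
import base64
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
# Expected values copied from the table's examples; substitute your tenant's.
AUDIENCES = {"https://saml.salesforce.com", "https://openiam-dev-ed.my.salesforce.com"}
SIG_ALG = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"
DIGEST_ALG = "http://www.w3.org/2001/04/xmlenc#sha256"

def check_response(b64_response, acs_url):
    """Return mismatches between a base64 SAMLResponse and the IdP settings.
    Structural lint only: it does NOT verify the XML signature.
    Use on responses you captured yourself; ElementTree is not hardened."""
    root = ET.fromstring(base64.b64decode(b64_response))
    problems = []
    if root.get("Destination") != acs_url:
        problems.append("Destination does not match Assertion Consumer URL")
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return problems + ["no Assertion element"]
    sig = assertion.find("ds:Signature", NS)  # present when 'Sign Assertions' is on
    if sig is None:
        problems.append("Assertion is not signed")
    else:
        sm = sig.find("ds:SignedInfo/ds:SignatureMethod", NS)
        dm = sig.find("ds:SignedInfo/ds:Reference/ds:DigestMethod", NS)
        if sm is None or sm.get("Algorithm") != SIG_ALG:
            problems.append("Signature Algorithm is not rsa-sha256")
        if dm is None or dm.get("Algorithm") != DIGEST_ALG:
            problems.append("Digest Algorithm is not SHA-256")
    auds = {a.text.strip() for a in assertion.iterfind(".//saml:Audience", NS) if a.text}
    if not auds & AUDIENCES:
        problems.append("Audience not in configured Audiences")
    return problems

def build_sample(sig_alg, audience, acs_url):
    """Constructed skeleton response (no real signature value) for the demo."""
    xml = (
        f'<samlp:Response xmlns:samlp="{NS["samlp"]}" xmlns:saml="{NS["saml"]}" '
        f'xmlns:ds="{NS["ds"]}" Destination="{acs_url}"><saml:Assertion>'
        f'<ds:Signature><ds:SignedInfo><ds:SignatureMethod Algorithm="{sig_alg}"/>'
        f'<ds:Reference><ds:DigestMethod Algorithm="{DIGEST_ALG}"/></ds:Reference>'
        f'</ds:SignedInfo></ds:Signature><saml:Conditions><saml:AudienceRestriction>'
        f'<saml:Audience>{audience}</saml:Audience></saml:AudienceRestriction>'
        f'</saml:Conditions></saml:Assertion></samlp:Response>'
    )
    return base64.b64encode(xml.encode()).decode()
```

Pass the base64 value of the SAMLResponse form field and your own Assertion Consumer URL to `check_response`; an empty list means the response is structurally consistent with the table.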