By Priyanka Kumar
Single Sign-On (SSO) is a feature that connects multiple applications through one password. It makes life simple, by eliminating the need to remember multiple passwords, and allows you to log in once and access many systems.
The Terminology of Single Sign-On:
Here, we will be focusing on SAML-based Single Sign-On. There are a few basic terms to remember for Single Sign-On:
- Security Assertion Markup Language (SAML): A language specification for federated authentication.
- Identity Provider (IdP): The authentication server.
- Service Provider (SP): An accessible business application.
There will be one Identity Provider and many Service Providers. Identity Providers will authenticate all Service Providers.
Salesforce Single Sign-On Support:
• Salesforce can be the Identity Provider, accessing other applications.
• Salesforce can also be Service Provider, accessed from another authentication server.
SAML Assertion is in XML format, and it’s sent by Identity Providers. SP validates the IdP using this assertion.
SAML assertion requests mainly have the following components:
• The Identity Provider’s digital signature.
• Issuer: The name of the Identity Provider.
• Entity Id: The name of the Service Provider. Generally a URL format. (Example – https://saml.salesforce.com)
• The Subject: The user ID or the Federation ID.
IdP Initiated Single Sign-On:
IdP provides a digital certificate which is then uploaded to a Service Provider.
The user then tries to login to IdP. IdP will send SAML Assertion in request to the proper Salesforce instance (SP). SAML assertion is validated in SP, and If it’s valid, the user gets logged into SP.
Service Provider Initiated Single Sign-On:
In this case, the user has SP URL link, and tries to log into SP. SP redirects to IdP for proper authentication. If authenticated, the user is redirected to the link which was requested.
Here, Salesforce is the SP and the IdP can be any external system which will be used to provide authentication. The SAML request is initiated by Salesforce.
When the user tries to login to their domain URL in SP, they’ll be redirected to IdP.
In the IdP, the user enters the login credentials of this specific IdP. If this step is successful, the user is redirected to their SP. In this case, Salesforce.
Step By Step Configuration of Single Sign-On:
In the example below, one Salesforce instance acts as IdP, and another acts as SP. This also goes for any Salesforce instance, as it can be flexible with its role.
Identity Provider Salesforce Instance Configuration
To configure, follow the process step-by-step:
- Register your domain. From Setup, go to Domain Management then select My Domain to check if your domain is available. If it is, click on Register Domain.
- Once your domain is registered, go to Security Controls then Identity Provider under the Setup menu. Click Enable Identity Provider. This will enable your org as Salesforce IdP.
- A self-signed certificate will be generated by Salesforce, click on Save.
- You will see a screen like the one below after step three completes:
Screen 1: IdP Configuration
- Click on the Download Certificate button as shown in the image above. This certificate will be uploaded to the Service Provider (SP) later, and provides the authentication that tells which Identity Provider the request is coming from.
- Notice the Issuer in the above screen. This is the domain URL of the Identity Provider which we will be using later.
- Notice the Connected App in the Service Provider section in the above image. We can configure it with all the service providers, which need to be accessed from IdP. For each service provider, we need to create a separate app. We will come back to it later after configuring Service Provider (SP).
Service Provider Salesforce Instance Configuration:
Login to the Salesforce Instance, which acts as the Service Provider.
Follow the steps below :
- Go to Security Controls then Single Sign On-Settings under Setup. Click Edit, and select the SAML Enabled check box.
- Click on New. The user will be asked to fill in these parameters:
– Name: Any name of your choice.
– Issuer: It will be the domain URL of the Identity Provider as described in Step six of the IdP configuration.
– Identity Provider Certificate: Upload the certificate downloaded from IdP.
– Entity Id: URL used to identify Salesforce, e.g. https://saml.salesforce.com
– SAML Identity Type: It can be the username or the Federation ID on the user object.
– IdP Initiated Login URL: This URL will be provided by the Connected App, which we will configure in the Identity Provider later.
You will see something like the screen below after you click Save. Note that a Salesforce Login URL is generated here by Salesforce, which we will be using later.
Screen 2: SP Configuration
Connected App Configuration in Identity Provider:
Earlier, we saw that we need to configure apps for each Service Provider.
- Go to your Identity Provider Salesforce Instance. Click on Setup and then Apps. Go to Connected Apps and click New.
Enter the information below:
– Connected App Name: Can be any name.
– Contact Email: This email can be your email or any support team email used for contacting you.
– Enable SAML: Check this checkbox under Web App Settings.
– Entity Id: URL used to identify Salesforce, e.g. https://saml.salesforce.com. It should be the same as what was entered in Service Provider.
– ACS URL: It is the login URL from the Service Provider as shown in Screen two.
Hit Save, then click on the Manage button, you will see a screen like the one below:
Screen 3: Connected App Configuration
Here, under Manage Profiles, you need to add those profiles which will be able to access this app.
Also, the IdP Initiated Login URL needs to be copied to the Service Provider Configuration shown in Screen two.
IdP initiated Single Sign On:
The user will login to the IdP URL, provide a username and password of the IdP, and will be redirected to the SP. For this, the SP user needs to identify the user of the IdP.
You can do this by following the below steps:
- Copy one of the usernames of the users from IdP and provide it in the Federation ID field of the user you want to relate in the Service Provider.
- Login to the IdP using the IdP initiated Login URL. In this example it is: https://pkumar-dev-ed.my.salesforce.com/idp/login?app=0sp28000000Gmzd
- After you hit this URL, the login page will appear, enter your username and password for the IdP. You will then be redirected to the Service Provider.
Following the steps mentioned above, the user hits the IdP URL, will give credentials of the IdP, but will then be redirected to SP. This will lead to ease of use, as the user can use a single username and password while also reducing the administrative costs by decreasing the number of support requests.