Set Up Single Sign-On for Your Internal Users | Salesforce | SSO | Axiom


Saturday, 3 February 2018


Single sign-on (SSO) is a session and user authentication service that lets a user present one set of login credentials (for example, a username and password) to access multiple applications. The service authenticates the end user for all the applications the user has been granted access to and eliminates further prompts when the user switches applications during the same session. On the back end, SSO centralizes authentication, which makes logging user activity and monitoring user accounts easier.
Some SSO services use protocols such as Kerberos and the Security Assertion Markup Language (SAML). SAML is an XML standard for exchanging user authentication and authorization data across security domains. A SAML-based SSO flow involves three parties: the user (through a browser), an identity provider (IdP) that maintains a user directory and authenticates the user, and a service provider (SP) that hosts the application. When a user tries to access an application at the service provider, the service provider redirects the user to the identity provider with an authentication request. The identity provider authenticates the user and returns a digitally signed SAML assertion through the user's browser. The service provider verifies the signature against the identity provider's certificate, checks that the assertion was issued to it and is still within its validity window, maps the asserted subject to a local user, and logs the user in. The user is not prompted again for the rest of the session. In a Kerberos-based setup, once the user presents credentials, the Key Distribution Center issues a ticket-granting ticket (TGT). The client then presents the TGT to obtain service tickets for the other applications the user wants to access, without asking the user to re-enter credentials.

Configure Inbound SSO with a Third-Party Identity Provider

Let’s start configuring inbound SSO with a third-party identity provider.

The head of your IT department, Dharmik Patel, tells you to set up Salesforce users with SSO so that they can log in to your Salesforce org with their engineeringway network credentials. Here, we walk you through the steps to set up SSO for engineeringway Tech's new employee, Darshil Patel. You'll set up inbound SSO using the Axiom Heroku web app as the identity provider.

Is this starting to sound difficult? It’s not, really. Let’s break it down into simple steps.
  1. Create a Federation ID for each user.
  2. Set up SSO settings in Salesforce.
  3. Set up Salesforce settings in the SSO provider.
  4. Make sure it all works.

Remember what the prerequisite is for SSO? That’s right, a custom domain. Because you’ve already completed the unit to set up your custom domain, you’re ready to go.

Step 1: Create a Federation ID

When setting up SSO, you use a unique attribute to identify each user. This attribute is the link that associates the Salesforce user with the external identity provider. You can use a username, user ID, or a Federation ID. We’re going to use a Federation ID.

No, a Federation ID isn’t owned by an interstellar shipping organization with nefarious designs. It’s basically a term that the identity industry uses to refer to a unique user ID.
Typically, you assign a Federation ID when setting up a user account. When you set up SSO in your production environment, you can assign the Federation ID for many users at once with tools like the Salesforce Data Loader. For now, let's set up an account for engineeringway Tech's new employee, Darshil Patel.

  1. From Setup, enter Users in the Quick Find box, then select Users.
  2. Click Edit next to Darshil’s name.
  3. Under Single Sign On Information, enter the Federation ID: ceo@engineeringway.com.

Tip: A Federation ID must be unique for each user in an org, which is why an email-style username is a handy choice. If the same person has users in several orgs, give that user the same Federation ID in each org. Whatever value you pick, the identity provider must send exactly that value in the assertion's subject; otherwise Salesforce finds no matching user and the login fails.

Click Save.

Step 2: Set Up Your SSO Provider in Salesforce

Your service provider needs to know about your identity provider and vice versa. In this step, you're on the Salesforce side providing information about the identity provider, in this case, Axiom. In the next step, you give Axiom information about Salesforce.
On the Salesforce side, we configure SAML settings. SAML 2.0 is the protocol that Salesforce Identity uses to implement SSO. Keep in mind that Axiom is a public test identity provider that will sign an assertion for any Federation ID you type into it, so this configuration belongs in a Dev org only. Never leave a Salesforce SSO configuration that trusts the Axiom certificate enabled in a production org.

Tip: You’re going to work in both your Salesforce Dev org and the Axiom app. Keep them open in separate browser windows so that you can copy and paste between the two.

  1. In a new browser window, go to http://axiomsso.herokuapp.com.
  2. Click SAML Identity Provider & Tester.
  3. Click Download the Identity Provider Certificate. You upload this certificate later to your Salesforce org, so remember where you save it.
  4. In your Salesforce org, from Setup, enter Single in the Quick Find box, then select Single Sign-On Settings.
  5. Click Edit.
  6. Select SAML Enabled.
  7. Click Save.
  8. In SAML Single Sign-On Settings:

           1. Click New.
           2. Enter the following values.

      • Name: DemoSSO
      • Issuer: http://axiomsso.herokuapp.com
      • Identity Provider Certificate: Choose the file you downloaded in step 3.
      • Request Signature Method: Select RSA-SHA1. This setting only governs how Salesforce signs the authentication requests it sends to the identity provider in SP-initiated logins; for a production identity provider, choose RSA-SHA256 if it accepts it, because SHA-1 is deprecated for signatures.
      • SAML Identity Type: Select Assertion contains the Federation ID from the User object.
      • SAML Identity Location: Select Identity is in the NameIdentifier element of the Subject statement.
      • Service Provider Initiated Request Binding: Select HTTP Redirect.
      • Entity ID: Enter your My Domain URL, including "https://", for example https://yourdomain.my.salesforce.com. Use the subdomain that you set up in the "Customize Your Login Process with My Domain" unit. Copy it from the browser address bar, without any path after the host name.

Before you click Save, confirm that the settings page matches the values listed above.

Click Save and leave the browser page open.

Step 3: Link Your Identity Provider to Salesforce

Now that you’ve configured Salesforce to know about the identity provider (Axiom), you teach your identity provider about your service provider (Salesforce).

You fill in a few fields in the following Axiom form. Easy peasy. Because you’re supplying Salesforce SSO settings, keep two browser windows open, one for Salesforce and one for Axiom.

  1. Return to the Axiom web app. If you don’t have the app open in a browser window, go to http://axiomsso.herokuapp.com.
  2. Click SAML Identity Provider & Tester.
  3. Click generate a SAML response.
  4. Enter the following values. Leave the other fields as is.
      • SAML Version: 2.0
      • Username or Federated ID: ceo@engineeringway.com
      • Issuer: http://axiomsso.herokuapp.com
      • Recipient URL: Get the URL from the Salesforce SAML Single Sign-On Settings page. Don't see it? It's at the bottom, labeled Salesforce Login URL. Copy it exactly; Salesforce rejects an assertion whose Recipient doesn't match this URL.
      • Entity Id: The Entity ID from the Salesforce SAML Single Sign-On Settings page.

When you're finished, the Axiom settings page should show exactly the values you copied from Salesforce.

Step 4: Make Sure It All Works

OK, now that everything’s all configured, let’s make sure that it works. A successful login will be the complete proof.
  1. In the Axiom settings browser window, click Request SAML Response. (It’s way down at the bottom.)
  2. Axiom generates the SAML assertion in XML. Does it look like language used by a robot communicating with desert outpost moisture evaporators? Look again. You can see that it doesn't look all that bad. To get to the interesting information, scroll through the XML: the Issuer, the NameID inside the Subject, the Audience, and the Recipient should match exactly what you entered in Steps 2 and 3.

Click Login.

If everything's OK, you're logged in as Darshil at your Salesforce home page. The Axiom application logs you in to your Salesforce org as the user with the assigned Federation ID.
If the login fails instead, copy the XML that Axiom generated and paste it into the SAML Assertion Validator on the Salesforce Single Sign-On Settings page; it reports which check (issuer, recipient, audience, timestamps, or an unmatched Federation ID) rejected the assertion.
Congratulations! You just configured Salesforce SSO for your users who are accessing Salesforce from another app.
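To see what Salesforce actually does with the assertion Axiom generated in Step 4 once it arrives at the Salesforce Login URL, here is an added example (not Salesforce, Axiom, or Trailhead code) that parses a constructed SAML response shaped like Axiom's output and applies the service-provider checks behind the Step 2 and Step 3 settings: the Issuer, the Audience (your Entity ID), the Recipient (the Salesforce Login URL), the validity window, and the NameID that Salesforce looks up as the Federation ID. It also shows how the same response is rejected when the audience is wrong or the assertion has expired. The My Domain host and the ?so= org ID in the URLs are placeholders. XML signature verification is deliberately left out: Salesforce performs it with the certificate you uploaded, and any real service provider must do it before trusting anything else in the document.

```python
"""Service-provider-side checks on a SAML 2.0 Response (added example; not
Salesforce, Axiom or Trailhead code). Signature verification is out of scope:
Salesforce does it with the uploaded IdP certificate, and a real SP must do it first."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
STATUS_SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"

# Values from the tutorial's Salesforce SAML settings (Step 2). The My Domain
# host and the ?so= org ID in the login URL are placeholders, not real values.
SP_ISSUER = "http://axiomsso.herokuapp.com"
SP_ENTITY_ID = "https://engineeringway-dev-ed.my.salesforce.com"
SP_LOGIN_URL = "https://engineeringway-dev-ed.my.salesforce.com?so=00D000000000000"

# Fixed clock values so the example behaves the same offline.
DEMO_NOW = datetime(2018, 2, 3, 10, 1, tzinfo=timezone.utc)
EXPIRED_NOW = DEMO_NOW + timedelta(hours=1)


def sample_response(issuer=SP_ISSUER, audience=SP_ENTITY_ID,
                    recipient=SP_LOGIN_URL, name_id="ceo@engineeringway.com"):
    """Constructed, unsigned Response in the shape Axiom shows in Step 4."""
    return f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
    ID="_r1" Version="2.0" IssueInstant="2018-02-03T10:00:00Z" Destination="{recipient}">
  <saml:Issuer>{issuer}</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="{STATUS_SUCCESS}"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2018-02-03T10:00:00Z">
    <saml:Issuer>{issuer}</saml:Issuer>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">{name_id}</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData Recipient="{recipient}" NotOnOrAfter="2018-02-03T10:05:00Z"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions NotBefore="2018-02-03T09:59:00Z" NotOnOrAfter="2018-02-03T10:05:00Z">
      <saml:AudienceRestriction><saml:Audience>{audience}</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""


@dataclass
class Verdict:
    accepted: bool
    reason: str
    federation_id: Optional[str] = None


def _ts(value: str) -> datetime:
    """SAML timestamps are UTC ISO 8601 with a trailing Z."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def validate_response(xml_text: str, now: datetime,
                      skew: timedelta = timedelta(0)) -> Verdict:
    """Apply the checks behind the Step 2/3 settings; on success return the
    NameID that Salesforce looks up as the user's Federation ID."""
    root = ET.fromstring(xml_text)
    status = root.find("samlp:Status/samlp:StatusCode", NS)
    if status is None or status.get("Value") != STATUS_SUCCESS:
        return Verdict(False, "IdP did not report Success")
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return Verdict(False, "no plaintext Assertion (encrypted assertions not handled)")
    # Issuer (Step 2) must match on both the Response and the Assertion.
    for node in (root.find("saml:Issuer", NS), assertion.find("saml:Issuer", NS)):
        if node is None or (node.text or "").strip() != SP_ISSUER:
            return Verdict(False, "Issuer does not match the configured identity provider")
    # Audience must name our Entity ID (Step 2); otherwise an assertion minted
    # for a different service provider could be replayed against this org.
    audiences = [a.text.strip() for a in assertion.findall(
        "saml:Conditions/saml:AudienceRestriction/saml:Audience", NS) if a.text]
    if SP_ENTITY_ID not in audiences:
        return Verdict(False, f"Audience {audiences} does not include {SP_ENTITY_ID}")
    # Validity window from Conditions, with an optional clock-skew allowance.
    cond = assertion.find("saml:Conditions", NS)
    not_before, not_after = (cond.get("NotBefore"), cond.get("NotOnOrAfter")) if cond is not None else (None, None)
    if not_before and now + skew < _ts(not_before):
        return Verdict(False, "Assertion is not yet valid")
    if not_after and now - skew >= _ts(not_after):
        return Verdict(False, "Assertion has expired")
    # Bearer confirmation must be addressed to our login URL (Recipient URL, Step 3).
    scd = assertion.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd is None or scd.get("Recipient") != SP_LOGIN_URL:
        return Verdict(False, "Recipient does not match the Salesforce Login URL")
    # Identity is in the NameID of the Subject (SAML Identity Location, Step 2);
    # Salesforce matches it against the Federation ID set in Step 1.
    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    federation_id = (name_id.text or "").strip() if name_id is not None else ""
    return Verdict(True, "ok", federation_id) if federation_id else Verdict(False, "Subject has no NameID")


if __name__ == "__main__":
    print(validate_response(sample_response(), DEMO_NOW))
    print(validate_response(sample_response(), EXPIRED_NOW))
```

Run it as a script to see the accepted verdict for the well-formed response and the "Assertion has expired" rejection for the same response evaluated an hour later. Each rejection reason maps to one of the fields you entered in Steps 2 and 3, which is the same set of mismatches the SAML Assertion Validator in Salesforce reports.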
