Configure Single Sign-On for Internal Users (Salesforce)

Learning objectives

After completing this module, you will be able to:

  • Create a federation ID.
  • Configure single sign-on with an external identity provider.
  • Get familiar with tools for troubleshooting SAML requests.

Single sign-on

With a custom domain and login page, employees can log in to your Salesforce org with a secure, easy-to-remember URL.
Want to make the process even easier, so that users don't have to enter Salesforce credentials at all? Configure single sign-on (SSO).
SSO offers many benefits.

  • Password management takes less time.
  • Employees save time by not having to log in to Salesforce manually. Did you know that it takes 5-20 seconds for a user to log in to an online application? Those seconds add up.
  • Salesforce adoption goes up. Users can send links to Salesforce records and reports, and recipients can open them with a single click.
  • You can manage access to sensitive information from a single location.

In this unit, we show you how to configure inbound SSO: users log in somewhere else, such as a corporate network or another app, and then access Salesforce without logging in again. You can also configure outbound SSO, where users log in to Salesforce and then access other services without logging in again. We save that topic for another module.

Configure inbound SSO with a third-party identity provider

Let’s start by setting up inbound SSO with a third-party identity provider.

IT manager Sean Sollo tells you that he wants Salesforce users set up with SSO so they can log in to the Salesforce org with their Jedeye network credentials. Here, you follow the steps to configure SSO for Sia Thripio, a new Jedeye Tech employee. You configure inbound SSO with the Axiom Heroku web application as the identity provider.

Does this sound complicated? It isn't. We break the process into a series of simple steps.

  1. Create a federation ID for each user.
  2. Set up the SSO provider in Salesforce.
  3. Set up Salesforce in the SSO provider.
  4. Make sure everything works.

Remember the prerequisite for SSO? A custom domain. Since you completed the unit on configuring your custom domain, you're ready to go.

Step 1: Create a federation ID

When you configure SSO, you use a unique attribute to identify each user. This attribute is the link that associates the Salesforce user with the external identity provider. You can use a username, user ID, or federation ID. We are going to use a federation ID.

No, a federation ID is not owned by an interstellar shipping organization with incomprehensible designs. It's simply the identity industry's term for a unique user ID.

Typically, you assign a federation ID to each user account. When you configure SSO in your production environment, you can assign federation IDs to many users at once with tools like the Salesforce Data Loader. For now, we set up the account for Sia Thripio, the new employee at Jedeye Tech.

  1. From Setup, enter Users in the Quick Find box, then select Users.
  2. Click Edit next to Sia's name.
  3. Under Single Sign-On Information, enter the federation ID: sia@jedeye-tech.com. Tip: A federation ID must be unique for each user in an org. That's why the username comes in handy. But if the user belongs to multiple orgs, use the same federation ID for that user in each org.
  4. Click Save.
Federation ID in the SSO settings

Step 2: Set up your SSO provider in Salesforce

The service provider must have information about the identity provider, and vice versa. In this step, you work on the Salesforce side, providing information about the identity provider, which in this case is Axiom. In the next step, you provide Axiom with information about Salesforce.

On the Salesforce side, we configure SAML settings. SAML is the protocol that Salesforce Identity uses to implement SSO.

Tip : You will be working in both the Salesforce Developer org and the Axiom application. Keep them open in separate browser windows so you can copy and paste between the two.

  1. In a new browser window, go to http://axiomsso.herokuapp.com.
  2. Click SAML Identity Provider & Tester.
  3. Click Download the Identity Provider Certificate. You upload this certificate to your Salesforce org later, so remember where you save it.
  4. In your Salesforce org, from Setup, enter Single in the Quick Find box, then select Single Sign-On Settings.
  5. Click Edit.
  6. Select SAML Enabled.
  7. Click Save.
  8. Under SAML Single Sign-On Settings:
    1. Click New.
    2. Enter the following values.
      • Name: Axiom Test App
      • Issuer: http://axiomsso.herokuapp.com
      • Identity Provider Certificate: Select the file you downloaded in step 3.
      • Request Signing Method: Select RSA-SHA1 to match this lab. (This setting controls how Salesforce signs SP-initiated requests. SHA-1 is deprecated, so for a production identity provider that supports it, choose RSA-SHA256.)
      • SAML Identity Type: Select Assertion contains the Federation ID from the User object.
      • SAML Identity Location: Select Identity is in the NameIdentifier element of the Subject statement.
      • Service Provider Initiated Request Binding: Select HTTP Redirect.
      • Entity ID: Enter your My Domain URL, which is shown on your org's My Domain setup page. Make sure the entity ID uses "https" and refers to your Salesforce domain. It looks something like this: https://mydomain-dev-ed.my.salesforce.com.
  9. Click Save and leave the browser page open.
Salesforce SAML Single Sign-On Settings page before clicking Save

Step 3: Set up Salesforce in your SSO provider

Now that you've configured Salesforce with information about the identity provider (Axiom), you provide the identity provider with information about the service provider (Salesforce).

You fill in several fields on the Axiom form. It couldn't be easier. Because you're copying values from the Salesforce SSO configuration, keep two browser windows open (one for Salesforce and one for Axiom).

  1. Return to the Axiom web application. If you don't have it open in a browser window, go to http://axiomsso.herokuapp.com.
  2. Click SAML Identity Provider & Tester.
  3. Click generate a SAML response.
  4. Enter the following values. Leave the other fields as they are.
    • SAML Version: 2.0
    • Username or Federation ID: The federation ID from Sia's Salesforce user page
    • Issuer: http://axiomsso.herokuapp.com
    • Recipient URL: The Login URL from the Salesforce SAML Single Sign-On Settings page. Can't find it? It's at the bottom of the page, labeled Salesforce Login URL.
    • Entity ID: The Entity ID from the Salesforce SAML Single Sign-On Settings page
SAML single sign-on settings to enter in Axiom

When you’re done, the Axiom setup page will look like the following:

SAML single sign-on settings in Axiom

Step 4: Confirm that everything works

Great, now that the setup is complete, let's make sure it works. How do you prove it? By logging in successfully, of course.

  1. In the Axiom browser window, click Request SAML Response. (The button is at the bottom of the page.)
  2. Axiom generates the SAML assertion in XML. Does it remind you of the language a robot uses to talk to a moisture vaporator in the desert? Look again. It isn't that complicated once you know what to look for: scroll through the XML and find the Issuer, the Subject NameID (the federation ID), the Audience (your entity ID), and the Recipient (your login URL).
  3. Click Login.
SAML assertion

If everything is correct, you're logged in to your Salesforce home page as Sia. The Axiom app has logged you in to your Salesforce org as the user with that federation ID.
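When Axiom posts the assertion back, Salesforce accepts it only if the values you entered on both sides line up: the assertion's Issuer must equal the Issuer you configured in Step 2, the Audience must equal your Entity ID, the Recipient must equal your Salesforce Login URL, the Subject NameID must match a user's Federation ID, and the current time must fall inside the assertion's validity window. The following Python script is an added example, not Trailhead or Salesforce code: it decodes a constructed, unsigned SAMLResponse (the base64 form field of the HTTP-POST binding) and reports each mismatch the way you would when troubleshooting a failed login. The My Domain, Login URL and timestamps are hypothetical placeholders; the Axiom issuer and Sia's federation ID are the ones used above. It does not verify the XML signature, which Salesforce checks against the certificate you uploaded in Step 2.

```python
"""Decode a SAMLResponse and check the fields Salesforce matches against its
SAML Single Sign-On Settings before accepting an inbound SSO login."""
import base64
import datetime as dt
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# What the service provider (Salesforce) expects. The issuer is the one used in the
# walkthrough; the My Domain and Login URL are hypothetical placeholders.
SP_CONFIG = {
    "issuer": "http://axiomsso.herokuapp.com",
    "entity_id": "https://mydomain-dev-ed.my.salesforce.com",
    "login_url": "https://mydomain-dev-ed.my.salesforce.com?so=00D000000000001",
}

# Constructed sample: an unsigned SAML 2.0 response shaped like the one Axiom
# generates for Sia. Timestamps are fixed so the checks are deterministic.
SAMPLE_RESPONSE_XML = f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
    ID="_resp1" Version="2.0" IssueInstant="2024-01-01T12:00:00Z"
    Destination="{SP_CONFIG['login_url']}">
  <saml:Issuer>{SP_CONFIG['issuer']}</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_assert1" Version="2.0" IssueInstant="2024-01-01T12:00:00Z">
    <saml:Issuer>{SP_CONFIG['issuer']}</saml:Issuer>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">sia@jedeye-tech.com</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData Recipient="{SP_CONFIG['login_url']}"
            NotOnOrAfter="2024-01-01T12:05:00Z"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions NotBefore="2024-01-01T11:59:00Z" NotOnOrAfter="2024-01-01T12:05:00Z">
      <saml:AudienceRestriction><saml:Audience>{SP_CONFIG['entity_id']}</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""


def encode_response(xml_text: str) -> str:
    """Encode XML as the SAMLResponse form field of the HTTP-POST binding."""
    return base64.b64encode(xml_text.encode()).decode()


def parse_time(value: str) -> dt.datetime:
    """Parse the UTC 'Z' timestamps used in SAML assertions."""
    return dt.datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=dt.timezone.utc)


def check_response(saml_response_b64: str, sp: dict, now_iso: str) -> dict:
    """Decode the response and compare its fields with the SP configuration.

    Returns the extracted fields plus a list of human-readable problems (empty
    when everything lines up). Signature verification is deliberately not done
    here; Salesforce does that with the uploaded IdP certificate.
    """
    now = parse_time(now_iso)
    root = ET.fromstring(base64.b64decode(saml_response_b64))
    assertion = root.find("saml:Assertion", NS)
    issuer = assertion.findtext("saml:Issuer", namespaces=NS)
    name_id = assertion.findtext("saml:Subject/saml:NameID", namespaces=NS)
    scd = assertion.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    recipient = scd.get("Recipient") if scd is not None else None
    conditions = assertion.find("saml:Conditions", NS)
    audience = conditions.findtext("saml:AudienceRestriction/saml:Audience", namespaces=NS)

    problems = []
    if issuer != sp["issuer"]:
        problems.append(f"Issuer {issuer!r} does not match the configured Issuer {sp['issuer']!r}")
    if audience != sp["entity_id"]:
        problems.append(f"Audience {audience!r} does not match the Entity ID {sp['entity_id']!r}")
    if recipient != sp["login_url"]:
        problems.append(f"Recipient {recipient!r} does not match the Salesforce Login URL")
    not_before = parse_time(conditions.get("NotBefore"))
    not_on_or_after = parse_time(conditions.get("NotOnOrAfter"))
    if not (not_before <= now < not_on_or_after):
        problems.append("assertion is outside its validity window (check clock skew between IdP and SP)")
    if not name_id:
        problems.append("Subject NameID is empty; Salesforce has no Federation ID to match")
    return {"issuer": issuer, "federation_id": name_id, "audience": audience,
            "recipient": recipient, "problems": problems}


if __name__ == "__main__":
    result = check_response(encode_response(SAMPLE_RESPONSE_XML), SP_CONFIG, "2024-01-01T12:01:00Z")
    for key, value in result.items():
        print(f"{key}: {value}")
```

Run it against a real SAMLResponse by pasting the base64 value captured from the browser (the POST to your Login URL) in place of the constructed sample and your own Entity ID and Login URL in SP_CONFIG. A non-empty problems list points straight at the field that was typed differently in Axiom and Salesforce, which is the usual cause of a failed first login.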

Congratulations! You've just set up SSO so that users coming from another app can access Salesforce without logging in again. Step up and collect your badge.