Summary
This document will guide you through the steps to provide Single-Sign-On to Salesforce using SAML with PhenixID Authentication Services as SAML IdP.
System Requirements
- PhenixID Authentication Services 2.0 or higher
- Salesforce corporate domain
- Users provisioned to Salesforce
Instruction
- Setup PhenixID Authentication Services as a SAML IdP using one of the Federation scenarios described here. (If the desired authentication method is not provided by a scenario, use the documentation for the SAML authenticator here)
- Download the SAML IdP Metadata as a file.
- Logon to your Salesforce domain as an admin
- In the left-hand menu, select Administer->Security controls->Single Sign-On Settings.
- Click Edit
- Select “SAML Enabled”
- Click Save.
- To the right of SAML Single Sign-On Settings, Click New
- Fill out the form. These values must be fetched from the SAML IdP metadata:
– Issuer (entityID from IdP Metadata)
– Identity Provider Login URL (SingleSignOnService -> Location URL from IdP Metadata)
– Identity Provider Logout URL (SingleLogoutService -> Location URL from IdP Metadata)
– Identity Provider Certificate (Follow these instructions on how to extract the identity provider signing certificate to a file from the IdP Metadata)
- “Name” and “API Name” can be set to any value of your choice.
- The other values in the form can be left at their defaults.
- Save the form
- In the left-hand menu, select Administer->Domain Management->My Domain
- Click “Edit” next to Authentication Configuration
- Select the newly added IDP next to Authentication Service
- Click Save.
- In the left-hand menu, select Administer->Security controls->Single Sign-On Settings.
- Click the IDP link
- Click Download metadata. (This is the Salesforce SAML SP Metadata) Rename the downloaded file to salesforce_meta_sp.xml
- Add the Salesforce SP metadata file to the <PhenixID_Authentication_Services>/resources folder
- Restart PhenixID Authentication Services.
- Logon to PhenixID Authentication Services Configuration Manager
- Click on the Configuration tab
- Click “SAML Meta loading”
- Add the Salesforce SAML SP metadata by adding this configuration snippet (the "id" must match the entityID in the Salesforce SP metadata, and "resource" is the file name placed in the resources folder):
{
  "id": "https://saml.salesforce.com",
  "resource": "salesforce_meta_sp.xml"
}
- Click “Stage changes” and then “Commit changes”
- Configure the authentication method(s) to be used for the Salesforce federation.
http://support.phenixid.se/phenix-serverdoc/authenticators/#SAML
- Click on the Configuration tab
- Click on Pipes
- Modify the pipe(s) connected to the authenticators.
- Fetch the email address from the user data source (the "mail" attribute is used as the SAML NameID below, so it must match the username Salesforce knows the user by):
{
  "name": "LDAPSearchValve",
  "config": {
    "connection_ref": "MyAD",
    "base_dn": "ou=demo,DC=demo,DC=phenixid,DC=net",
    "scope": "SUB",
    "size_limit": "0",
    "filter_template": "(&(objectClass=user)(samaccountname={{request.username}}))",
    "attributes": "mail"
  }
}
- Configure the SAML assertion. Change “targetEntityID” to the id of your SAML Identity Provider.
{
  "name": "AssertionProvider",
  "config": {
    "targetEntityID": "PhenixID_IdP",
    "nameIDAttribute": "mail",
    "misc": {
      "excludeSubjectNotBefore": "true"
    },
    "sourceID": "https://saml.salesforce.com",
    "audienceRestriction": "https://saml.salesforce.com"
  }
}
- Click “Stage changes” and then “Commit changes”
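The Salesforce SSO form above is filled from four values in the IdP metadata (entityID, the SingleSignOnService and SingleLogoutService Location URLs, and the signing certificate). The following script is an added example, not PhenixID's or Salesforce's own tooling; it reads those values from a constructed sample metadata document (placeholder certificate body, made-up URLs) and writes the certificate in the PEM form Salesforce expects, taking only a KeyDescriptor marked for signing.

```python
import textwrap
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

# Constructed sample IdP metadata for this example; the certificate body is a
# placeholder string, not a real X.509 certificate, and the URLs are made up.
SAMPLE_IDP_METADATA = """<md:EntityDescriptor entityID="PhenixID_IdP"
    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
  <md:IDPSSODescriptor>
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data><ds:X509Certificate>
      MIIBplaceholderCERTbody==
    </ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.test/saml/slo"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.test/saml/sso"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""


def extract_salesforce_settings(metadata_xml):
    """Return the values the Salesforce SSO form asks for, read from IdP metadata."""
    root = ET.fromstring(metadata_xml)
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("metadata contains no IDPSSODescriptor")
    # Only a signing key (use="signing", or no use attribute, which means both)
    # may be given to Salesforce; an encryption-only key cannot verify assertions.
    cert_b64 = None
    for kd in idp.findall("md:KeyDescriptor", NS):
        node = kd.find("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
        if kd.get("use") in (None, "signing") and node is not None and node.text:
            cert_b64 = "".join(node.text.split())  # strip whitespace and newlines
            break
    if cert_b64 is None:
        raise ValueError("metadata contains no signing certificate")
    pem = ("-----BEGIN CERTIFICATE-----\n"
           + "\n".join(textwrap.wrap(cert_b64, 64))
           + "\n-----END CERTIFICATE-----\n")
    sso = idp.find("md:SingleSignOnService", NS)
    slo = idp.find("md:SingleLogoutService", NS)
    return {
        "issuer": root.get("entityID"),
        "login_url": sso.get("Location") if sso is not None else None,
        "logout_url": slo.get("Location") if slo is not None else None,
        "certificate_pem": pem,  # save to a .crt file and upload it in the form
    }
```

Run it against the real IdP metadata downloaded in the earlier step and compare the returned values with what you typed into the Salesforce form.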
Test
- Browse to your Salesforce domain (https://<company_domain>.my.salesforce.com)
- This should result in a redirect to PhenixID Authentication Services
- Select authentication method
- Authenticate
- You should now be logged in to Salesforce.
Just-in-time Provisioning
By default, Salesforce requires pre-provisioned users. If you would like to provision (create and update) users when they log in to Salesforce, please follow these steps:
- Login to Salesforce as a Salesforce admin
- Enable JIT in the Single-Sign-On-Settings.
- Login to PhenixID Server (/config) as an administrator.
- Edit the pipe that creates the assertion targeted for Salesforce. Add the additional attributes to the assertion. Example:
{
  "id": "pipe_JIT_SF",
  "valves": [
    {
      "name": "LDAPSearchValve",
      "config": {
        "connection_ref": "MyAD",
        "base_dn": "DC=demo,DC=phenixid,DC=net",
        "scope": "SUB",
        "size_limit": "0",
        "filter_template": "(&(objectclass=*)(sAMAccountName={{request.username}}))",
        "attributes": "mail,givenName,sn"
      }
    },
    { "name": "LDAPBindValve", "config": { "connection_ref": "MyAD", "password_param_name": "password" } },
    { "name": "PropertyCopyValve", "config": { "source": "mail", "dest": "User.Username" } },
    { "name": "PropertyCopyValve", "config": { "source": "mail", "dest": "User.Email" } },
    { "name": "PropertyCopyValve", "config": { "source": "givenName", "dest": "User.FirstName" } },
    { "name": "PropertyCopyValve", "config": { "source": "sn", "dest": "User.LastName" } },
    { "name": "PropertyAddValve", "config": { "name": "User.ProfileId", "value": "Chatter Free User" } },
    {
      "name": "AssertionProvider",
      "config": {
        "targetEntityID": "PhenixID_IdP_LAB",
        "nameIDAttribute": "mail",
        "misc": { "excludeSubjectNotBefore": "true" },
        "sourceID": "https://saml.salesforce.com",
        "additionalAttributes": "User.Username,User.Email,User.LastName,User.FirstName,User.ProfileId"
      }
    }
  ]
}
For more information about Salesforce Just-in-time provisioning, please view https://developer.salesforce.com/docs/atlas.en-us.sso.meta/sso/sso_jit_requirements.htm
DISCLAIMER
Information provided in this document is for your information only. PhenixID makes no explicit or implied claims to the validity of this information. Any trademarks referenced in this document are the property of their respective owners. The origin of this information may be internal or external to PhenixID. PhenixID makes all reasonable efforts to verify this information.
PhenixID - support.phenixid.se