PhenixID

Step by Step – Salesforce SSO with PhenixID Authentication Services

Summary

This document guides you through the steps to provide single sign-on to Salesforce using SAML, with PhenixID Authentication Services acting as the SAML IdP.

System Requirements

  • PhenixID Authentication Services 2.0 or higher
  • Salesforce corporate domain (My Domain) configured, since the authentication service is attached under Domain Management
  • Users provisioned in Salesforce (or enable Just-in-time Provisioning as described at the end of this document)

Instruction

  1. Set up PhenixID Authentication Services as a SAML IdP using one of the Federation scenarios described here. (If the desired authentication method is not provided by a scenario, use the documentation for the SAML authenticator here.)
  2. Download the SAML IdP Metadata as a file.
  3. Log on to your Salesforce domain as an admin
    1. In the left-hand menu, select Administer->Security controls->Single Sign-On Settings.
    2. Click Edit
    3. Select “SAML Enabled”
    4. Click Save.
    5. To the right of SAML Single Sign-On Settings, click New
    6. Fill out the form. These values must be taken from the SAML IdP metadata:
      – Issuer (entityID from IdP Metadata)
      – Identity Provider Login URL (SingleSignOnService -> Location URL from IdP Metadata)
      – Identity Provider Logout URL (SingleLogoutService -> Location URL from IdP Metadata)
      – Identity Provider Certificate (Follow these instructions on how to extract the identity provider signing certificate to a file from the IdP Metadata. Salesforce uses this certificate to validate the signature on every assertion it receives, so it must be the certificate from the KeyDescriptor with use="signing" in the IdP metadata, and it must be replaced in Salesforce whenever the IdP signing key is rolled.)
    7. “Name” and “API Name” can be set to any value of your choice.
    8. The other values in the form can be left at their defaults.
    9. Save the form
    10. In the left-hand menu, select Administer->Domain Management->My Domain
    11. Click “Edit” next to Authentication Configuration
    12. Select the newly added IDP next to Authentication Service
    13. Click Save.
    14. In the left-hand menu, select Administer->Security controls->Single Sign-On Settings.
    15. Click the IDP link
    16. Click Download metadata. (This is the Salesforce SAML SP metadata.) Rename the downloaded file to salesforce_meta_sp.xml
  4. Add the Salesforce SP metadata file to the <PhenixID_Authentication_Services>/resources folder
  5. Restart PhenixID Authentication Services.
  6. Log on to PhenixID Authentication Services Configuration Manager
  7. Click on the Configuration tab
  8. Click “SAML Meta loading”
  9. Register the Salesforce SAML SP metadata by adding this configuration snippet (the id is the entityID of the Salesforce SP, which is also the sourceID used in the pipe below):
    {
      "id": "https://saml.salesforce.com",
      "resource": "salesforce_meta_sp.xml"
    }
  10. Click “Stage changes” and then “Commit changes”
  11. Configure the authentication method(s) to be used for the Salesforce federation, see
    http://support.phenixid.se/phenix-serverdoc/authenticators/#SAML
  12. Click on the Configuration tab
  13. Click on Pipes
  14. Modify the pipe(s) connected to the authenticators.
    1. Fetch the email address from the user data source (the mail attribute becomes the NameID of the assertion):
      {
        "name": "LDAPSearchValve",
        "config": {
          "connection_ref": "MyAD",
          "base_dn": "ou=demo,DC=demo,DC=phenixid,DC=net",
          "scope": "SUB",
          "size_limit": "0",
          "filter_template": "(&(objectClass=user)(samaccountname={{request.username}}))",
          "attributes": "mail"
        }
      }
    2. Configure the SAML assertion. Change "targetEntityID" to the entityID of your SAML Identity Provider. "sourceID" and "audienceRestriction" must both be the entityID of the Salesforce SP, so that the assertion is bound to Salesforce and is rejected by any other service provider:
      {
        "name": "AssertionProvider",
        "config": {
          "targetEntityID": "PhenixID_IdP",
          "nameIDAttribute": "mail",
          "misc": {
            "excludeSubjectNotBefore": "true"
          },
          "sourceID": "https://saml.salesforce.com",
          "audienceRestriction": "https://saml.salesforce.com"
        }
      }
  15. Click “Stage changes” and then “Commit changes”
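
The values that steps 2, 3.6 and 9 above ask you to copy out of the two metadata files can be extracted mechanically. The following is an added example for this article, not PhenixID code; it uses only the Python standard library, and the two metadata documents embedded in it are constructed samples whose hostnames, org id and certificate body are placeholders, not real values.

```python
"""Pull the Salesforce SSO form values out of SAML IdP metadata, and the
"SAML Meta loading" id out of the Salesforce SP metadata.

Added example for this article; not PhenixID code, standard library only.
IDP_METADATA and SP_METADATA are constructed samples with placeholder values.
"""
import base64
import textwrap
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
DS = "http://www.w3.org/2000/09/xmldsig#"
BINDING_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
BINDING_REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"

# Placeholder standing in for the base64 DER certificate (constructed, not a cert).
FAKE_CERT_B64 = base64.b64encode(b"not-a-real-certificate").decode()

IDP_METADATA = f"""<md:EntityDescriptor xmlns:md="{MD}" xmlns:ds="{DS}" entityID="PhenixID_IdP">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>
        {FAKE_CERT_B64}
      </ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleLogoutService Binding="{BINDING_REDIRECT}" Location="https://idp.example.com/saml/slo"/>
    <md:SingleSignOnService Binding="{BINDING_REDIRECT}" Location="https://idp.example.com/saml/authenticate"/>
    <md:SingleSignOnService Binding="{BINDING_POST}" Location="https://idp.example.com/saml/authenticate"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

SP_METADATA = f"""<md:EntityDescriptor xmlns:md="{MD}" entityID="https://saml.salesforce.com">
  <md:SPSSODescriptor AuthnRequestsSigned="false" WantAssertionsSigned="true"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat>
    <md:AssertionConsumerService Binding="{BINDING_POST}" index="0" isDefault="true"
        Location="https://company.my.salesforce.com?so=00D000000000000"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""


def parse_metadata(xml_text):
    """Return entityID, endpoints (binding -> Location) and signing certificates
    (PEM strings) from IdP or SP metadata. Metadata you downloaded from your own
    IdP or from Salesforce is trusted input; for XML from an untrusted party use
    defusedxml, since the stdlib parser does not defend against entity attacks."""
    root = ET.fromstring(xml_text)
    info = {"entityID": root.get("entityID"), "sso": {}, "slo": {},
            "acs": {}, "signing_certs": []}
    for tag, key in (("SingleSignOnService", "sso"),
                     ("SingleLogoutService", "slo"),
                     ("AssertionConsumerService", "acs")):
        for ep in root.iter(f"{{{MD}}}{tag}"):
            info[key][ep.get("Binding")] = ep.get("Location")
    for kd in root.iter(f"{{{MD}}}KeyDescriptor"):
        # Salesforce validates assertion signatures with this certificate, so
        # take only the signing key; a KeyDescriptor without 'use' serves both.
        if kd.get("use") not in (None, "signing"):
            continue
        for cert in kd.iter(f"{{{DS}}}X509Certificate"):
            b64 = "".join(cert.text.split())        # strip line breaks and indent
            base64.b64decode(b64, validate=True)    # reject a mangled copy/paste
            info["signing_certs"].append(
                "-----BEGIN CERTIFICATE-----\n"
                + "\n".join(textwrap.wrap(b64, 64))
                + "\n-----END CERTIFICATE-----\n")
    return info


def salesforce_form_values(idp_info):
    """Map parsed IdP metadata onto the fields of the Salesforce SSO form.
    Assumption: the Salesforce 'Request Binding' option is left at HTTP Redirect,
    so that Location is preferred; otherwise pick the binding you selected."""
    sso, slo = idp_info["sso"], idp_info["slo"]
    return {
        "Issuer": idp_info["entityID"],
        "Identity Provider Login URL": sso.get(BINDING_REDIRECT) or next(iter(sso.values()), None),
        "Identity Provider Logout URL": slo.get(BINDING_REDIRECT) or next(iter(slo.values()), None),
        "Identity Provider Certificate": (idp_info["signing_certs"] or [None])[0],
    }


def meta_loading_snippet(sp_info, resource="salesforce_meta_sp.xml"):
    """The 'SAML Meta loading' entry: the id must be the SP's entityID exactly."""
    return {"id": sp_info["entityID"], "resource": resource}


def write_signing_cert(idp_info, path="idp_signing.pem"):
    """Write the first signing certificate as a PEM file to upload to Salesforce."""
    with open(path, "w") as f:
        f.write(idp_info["signing_certs"][0])
    return path


if __name__ == "__main__":
    import json
    idp = parse_metadata(IDP_METADATA)
    print(json.dumps(salesforce_form_values(idp), indent=2))
    print(json.dumps(meta_loading_snippet(parse_metadata(SP_METADATA)), indent=2))
```

Run it against the real files by replacing the two constants with the contents of your IdP metadata and of salesforce_meta_sp.xml. If parse_metadata returns more than one signing certificate, the IdP is mid key rollover; Salesforce accepts only one certificate per SSO setting, so upload the one the IdP currently signs with.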

Test

  1. Browse to your Salesforce domain (https://<company_domain>.my.salesforce.com)
  2. This should redirect you to PhenixID Authentication Services
  3. Select authentication method
  4. Authenticate
  5. You should now be logged in to Salesforce.
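
If the test ends at a Salesforce error page instead of a logged-in session, the quickest diagnosis is to decode the SAMLResponse the browser posted to Salesforce and compare it with the SSO settings. The following is an added example for this section, not PhenixID code. It takes the base64 value of the SAMLResponse form field (HTTP-POST binding, so plain base64, not deflated) captured in the browser's developer tools; SAMPLE_RESPONSE is a constructed, unsigned response with placeholder values. Signature verification, which Salesforce performs with the certificate uploaded in the SSO settings, is not done here; the checks cover what the pipe configuration on this page controls. The attribute names in the usage call are the User.* attributes from the Just-in-time Provisioning pipe later on this page; for pre-provisioned users pass none.

```python
"""Decode the SAMLResponse posted to Salesforce and compare it with the settings.

Added example for this article; not PhenixID code. SAMPLE_RESPONSE is a
constructed, unsigned response with placeholder values.
"""
import base64
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
DS = "http://www.w3.org/2000/09/xmldsig#"

SAMPLE_XML = f"""<samlp:Response xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" ID="_r1" Version="2.0"
    IssueInstant="2016-11-08T12:16:12Z" Destination="https://company.my.salesforce.com?so=00D000000000000">
  <saml:Issuer>PhenixID_IdP</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2016-11-08T12:16:12Z">
    <saml:Issuer>PhenixID_IdP</saml:Issuer>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">alice@demo.phenixid.net</saml:NameID>
    </saml:Subject>
    <saml:Conditions NotOnOrAfter="2016-11-08T12:21:12Z">
      <saml:AudienceRestriction><saml:Audience>https://saml.salesforce.com</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="User.Username"><saml:AttributeValue>alice@demo.phenixid.net</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="User.Email"><saml:AttributeValue>alice@demo.phenixid.net</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="User.LastName"><saml:AttributeValue>Example</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="User.ProfileId"><saml:AttributeValue>Chatter Free User</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""
SAMPLE_RESPONSE = base64.b64encode(SAMPLE_XML.encode()).decode()


def inspect_response(saml_response_b64):
    """Decode the POSTed value and pull out the fields Salesforce matches against
    its SSO settings. Use defusedxml instead of the stdlib parser for XML that
    did not come from your own IdP."""
    root = ET.fromstring(base64.b64decode(saml_response_b64))
    assertion = root.find(f"{{{SAML}}}Assertion")
    if assertion is None:
        raise ValueError("no plaintext Assertion (EncryptedAssertion or an error response?)")
    status = root.find(f"{{{SAMLP}}}Status/{{{SAMLP}}}StatusCode")
    conditions = assertion.find(f"{{{SAML}}}Conditions")
    attrs = {}
    for attr in assertion.iter(f"{{{SAML}}}Attribute"):
        attrs[attr.get("Name")] = [v.text for v in attr.iter(f"{{{SAML}}}AttributeValue")]
    return {
        "status": status.get("Value") if status is not None else None,
        "issuer": assertion.findtext(f"{{{SAML}}}Issuer"),
        "name_id": assertion.findtext(f"{{{SAML}}}Subject/{{{SAML}}}NameID"),
        "audiences": [a.text for a in assertion.iter(f"{{{SAML}}}Audience")],
        "not_on_or_after": conditions.get("NotOnOrAfter") if conditions is not None else None,
        "attributes": attrs,
        # Salesforce requires a signature on the Response or the Assertion.
        "signed": (assertion.find(f"{{{DS}}}Signature") is not None
                   or root.find(f"{{{DS}}}Signature") is not None),
    }


def check_response(summary, issuer, sp_entity_id, expected_attrs=()):
    """Compare a decoded response with the Salesforce SSO settings (Issuer, SP
    entityID) and with the attribute names the pipe was configured to send."""
    problems = []
    if not (summary["status"] or "").endswith(":Success"):
        problems.append(f"status is {summary['status']}, not Success")
    if summary["issuer"] != issuer:
        problems.append(f"Issuer {summary['issuer']!r} does not match the Salesforce Issuer setting {issuer!r}")
    if sp_entity_id not in summary["audiences"]:
        problems.append(f"Audience {summary['audiences']} does not include {sp_entity_id!r}")
    if not summary["name_id"]:
        problems.append("NameID is empty; check nameIDAttribute and the attributes fetched from LDAP")
    for name in expected_attrs:
        if not summary["attributes"].get(name):
            problems.append(f"attribute {name!r} is missing or empty")
    if not summary["signed"]:
        problems.append("no XML signature on the Response or Assertion; Salesforce rejects unsigned responses")
    return problems


if __name__ == "__main__":
    summary = inspect_response(SAMPLE_RESPONSE)
    jit_attrs = ["User.Username", "User.Email", "User.LastName", "User.FirstName", "User.ProfileId"]
    for p in check_response(summary, "PhenixID_IdP", "https://saml.salesforce.com", jit_attrs):
        print("-", p)
```

On the constructed sample the checks report a missing User.FirstName and the missing signature; on a real capture from a working setup both lists should be empty. An Audience that is not https://saml.salesforce.com, or an Issuer that differs from the Salesforce form, points at the sourceID, audienceRestriction or targetEntityID values in the pipe.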

Just-in-time Provisioning

By default, Salesforce requires pre-provisioned users. If you would like to provision (create and update) users when they log in to Salesforce, please follow these steps:

  1. Login to Salesforce as a Salesforce admin
  2. Enable Just-in-time provisioning in the Single Sign-On Settings.
  3. Login to PhenixID Server (/config) as an administrator.
  4. Edit the pipe that creates the assertion targeted for Salesforce and add the User.* attributes to the assertion. The example below fetches mail, givenName and sn from the user data source, copies them to the attribute names Salesforce expects, adds a fixed profile, and lists all of them in additionalAttributes:
    {
      "id": "pipe_JIT_SF",
      "valves": [
        {
          "name": "LDAPSearchValve",
          "config": {
            "connection_ref": "MyAD",
            "base_dn": "DC=demo,DC=phenixid,DC=net",
            "scope": "SUB",
            "size_limit": "0",
            "filter_template": "(&(objectclass=*)(sAMAccountName={{request.username}}))",
            "attributes": "mail,givenName,sn"
          }
        },
        {
          "name": "LDAPBindValve",
          "config": {
            "connection_ref": "MyAD",
            "password_param_name": "password"
          }
        },
        {
          "name": "PropertyCopyValve",
          "config": {
            "source": "mail",
            "dest": "User.Username"
          }
        },
        {
          "name": "PropertyCopyValve",
          "config": {
            "source": "mail",
            "dest": "User.Email"
          }
        },
        {
          "name": "PropertyCopyValve",
          "config": {
            "source": "givenName",
            "dest": "User.FirstName"
          }
        },
        {
          "name": "PropertyCopyValve",
          "config": {
            "source": "sn",
            "dest": "User.LastName"
          }
        },
        {
          "name": "PropertyAddValve",
          "config": {
            "name": "User.ProfileId",
            "value": "Chatter Free User"
          }
        },
        {
          "name": "AssertionProvider",
          "config": {
            "targetEntityID": "PhenixID_IdP_LAB",
            "nameIDAttribute": "mail",
            "misc": {
              "excludeSubjectNotBefore": "true"
            },
            "sourceID": "https://saml.salesforce.com",
            "additionalAttributes": "User.Username,User.Email,User.LastName,User.FirstName,User.ProfileId"
          }
        }
      ]
    }
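
A pipe like the one above fails silently when a PropertyCopyValve reads an attribute the LDAPSearchValve never fetched, or when additionalAttributes names a property nothing produced: the user is created in Salesforce with empty fields, or not at all. The following static check, an added example for this article and not PhenixID code, walks the valves in order and tracks which properties exist by the time AssertionProvider runs. The valve semantics it assumes are read off this page's own pipes rather than PhenixID documentation: LDAPSearchValve exposes its comma-separated "attributes" as properties, PropertyCopyValve creates "dest" from "source", PropertyAddValve creates "name", and AssertionProvider reads nameIDAttribute and additionalAttributes from those properties. It also covers the pipe in step 14 of the Instruction section. PIPE is the JIT pipe above transcribed as a Python dict.

```python
"""Static check of a PhenixID pipe before 'Stage changes' / 'Commit changes'.

Added example for this article, not PhenixID code. Valve semantics are
assumptions read off the article's own pipes (see lead-in).
"""
import copy


def copy_valve(source, dest):
    return {"name": "PropertyCopyValve", "config": {"source": source, "dest": dest}}


# The JIT pipe from the article, transcribed as-is.
PIPE = {
    "id": "pipe_JIT_SF",
    "valves": [
        {"name": "LDAPSearchValve", "config": {
            "connection_ref": "MyAD",
            "base_dn": "DC=demo,DC=phenixid,DC=net",
            "scope": "SUB",
            "size_limit": "0",
            "filter_template": "(&(objectclass=*)(sAMAccountName={{request.username}}))",
            "attributes": "mail,givenName,sn"}},
        {"name": "LDAPBindValve", "config": {
            "connection_ref": "MyAD", "password_param_name": "password"}},
        copy_valve("mail", "User.Username"),
        copy_valve("mail", "User.Email"),
        copy_valve("givenName", "User.FirstName"),
        copy_valve("sn", "User.LastName"),
        {"name": "PropertyAddValve", "config": {
            "name": "User.ProfileId", "value": "Chatter Free User"}},
        {"name": "AssertionProvider", "config": {
            "targetEntityID": "PhenixID_IdP_LAB",
            "nameIDAttribute": "mail",
            "misc": {"excludeSubjectNotBefore": "true"},
            "sourceID": "https://saml.salesforce.com",
            "additionalAttributes": "User.Username,User.Email,User.LastName,User.FirstName,User.ProfileId"}},
    ],
}


def _csv(value):
    return [v.strip() for v in value.split(",") if v.strip()]


def lint_pipe(pipe):
    """Return a list of problems; an empty list means the pipe is consistent.
    Property names are compared exactly as written in the configuration."""
    problems = []
    available = set()  # properties present on the item so far, in valve order
    for i, valve in enumerate(pipe["valves"]):
        name, cfg = valve["name"], valve.get("config", {})
        where = f"valve {i} ({name})"
        if name == "LDAPSearchValve":
            available.update(_csv(cfg.get("attributes", "")))
        elif name == "PropertyCopyValve":
            if cfg["source"] not in available:
                problems.append(f"{where}: copies '{cfg['source']}', which no earlier valve "
                                f"fetched; '{cfg['dest']}' will be empty in the assertion")
            available.add(cfg["dest"])
        elif name == "PropertyAddValve":
            available.add(cfg["name"])
        elif name == "AssertionProvider":
            nid = cfg.get("nameIDAttribute")
            if nid not in available:
                problems.append(f"{where}: nameIDAttribute '{nid}' is not produced by any earlier valve")
            for attr in _csv(cfg.get("additionalAttributes", "")):
                if attr not in available:
                    problems.append(f"{where}: additionalAttributes lists '{attr}', which nothing produces")
            if "sourceID" not in cfg:
                problems.append(f"{where}: no sourceID; the assertion is not tied to the Salesforce SP")
            # The non-JIT pipe on this page sets audienceRestriction to the SP
            # entityID; an assertion without it can be presented to another SP.
            if cfg.get("audienceRestriction") != cfg.get("sourceID"):
                problems.append(f"{where}: audienceRestriction is missing or differs from sourceID; "
                                "set it to the SP entityID so the assertion is only valid at Salesforce")
    return problems


def lint_with_missing_attribute():
    """The same pipe with givenName dropped from the LDAP search, the kind of
    mistake that yields a user with no first name at JIT time."""
    broken = copy.deepcopy(PIPE)
    broken["valves"][0]["config"]["attributes"] = "mail,sn"
    return lint_pipe(broken)


if __name__ == "__main__":
    for p in lint_pipe(PIPE):
        print("-", p)
```

On the pipe as printed on this page the check reports one finding, the absent audienceRestriction, which the non-JIT pipe in step 14 does set. Two further points to verify with PhenixID rather than with this script: that the LDAPBindValve, which verifies the password against the DN found by the search, is present in every pipe that issues a Salesforce assertion, and that the product escapes the RFC 4515 filter metacharacters ( ) * \ and NUL when it substitutes {{request.username}} into filter_template, since the username is caller-controlled.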

For more information about Salesforce Just-in-time provisioning, please view https://developer.salesforce.com/docs/atlas.en-us.sso.meta/sso/sso_jit_requirements.htm


DISCLAIMER
Information provided in this document is for your information only. PhenixID makes no explicit or implied claims to the validity of this information. Any trademarks referenced in this document are the property of their respective owners.

The origin of this information may be internal or external to PhenixID. PhenixID makes all reasonable efforts to verify this information.

PhenixID - support.phenixid.se