Tuesday, October 11, 2016

Salesforce: Setting SSO (Single Sign On)

SSO is a process that allows network users to access all authorized network resources without having to log in separately to each one.

Salesforce can be configured as an Identity Provider (IdP) using Salesforce Identity, or as a Service Provider (SP).
An Identity Provider is a trusted service that enables users to access other websites and services without logging in again.
A Service Provider is a website or service that hosts apps and accepts identity from an identity provider.

The flow below shows a user accessing Salesforce and being authenticated by the IdP; Salesforce is the SP in this scenario.

In the other flow, the user accesses the IdP first and is then redirected to Salesforce as the SP.

This post discusses setting up Salesforce as the Service Provider, where Salesforce initiates the SSO process:
1. The user makes a request to Salesforce
2. The user is redirected to the IdP with a SAML Request
3. The user authenticates and returns with a SAML Response
4. Salesforce processes the Response, creates a session for the user and returns the requested resource

When the user opens the specific My Domain URL, they are automatically redirected and given access to Salesforce without having to enter a username and password.

To set up SSO:
1. Enable My Domain in Salesforce
Refer to the My Domain documentation to create a custom domain name.

2. Enable Single Sign-On in Salesforce
Navigate to Setup | Security Controls | Single Sign-On Settings.
Click Edit, then check "SAML Enabled".

3. SAML Single Sign-On Settings in Salesforce
On the same page, click the New button under "SAML Single Sign-On Settings".
You need to obtain the Identity Provider Certificate, the authentication certificate issued by your Identity Provider, and upload the cert file.
- Identity Provider Certificate: upload the cert file provided by the IdP
- Entity ID: specify the Salesforce base domain or your custom domain

4. Configure the IdP
- SAML version: only version 2.0 is supported for now
- Login URL: this is the Salesforce Login URL shown under the SSO setting endpoints, for example:
- Entity ID: as defined in step 3 above
- Start Page URL: if you would like your users redirected to a specific page after login
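The checks behind step 4 of the SSO flow above ("Salesforce processes the Response") are what tie the Entity ID from step 3 and the Login URL from step 4 of the setup to the assertion the IdP sends back. The following is an added example, not Salesforce code, of the audience, destination, issuer and validity checks an SP applies to a SAML 2.0 Response; the Entity ID, ACS URL, IdP URL and the Response itself are constructed placeholders, and XML signature verification against the uploaded IdP certificate is assumed to have already passed.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"

# Values the SP was configured with (constructed placeholders, not real endpoints).
SP_ENTITY_ID = "https://example-mydomain.my.salesforce.com"
SP_ACS_URL = "https://example-mydomain.my.salesforce.com?so=EXAMPLE"
IDP_ENTITY_ID = "https://idp.example.com/saml"

# Constructed, unsigned SAML Response as the IdP would POST it to the Login (ACS) URL.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" InResponseTo="_req1"
  Destination="https://example-mydomain.my.salesforce.com?so=EXAMPLE">
  <saml:Issuer>https://idp.example.com/saml</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion><saml:Issuer>https://idp.example.com/saml</saml:Issuer>
    <saml:Subject><saml:NameID>alice@example.com</saml:NameID></saml:Subject>
    <saml:Conditions NotBefore="2016-10-11T09:00:00Z" NotOnOrAfter="2016-10-11T09:05:00Z">
      <saml:AudienceRestriction><saml:Audience>https://example-mydomain.my.salesforce.com</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""

def parse_ts(value):
    # SAML timestamps are UTC xs:dateTime values with a trailing Z.
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def validate_response(xml_text, now, expected_request_id):
    """Return (ok, reason-or-subject). Run only AFTER the XML signature has been
    verified with the IdP certificate uploaded in step 3 (out of scope here)."""
    root = ET.fromstring(xml_text)
    if root.get("Destination") != SP_ACS_URL:
        return False, "Destination does not match the SP Login URL"
    if root.get("InResponseTo") != expected_request_id:
        return False, "InResponseTo does not match the outstanding SAML Request"
    if root.find("samlp:Status/samlp:StatusCode", NS).get("Value") != SUCCESS:
        return False, "IdP did not report Success"
    assertion = root.find("saml:Assertion", NS)
    if assertion is None or assertion.findtext("saml:Issuer", namespaces=NS) != IDP_ENTITY_ID:
        return False, "assertion missing or issued by an unexpected IdP"
    cond = assertion.find("saml:Conditions", NS)
    if not (parse_ts(cond.get("NotBefore")) <= now < parse_ts(cond.get("NotOnOrAfter"))):
        return False, "assertion outside its validity window (replay or clock skew)"
    audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if SP_ENTITY_ID not in audiences:
        return False, "assertion not addressed to this SP's Entity ID"
    return True, assertion.findtext("saml:Subject/saml:NameID", namespaces=NS)
```

A mismatch in any of these checks means the session must not be created; in a real deployment, signature verification over the Response or Assertion is the first check, since every attribute tested here is attacker-controlled until it passes.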