Previously we have seen, How to setup SAML based Single Sign On Where Salesforce will be Service Provider and some other application like AXIOM will be Identity Provider. In this article we will use one Salesforce Instance as Identity Provider and other Salesforce Instance as Service Provider.
Before starting you have to decide which salesforce Instance will act as Identity Provider and which one will act as Service Provider. To Avoid confusions, we can create app with different Logo to distinguish Identity Provider and Service Provider like I did.
Step 1 : Enable Domain in Identity Provider Organization
From Setup, click Domain Management | My Domain, enter a new subdomain name, and click Check Availability. If the name is available, click the Terms and Conditions check box, then click Register Domain.
Step 2 : Enable Identity Provider
- From Setup, click “Security Controls | Identity Provider“.
- Click Enable.
- Click “Download Certificate”. Remember where you save the certificate, as you will upload it later.
Once you enable Identity Provider, You will see page like below with Identity Provider related information
In above image, Issuer is nothing but domain URL of Identity provider Org.
Step 3: Enable Single Sign On in Service Provider Org
Now we have to go to Other Salesforce Instance which is acting as Service Provider.
- From Setup, click “Security Controls | Single Sign-On Settings”, then click Edit.
- Select the SAML Enabled check box.
- Use the following settings:
We have to upload certificate downloaded from Identity Provider to here in Service provider while declaring SSO related settings. We have to come back again here to setup “Identity Provider Login URL“, We will get this URL once we define “Connected Apps” in Identity Provider Instance.
Step 4 : Define Connected App for Service Provider in Identity Provide Instance
- Log into the Salesforce organization that acts as the identity provider.
- From Setup, click “Create | Apps”, then in the “Connected Apps” section, click New.
- Specify the following information:
- Connected App Name – Salesforce Service Provider
- Contact Email – Contact salesforce.com should use for contacting you or your support team.
- Enable SAML – Select this option to enter service provider details.
- Entity Id – https://saml.salesforce.com
- ACS URL – Use the Salesforce Login URL from Service Provider as shown in Image 2
Once you save, you should be able to see setting page something like shown below :
Important Note : Once you define Connected App, We need to add which profiles should be able to access this app.
From above setting page, copy URL of “IdP-Initiated Login URL” and go back to SSO setting page of Service Provider and Add this URL. In Image 2, You can see placeholder in red font.
Step 5 : Setting up Users
Everything is already at place, Lets start with user setup.
Copy one of Username from Identity Provider instance to “Federation Id” field of related user in Service Provider.
Example : In Identity provider, I have user “firstname.lastname@example.org”. Now in Service Provider i have user “email@example.com” and want to relate this user. So in “Federation Id” field of “firstname.lastname@example.org” user, I will copy “email@example.com”.
Testing Scenario 1 : IdP initiated SSO
It is possoble that you want to login into Identity Provider Org and it should redirect user to Service Provider. For this In Image 3, open URL of “IdP-Initiated Login URL” in Browser, make sure it is complete URL. In my case, URL is something like : “https://zaa-dev-ed.my.salesforce.com/idp/login?app=0sp40000000TN1U“
Once you hit this URL, Login page will appear. Enter your Username of Identity Provider (This Username is Federation ID in Service Provider). If everything is good, you will be redirected to Service Provider.
Testing Scenario 2 : Service Provider Initiated SSO
To Test this, we need to inform Salesforce that Instead of Standard Login Page, Users have to use Single Sign on settings.
Navigate to “Domain Management | My Domain | Login Page Branding” and click to Edit.
As you can see in above image, we will get option for all SSO and Login page also. If we dont disable Login Page, Users can login by their standard Salesforce username and password and SSO will not called. So, uncheck everything except required SSO settings and Save it.
Now, navigate to Login page of Service Provider and try to enter username and password of Identity provider. You should be redirected to Service provider after authentication.
Testing scenario 3 : SSO in Salesforce1 app
In Salesforce1 application, If you try to setup IdP initiated SSO then you might run into below error
The value of the “app” parameter contains a character that is not allowed or the value exceeds the maximum allowed length.
I was not able to resolve above problem and posted question in StackExchange also, but no luck. However when I tried to login using Service Provider Initiated SSO, I was able to resolve this problem.
Testing Scenario 4 : Interesting scenario in Single Sign On
Lets say i have implemented SSO for Salesforce and IDp lets say is some .Net based Webservice which implements SAML 2. When user tried to authenticate, He was active in IDp as well as in SP. He was succesfully able to authenticate Salesforce1 app using OAuth (After SAML based login succeeded). However, after few day he got deactivated from IDp and still active in Service Provider (Salesforce). As he is still active in Salesforce and OAuth is already setup, he can access his Salesforce1 application. How should i check or revoke his access once he is not active in Identi provider ? Same Question was asked in StackExchange also.
“” jitendra zaa (@ilovenagpur) April 18, 2014