Implement SAML based Single Sign On (SSO) | Using Salesforce as Identity Provider (IdP) as well as Service Provider (SP)

Previously we saw how to set up SAML based Single Sign On where Salesforce is the Service Provider and some other application, such as AXIOM, is the Identity Provider. In this article we will use one Salesforce instance as the Identity Provider and another Salesforce instance as the Service Provider.

Before starting you have to decide which Salesforce instance will act as the Identity Provider and which one will act as the Service Provider. To avoid confusion, you can create an app with a different logo in each org to tell the Identity Provider and the Service Provider apart, as I did.

Step 1 : Enable Domain in Identity Provider Organization
From Setup, click Domain Management | My Domain, enter a new subdomain name, and click Check Availability. If the name is available, select the Terms and Conditions check box, then click Register Domain.

Step 2 : Enable Identity Provider

  • From Setup, click “Security Controls | Identity Provider“.
  • Click Enable.
  • Click “Download Certificate”. Remember where you save the certificate, as you will upload it later.

Once you enable the Identity Provider, you will see a page like the one below with the Identity Provider related information.

Image 1 – Salesforce Identity Provider Setup

In the image above, the Issuer is simply the My Domain URL of the Identity Provider org.

Step 3: Enable Single Sign On in Service Provider Org
Now we have to go to the other Salesforce instance, the one acting as the Service Provider.

  • From Setup, click “Security Controls | Single Sign-On Settings”, then click Edit.
  • Select the SAML Enabled check box.
  • Use the following settings:
Image 2 – SAML Single Sign On Setting in Service Provider

While declaring the SSO related settings here in the Service Provider, we have to upload the certificate downloaded from the Identity Provider. We will have to come back to this page later to set the “Identity Provider Login URL”; we get this URL once we define the “Connected App” in the Identity Provider instance.

Step 4 : Define Connected App for Service Provider in Identity Provider Instance

  • Log into the Salesforce organization that acts as the identity provider.
  • From Setup, click “Create | Apps”, then in the “Connected Apps” section, click New.
  • Specify the following information:
    • Connected App Name – Salesforce Service Provider
    • Contact Email – the address salesforce.com should use to contact you or your support team.
    • Enable SAML – select this option to enter the service provider details.
    • Entity Id – https://saml.salesforce.com
    • ACS URL – use the Salesforce Login URL from the Service Provider as shown in Image 2

Once you save, you should see a settings page something like the one shown below:

Image 3 – Define Connected App for Service Provider in Identity Provider Instance

Important Note : Once you define the Connected App, you need to add the profiles that should be able to access this app; a user whose profile is not added cannot log in through it.

From the settings page above, copy the “IdP-Initiated Login URL”, go back to the SSO settings page of the Service Provider and add this URL as the Identity Provider Login URL. In Image 2 you can see the placeholder in red font.

Image 4 – SAML Single Sign On Setting in Service Provider with Identity Provider Login URL

Step 5 : Setting up Users

Everything is now in place; let's start with the user setup.

Copy the Username of a user in the Identity Provider instance into the “Federation Id” field of the related user in the Service Provider.

Example : In the Identity Provider, I have the user “zaa.minal1@gmail.com”. In the Service Provider I have the user “zaa.minal@gmail.com” and want to relate the two. So in the “Federation Id” field of the “zaa.minal@gmail.com” user, I will copy “zaa.minal1@gmail.com”.

User Setup in SSO Salesforce
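The Federation ID mapping in Step 5 is what the Service Provider uses to turn the subject of the incoming SAML assertion into one of its own users. The following is an added example (not code from the original post or from Salesforce) that shows the checks an SP makes on the assertion before trusting that subject: Issuer, validity window, Audience, and finally the NameID lookup against the Federation ID. The Response is a constructed, unsigned sample; `SP_USERS` is an in-memory stand-in for the SP org's user table; the Issuer value reuses the IdP My Domain from the post's login URL. XML signature verification is a separate, mandatory step that is not shown here.

```python
# Added example (not part of the original post): how the SAML assertion sent by the
# IdP org is matched to a Service Provider user through the Federation ID (Step 5),
# with the Issuer, validity and Audience checks the SP makes before trusting it.
# Assumptions not taken from the post: the Response below is a constructed, unsigned
# sample; SP_USERS is an in-memory stand-in for the SP org's user table; XML
# signature verification is a separate mandatory step that is not shown here.
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# From the post: the Entity Id of the connected app, and the Issuer, which is the
# IdP org's My Domain URL (the same domain as the post's IdP-Initiated Login URL).
EXPECTED_AUDIENCE = "https://saml.salesforce.com"
EXPECTED_ISSUER = "https://zaa-dev-ed.my.salesforce.com"

# Constructed SP user table keyed by Federation ID: the IdP username from the post's
# Step 5 example maps to the SP user "zaa.minal@gmail.com".
SP_USERS = {
    "zaa.minal1@gmail.com": {"username": "zaa.minal@gmail.com", "active": True},
}

# Constructed, unsigned sample Response (element names per the SAML 2.0 schema).
SAMPLE_RESPONSE = f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}" ID="_r1" Version="2.0">
  <saml:Issuer>{EXPECTED_ISSUER}</saml:Issuer>
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:Issuer>{EXPECTED_ISSUER}</saml:Issuer>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">zaa.minal1@gmail.com</saml:NameID>
    </saml:Subject>
    <saml:Conditions NotBefore="2024-01-01T00:00:00Z" NotOnOrAfter="2099-01-01T00:00:00Z">
      <saml:AudienceRestriction>
        <saml:Audience>{EXPECTED_AUDIENCE}</saml:Audience>
      </saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""


def _parse_time(value):
    """Parse the UTC timestamps SAML uses ("2024-01-01T00:00:00Z")."""
    if value is None:
        raise ValueError("Conditions is missing a validity timestamp")
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def resolve_sp_user(response_xml, users=SP_USERS, now=None):
    """Return the SP username the assertion's NameID maps to, or raise ValueError.

    Checks, in order: the assertion exists, its Issuer is our IdP, it is inside its
    validity window, it is addressed to our Audience, and its NameID matches an
    active SP user's Federation ID.
    """
    now = now or datetime.now(timezone.utc)
    root = ET.fromstring(response_xml)
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        raise ValueError("Response carries no Assertion")
    issuer = assertion.findtext("saml:Issuer", namespaces=NS)
    if issuer != EXPECTED_ISSUER:
        raise ValueError(f"assertion issued by {issuer!r}, not our IdP")
    conditions = assertion.find("saml:Conditions", NS)
    if conditions is None:
        raise ValueError("assertion has no Conditions")
    not_before = _parse_time(conditions.get("NotBefore"))
    not_on_or_after = _parse_time(conditions.get("NotOnOrAfter"))
    if not (not_before <= now < not_on_or_after):
        raise ValueError("assertion is outside its validity window")
    audiences = [a.text for a in conditions.iterfind("saml:AudienceRestriction/saml:Audience", NS)]
    if EXPECTED_AUDIENCE not in audiences:
        raise ValueError(f"assertion not addressed to {EXPECTED_AUDIENCE}")
    name_id = assertion.findtext("saml:Subject/saml:NameID", namespaces=NS)
    user = users.get(name_id)
    if user is None or not user["active"]:
        raise ValueError(f"no active SP user with Federation ID {name_id!r}")
    return user["username"]


if __name__ == "__main__":
    print(resolve_sp_user(SAMPLE_RESPONSE))  # zaa.minal@gmail.com
```

The lookup is deliberately the last step: an assertion from the wrong issuer, an expired one, or one addressed to a different audience is rejected before any user is consulted, and a NameID that matches a deactivated SP user is rejected too. This is also why the post's comment thread insists that the connected app's subject type (Username) and the SP's SAML identity type (Federation ID) must agree: the NameID that arrives is the IdP username, so that is the value the SP must store in the Federation ID field.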

Testing Scenario 1 : IdP initiated SSO

It is possible that you want to log into the Identity Provider org and have it redirect the user to the Service Provider. For this, open the “IdP-Initiated Login URL” from Image 3 in a browser, making sure it is the complete URL. In my case, the URL is something like: “https://zaa-dev-ed.my.salesforce.com/idp/login?app=0sp40000000TN1U”

Once you hit this URL, the login page will appear. Enter your Username of the Identity Provider (this Username is the Federation ID in the Service Provider). If everything is good, you will be redirected to the Service Provider.

Image 6 – IdP Initiated Single Sign On – Salesforce as IdP

Testing Scenario 2 : Service Provider Initiated SSO

To test this, we need to tell Salesforce that, instead of the standard login page, users have to use the Single Sign-On settings.

Navigate to “Domain Management | My Domain | Login Page Branding” and click Edit.

Image 7 – Enable Service Provider Initiated Single Sign on – Salesforce

As you can see in the image above, we get an option for every SSO configuration and for the login page as well. If we don't disable the Login Page, users can still log in with their standard Salesforce username and password and SSO will not be called. So, uncheck everything except the required SSO settings and save.

Now navigate to the login page of the Service Provider and try to enter the username and password of the Identity Provider. You should be redirected to the Service Provider after authentication.

Image 8 – Service Provider Initiated Single Sign On – Salesforce as IdP

Testing scenario 3 : SSO in Salesforce1 app

In the Salesforce1 application, if you try to set up IdP initiated SSO, you might run into the error below:

The value of the “app” parameter contains a character that is not allowed or the value exceeds the maximum allowed length.

I was not able to resolve the above problem and posted a question on StackExchange as well, but no luck. However, when I tried to log in using Service Provider initiated SSO, I was able to resolve this problem.

Testing Scenario 4 : Interesting scenario in Single Sign On

Let's say I have implemented SSO for Salesforce and the IdP is some .Net based web service which implements SAML 2. When the user tried to authenticate, he was active in the IdP as well as in the SP. He was successfully able to authenticate the Salesforce1 app using OAuth (after the SAML based login succeeded). However, after a few days he got deactivated in the IdP while still active in the Service Provider (Salesforce). As he is still active in Salesforce and OAuth is already set up, he can access his Salesforce1 application. How should I check or revoke his access once he is no longer active in the Identity Provider? The same question was asked on StackExchange as well.

After discussion with @metadaddy and @cmort, the only solution I found was to make a callout from the IdP to the Service Provider to remove the OAuth token or deactivate the user.
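The callout the post settles on can be expressed as two Salesforce REST calls made from the IdP side whenever a user is deactivated there. The block below is an added example (not code from the original post, from the StackExchange discussion, or from Salesforce) that revokes the user's known OAuth tokens through the `/services/oauth2/revoke` endpoint and then deactivates the User record by PATCHing `IsActive` to `false`. The SP My Domain, API version, user record Id, integration access token and refresh tokens are placeholders, and the `send` parameter is a hypothetical hook so the calls can be exercised without network access.

```python
# Added example (not part of the original post): the "callout from IdP to Service
# Provider" the post arrives at, as an IdP-side deprovisioning hook that revokes the
# user's OAuth tokens and deactivates the user in the SP org over the Salesforce
# REST API. Assumptions not taken from the post: the SP My Domain, API version,
# user record Id, integration access token and refresh tokens are placeholders;
# the `send` parameter is a hypothetical hook so the calls run without a network.
import json
from urllib import parse, request

# Placeholders (not real values): replace with the SP org's My Domain and a token
# obtained by an integration user that has permission to edit User records.
SP_DOMAIN = "https://sp-org-placeholder.my.salesforce.com"
API_VERSION = "58.0"


def build_revoke_request(sp_domain, token):
    """POST /services/oauth2/revoke invalidates a refresh or access token."""
    url = f"{sp_domain}/services/oauth2/revoke"
    body = parse.urlencode({"token": token}).encode()
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    return request.Request(url, data=body, headers=headers, method="POST")


def build_deactivate_request(sp_domain, api_version, user_id, access_token):
    """PATCH sobjects/User/<Id> with IsActive=false deactivates the SP user."""
    url = f"{sp_domain}/services/data/v{api_version}/sobjects/User/{user_id}"
    body = json.dumps({"IsActive": False}).encode()
    headers = {
        "Authorization": f"Bearer {access_token}",
        "Content-Type": "application/json",
    }
    return request.Request(url, data=body, headers=headers, method="PATCH")


def _send_over_http(req):
    """Default transport: perform the request and return the HTTP status code."""
    with request.urlopen(req, timeout=10) as resp:
        return resp.status


def deprovision(user_id, refresh_tokens, access_token, sp_domain=SP_DOMAIN,
                api_version=API_VERSION, send=_send_over_http):
    """Revoke the known tokens first, then deactivate the user.

    The post mentions either step as sufficient; doing both covers the case where
    the IdP does not know every token the user holds and the case where the
    deactivation call fails. Returns what happened so the caller can log it.
    """
    outcome = {"revoked": [], "revoke_failed": [], "deactivate_status": None}
    for token in refresh_tokens:
        status = send(build_revoke_request(sp_domain, token))
        (outcome["revoked"] if status == 200 else outcome["revoke_failed"]).append(token)
    # A successful sObject PATCH answers 204 No Content.
    outcome["deactivate_status"] = send(
        build_deactivate_request(sp_domain, api_version, user_id, access_token)
    )
    return outcome


if __name__ == "__main__":
    # Real usage: supply the SP user's Id, the refresh tokens the IdP issued or
    # recorded for that user, and a valid integration access token.
    print(deprovision("005PLACEHOLDERID", ["REFRESH_TOKEN_PLACEHOLDER"], "ACCESS_TOKEN_PLACEHOLDER"))
```

Triggering this from the IdP's deactivation event is what closes the gap the scenario describes: the SAML login is already gone once the IdP account is disabled, but an OAuth refresh token issued to Salesforce1 keeps working until the SP either revokes it or deactivates the user. The return value is worth logging on the IdP side so a revoke that came back with anything other than 200 is not silently lost.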

Related posts

  • Really nice example… clear and simple… Thanks… Do you have some examples of single sign on in Windows ASP.NET?

  • Neerpal

    Hi Jitendra,

    That was a wonderful and very useful post.

    But while testing Testing Scenario 2, I am seeing unusual behavior: after setting up the SSO login page in my domain, when I put in the Login page URL of the Service Provider, it is not asking for any user name and password of the identity provider; instead, after redirecting, it is directly taking me to the Service Provider instance.

    Please let me know if I am doing any thing wrong.

    Thanks & Regards,
    Neerpal Singh

    • Seema Singh

      Hi Jitendra,
      Could you please provide a solution for the above post.
      I tried testing the 2nd scenario; it's showing the behaviour Neerpal mentioned.

      Thanks,
      Seema.

      • Hi Seema, did you disable the standard login as suggested in the post? If you don't disable the standard login then it will still ask for the SP username and password instead of the IdP's.

  • Rishav

    Hi Jitendra,
    I configured step by step as you described, but when I go to test Scenario 1 I am getting “insufficient privilege” errors.
    It is not redirecting me to the Service Provider domain.

  • Shah

    I am getting “insufficient privilege” errors. How do I fix that?

    • Ashutosh

      You need to associate the connected app to the relevant profile in your IdP instance.

  • Rishikant Dubey

    Testing Scenario 1 : IdP initiated SSO

    Subject type = Username in the Connected App of the IdP org should be the same as SAML identity type = Federation ID in the SSO settings.

    I mean username in the IDP org should be the Federation ID in the other org.

    • The Connected App needs to be created in the IdP initiated org. Subject should be “Username” (the string, not an actual username), and the Service Provider org should have SSO defined so that it knows it can be logged into from another location as well. When some app like Heroku, Twitter or FB wants to connect to Salesforce using OAuth, it should have a connected app defined. A connected app gives us the Consumer key and secret.

  • Deep Singhal

    Hi Jitendra,

    I am trying to clarify my understanding and hence the following question:

    I understand we need to create a Connected App in the Identity Provider. While creating it we have the option to use SAML or OAuth2.0. Since you used SAML, you had to specify the SAML settings under Single Sign-On in the Service Provider. Had we used OAuth2.0 in the Connected App and created an Auth Provider in the Service Provider org, what would have been the difference?

    Also, please suggest when to use SAML and when OAuth2.0.

    Thanks..

    Deep Singhal

  • Pingback: SSO + Integration between Salesforce Orgs – singhforce()