Step by step guide to Setup Federated Authentication (SAML) based SSO in Salesforce – Video Tutorial

In this post, we will discuss how to set up federated, SAML-based single sign-on (SSO) in Salesforce.

SAML (Security Assertion Markup Language) is an XML-based open standard for exchanging authentication and authorization data between an identity provider and a service provider. SAML-based authentication is supported in all editions of Salesforce.

Single sign-on can be initiated from either side of the exchange:

  1. Service Provider (SP) initiated SSO
  2. Identity Provider (IdP) initiated SSO

This article uses IdP-initiated SSO: the user logs in at the identity provider and is then redirected to Salesforce, which acts as the service provider. The identity provider must implement the SAML 2.0 standard, and its login URL must be reachable by your users' browsers (typically it sits in the DMZ of your organization, reachable from the Internet), because the assertion travels through the browser rather than directly between the two servers. As a Salesforce developer you can usually assume you will be handed an IdP URL that implements SSO and returns a valid SAML response. To get started quickly, this tutorial stands in for your organization's IdP with AXIOM, a free, open-source test identity provider hosted on Heroku.

AXIOM is a Java-based Heroku application that implements the SAML 2.0 identity provider side and is meant for testing whether your SSO configuration works. Keep in mind that anyone can use the public instance to generate an assertion for any Federation ID, signed with the same certificate you download in Step 2, so configure it only against a sandbox or developer org, never a production org.

IdP-Initiated Single Sign-On:

In IdP-initiated SSO, the user logs in directly at the identity provider, which then redirects the browser to the correct Salesforce instance (the service provider) with a SAML assertion in the request. If the assertion is valid, Salesforce signs the user in.

Image 1 – IdP-Initiated SAML-Based Single Sign-On

Step 1 : Enable My Domain

The first step is to enable "My Domain" in Salesforce, which gives your Salesforce instance a unique subdomain. The domain name must be unique and not already used by another org, and activation may take up to 24 hours.

Step 2: Download Identity Provider Certificate

In this step we download the identity provider's signing certificate. Salesforce uses the public key in this certificate to verify the XML signature on every SAML response it receives, so only assertions actually signed by the IdP, and not ones forged by a third party, grant access to the service provider (in our case Salesforce).

You can download the certificate from the Axiom application's home page.

Step 3: Enable Single Sign On in Salesforce

Navigate to “Setup | Security Controls | Single Sign-On Settings” and check “SAML Enabled” option.

Step 4 : Configure Single Sign On

Once SAML is enabled, a new section appears on the same page for creating "SAML Single Sign-On Settings".

Click New and provide the following information:

  • Name – any name will work
  • API Name – any valid API name
  • Issuer – the identifier the IdP places in the Issuer element of its responses. Remember it: Salesforce rejects assertions whose Issuer does not match this value exactly
  • Identity Provider Certificate – upload the certificate downloaded in Step 2. Salesforce verifies assertion signatures against this certificate only
  • Entity Id – "https://saml.salesforce.com". This is the Audience the assertion must be addressed to
  • SAML Identity Type – Assertion contains the Federation ID from the User object
  • SAML Identity Location – Identity is in the NameIdentifier element of the Subject statement
  • Identity Provider Login URL – "http://axiomsso.herokuapp.com/RequestSamlResponse.action" (this URL must be reachable by your users' browsers; note that Axiom's test endpoint is plain HTTP, whereas a production IdP must be served over HTTPS)
  • Service Provider Initiated Request Binding – HTTP POST

Once you have saved the settings, the page should look something like this:

Image 2 – SAML Single Sign-On Settings

Step 5: Generate a SAML Response

Navigate to the Axiom application and click the "generate a SAML Response" link.

Enter following detail in next screen:

  • SAML Version – 2.0
  • Username OR Federated ID – once SAML is enabled, a new field, "Federation ID", appears on the user record. Its value is what the IdP sends as the user's identity and what Salesforce matches against. In my case I used the employee number, 123456; note that this need not be in email format
  • User ID Location – Subject
  • Issuer – the Issuer name configured in Step 4. In our case it is AXIOM
  • Recipient URL – the "Salesforce Login URL" shown after saving the SSO settings in Step 4 (see Image 2 above)
  • Entity Id – https://saml.salesforce.com
  • SSO Start Page – http://axiomsso.herokuapp.com/RequestSamlResponse.action
  • User Type – Standard

Image 3 – Generate SAML response

After providing the above details, click the "Request SAML response" button. The screen below appears.

Image 4 – Login using SAML Response from AXIOM

This page shows the SAML response Axiom generated, in the format Salesforce will receive. You don't have to change anything on this screen; click the Login button.

If everything is OK, you land on the Salesforce home page. If the login fails instead, copy the SAML response from this screen and paste it into the SAML Assertion Validator on the Single Sign-On Settings page in Salesforce; it reports which check (issuer, audience, recipient, signature, validity window) the assertion failed.
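As an added example (not code from the original post, from Salesforce, or from Axiom), the following Python script ties the Step 4 settings to the assertion fields a service provider checks when an IdP-initiated response like the one in Image 4 arrives, and covers the flow described under "IdP-Initiated Single Sign-On" above. The SAML response, the IdP certificate bytes, and the Salesforce Login URL in it are constructed stand-ins. The XML-DSig signature verification that Salesforce performs against the uploaded certificate needs an XML signature library and is deliberately not implemented here; the script shows only the checks that surround it: certificate pinning, Issuer, Audience (Entity Id), Recipient (Salesforce Login URL), validity window, and NameID extraction as the Federation ID.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

# Constructed stand-in for the certificate downloaded in Step 2 (not Axiom's real certificate).
IDP_CERT_DER = b"constructed-idp-signing-certificate"

# Values as entered on the "SAML Single Sign-On Settings" page. The recipient is a
# hypothetical Salesforce Login URL; the real one is shown after saving (Image 2).
SP_CONFIG = {"issuer": "AXIOM",
             "entity_id": "https://saml.salesforce.com",
             "recipient": "https://example-dev-ed.my.salesforce.com?so=00D000000000001",
             "idp_cert_sha256": hashlib.sha256(IDP_CERT_DER).hexdigest()}

def ts(dt):
    return dt.strftime("%Y-%m-%dT%H:%M:%SZ")  # SAML timestamps are UTC xs:dateTime

def parse_ts(text):
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def build_response(issuer, audience, recipient, federation_id, not_before, not_on_or_after, cert_der):
    """Constructed IdP-initiated Response of the shape Axiom shows in Image 4; no XML-DSig is computed."""
    cert_b64 = base64.b64encode(cert_der).decode()
    return f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}" xmlns:ds="{NS['ds']}" ID="_r1" Version="2.0" IssueInstant="{ts(not_before)}">
  <saml:Issuer>{issuer}</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="{ts(not_before)}">
    <saml:Issuer>{issuer}</saml:Issuer>
    <ds:Signature><ds:KeyInfo><ds:X509Data><ds:X509Certificate>{cert_b64}</ds:X509Certificate></ds:X509Data></ds:KeyInfo></ds:Signature>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">{federation_id}</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData Recipient="{recipient}" NotOnOrAfter="{ts(not_on_or_after)}"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions NotBefore="{ts(not_before)}" NotOnOrAfter="{ts(not_on_or_after)}">
      <saml:AudienceRestriction><saml:Audience>{audience}</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""

def http_post_binding(xml_text):
    """HTTP-POST binding: the browser POSTs the base64 response as the SAMLResponse form field."""
    return base64.b64encode(xml_text.encode()).decode()

def check_response(saml_response_b64, config, now):
    """Claim checks the SP applies after (not instead of) verifying the XML-DSig signature,
    which needs an XML signature library and is the one step this example does not perform."""
    findings = []
    root = ET.fromstring(base64.b64decode(saml_response_b64))
    a = root.find("saml:Assertion", NS)
    if a is None:
        return {"ok": False, "federation_id": None, "findings": ["no Assertion in Response"]}
    # Issuer setting: the IdP must identify itself exactly as configured.
    issuer = a.findtext("saml:Issuer", default="", namespaces=NS)
    if issuer != config["issuer"]:
        findings.append(f"issuer {issuer!r} is not the configured {config['issuer']!r}")
    # Identity Provider Certificate setting: trust only the uploaded certificate, never the one in KeyInfo.
    cert_b64 = a.findtext("ds:Signature/ds:KeyInfo/ds:X509Data/ds:X509Certificate", default="", namespaces=NS)
    fingerprint = hashlib.sha256(base64.b64decode(cert_b64.strip())).hexdigest() if cert_b64 else ""
    if fingerprint != config["idp_cert_sha256"]:
        findings.append("signing certificate is not the configured IdP certificate")
    # Entity Id setting: an assertion issued for another SP must not be accepted here.
    audience = a.findtext("saml:Conditions/saml:AudienceRestriction/saml:Audience", default="", namespaces=NS)
    if audience != config["entity_id"]:
        findings.append(f"audience {audience!r} is not the entity id {config['entity_id']!r}")
    # Salesforce Login URL (Recipient URL in Step 5): the bearer assertion is bound to this endpoint.
    scd = a.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    recipient = scd.get("Recipient", "") if scd is not None else ""
    if recipient != config["recipient"]:
        findings.append(f"recipient {recipient!r} is not the Salesforce Login URL")
    # Validity window: NotBefore <= now < NotOnOrAfter, so a captured assertion cannot be replayed later.
    cond = a.find("saml:Conditions", NS)
    try:
        if not (parse_ts(cond.get("NotBefore")) <= now < parse_ts(cond.get("NotOnOrAfter"))):
            findings.append("assertion is outside its validity window")
    except (AttributeError, TypeError, ValueError):
        findings.append("missing or malformed Conditions timestamps")
    # SAML Identity Type/Location settings: NameID in the Subject is matched to User.FederationIdentifier.
    federation_id = a.findtext("saml:Subject/saml:NameID", default="", namespaces=NS)
    if not federation_id:
        findings.append("empty NameID")
    return {"ok": not findings, "federation_id": federation_id or None, "findings": findings}

def demo():
    now = datetime(2024, 1, 15, 10, 0, tzinfo=timezone.utc)  # fixed clock for reproducibility
    nb, noa = now - timedelta(minutes=1), now + timedelta(minutes=5)
    good = build_response("AXIOM", SP_CONFIG["entity_id"], SP_CONFIG["recipient"], "123456", nb, noa, IDP_CERT_DER)
    foreign = build_response("AXIOM", SP_CONFIG["entity_id"], SP_CONFIG["recipient"], "123456", nb, noa, b"attacker-certificate")
    other_sp = build_response("AXIOM", "https://sp.example.net", SP_CONFIG["recipient"], "123456", nb, noa, IDP_CERT_DER)
    return {"valid": check_response(http_post_binding(good), SP_CONFIG, now),
            "foreign_cert": check_response(http_post_binding(foreign), SP_CONFIG, now),
            "replayed": check_response(http_post_binding(good), SP_CONFIG, now + timedelta(hours=1)),
            "wrong_audience": check_response(http_post_binding(other_sp), SP_CONFIG, now)}

if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

Running the script shows the well-formed response accepted with Federation ID 123456 and the three tampered variants (a foreign signing certificate, an assertion presented an hour late, and an assertion issued for a different service provider) rejected with a specific finding each. In production code, parse with a hardened XML parser and verify the signature against the configured certificate before reading any field, since every value above is attacker-controlled until the signature has been checked.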

Question: Can I force users to log in with federated SSO only?
Answer: Yes, please refer to the Salesforce article on the subject. In short, the My Domain settings let you prevent logins from the standard login page so that users must come through the IdP, as Image 5 shows; before doing so, make sure at least one administrator retains a way to log in if the IdP is unavailable.

Image 5 – Don't allow users to use the standard login page to log in to Salesforce

Comments

22 responses to “Step by step guide to Setup Federated Authentication (SAML) based SSO in Salesforce – Video Tutorial”

  1. mailtoharshit

    Neat, you know what, I am a big fan of the article and video, and that is what I am pushing with the editorial team here. I love the flow when you see the video and re-read the blog to follow the steps. Neat job.

    1. JitendraZaa

      Thanks Harshit….

  2. Ajith

    Hi Jitendra, how do we handle the relay states in SAML based SSO? I have set up IDP initiated SSO (IBM Tivoli) and it works like a charm in a normal browser. But when trying to login from Salesforce1, the IDP redirects the Salesforce1 pages to the desktop version of the page, which means the normal browser page loads inside the Salesforce1 container. After doing some research, I got a hint on relay states but not a clue yet how to set it. Have you encountered such a scenario?

    1. JitendraZaa

      Hi Ajith, I also faced something like this. You can check my other post on the same topic. I asked questions on Stack Exchange and Twitter also. You will need to use SP initiated SSO.

  3. Balaji Bondar

    Nice article, Jitendra

    1. JitendraZaa

      Thanks Balaji

  4. Rishav

    Hi Jitendra,

    I am trying to configure this and it's returning an error saying to fill all the fields like "Start URL / Relay State" that I left empty. What is this? Please tell.

  5. anandha prassanna

    Very good and neatly documented. Came in handy for a quick verification, as the test site on herokuapp can be generically used to submit a SAML artifact response to any site which is SAML compliant. – aprassanna

  6. krishna Dev Annamaneni

    Hi Jitendra,
    In case of federated SSO with ADFS, how do we exclude System Admins and integration user accounts so that they will not be impacted when ADFS is down or there is some interruption in service?

    Regards,
    krishna Dev

  7. Vikash Kumar

    It's worth watching. Very helpful.

    I am facing a problem with implementing SSO with ADFS. I’m sure from salesforce I configured everything perfect but while testing sometimes it is allowing user to login and sometimes not. Also as soon as I’m clicking on SSO button it is first taking me to the ADFS login page which seems strange to me.

    Am I missing something here?

    Thanks in advance.

    -Vikash Kumar

  8. Neeraj Jadhav

    If my service provider is a force.com site application, how do I verify the user? What will the IDP send back to the force.com site and how do I find it? Is the assertion sent in the form of cookies or response headers? Is there Apex code to do that?

    1. Neeraj Jadhav

      Sorry, I did not get that.

      1. shrenb

        Neeraj,
        I have the same question for a similar situation. Can you please share the answer you got and/or have you been able to solve it for your situation?

  9. Kapil Sharma

    Hi Jitendra, your article is very informative. I want to know, is there a way through which my users can login through a common interface and can access both my PHP website and their Salesforce? Thanks.

  10. trupth

    Can I get any help on SSO from G Suite to Salesforce? The service provider app is not showing up in the identity provider's list even after I created a Connected App in Salesforce.

  11. Priyanka Singh

    Hi Jitendra, I am working on SSO in my current project in which Salesforce will work as SP and a third party will act as IDP. It will be IDP initiated and the third party user will be redirected to Salesforce. I have done the Axiom part and succeeded. Now my question is: do I need to create x number of SSO setups in Salesforce for x number of users existing in the third party if I have to do it with Federation ID? Can we do SSO through profile or permission set? But how? And tell me how I can enable SSO for all users in the third party. Please tell me the complete solution. Need your solution urgently, please reply.

    1. Deep Naik

      Hi Priyanka,

      I have a similar task. Just wanted to check with you, if you were able to implement this solution.

      Thanks,
      Deep

  12. amit

    Hi,
    I need to use this code in .NET C# for SSO login. Could you please guide me to samples for a SAML response generator in .NET?

  13. Shruthi

    Hi Jitendra, I am implementing an extended version of this scenario and stuck at how to get data from one Service Provider to another Service Provider using the obtained SAML assertion?

    I have 3 Salesforce orgs (IDP, SP1 and SP2) and have set up SSO where IDP is my Identity-Provider and SP1 and SP2 are 2 Service-Providers. Using SP1-initiated SSO login, the user gets authenticated in IDP org and returns SAML assertion in response to SP1.

    Now my requirement is when the user is redirected to SP1 from IDP after authentication, I want to fetch some case related data from SP2 and display in SP1 without making the user login into SP2.

    Can you help me understand how to achieve this.

  14. Hemanth

    will this work for mobile app also? or do we need any additional changes to do in iOS or Android apps?

  15. sam

    Hello Jitendra,
    I implemented IdP initiated SSO which redirects the user to Salesforce. I am using the customer portal, and some portal users also have a full license user. Therefore, the portal user cannot use SSO because of the same Federation ID. Can the IdP send an additional attribute "user license information" and can the Salesforce SAML identity check this additional attribute along with the Federation ID and let the identical user with a different license log in based on their license permission?
