Salesforce supports many Auth Provider out of the box, which can be used as Identity provider. Some of the examples – Facebook, Google, Github, Salesforce, OpenId Connect , Linked In and Janrain.
If you are in need to use Wechat , Yahoo or some other social account like Microsoft, don’t get disappointed. Even if they are not available out of the box as Auth Provider in Salesforce , Salesforce has provided magical box Janrain. Janrain supports vast list of social platform which can be used as Identity provider for your Salesforce instance.
How Janrain is different compared to other SSO solutions for Salesforce
If we configure Identity provider for Salesforce using Single Sign On or Auth Provider, those options will appear on Login Salesforce page as a button (shown in below image).
Previously we have seen, How to setup SAML based Single Sign On Where Salesforce will be Service Provider and some other application like AXIOM will be Identity Provider. In this article we will use one Salesforce Instance as Identity Provider and other Salesforce Instance as Service Provider.
Before starting you have to decide which salesforce Instance will act as Identity Provider and which one will act as Service Provider. To Avoid confusions, we can create app with different Logo to distinguish Identity Provider and Service Provider like I did.
Step 1 : Enable Domain in Identity Provider Organization
From Setup, click Domain Management | My Domain, enter a new subdomain name, and click Check Availability. If the name is available, click the Terms and Conditions check box, then click Register Domain.
In this post, We will be dicussing how to setup Federated SAML based Authentication in Salesforce.
SAML stands for “Security Assertion Markup Language” and it is Open standard for exchanging Authentication and Authorization between Systems. SAML based authentication is supported by all editions of Salesforce.
User Validation can be initiated by any one of below two types:
- Service Provider Initiated SSO
- Identity Provider (IDp) initioated SSO
We are going to use Identity Provider Initiated SSO in this article. Means User will Login from Outside(IDp) and will be redirected to Salesforce (Service Provider). Identity Provider must follow Federated Authentication (SAML) standard which should be deployed to DMZ (URL should be publicly accessible on Internet) layer of your Organization. As a Salesforce developer you should assume that you will always get IDp URL which implements SSO and implements valid SAML response. To Quickly start with this tutorial assume that your organization already deployed SAML based Authentication endpoint and for that we will be using great Heroku app available freely as open source named “AXIOM“.
AXIOM is java based heroku application which implements SAML and can be used for testing purpose to check whether SSO is working properly or not.
IDp Initiated Single Sign On :
In IDp Initiated SSO, User Directly logins to Identity provider and IDp redirects user to proper Salesforce Instance with SAML assertion in request (Service Provider). If SAML assertion is valid then Salesforce validates that user successfuly.