Setting up SSO with Salesforce
The EmpowerID SSO framework allows you to integrate Salesforce with EmpowerID, making EmpowerID the identity provider for your organization's Salesforce account. In this way, users can access their Salesforce accounts directly from EmpowerID using their EmpowerID credentials, their corporate AD logins, or the credentials of another trusted third-party identity provider that has been integrated with EmpowerID.
This topic describes how to set up SSO with Salesforce.
To set up Single Sign-On in Salesforce
Info Before setting up Single Sign-On in Salesforce, decide the name for the Salesforce application you are creating in EmpowerID. You need to use the same name when setting up SSO in Salesforce. The name must be one word, such as Salesforce or CorporateSalesforce.
You also need the public certificate (.cer file) for the private key (.pfx file) used for signing SAML assertions in your EmpowerID deployment. Salesforce needs the public certificate to verify that the SAML assertions come from your organization. Upload only the .cer file; the .pfx file contains the private key and must stay on the EmpowerID server.
- Log in to Salesforce and click Setup. In the Navigation Sidebar, navigate to Settings > Identity and then click Single Sign-On Settings.
- On the Single Sign-On Settings page, click the Edit button below Single Sign-On Settings to enable federated authentication using SAML.
- Select SAML Enabled and then click Save.
- Back on the main Single Sign-On Settings page, click the New button below SAML Single Sign-On Settings.
- On the SAML Single Sign-On Settings page that appears, do the following:
- Type an appropriate name in the Name field.
- Observe the value of the API Name field and change it if desired.
Info Salesforce populates the API Name field based on the value given in the Name field, but you can change it.
- Enter EmpowerID in the Issuer field.
- If your Salesforce org has domains deployed, enter either the base domain (https://saml.salesforce.com) or the custom domain in the Entity ID field. Whichever value you enter here must match, character for character, the Audience URL you configure on the EmpowerID SSO connection later in this topic.
- Click Choose File and then browse to the public certificate (.cer file) for the SAML signing certificate (.pfx file) used in your EmpowerID deployment.
- In the Identity Provider Login URL field, enter https://<FQDN_Of_Your_EmpowerID_Web_Server>/EmpowerIDWebIDPForms/Login/<CorporateSalesforce>
Warning Replace <FQDN_Of_Your_EmpowerID_Web_Server> with the FQDN of your EmpowerID Web server and <CorporateSalesforce> with the name you chose for the Salesforce SSO application you are creating in EmpowerID.
- Click Save.
The SAML Single Sign-On Settings page at this point looks similar to the screenshot in the original page.
- Below Endpoints, copy the Login URL. You need this to create the Salesforce SSO application in EmpowerID.
- Back in the main pane of the Single Sign-On Settings page, click the link for the Request Signing Certificate that Salesforce generated for the SSO connection.
- Click Download Certificate. You need this certificate for the EmpowerID certificate store in the next step.
To add the Salesforce Request Signing Certificate to the EmpowerID Certificate Store
- Locate the Salesforce Request Signing Certificate you downloaded and add it to the Personal certificate store on your EmpowerID server.
- From your EmpowerID server, open the EmpowerID Certificate Manager. To find it, search for Certificate Manager or look for the executable in the \Program Files\TheDotNetFactory\EmpowerID\Programs folder.
- In the EmpowerID Certificate Manager, click Upload from Local Certificate Store and select the Salesforce certificate.
- Enter a password for the certificate and click OK.
- Close the EmpowerID Certificate Manager.
The next step is to create a Salesforce application in EmpowerID.
To create a Salesforce application in EmpowerID
- In the Navigation Sidebar of the EmpowerID Web interface, expand Applications and click Manage Applications to open the Find Applications page.
- From the Actions pane of the Find Applications page, click the Create Application action.
This opens the Application Details form, which contains various tabs and fields for creating the application.
- From the General tab of the Application Details form, do the following:
- Enter a name for the Salesforce application in the Name field. The name must be one word and must be the same name you entered in Salesforce.
- Enter a display name and description for the application in the Display Name and Description fields.
- In the Icon field, type ~Images/AppLogos/Salesforce.png to use the Salesforce image provided by EmpowerID. This image represents the Salesforce application in the EmpowerID Web interface for users with access.
- Set Allow Access Requests to specify whether the application appears in the IT Shop, allowing users to request or claim an account in the application.
- Set Allow Claim Account to specify whether users can claim their accounts and gain instant access after passing the requisite identity proofs.
- Set Allow Request Account and Allow Access Requests to allow users to request an account in the application.
- Set Login Is Email Address to specify whether the login for the application is an email address. If so, EmpowerID sends a one-time password to the email address for identity proofing when claiming accounts. This setting is also used to pass the identity assertion to the application when logging in from EmpowerID.
- Set Make me the Application Owner to manage the application and approve or deny access requests.
- Set Configure Advanced Claim and Request Account Options and provide advanced configuration information if you have custom pages and workflows configured in EmpowerID that process access requests and manage accounts linked to the application's EmpowerID account directory.
- Click the Single Sign-On tab and do the following:
- Select SAML from the Single Sign-On Connection Type drop-down and then select Create a New SAML Connection.
- In the SAML Connection Information section that appears, select Salesforce SSO Connection Settings from the SAML Application Template drop-down. This populates the SAML Connection Information section with common SSO settings for Salesforce.
- Enter a display name for the SSO connection in the Display Name field. This field is populated with the name of the application, but you can change it.
- Enter a description for the SSO connection in the Description field.
- In the Assertion Consumer URL field, enter the Login URL that Salesforce provided for your organization when you set up Single Sign-On there.
- Leave the Issuer set to EmpowerID. It must match the Issuer value you entered in Salesforce.
- Enter /EmpowerIDWebIDPForms/Login/<CorporateSalesforce>, replacing <CorporateSalesforce> with the name of your application. This is the path portion of the Identity Provider Login URL you entered in Salesforce.
- From the Certificate drop-down, select the certificate used to sign the SAML assertions sent to Salesforce. This must be the certificate (.pfx) whose public .cer file you uploaded to Salesforce; if the two differ, Salesforce cannot verify the assertion signature.
At this point, the SAML Connection Information section of the form looks similar to the screenshot in the original page.
- Click the Users tab and do one of the following:
- If you have not connected EmpowerID to your enterprise Salesforce account, select Create a New Account Directory. If you select this option, EmpowerID uses the Salesforce tracking-only account store that is configured out of the box. The Salesforce tracking-only account store exists as a container within EmpowerID for storing user and group records apart from those located in the actual directory Salesforce maintains for your Salesforce account. EmpowerID uses this directory to map your Salesforce users to their corresponding EmpowerID Persons.
- If you have connected EmpowerID to your enterprise Salesforce account, select the account store for your Salesforce account from the Select existing Account Directory drop-down. Note that you must add this account store to EmpowerID before it appears in the drop-down.
- Click Add to Cart.
- Click the My Cart link and, in the Cart dialog that appears, type a reason for creating the application and then click Submit.
The next step is to configure the Salesforce SSO connection.
To configure the Salesforce SSO connection
- In the Navigation Sidebar of the EmpowerID Web interface, expand Admin, then SSO Connection, and click SAML to open the Find SAML Connections page.
- Search for the Salesforce connection, click the drop-down arrow to the left of it, and click Edit.
- Scroll to the certificates section of the form and select the Salesforce certificate you uploaded to the EmpowerID Identity Warehouse using the EmpowerID Certificate Manager.
- Click the Subject Confirmations tab and then click the Add New (+) button.
- In the dialog that appears, do the following:
- Type a name for the SAML Subject Confirmation in the Name field.
- Select Bearer from the Subject Confirmation Method drop-down.
- Enter the Login URL for your application in the Recipient field.
- Click Save.
- On the Audiences tab, click the Add New (+) button.
- In the dialog that appears, do the following:
- Type a name for the SAML Audience in the Name field.
- Enter https://saml.salesforce.com in the Audience URL field.
Tip The Audience URL is case sensitive and must match the Entity ID you entered in Salesforce exactly. Salesforce rejects SAML assertions whose audience differs even only in casing.
- Click Save.
- Back in the main SSO connection form, click Save.
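When a login fails after these steps, the fastest way to find a mismatch between the two sides is to capture the SAMLResponse that EmpowerID posts to the Salesforce Login URL (the browser's developer tools show it as a form field on the POST) and compare its fields with what Salesforce was configured to expect. The following Python script is an added example and is not EmpowerID or Salesforce code. It decodes the base64 SAMLResponse and checks the Issuer, the Audience (with a specific note when it differs only in case), the bearer Recipient, the status code and the validity window. The sample response it checks is constructed inline and unsigned, and the Login URL constant is a hypothetical placeholder; the script does not verify the XML signature, which needs the signing certificate and an XML-DSig library.

```python
"""Field-level check of a SAMLResponse posted by the IdP to Salesforce.

Added example, not EmpowerID or Salesforce code. It checks the fields that
Salesforce compares against its SAML Single Sign-On Settings; it does NOT
verify the XML signature (that needs the IdP certificate and XML-DSig).
"""
import base64
import xml.etree.ElementTree as ET
from datetime import datetime

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
BEARER = "urn:oasis:names:tc:SAML:2.0:cm:bearer"
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"

# Values from the setup on this page. The Login URL is a hypothetical
# placeholder; use the one Salesforce shows under Endpoints for your org.
EXPECTED_ISSUER = "EmpowerID"
EXPECTED_AUDIENCE = "https://saml.salesforce.com"   # exact case matters
EXPECTED_RECIPIENT = "https://example.my.salesforce.com?so=00D000000000000"

# Constructed, unsigned sample response used only to demonstrate the check.
SAMPLE_TEMPLATE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0"
    IssueInstant="2024-01-01T12:00:00Z" Destination="{recipient}">
  <saml:Issuer>EmpowerID</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="{status}"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-01-01T12:00:00Z">
    <saml:Issuer>EmpowerID</saml:Issuer>
    <saml:Subject>
      <saml:NameID>jdoe@example.com</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData Recipient="{recipient}" NotOnOrAfter="2024-01-01T12:05:00Z"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions NotBefore="2024-01-01T11:55:00Z" NotOnOrAfter="2024-01-01T12:05:00Z">
      <saml:AudienceRestriction><saml:Audience>{audience}</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""


def build_sample_response(audience=EXPECTED_AUDIENCE, recipient=EXPECTED_RECIPIENT, status=SUCCESS):
    """Base64-encode the constructed sample as the browser would post it in SAMLResponse."""
    xml = SAMPLE_TEMPLATE.format(audience=audience, recipient=recipient, status=status)
    return base64.b64encode(xml.encode()).decode()


def parse_saml_time(value):
    """SAML timestamps are UTC ISO-8601 with a trailing Z; fromisoformat wants +00:00."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def check_saml_response(saml_response_b64, expected_issuer, expected_audience,
                        expected_recipient, now="2024-01-01T12:00:00Z"):
    """Return a list of findings; an empty list means every checked field matches."""
    findings = []
    now_dt = parse_saml_time(now)
    root = ET.fromstring(base64.b64decode(saml_response_b64))

    status = root.find("samlp:Status/samlp:StatusCode", NS)
    if status is None or status.get("Value") != SUCCESS:
        findings.append("StatusCode is not Success")

    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        findings.append("Response carries no plain Assertion (encrypted or missing)")
        return findings

    # Salesforce compares the Issuer with the value entered in its Issuer field.
    for where, element in (("Response", root), ("Assertion", assertion)):
        issuer = element.findtext("saml:Issuer", namespaces=NS)
        if issuer != expected_issuer:
            findings.append(f"{where} Issuer is {issuer!r}, expected {expected_issuer!r}")

    # The Audience must equal the Salesforce Entity ID, case-sensitively.
    audiences = [a.text for a in assertion.findall(
        "saml:Conditions/saml:AudienceRestriction/saml:Audience", NS)]
    if expected_audience not in audiences:
        note = ""
        if any(a.lower() == expected_audience.lower() for a in audiences):
            note = " (differs only in case; Salesforce compares it case-sensitively)"
        findings.append(f"Audience {audiences} lacks {expected_audience!r}{note}")

    conditions = assertion.find("saml:Conditions", NS)
    if conditions is not None:
        not_before, not_after = conditions.get("NotBefore"), conditions.get("NotOnOrAfter")
        if not_before and now_dt < parse_saml_time(not_before):
            findings.append("Conditions NotBefore is still in the future (check clock skew)")
        if not_after and now_dt >= parse_saml_time(not_after):
            findings.append("Conditions NotOnOrAfter has passed (assertion expired)")

    # The bearer Recipient must be the Salesforce Login URL (the ACS URL).
    bearer_data = [sc.find("saml:SubjectConfirmationData", NS)
                   for sc in assertion.findall("saml:Subject/saml:SubjectConfirmation", NS)
                   if sc.get("Method") == BEARER]
    if not bearer_data or bearer_data[0] is None:
        findings.append("No bearer SubjectConfirmation with SubjectConfirmationData")
    else:
        data = bearer_data[0]
        if data.get("Recipient") != expected_recipient:
            findings.append(f"Recipient is {data.get('Recipient')!r}, expected {expected_recipient!r}")
        if data.get("NotOnOrAfter") and now_dt >= parse_saml_time(data.get("NotOnOrAfter")):
            findings.append("SubjectConfirmationData NotOnOrAfter has passed")
    return findings


if __name__ == "__main__":
    samples = (("good", build_sample_response()),
               ("wrong-case audience", build_sample_response(audience="https://SAML.salesforce.com")))
    for label, response in samples:
        result = check_saml_response(response, EXPECTED_ISSUER, EXPECTED_AUDIENCE, EXPECTED_RECIPIENT)
        print(label, result or "OK")
```

To use it on a real login, pass the captured SAMLResponse value (URL-decode it first if you copied it from the raw POST body) instead of the constructed sample, set the recipient to your org's Login URL from the Salesforce Endpoints section, and pass the current UTC time as `now`. A finding on the Audience line almost always means the Audience URL in EmpowerID and the Entity ID in Salesforce were typed differently.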
Now that the connection has been updated, the next step is to give your users access to the application.
To give users access to the Salesforce SSO application
- In the Navigation Sidebar of the EmpowerID Web interface, expand Applications and click Manage Applications to open the Find Applications page.
- Search for the Salesforce application and then click the Display Name link for it.
- On the Application Details page that appears, expand the Who Has Access To Application accordion by clicking it.
- From the To which type of actor do you wish to assign access? drop-down, select an actor type. In this example, select the Management Role actor type.
- Click the Add New Assignee (+) button.
- In the Select to whom you wish to grant access dialog that appears, select the specific actor for the actor type. In this example, select the Self-Service User Management Role.
- Select an Access Level from the Access Level drop-down. For example, to let users see the application on their personal applications page, grant them the Viewer Access Level. Grant the lowest level that meets the need.
- If you want to add a time constraint to the Access Level assignment, such as specific times and days when the application is available for use, select the Time constraint box and then select the desired times and days.
- When complete, click the Save button.
- From the Navigation Sidebar, expand Identities and then click the link for the actor type you selected above. For example, if you granted access to a Management Role, click Management Roles.
- From the Find page for the actor type, search for the specific actor to whom you granted access. In this example, search for a Management Role.
Info If you selected a different actor type, such as a Business Role and Location, the steps vary slightly from those described here.
- Click the Display Name link for the specific actor.
- On the Details page for the actor, click the Advanced tab, expand the User Interface Access accordion and then click the Edit button.
- Search for Applications and then select the SSO Applications page. This page shows users any SSO applications they may access.
- Click Submit. Users with access can view the page and SSO to Salesforce at the next compilation of the RBAC engine.
Tip You can compile RBAC immediately by navigating to the Self-Service (Workflows) view of the IT Shop and clicking Refresh RBAC and IIS App Pools.
To test the Salesforce SSO application
- Log in to the EmpowerID Web application as a person with a Salesforce account.
- In the Navigation Sidebar of the EmpowerID Web interface, expand Applications and click Login to open the Personal Applications Dashboard.
- Click the Salesforce tile.
EmpowerID opens a new browser tab and logs you in to your Salesforce account.