Setting up SSO with Salesforce

The EmpowerID SSO framework allows you to integrate Salesforce with EmpowerID, making EmpowerID the identity provider for your organization's Salesforce account. In this way, users can access their Salesforce accounts directly from EmpowerID using their EmpowerID credentials, their corporate AD logins or those of another trusted (third-party) identity provider that has been integrated with EmpowerID.

This topic describes how to set up SSO with Salesforce.

To set up Single Sign-On in Salesforce

  1. Before setting up Single Sign-On in Salesforce, decide the name for the Salesforce application you are creating in EmpowerID. You will need to use this when setting up SSO in Salesforce. Please note the name for the application must be one word, such as Salesforce or CorporateSalesforce. In addition, you will need to have the public certificate (.cer file) for the private key (.pfx file) used for signing SAML assertions in your EmpowerID deployment. Salesforce needs the public certificate to verify that the SAML assertions come from your organization.
    Log in to Salesforce and click Settings > Identity > Setup. From the Navigation Sidebar of Salesforce, navigate to Settings > Identity and then click Single Sign-On Settings. From the Single Sign-On Settings page, enable federated authentication using SAML by clicking the Edit button underneath Single Sign-On Settings. Tick SAML Enabled and then click Save.
  2. Back in the main Single Sign-On Settings page, click the New button underneath SAML Single Sign-On Settings.
  3. From the SAML Single Sign-On Settings page that appears, do the following:
    1. Type an appropriate name in the Name field.
    2. Observe the value of the API Name field and change it if desired.
    3. Enter EmpowerID in the Issuer field.
    4. If your Salesforce has domains deployed, enter either the base domain (https://saml.salesforce.com) or the custom domain in the Entity ID field.
    5. Click Choose File and then browse for and select the public certificate (.cer file) for the SAML signing certificate (.pfx file) used in your EmpowerID deployment.
    6. In the Identity Provider Login URL field, enter https://<FQDN_Of_Your_EmpowerID_Web_Server>/EmpowerIDWebIDPForms/Login/<CorporateSalesforce>. Be sure to replace <FQDN_Of_Your_EmpowerID_Web_Server> with the FQDN of your EmpowerID Web server and <CorporateSalesforce> with the name you have chosen for the Salesforce SSO application you will be creating in EmpowerID.
  4. Click Save.
  5. Underneath Endpoints, locate and copy the Login URL. You will need it when you create the Salesforce SSO application in EmpowerID.
  6. Back in the main pane of the Single Sign-On Settings page, click the link for the Request Signing Certificate Salesforce generated for the SSO connection.
  7. Click Download Certificate. You will need to add this certificate to the EmpowerID certificate store, as described below.

To add the Salesforce Request Signing Certificate to the EmpowerID Certificate Store

  1. Locate the Salesforce Request Signing Certificate and add it to the Personal Certificate store on your EmpowerID server.
  2. From your EmpowerID server, open the EmpowerID Certificate Manager. You can find this application by searching for Certificate Manager or by locating the executable in the \Program Files\TheDotNetFactory\EmpowerID\Programs folder.
  3. In the EmpowerID Certificate Manager, click Upload from Local Certificate Store and select the Salesforce certificate.
  4. Enter a password for the certificate and click Ok.
  5. Close the EmpowerID Certificate Manager.

To create a Salesforce application in EmpowerID

  1. From the Navigation Sidebar of the EmpowerID Web interface, navigate to the Find Applications page by expanding Applications and clicking Manage Applications. From the Actions pane of the Find Applications page, click the Create Application action. This opens the Application Details form, which contains various tabs and fields for creating the application.
  2. From the General tab of the Application Details form, do the following:
    1. Enter a name for the Salesforce application in the Name field. The name must be one word and it must be the same name you entered in Salesforce.
    2. Enter a display name and description for the application in the Display Name and Description fields, respectively.
    3. In the Icon field, type ~Images/AppLogos/Salesforce.png. This is the path to the Salesforce image provided by EmpowerID. Users with access to the application will see this image for the Salesforce application in the EmpowerID Web interface.
    4. Select or deselect Allow Access Requests to specify whether to allow access requests. When this option is selected, the application appears in the IT Shop, allowing users to request or claim an account in the application.
    5. Select or deselect Allow Claim Account to specify whether to give users the ability to claim an account they have in the application. When this option is selected, users can claim their accounts and gain instant access after passing the requisite identity proofs.
    6. Select or deselect Allow Request Account to specify whether to allow users to request an account in the application. When this option is selected and Allow Access Requests is selected, users can request an account in the application.
    7. Select or deselect Login Is Email Address to specify whether the login for the application is an email address. If the login is an email address, EmpowerID sends a one-time password to the email address for identity proofing when claiming accounts. Additionally, this setting is necessary for passing the appropriate identity assertion to the application when logging in from EmpowerID.
    8. Select or deselect Make me the Application Owner to specify whether you are the owner of the application. Application owners have the ability to manage the application and approve or deny access requests.
    9. Configure Advanced Claim and Request Account Options - Select this option and then provide the appropriate advanced configuration information if you have custom pages and workflows configured in EmpowerID for processing access requests as well as for managing any accounts linked to the application's (internal to EmpowerID) account directory.
  3. Click the Single Sign-On tab and do the following:
    1. Select SAML from the Single Sign-On Connection Type drop-down and then select Create a New SAML Connection.
    2. In the SAML Connection Information section that appears, select Salesforce SSO Connection Settings from the SAML Application Template drop-down. This populates the SAML Connection Information section with the common SSO settings for Salesforce.
    3. Enter a display name for the SSO Connection in the Display Name field. Please note this field is populated with the name of the application. You can leave the value as is or change it.
    4. Enter a description for the SSO Connection in the Description field.
    5. In the Assertion Consumer URL field, enter the Login URL for your organization provided by Salesforce when you set up Single Sign-On there.
    6. Leave the Issuer set to EmpowerID.
    7. Enter /EmpowerIDWebIDPForms/Login/<CorporateSalesforce>, replacing <CorporateSalesforce> with the name of your application.
    8. Select the certificate used to sign the SAML assertions sent to Salesforce from the Certificate drop-down. This must be the certificate whose public certificate (.cer file) you uploaded to Salesforce.
  4. Click the Users tab and do one of the following:
    1. If you have not connected EmpowerID to your enterprise Salesforce account - Tick Create a New Account Directory. If you select this option, EmpowerID uses the Salesforce tracking-only account store that is configured out-of-the-box. The Salesforce tracking-only account store exists as a container within EmpowerID for storing user and group records apart from those located in the actual directory Salesforce maintains for your Salesforce account. EmpowerID uses this directory to map your Salesforce users to their corresponding EmpowerID Persons.
    2. If you have connected EmpowerID to your enterprise Salesforce account - Select the account store for your Salesforce account from the Select existing Account Directory drop-down. Please note that you must add this account store to EmpowerID before it will appear in the drop-down.
  5. Click Add to Cart. Click the My Cart link and in the Cart dialog that appears, type a reason for creating the application and then click Submit.

The next step is to configure the Salesforce SSO connection.

To configure the Salesforce SSO connection

  1. From the Navigation Sidebar of the EmpowerID Web interface, navigate to the Find SAML Connections page by expanding Admin > SSO Connection and clicking SAML.
  2. Search for the Salesforce connector and then click the drop-down arrow to the left of it and click Edit.
  3. Scroll to the certificates section of the form and select the Salesforce certificate you uploaded to the EmpowerID Identity Warehouse using the EmpowerID Certificate Manager.
  4. Click the Subject Confirmations tab and then click the Add New (+) button.
  5. In the dialog that appears, do the following:
    1. Type a name for the SAML Subject Confirmation in the Name field.
    2. Select Bearer from the Subject Confirmation Method drop-down.
    3. Enter the Login URL for your application in the Recipient field.
    4. Click Save.
  6. Click the Audiences tab and then click the Add New (+) button.
  7. In the dialog that appears, do the following:
    1. Type a name for the SAML Audience in the Name field.
    2. Enter https://saml.salesforce.com in the Audience URL field.
    3. Click Save.
  8. Back in the main SSO connection form, click Save.
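The values entered across the Salesforce and EmpowerID procedures above (Issuer EmpowerID, the Salesforce Login URL as the bearer Recipient, https://saml.salesforce.com as the Audience, a NotOnOrAfter expiry) are what the relying party checks in every assertion, so a mismatch in any one of them breaks the login. The Python example below is added here and is not EmpowerID or Salesforce code: it builds a constructed, unsigned assertion in that shape and applies those checks; the Login URL and user identifier are placeholders, and XML signature verification is left out.

```python
from datetime import datetime, timezone
import xml.etree.ElementTree as ET
NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
BEARER = "urn:oasis:names:tc:SAML:2.0:cm:bearer"
# Must agree between the EmpowerID SSO connection form and Salesforce's SSO
# settings; the recipient (Salesforce Login URL) is a constructed placeholder.
EXPECTED = {
    "issuer": "EmpowerID",
    "audience": "https://saml.salesforce.com",
    "recipient": "https://login.salesforce.com/?saml=PLACEHOLDER",
}

def build_assertion(issuer, audience, recipient, not_on_or_after):
    """Constructed, unsigned assertion in the shape an IdP like EmpowerID sends."""
    return f"""<saml:Assertion xmlns:saml="{NS['saml']}">
  <saml:Issuer>{issuer}</saml:Issuer>
  <saml:Subject>
    <saml:NameID>user@example.com</saml:NameID>
    <saml:SubjectConfirmation Method="{BEARER}">
      <saml:SubjectConfirmationData Recipient="{recipient}" NotOnOrAfter="{not_on_or_after}"/>
    </saml:SubjectConfirmation>
  </saml:Subject>
  <saml:Conditions>
    <saml:AudienceRestriction><saml:Audience>{audience}</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions>
</saml:Assertion>"""

def check_assertion(xml_text, expected=EXPECTED, now=None):
    """Return the mismatches a relying party rejects on (empty list = accepted).
    XML signature verification is out of scope here and must run before this."""
    now = now or datetime.now(timezone.utc)
    root = ET.fromstring(xml_text)
    problems = []
    issuer = root.findtext("saml:Issuer", default="", namespaces=NS)
    if issuer != expected["issuer"]:
        problems.append(f"issuer {issuer!r} is not {expected['issuer']!r}")
    sc = root.find("saml:Subject/saml:SubjectConfirmation", NS)
    scd = sc.find("saml:SubjectConfirmationData", NS) if sc is not None else None
    if sc is None or sc.get("Method") != BEARER or scd is None:
        problems.append("no bearer SubjectConfirmation with data")
    else:
        if scd.get("Recipient") != expected["recipient"]:
            problems.append(f"recipient {scd.get('Recipient')!r} mismatch")
        expiry = datetime.fromisoformat(scd.get("NotOnOrAfter").replace("Z", "+00:00"))
        if now >= expiry:
            problems.append("assertion expired (NotOnOrAfter passed)")
    audiences = [a.text for a in root.findall(".//saml:Audience", NS)]
    if expected["audience"] not in audiences:
        problems.append(f"audience {audiences} does not include {expected['audience']!r}")
    return problems
```

Swapping the Audience for a custom domain, or pointing the Recipient at a URL other than the Login URL copied from Salesforce's Endpoints section, reproduces the failures an operator sees when the two forms disagree.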

To give users access to the Salesforce SSO application

  1. From the Navigation Sidebar of the EmpowerID Web interface, navigate to the Find Applications page by expanding Applications and clicking Manage Applications.
  2. Search for the Salesforce application and then click the Display name link for it.
  3. From the Application Details page that appears, expand the Who Has Access To Application accordion by clicking it.
  4. From the To which type of actor do you wish to assign access? drop-down, select the appropriate actor type. In our example, we are selecting the Management Role actor type.
  5. Click the Add New Assignee (+) button.
  6. In the Select to whom you wish to grant access dialog that appears, select the specific actor for the actor type. In our example, we selected the Self-Service User Management Role.
  7. Select the appropriate Access Level from the Access Level drop-down. For example, to allow your users to see the application on their personal applications page, you grant them the Viewer Access Level.
  8. If you want to add a time constraint to the Access Level assignment, such as adding specific times and days when the application is available for use, tick the Time constraint box and then select the desired times and days.
  9. When complete, click the Save button.
  10. From the Navigation Sidebar, expand Identities and then click the link for the appropriate actor type you selected above. For example, if you granted access to a Management Role, you click Management Roles.
  11. From the Find page for the actor type, search for the specific actor to whom you granted access. In our example, we are searching for a Management Role.
  12. Click the Display Name link for the specific actor.
  13. From the Details page for the actor that appears, click the Advanced tab and then expand the User Interface Access accordion and then click the Edit button.
  14. Search for Applications and then select the SSO Applications page. This page displays to users any SSO applications they may access.
  15. Click Submit. Users with access will be able to view the page and SSO to Salesforce at the next compilation of the RBAC engine.

To test the Salesforce SSO application

  1. Log in to the EmpowerID Web application as a person with a Salesforce account.
  2. From the Navigation Sidebar of the EmpowerID Web interface, navigate to the Personal Applications Dashboard by expanding Applications and clicking Login.
  3. Click the Salesforce tile.
