Setting Up SSO with Salesforce
- Kim Landis
- Phillip Hanegan
The EmpowerID SSO framework allows you to integrate Salesforce with EmpowerID, making EmpowerID the identity provider for your organization's Salesforce account. In this way, users can access their Salesforce accounts directly from EmpowerID using their EmpowerID credentials, their corporate AD logins or those of another trusted third-party identity provider that has been integrated with EmpowerID.
This topic describes how to set up SSO with Salesforce.
Prerequisites
Before setting up Single Sign-On in Salesforce, decide the name for the Salesforce application you are creating in EmpowerID. You need to use the same name when setting up SSO in Salesforce.
The name must be one word, such as Salesforce or CorporateSalesforce.
You also need the public certificate (.cer file) for the private key (.pfx file) used for signing SAML assertions in your EmpowerID deployment. Salesforce needs the public certificate to verify that the SAML assertions come from your organization.
- Log in to Salesforce and click Settings, then Identity, then Setup.
- In the Navigation Sidebar of Salesforce, navigate to Settings, then Identity, and click Single Sign-On Settings.
- On the Single Sign-On Settings page, below Single Sign-On Settings, click the Edit button to enable federated authentication using SAML.
- Select SAML Enabled and then click Save.
Back in the main Single Sign-On Settings page, click the New button below SAML Single Sign-On Settings. From the SAML Single Sign-On Settings page that appears, do the following:
- Type an appropriate name in the Name field.
- Observe the value of the API Name field and change it if desired. Salesforce populates the API Name field from the value given in the Name field, but you can change it.
- Enter EmpowerID in the Issuer field.
- If your Salesforce has domains deployed, enter either the base domain (https://saml.salesforce.com) or the custom domain in the Entity ID field.
- Click Choose File and then browse to the public certificate (.cer file) for the SAML Signing certificate (.pfx file) used in your EmpowerID deployment.
- In the Identity Provider Login URL field, enter https://<FQDN_Of_Your_EmpowerID_Web_Server>/EmpowerIDWebIDPForms/Login/<CorporateSalesforce>, replacing <FQDN_Of_Your_EmpowerID_Web_Server> with the FQDN of your EmpowerID Web server and <CorporateSalesforce> with the name you chose for the Salesforce SSO application you are creating in EmpowerID.
- Click Save.
The SAML Single Sign-On Settings page at this point looks similar to this image.
- Below Endpoints, copy the Login URL. You need this to create the Salesforce SSO application in EmpowerID.
- Back in the main pane of the Single Sign-On Settings page, click the link for the Request Signing Certificate Salesforce generated for the SSO connection.
- Click Download Certificate. You need this for the EmpowerID certificate store in the next step.
To add the Salesforce Request Signing Certificate to the EmpowerID Certificate Store
- Locate the Salesforce Request Signing Certificate and add it to the Personal Certificate store on your EmpowerID server.
- From your EmpowerID server, open the EmpowerID Certificate Manager. To find it, search for Certificate Manager or look in the \Program Files\TheDotNetFactory\EmpowerID\Programs folder.
- In the EmpowerID Certificate Manager, click Upload from Local Certificate Store and select the Salesforce certificate.
- Enter a password for the certificate and click OK.
- Close the EmpowerID Certificate Manager.
The next step is to create a Salesforce application in EmpowerID.
To create a Salesforce application in EmpowerID
- In the Navigation Sidebar of the EmpowerID Web interface, expand Applications and click Manage Applications.
- From the Actions pane of the Find Application page, click the Create Application action.
This opens the Application Details form, which contains various tabs and fields for creating the application.
- From the General tab of the Application Details form, do the following:
- Enter a name for the Salesforce application in the Name field. The name must be one word and it must be the same name you entered in Salesforce.
- Enter a display name and description for the application in the Display Name and Description fields.
- In the Icon field, type ~Images/AppLogos/Salesforce.png to use the Salesforce image provided by EmpowerID. This image represents the Salesforce application in the EmpowerID Web interface for users with access.
- Set Allow Access Requests to specify whether the application appears in the IT Shop, allowing users to request or claim an account in the application.
- Set Allow Claim Account to specify whether users can claim their accounts and gain instant access after passing the requisite identity proofs.
- Set Allow Request Account and Allow Access Requests to allow users to request an account in the application.
- Set Login Is Email Address to specify whether the login for the application is an email address. If so, EmpowerID sends a one-time password to the email address for identity proofing when claiming accounts. This setting is used to pass the identity assertion to the application when logging in from EmpowerID.
- Set Make me the Application Owner to manage the application and approve or deny access requests.
- Set Configure Advanced Claim and Request Account Options and provide advanced configuration information if you have custom pages and workflows configured in EmpowerID that process access requests and manage accounts linked to the application's EmpowerID account directory.
- Click the Single Sign-On tab and do the following:
- Select SAML from the Single Sign-On Connection Type drop-down and then select Create a New SAML Connection.
- In the SAML Connection Information section that appears, select Salesforce SSO Connection Settings from the SAML Application Template drop-down. This populates the SAML Connection Information section with common SSO settings for Salesforce.
- Enter a display name for the SSO Connection in the Display Name field. This field is populated with the value of the name of the application, but you can change it.
- Enter a description for the SSO Connection in the Description field.
- In the Assertion Consumer URL field, enter the Login URL for your organization provided by Salesforce when you set up Single Sign-On there.
- Leave the Issuer set to EmpowerID.
- Enter /EmpowerIDWebIDPForms/Login/<CorporateSalesforce>, replacing <CorporateSalesforce> with the name of your application.
- Select the appropriate certificate to sign the SAML assertions sent to Salesforce from the Certificate drop-down. This certificate must be the same certificate you uploaded to Salesforce.
At this point, the SAML Connection Information section of the form looks similar to this image.
- Click the Users tab and do one of the following:
- If you have not connected EmpowerID to your enterprise Salesforce account - Tick Create a New Account Directory. If you select this option, EmpowerID uses the Salesforce tracking-only account store that is configured out-of-the-box. The Salesforce tracking-only account store exists as a container within EmpowerID for storing user and group records apart from those located in the actual directory Salesforce maintains for your Salesforce account. EmpowerID uses this directory to map your Salesforce users with their corresponding EmpowerID Persons.
- If you have connected EmpowerID to your enterprise Salesforce account - Select the account store for your Salesforce account from the Select existing Account Directory drop-down. Please note that you must add this account store to EmpowerID before it appears in the drop-down.
- Click Add to Cart.
- Click the My Cart link and in the Cart dialog that appears, type a reason for creating the application and then click Submit.
The next step is to configure the Salesforce SSO connection.
To configure the Salesforce SSO connection
- From the Navigation Sidebar of the EmpowerID Web interface, expand Admin, then SSO Connection, and click SAML.
- Search for the Salesforce connector and then click the drop-down arrow to the left of it and click Edit.
- Scroll to the certificates section of the form and select the Salesforce certificate you uploaded to the EmpowerID Identity Warehouse using the EmpowerID Certificate Manager.
- Click the Subject Confirmations tab and click the Add New (+) button.
- In the dialog that appears, do the following:
- Type a name for the SAML Subject Confirmation in the Name field.
- Select Bearer from the Subject Confirmation Method drop-down.
- Enter the Login URL for your application in the Recipient field.
- Click Save.
- On the Audiences tab, click the Add New (+) button.
- In the dialog that appears, do the following:
- Type a name for the SAML Audience in the Name field.
- Enter https://saml.salesforce.com in the Audience URL field.
The Audience URL is case sensitive. Salesforce rejects SAML assertions with incorrect casing.
- Click Save.
- Back in the main SSO connection form, click Save.
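As an added check that is not part of the original documentation or of EmpowerID's own code, the following Python script compares a SAML assertion against the values configured above (Issuer EmpowerID, Audience https://saml.salesforce.com compared exactly and case-sensitively, a Bearer subject confirmation whose Recipient is the Salesforce Login URL, and the validity window) and lists every mismatch. The sample assertion and the Login URL are constructed placeholders; signature verification is outside its scope.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
BEARER = "urn:oasis:names:tc:SAML:2.0:cm:bearer"

# Values from the SSO connection configured above; the Login URL is an assumed placeholder
EXPECTED = {"issuer": "EmpowerID", "audience": "https://saml.salesforce.com",
            "recipient": "https://login.salesforce.com/?saml=PLACEHOLDER"}

# Constructed sample assertion (unsigned; XML signature checks are outside this example)
SAMPLE = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" Version="2.0"
  ID="_c1" IssueInstant="2024-01-01T00:00:00Z">
  <saml:Issuer>EmpowerID</saml:Issuer>
  <saml:Subject><saml:NameID>user@example.com</saml:NameID>
    <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
      <saml:SubjectConfirmationData NotOnOrAfter="2024-01-01T00:05:00Z"
        Recipient="https://login.salesforce.com/?saml=PLACEHOLDER"/>
    </saml:SubjectConfirmation></saml:Subject>
  <saml:Conditions NotBefore="2024-01-01T00:00:00Z" NotOnOrAfter="2024-01-01T00:05:00Z">
    <saml:AudienceRestriction><saml:Audience>https://saml.salesforce.com</saml:Audience>
    </saml:AudienceRestriction></saml:Conditions>
</saml:Assertion>"""

def ts(s):
    # SAML timestamps are UTC; the sample uses the plain "Z" form
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def check_assertion(xml_text, expected, now):
    # Returns a list of mismatches; an empty list means the assertion fits the connection settings
    root, problems = ET.fromstring(xml_text), []
    issuer = root.findtext("saml:Issuer", default="", namespaces=NS)
    if issuer != expected["issuer"]:
        problems.append(f"issuer {issuer!r} != {expected['issuer']!r}")
    # Exact, case-sensitive comparison: Salesforce rejects a differently cased Audience
    audiences = [a.text for a in root.findall(".//saml:Audience", NS)]
    if expected["audience"] not in audiences:
        problems.append(f"audience {audiences} lacks {expected['audience']!r}")
    bearer = [c for c in root.findall(".//saml:SubjectConfirmation", NS) if c.get("Method") == BEARER]
    if not bearer:
        problems.append("no bearer SubjectConfirmation")
    for c in bearer:
        data = c.find("saml:SubjectConfirmationData", NS)
        if data is None or data.get("Recipient") != expected["recipient"]:
            problems.append("Recipient does not match the Salesforce Login URL")
        elif data.get("NotOnOrAfter") and ts(data.get("NotOnOrAfter")) <= now:
            problems.append("SubjectConfirmationData expired")
    cond = root.find("saml:Conditions", NS)  # both attributes assumed present, as in the sample
    if cond is not None and not ts(cond.get("NotBefore")) <= now < ts(cond.get("NotOnOrAfter")):
        problems.append("outside Conditions validity window")
    return problems
```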
Now that the connection has been updated, the next step is to give your users access to the application.
To give users access to the Salesforce SSO application
- In the Navigation Sidebar of the EmpowerID Web interface, expand Applications and click Manage Applications.
- Search for the Salesforce application and then click the Display name link for it.
- From the Application Details page that appears expand the Who Has Access To Application accordion.
- From the To which type of actor do you wish to assign access? drop-down, select an actor type. In this example, select the Management Role actor type.
- Click the Add New Assignee (+) button.
- In the Select to whom you wish to grant access dialog that appears, select the specific actor for the actor type. In this example, select the Self-Service User Management Role.
- Select an Access Level from the Access Level drop-down. To let users see the application on their personal applications page, grant them the Viewer Access Level.
- If you want to add a time constraint to the Access Level assignment, such as adding specific times and days when the application is available for use, select the Time constraint box and then select the desired times and days.
- When complete, click the Save button.
- From the Navigation Sidebar, expand Identities and click the link for the actor type you selected above. For example, if you granted access to a Management Role, you click Management Roles.
From the Find page for the actor type, search for the specific actor to whom you granted access. In our example, we are searching for a Management Role.
If you selected a different actor type, such as a Business Role and Location, the steps will vary slightly from those demonstrated below.
- Click the Display Name link for the specific actor.
- From the Details page for the actor that appears, on the Advanced tab, expand the User Interface Access accordion and click the Edit button.
- Search for Applications and then select SSO Applications page. This page displays to users any SSO applications the users may access.
- Click Submit. Users with access can view the page and SSO to Salesforce at the next compilation of the RBAC engine.
You can compile RBAC immediately by navigating to the Self-Service (Workflows) view of the IT Shop and clicking Refresh RBAC and IIS App Pools.
To test the Salesforce SSO application
- Log in to the EmpowerID Web application as a person with a Salesforce account.
- In the Navigation Sidebar of the EmpowerID Web interface, expand Applications and click Login.
- Click the Salesforce tile.
EmpowerID opens a new browser tab and logs you in to your Salesforce account.