đź“Ł Attention Salesforce Certified Trailblazers! Link your Trailhead and Webassessor accounts and maintain your credentials by December 14th. Learn more.
close
trailhead

Set Up Single Sign-On for Your Internal Users

Learning Objectives

After completing this module, you’ll be able to:
  • Create a Federation ID.
  • Set up single sign-on from an external identity provider.
  • Become familiar with the tools to troubleshoot SAML requests.

Single Sign-On

With a custom domain and login page, you make it easy for employees to log in to your Salesforce org with a secure, easy-to-remember URL.

Do you want to make it even easier so that they don’t have to log in at all? Then set up single sign-on (SSO).

SSO has lots of advantages.

  • You spend less time managing passwords.
  • Your employees save time when they don’t have to manually log in to Salesforce. Did you know that users take 5–20 seconds to log in to an online application? Those seconds add up.
  • More people use Salesforce. Users can send out links to Salesforce records and reports, and their recipients can open them in a single click.
  • You can manage access to sensitive information from one place.

In this unit, we show you how to set up inbound SSO—users log in somewhere else, like an on-premises app, and then access Salesforce without logging in. You can also set up outbound SSO in which users log in to Salesforce and then access other services without logging in again. We’ll save that topic for another module.

Configure Inbound SSO with a Third-Party Identity Provider

Let’s start configuring inbound SSO with a third-party identity provider.

The head of your IT department, Sean Sollo, tells you to set up Salesforce users with SSO so that they can log in to your Salesforce org with their Jedeye network credentials. Here, we walk you through the steps to set up SSO for Jedeye Tech’s new employee, Sia Thripio. You’ll set up inbound SSO using the Axiom Heroku web app as the identity provider.

Is this starting to sound difficult? It’s not, really. Let’s break it down into simple steps.

  1. Create a Federation ID for each user.
  2. Set up SSO settings in Salesforce.
  3. Set up Salesforce settings in the SSO provider.
  4. Make sure it all works.

Remember what the prerequisite is for SSO? That’s right, a custom domain. Because you’ve already completed the unit to set up your custom domain, you’re ready to go.

Step 1: Create a Federation ID

When setting up SSO, you use a unique attribute to identify each user. This attribute is the link that associates the Salesforce user with the external identity provider. You can use a username, user ID, or a Federation ID. We’re going to use a Federation ID.

No, a Federation ID isn’t owned by an interstellar shipping organization with nefarious designs. It’s basically a term that the identity industry uses to refer to a unique user ID.

Typically, you assign a Federation ID when setting up a user account. When you set up SSO on your production environment, you can assign the Federation ID for many users at once with tools like the Salesforce Data Loader. For now, let’s set up an account for Jedeye Tech’s new employee, Sia Thripio.

  1. From Setup, enter Users in the Quick Find box, then select Users.
  2. Click Edit next to Sia’s name.
  3. Under Single Sign On Information, enter the Federation ID: sia@jedeye-tech.com.

    Tip: A Federation ID must be unique for each user in an org. That’s why the username is handy. But if the user belongs to multiple orgs, use the same Federation ID for the user in each org.

    SSO Settings Federation ID

  4. Click Save.

Step 2: Set Up Your SSO Provider in Salesforce

Your service provider needs to know about your identity provider and vice versa. In this step, you’re on the Salesforce side providing information about the identity provider, in this case, Axiom. In the next step, you give Axiom information about Salesforce.

On the Salesforce side, we configure SAML settings. SAML is the protocol that Salesforce Identity uses to implement SSO.

Tip: You’re going to work in both your Salesforce Dev org and the Axiom app. Keep them open in separate browser windows so that you can copy and paste between the two.

  1. In a new browser window, go to http://axiomsso.herokuapp.com.
  2. Click SAML Identity Provider & Tester.
  3. Click Download the Identity Provider Certificate.

    You upload this certificate later to your Salesforce org, so remember where you save it.

  4. In your Salesforce org, from Setup, enter Single in the Quick Find box, then select Single Sign-On Settings.
  5. Click Edit.
  6. Select SAML Enabled.
  7. Click Save.
  8. In SAML Single Sign-On Settings:
    1. Click New.
    2. Enter the following values.
      • Name: Axiom Test App
      • Issuer: http://axiomsso.herokuapp.com
      • Identity Provider Certificate: Choose the file you downloaded in step 3.
      • Request Signature Method: Select RSA-SHA1.
      • SAML Identity Type: Select Assertion contains the Federation ID from the User object.
      • SAML Identity Location: Select Identity is in the NameIdentifier element of the Subject statement.
      • Service Provider Initiated Request Binding: Select HTTP Redirect.
      • Entity ID: Enter your My Domain name, including “https.” Use the subdomain name that you set up in the “Customize Your Login Process with My Domain” unit. Copy and paste it from the browser address bar.

        Before you click Save, confirm that the settings page looks something like: Salesforce SAML SSO settings page before hitting save

  9. Click Save and leave the browser page open.

Step 4: Make Sure It All Works

OK, now that everything’s all configured, let’s make sure that it works. What’s the proof? A successful login, of course.
  1. In the Axiom settings browser window, click Request SAML Response. (It’s way down at the bottom.)
  2. Axiom generates the SAML assertion in XML. Does it look like language used by a robot communicating with desert outpost moisture evaporators? Look again. You can see that it doesn’t look all that bad. To get to the interesting information, scroll through the XML. SAML assertion
  3. Click Login.

If everything’s OK, you’re logged in as Sia at your Salesforce home page. The Axiom application logs you in to your Salesforce org as the user with the assigned Federation ID.

Congratulations! You just configured Salesforce SSO for your users who are accessing Salesforce from another app. Take your place at the top of the stage and receive your badge.

retargeting