Set Up Single Sign-On for Your Internal Users
Learning Objectives
- Create a Federation ID.
- Set up single sign-on from an external identity provider.
- Become familiar with the tools to troubleshoot SAML requests.
Single Sign-On
Do you want to make it even easier so that they don’t have to log in at all? Then set up single sign-on (SSO).
SSO has lots of advantages.
- You spend less time managing passwords.
- Your employees save time when they don’t have to manually log in to Salesforce. Did you know that users take 5–20 seconds to log in to an online application? Those seconds add up.
- More people use Salesforce. Users can send out links to Salesforce records and reports, and their recipients can open them in a single click.
- You can manage access to sensitive information from one place.
In this unit, we show you how to set up inbound SSO—users log in somewhere else, like an on-premises app, and then access Salesforce without logging in. You can also set up outbound SSO in which users log in to Salesforce and then access other services without logging in again. We’ll save that topic for another module.
Configure Inbound SSO with a Third-Party Identity Provider
The head of your IT department, Sean Sollo, tells you to set up Salesforce users with SSO so that they can log in to your Salesforce org with their Jedeye network credentials. Here, we walk you through the steps to set up SSO for Jedeye Tech’s new employee, Sia Thripio. You’ll set up inbound SSO using the Axiom Heroku web app as the identity provider.
Is this starting to sound difficult? It’s not, really. Let’s break it down into simple steps.
- Create a Federation ID for each user.
- Set up SSO settings in Salesforce.
- Set up Salesforce settings in the SSO provider.
- Make sure it all works.
Remember what the prerequisite is for SSO? That’s right, a custom domain. Because you’ve already completed the unit to set up your custom domain, you’re ready to go.
Step 1: Create a Federation ID
No, a Federation ID isn’t owned by an interstellar shipping organization with nefarious designs. It’s basically a term that the identity industry uses to refer to a unique user ID.
Typically, you assign a Federation ID when setting up a user account. When you set up SSO on your production environment, you can assign the Federation ID for many users at once with tools like the Salesforce Data Loader. For now, let’s set up an account for Jedeye Tech’s new employee, Sia Thripio.
- From Setup, enter Users in the Quick Find box, then select Users.
- Click Edit next to Sia’s name.
- Under Single Sign On Information, enter the Federation ID:
sia@jedeye-tech.com.
Tip: A Federation ID must be unique for each user in an org. That’s why the username is handy. But if the user belongs to multiple orgs, use the same Federation ID for the user in each org.
- Click Save.
Step 2: Set Up Your SSO Provider in Salesforce
On the Salesforce side, we configure SAML settings. SAML is the protocol that Salesforce Identity uses to implement SSO.
Tip: You’re going to work in both your Salesforce Dev org and the Axiom app. Keep them open in separate browser windows so that you can copy and paste between the two.
- In a new browser window, go to http://axiomsso.herokuapp.com.
- Click SAML Identity Provider & Tester.
- Click Download the Identity Provider Certificate.
You upload this certificate later to your Salesforce org, so remember where you save it.
- In your Salesforce org, from Setup, enter Single in the Quick Find box, then select Single Sign-On Settings.
- Click Edit.
- Select SAML Enabled.
- Click Save.
- In SAML Single Sign-On Settings:
- Click New.
- Enter the following values.
- Name: Axiom Test App
- Issuer: http://axiomsso.herokuapp.com
- Identity Provider Certificate: Choose the file you downloaded in step 3.
- Request Signature Method: Select RSA-SHA1.
- SAML Identity Type: Select Assertion contains the Federation ID from the User object.
- SAML Identity Location: Select Identity is in the NameIdentifier element of the Subject statement.
- Service Provider Initiated Request Binding: Select HTTP Redirect.
- Entity ID: Enter your My Domain name,
including “https.” Use the subdomain name that you
set up in the “Customize Your Login Process with
My Domain” unit. Copy and paste it from the
browser address bar.
Before you click Save, confirm that the settings page looks something like:
- Click Save and leave the browser page open.
Step 3: Link Your Identity Provider to Salesforce
You fill in a few fields in the following Axiom form. Easy peasy. Because you’re supplying Salesforce SSO settings, keep two browser windows open, one for Salesforce and one for Axiom.
- Return to the Axiom web app. If you don’t have the app open in a browser window, go to http://axiomsso.herokuapp.com.
- Click SAML Identity Provider & Tester.
- Click generate a SAML response.
- Enter the following values. Leave the other fields as is.
- SAML Version: 2.0
- Username or Federated ID: sia@jedeye-tech.com
- Issuer: http://axiomsso.herokuapp.com
- Recipient URL: Get the URL from the Salesforce SAML Single Sign-On Settings page. Don’t see it? It’s at the bottom labeled Salesforce Login URL.
- Entity Id: The Entity ID from the Salesforce SAML Single Sign-On Settings page.
When you’re finished, the Axiom settings page looks something like:
Step 4: Make Sure It All Works
- In the Axiom settings browser window, click Request SAML Response. (It’s way down at the bottom.)
- Axiom generates the SAML assertion in XML. Does it look like language
used by a robot communicating with desert outpost moisture
evaporators? Look again. You can see that it doesn’t look all that
bad. To get to the interesting information, scroll through the XML.
- Click Login.
If everything’s OK, you’re logged in as Sia at your Salesforce home page. The Axiom application logs you in to your Salesforce org as the user with the assigned Federation ID.
Congratulations! You just configured Salesforce SSO for your users who are accessing Salesforce from another app. Take your place at the top of the stage and receive your badge.