Set Up Single Sign-On for Your Internal Users

• You spend less time managing passwords.
• Your employees save time when they don’t have to manually log in to Salesforce. Did you know that users take 5–20 seconds to log in to an online application? Those seconds add up.
• More people use Salesforce. Users can send out links to Salesforce records and reports, and their recipients can open them in a single click.
• You can manage access to sensitive information from one place.

In this unit, we show you how to set up inbound SSO—users log in somewhere else, like an on-premises app, and then access Salesforce without logging in. You can also set up outbound SSO in which users log in to Salesforce and then access other services without logging in again. We’ll save that topic for another module.

The head of your IT department, Sean Sollo, tells you to set up Salesforce users with SSO so that they can log in to your Salesforce org with their Jedeye network credentials. Here, we walk you through the steps to set up SSO for Jedeye Tech’s new employee, Sia Thripio. You’ll set up inbound SSO using the Axiom Heroku web app as the identity provider.

Is this starting to sound difficult? It’s not, really. Let’s break it down into simple steps.

1. Create a Federation ID for each user.
2. Set up SSO settings in Salesforce.
3. Set up Salesforce settings in the SSO provider.
4. Make sure it all works.

Remember what the prerequisite is for SSO? That’s right, a My Domain. Because you’ve already completed the unit to customize your login page with My Domain login policies, you’re ready to go.

No, a Federation ID isn’t owned by an interstellar shipping organization with nefarious designs. It’s basically a term that the identity industry uses to refer to a unique user ID.

Typically, you assign a Federation ID when setting up a user account. When you set up SSO on your production environment, you can assign the Federation ID for many users at once with tools like the Salesforce Data Loader. For now, let’s set up an account for Jedeye Tech’s new employee, Sia Thripio.

1. From Setup, enter Users in the Quick Find box, then select Users.
2. Click Edit next to Sia’s name.
3. Under Single Sign On Information, enter the Federation ID: sia@jedeye-tech.com. Tip : A Federation ID must be unique for each user in an org. That’s why the username is handy. But if the user belongs to multiple orgs, use the same Federation ID for the user in each org. 
4. Click Save.

On the Salesforce side, we configure SAML settings. SAML is the protocol that Salesforce Identity uses to implement SSO.

Tip : You’re going to work in both your Salesforce Dev org and the Axiom app. Keep them open in separate browser windows so that you can copy and paste between the two.

1. In a new browser window, go to http://axiomsso.herokuapp.com.
2. Click SAML Identity Provider & Tester.
3. Click Download the Identity Provider Certificate. You upload this certificate later to your Salesforce org, so remember where you save it.
4. In your Salesforce org, from Setup, enter Single in the Quick Find box, and then select Single Sign-On Settings.
5. Click Edit.
6. Select SAML Enabled.
7. Click Save.
8. In SAML Single Sign-On Settings:
   1. Click New.
   2. Enter the following values.
      • Name: Axiom Test App
      • Issuer: http://axiomsso.herokuapp.com
      • Identity Provider Certificate: Choose the file you downloaded in step 3.
      • Request Signature Method: Select RSA-SHA1.
      • SAML Identity Type: Select Assertion contains the Federation ID from the User object.
      • SAML Identity Location: Select Identity is in the NameIdentifier element of the Subject statement.
      • Service Provider Initiated Request Binding: Select HTTP Redirect.
      • Entity ID: Enter your My Domain URL, which is displayed on your org's My Domain Setup page. Make sure that entity ID includes "https" and references the Salesforce domain. It should look something like this: https://mydomain-dev-ed.my.salesforce.com.
9. Click Save and leave the browser page open.

You fill in a few fields in the following Axiom form. Easy peasy. Because you’re supplying Salesforce SSO settings, keep two browser windows open, one for Salesforce and one for Axiom.

1. Return to the Axiom web app. If you don’t have the app open in a browser window, go to http://axiomsso.herokuapp.com.
2. Click SAML Identity Provider & Tester.
3. Click generate a SAML response.
4. Enter the following values. Leave the other fields as is.
   • SAML Version: 2.0
   • Username or Federated ID: The Federation ID from the Sia's Salesforce User page
   • Issuer: http://axiomsso.herokuapp.com
   • Recipient URL: The URL from the Salesforce SAML Single Sign-On Settings page. Don’t see it? It’s at the bottom of the page (in the Endpoints section) labeled Login URL.
   • Entity Id: The Entity ID from the Salesforce SAML Single Sign-On Settings page.

When you’re finished, the Axiom settings page looks something like:

1. In the Axiom settings browser window, click Request SAML Response. (It’s way down at the bottom.)
2. Axiom generates the SAML assertion in XML. Does it look like language used by a robot communicating with desert outpost moisture evaporators? Look again. You can see that it doesn’t look all that bad. To get to the interesting information, scroll through the XML. 
3. Click Login.

If everything’s OK, you’re logged in as Sia at your Salesforce home page. The Axiom application logs you in to your Salesforce org as the user with the assigned Federation ID.

Congratulations! You just configured Salesforce SSO for your users who are accessing Salesforce from another app. Take your place at the top of the stage and receive your badge.

• Salesforce Help: Identity Providers and Service Providers
• Salesforce Help: Configure SAML Settings for Single Sign-On
• Salesforce Video: SAML SSO with a Salesforce Identity Provider