Salesforce to Salesforce Single Sign-On (SAML)

Hi guys!
Today we are going to talk about Salesforce Single Sign-On and Salesforce-to-Salesforce SAML.
First, a few definitions.

Single Sign-On (SSO)
It is a mechanism that lets one set of credentials (login and password) grant access to a group of related products, e.g. a Google Account's login and password give access to Gmail, YouTube, Drive, etc.

Security Assertion Markup Language (SAML)
“is an XML-based protocol that uses security tokens containing assertions to pass information about a principal (usually an end user) between a SAML authority, named an Identity Provider, and a SAML consumer named a Service Provider”[2]

Identity Provider (IdP)
“is a system entity that creates, maintains, and manages identity information for principals while providing authentication services to relying applications within a federation or distributed network”[3]

Service Provider (SP)
“is a system entity that receives and accepts authentication assertions in conjunction with a single sign-on (SSO) profile of the Security Assertion Markup Language (SAML)” [4]

Why should we use SAML? [5]
– No need for multiple sets of authentication credentials (logins, passwords)
– Better security: users type their password only at the IdP, so there are fewer opportunities for phishing
– Easier access to applications
– Lower administration cost, because multiple sets of credentials no longer have to be maintained
– Better user experience (click the link and that's all!)
The flip side is that the IdP becomes the single point of trust: whoever controls an account in the IdP, or the IdP's signing certificate, controls access to every SP that trusts it.

Overview

Configuration

1. Set a custom domain (IdP org and SP org)

Setup > My Domain
Register a new domain in both orgs. Registration can take some time.

2. Set up Identity Provider (IdP org)

  1. Setup > Identity Provider > Enable Identity Provider
  2. Create a new certificate or select the default one.
  3. Download the certificate for later use (the SP will use it to verify the IdP's signatures), and copy and save the Issuer URL.

3. Create a Connected App (IdP org)

  1. Setup > App Manager > New Connected App
  2. Set Connected App Name and Contact Email, and check Enable SAML
  3. Fill in:
    Start URL – page to open after login. The SP org's main page URL is fine.
    Entity Id – for a Salesforce SP: https://saml.salesforce.com. It must match the Entity ID entered in the SP's SAML settings (step 4).
    ACS URL – the assertion consumer service URL. The SP provides this value; for now use a placeholder such as https://www.google.com and replace it in step 4.
    Subject Type – [Username, Federation ID, User ID, Custom Attribute, Persistent ID].
    “Indicates whether the service provider (SP) requires the user’s name, a federation ID (an ID internal to the SP), a user ID (an ID external to the SP), the value of a custom field on the user or a persistent ID. Ask your SP which one they require.”.
    In this tutorial the Subject Type (called SAML Identity Type on the SP side) is Federation ID.
    Name ID Format – urn:oasis:names:tc:SAML:2.0:nameid-format:persistent
    Issuer – the Issuer URL saved from the Identity Provider setup (step 2)
  4. Save
  5. Click the Manage button and, in the Profiles section, add the profiles that should have access to the Connected App (I used System Administrator). This list decides who in the IdP org can log in to the SP through this app, so keep it as small as possible.

4. Configure Service Provider (SP org)

  1. Setup > Single Sign-On Settings > Edit > check SAML Enabled
  2. SAML Single Sign-On Settings section > New
  3. Fill in Name and API Name, then:
    Issuer – the Issuer URL from the Identity Provider (step 2). Copy and paste it exactly; assertions whose Issuer differs are rejected.
    Entity ID – for Salesforce: https://saml.salesforce.com (must equal the Entity Id in the Connected App)
    Identity Provider Certificate – the certificate downloaded from the Identity Provider (step 2). The SP verifies the signature on every assertion with it, so it is the root of trust for this login path.
    SAML Identity Type – I chose Federation ID. It is up to you and your requirements, but it must match the Subject Type chosen in the Connected App.
    Identity Provider Login URL – provided by the Connected App (Setup > App Manager > your app > Manage > SAML Login Information section > IdP-Initiated Login URL)
  4. Save
  5. After saving, the Endpoints section shows a Login URL. Copy it and paste it as the ACS URL in your Connected App (IdP org), replacing the placeholder.

5. Enable the new authentication service (SP org)

  1. Setup > My Domain > Authentication Configuration > Edit
  2. Enable Another Salesforce Org (this is the name I gave the SAML Single Sign-On Setting in step 4)

6. Set the Federation ID (IdP org and SP org)

  1. Setup > Users > select your user > Edit
  2. Find the Federation ID field and set some ID. It is case-sensitive and must be identical in both orgs.
  3. Do this in both the IdP and the SP environment.
  The SP maps the Federation ID in the assertion straight to a user, so anyone who can edit Federation IDs in the IdP org chooses which SP user they log in as. Treat Federation ID assignment in the IdP with the same care as user administration in the SP.
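Worked example, added here and not part of the original post or of Salesforce's own code: a small Python checker showing what the settings from steps 3, 4 and 6 mean once a SAML Response actually arrives at the SP's ACS URL. It assumes Salesforce has already verified the XML signature with the certificate from step 2 (the part that proves the message came from the IdP) and then applies the remaining checks: Issuer, Entity ID as audience, ACS URL as destination, validity window, persistent Name ID format, and the case-sensitive Federation ID lookup. All domains, org IDs, timestamps and users below are constructed for the example.

```python
"""Added example (not from the original post or Salesforce): the checks implied by
the SP-side SAML settings, applied after XML signature verification has passed.
Domains, org IDs and users are constructed for the demo."""
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"

# Constructed values standing in for the real orgs in the tutorial.
IDP_ISSUER = "https://idp-org.my.salesforce.com"                 # Issuer URL saved in step 2
ACS_URL = "https://sp-org.my.salesforce.com?so=00D000000000001"  # SP Login URL from step 4.5
SP_USERS = {"alice.fed.123": "alice@sp-org.example"}             # Federation ID -> SP username


@dataclass(frozen=True)
class SpSamlConfig:
    """Mirror of the SAML Single Sign-On Setting entered in the SP org (step 4)."""
    issuer: str
    entity_id: str
    acs_url: str
    identity_type: str                      # "FederationId" in this tutorial
    clock_skew: timedelta = timedelta(minutes=3)


CFG = SpSamlConfig(IDP_ISSUER, "https://saml.salesforce.com", ACS_URL, "FederationId")


def _text(node, path):
    found = node.find(path, NS)
    return found.text.strip() if found is not None and found.text else None


def _utc(value):
    """SAML timestamps are UTC with a trailing Z, e.g. 2024-05-01T12:00:00Z."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def check_response(xml_text, cfg, users, now=None):
    """Return (ok, reason, username). Only call this after the XML signature has
    been verified against the IdP certificate; nothing below proves origin."""
    now = now or datetime.now(timezone.utc)
    root = ET.fromstring(xml_text)
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return False, "no Assertion", None
    # Issuer setting: the assertion must come from the IdP org we configured.
    if _text(assertion, "saml:Issuer") != cfg.issuer:
        return False, "issuer mismatch", None
    # Entity ID setting: we must be the intended audience.
    if _text(assertion, "saml:Conditions/saml:AudienceRestriction/saml:Audience") != cfg.entity_id:
        return False, "audience mismatch", None
    # ACS URL: the response must be addressed to our login endpoint.
    if root.get("Destination") != cfg.acs_url:
        return False, "destination mismatch", None
    # Validity window, with a small allowance for clock skew between the orgs.
    cond = assertion.find("saml:Conditions", NS)
    if _utc(cond.get("NotBefore")) - cfg.clock_skew > now:
        return False, "not yet valid", None
    if _utc(cond.get("NotOnOrAfter")) + cfg.clock_skew <= now:
        return False, "expired", None
    # Name ID Format / SAML Identity Type: a persistent NameID carrying the Federation ID.
    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    if name_id is None or name_id.get("Format") != PERSISTENT:
        return False, "unexpected NameID format", None
    if cfg.identity_type != "FederationId":
        return False, "identity type not handled in this example", None
    username = users.get(name_id.text.strip())  # exact match: Federation ID is case-sensitive
    if username is None:
        return False, "no user with that Federation ID", None
    return True, "ok", username


def build_response(federation_id, issuer=IDP_ISSUER, destination=ACS_URL,
                   not_before="2024-05-01T12:00:00Z", not_on_or_after="2024-05-01T12:05:00Z"):
    """Constructed, unsigned SAML Response in the shape the IdP org would send."""
    return f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
    ID="_r1" Version="2.0" Destination="{destination}">
  <saml:Issuer>{issuer}</saml:Issuer>
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:Issuer>{issuer}</saml:Issuer>
    <saml:Subject><saml:NameID Format="{PERSISTENT}">{federation_id}</saml:NameID></saml:Subject>
    <saml:Conditions NotBefore="{not_before}" NotOnOrAfter="{not_on_or_after}">
      <saml:AudienceRestriction><saml:Audience>https://saml.salesforce.com</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""


NOW = datetime(2024, 5, 1, 12, 2, tzinfo=timezone.utc)   # fixed clock for the demo


def demo():
    """Run the checks over a good response and three typical failures."""
    return {
        "valid": check_response(build_response("alice.fed.123"), CFG, SP_USERS, NOW),
        "wrong_case": check_response(build_response("Alice.Fed.123"), CFG, SP_USERS, NOW),
        "wrong_issuer": check_response(build_response("alice.fed.123", issuer="https://other-org.my.salesforce.com"), CFG, SP_USERS, NOW),
        "expired": check_response(build_response("alice.fed.123"), CFG, SP_USERS, NOW + timedelta(hours=1)),
    }
```

Running demo() logs alice in from the good response, while the same assertion with a differently cased Federation ID, a different Issuer, or an expired window is rejected; a response still addressed to the placeholder ACS URL from step 3 fails the destination check. Note that a Federation ID that does exist in the SP org is accepted without any further question, which is why step 6 deserves the same access control as user administration in the SP.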

Check it!

  1. Log out of your SP environment.
  2. On the SP's login page you should now see the new login option (Another Salesforce Org). Choosing it sends you to the IdP org, and after authenticating there you land on the Start URL in the SP.

Resources

  1. https://help.salesforce.com/articleView?id=sso_saml.htm&type=5
  2. https://en.wikipedia.org/wiki/SAML_2.0
  3. https://en.wikipedia.org/wiki/Identity_provider
  4. https://en.wikipedia.org/wiki/Service_provider_(SAML)
  5. https://www.youtube.com/watch?v=0fmNoqz6Urw
