In this blog post, I am going to explain how to set up single sign-on (SSO) with Salesforce using federated SAML-based authentication.
What is SAML?
Security Assertion Markup Language (SAML) is an XML-based framework for exchanging authentication and authorization data between two entities: a Service Provider (SP) and an Identity Provider (IdP). The Service Provider agrees to trust the Identity Provider to authenticate users. In return, the Identity Provider generates an authentication assertion, which states that a user has been authenticated.
SAML is a standard single sign-on (SSO) format. Authentication information is exchanged through digitally signed XML documents, so the SP can verify that an assertion really came from the IdP it trusts and was not altered in transit. It is a relatively complex SSO implementation, used mostly for authentication between businesses and enterprises.
How does SAML Authentication Work?
SAML for web browser SSO involves three parties: a user, an identity provider (IdP), and a service provider (SP). The IdP stores information about the user in an identity store such as Active Directory. The user connects to the SP and attempts to log in. If the SP recognizes the user as belonging to an SSO-enabled domain, it delegates authentication to the IdP. The IdP validates the user against its identity store and then sends a signed SAML assertion about that user to the SP, through the user's browser. The SP verifies the signature with the IdP certificate it trusts, checks that the assertion was issued by the expected issuer, is addressed to this SP, and is still within its validity window, and maps the identity in the assertion to a local user. Only then does the SP give the user access to the application.
In our setup, the three parties are:
1. User (browser)
2. Identity provider (Axiom)
3. Service provider (Salesforce)
Axiom is a Java-based Heroku application used to test SSO with Salesforce federated authentication. It is not for production use; it is only for testing.
Now let's go through the setup step by step.
Step 1: Enable My Domain
To enable a custom domain, go to Setup -> Administer -> Domain Management -> My Domain, create your domain and deploy it to users. If you already have a custom domain, you can skip this step.
Step 2: Download the certificate from the IdP
To configure Salesforce SSO, you need the signing certificate from the IdP; in our case Axiom is the IdP. Go to the URL below and download the Identity Provider Certificate. Salesforce will use this certificate to verify the signature on every SAML response from Axiom, so obtain it from the IdP itself over HTTPS rather than from an untrusted copy.
Step 3: Enable Federated Single Sign-On Using SAML
Navigate to Setup | Security Controls | Single Sign-On Settings and check the "SAML Enabled" option.
Step 4: SAML Single Sign-On Settings
Now configure the SAML Single Sign-On Settings. Go to Setup -> Security Controls -> Single Sign-On Settings -> SAML Single Sign-On Settings, click New and fill in the fields as shown below.
1. Name: <any name is fine>. In this example, Axiom SSO
2. API Name: <auto-populated from Name>
3. SAML Version: 2.0 (the default). Salesforce does not support SAML 1.0.
4. Issuer: https://axiomsso.herokuapp.com. This must match the Issuer element in the SAML responses Axiom sends, character for character.
5. Entity Id: https://saml.salesforce.com. This is the audience the assertion must be addressed to; an assertion minted for a different entity ID is rejected.
6. Identity Provider Certificate: upload the Axiom certificate downloaded in Step 2. Salesforce uses it to verify the signature on each response.
7. SAML Identity Type: select "Assertion contains the Federation ID from the User object"
8. SAML Identity Location: select "Identity is in the NameIdentifier element of the Subject statement"
9. Service Provider Initiated Request Binding: select HTTP POST
10. Identity Provider Login URL: http://axiomsso.herokuapp.com/RequestSamlResponse.action (plain HTTP is tolerable only because Axiom is a test tool; a production IdP login URL should be HTTPS)
After saving, the configuration looks like the screenshot below.
Step 5: Update the Federation ID on the user
Now go to any user record and set the Federation ID to 1234567 for testing. This is the value Salesforce compares against the NameID in the assertion, so it must be unique per user in the org.
Step 6: Configure the IdP (Axiom)
Go to https://axiomsso.herokuapp.com/Home.action and expand the "SAML Identity Provider & Tester" section. Click the "generate a SAML Response" link to configure the IdP.
1. SAML Version: 2.0
2. Username OR Federated ID: 1234567 (must match the Federation ID set in Step 5)
3. User ID Location: Subject
5. Entity Id: https://saml.salesforce.com
6. SSO Start Page: http://axiomsso.herokuapp.com/RequestSamlResponse.action
8. User Type: Standard
After completing the form, it looks as shown below.
Click "Request SAML response" to generate the SAML response. After clicking it, you will see the generated response as shown below.
Now, to test the SSO, click the "Login" button. If there are no errors, you are redirected straight to the Salesforce home page, logged in as the user whose Federation ID is 1234567. If the login fails, the SAML Assertion Validator on the Single Sign-On Settings page shows which check on the last received assertion did not pass.
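To make concrete what Salesforce does with the response Axiom posts in Step 6, here is an added example (not code from the original post, and not Salesforce's or Axiom's implementation) that replays the flow described under "How does SAML Authentication Work?" against the settings from Step 4: it builds a minimal SAML 2.0 Response for the HTTP-POST binding, base64-encodes it as the SAMLResponse form field, and then runs the SP-side checks in order: status, issuer, signature presence, validity window, audience, and finally the NameID-to-Federation-ID lookup. The user table, the fixed clock and the ds:Signature placeholder are constructed for the example; real signature verification must be done with an XML-DSig library against the certificate uploaded in Step 2, which this example does not do.

```python
import base64
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

# Namespaces used by SAML 2.0 responses and XML-DSig.
NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Values from the SAML Single Sign-On Settings configured in Step 4.
EXPECTED_ISSUER = "https://axiomsso.herokuapp.com"
EXPECTED_AUDIENCE = "https://saml.salesforce.com"
STATUS_SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"

# Constructed stand-in for the Salesforce User table: Federation ID -> username
# (Step 5 gave the test user Federation ID 1234567; the username is made up).
USERS_BY_FEDERATION_ID = {"1234567": "sso.test@example.com"}

# Fixed clock (constructed) so the example is deterministic.
NOW = datetime(2024, 1, 1, 12, 0, 0, tzinfo=timezone.utc)


def saml_time(dt):
    """Format a datetime the way SAML assertions carry it (UTC with 'Z' suffix)."""
    return dt.strftime("%Y-%m-%dT%H:%M:%SZ")


def parse_saml_time(text):
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def build_response(issuer=EXPECTED_ISSUER, audience=EXPECTED_AUDIENCE, name_id="1234567",
                   not_before=NOW - timedelta(minutes=1),
                   not_on_or_after=NOW + timedelta(minutes=5), signed=True):
    """Build a minimal SAML 2.0 Response and base64-encode it, as an IdP does before
    POSTing it in the SAMLResponse form field. The ds:Signature here is a placeholder
    element, not a real XML-DSig signature."""
    signature = (
        '<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">'
        "<ds:SignatureValue>cGxhY2Vob2xkZXI=</ds:SignatureValue></ds:Signature>"
        if signed else ""
    )
    xml = f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
    ID="_r1" Version="2.0" IssueInstant="{saml_time(NOW)}">
  <saml:Issuer>{issuer}</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="{STATUS_SUCCESS}"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="{saml_time(NOW)}">
    <saml:Issuer>{issuer}</saml:Issuer>
    {signature}
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">{name_id}</saml:NameID>
    </saml:Subject>
    <saml:Conditions NotBefore="{saml_time(not_before)}" NotOnOrAfter="{saml_time(not_on_or_after)}">
      <saml:AudienceRestriction><saml:Audience>{audience}</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""
    return base64.b64encode(xml.encode()).decode()


def validate_response(saml_response_b64, now=NOW):
    """Run the checks an SP makes on an incoming SAMLResponse before trusting it.
    Returns (ok, detail): the matched username on success, otherwise the reason."""
    root = ET.fromstring(base64.b64decode(saml_response_b64))

    status = root.find("samlp:Status/samlp:StatusCode", NS)
    if status is None or status.get("Value") != STATUS_SUCCESS:
        return False, "status is not Success"

    # Issuer must be exactly the IdP configured in the SSO settings (Step 4, item 4).
    resp_issuer = root.findtext("saml:Issuer", namespaces=NS)
    if resp_issuer != EXPECTED_ISSUER:
        return False, f"unexpected response issuer {resp_issuer!r}"

    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return False, "no assertion"
    if assertion.findtext("saml:Issuer", namespaces=NS) != EXPECTED_ISSUER:
        return False, "unexpected assertion issuer"

    # The assertion must be signed. A real SP verifies the XML-DSig signature against
    # the IdP certificate from Step 2 (e.g. with python-xmlsec); this example only
    # checks that the Signature element is present.
    if assertion.find("ds:Signature", NS) is None:
        return False, "assertion is not signed"

    # Validity window: reject replayed or not-yet-valid assertions (no clock skew allowed here).
    conditions = assertion.find("saml:Conditions", NS)
    try:
        not_before = parse_saml_time(conditions.get("NotBefore"))
        not_on_or_after = parse_saml_time(conditions.get("NotOnOrAfter"))
    except (AttributeError, TypeError, ValueError):
        return False, "missing or malformed Conditions"
    if not (not_before <= now < not_on_or_after):
        return False, "assertion outside its validity window"

    # Audience must be this SP's Entity Id (Step 4, item 5).
    audience = conditions.findtext("saml:AudienceRestriction/saml:Audience", namespaces=NS)
    if audience != EXPECTED_AUDIENCE:
        return False, f"audience {audience!r} is not this SP"

    # Identity Location = NameID in the Subject; Identity Type = Federation ID (Step 4, items 7-8).
    name_id = assertion.findtext("saml:Subject/saml:NameID", namespaces=NS)
    username = USERS_BY_FEDERATION_ID.get(name_id or "")
    if username is None:
        return False, f"no user with Federation ID {name_id!r}"
    return True, username
```

Calling `validate_response(build_response())` returns the mapped username; changing the issuer, audience, NameID or validity window in `build_response`, or passing `signed=False`, shows which check rejects the response and why. The order of the checks matters in practice: the signature is what makes the issuer, audience and NameID trustworthy, so a real SP must verify it before acting on any of the other fields.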