Salesforce SSO JIT with AXIOM

In this blog I am going to explain how to configure Just-in-Time (JIT) provisioning for SAML with AXIOM. With just-in-time provisioning, the end user's identity is provisioned (created or updated) at the service provider the first time the end user tries to access the service provider's service, without any prior identity provisioning activity between the identity provider and the service provider. With Salesforce Just-In-Time provisioning you can create both portal users and regular users.

Step 1: Enable My Domain

To enable the custom domain, go to Setup -> Administer -> Domain Management -> My Domain, create your domain and deploy it to users. If you already have a custom domain you can skip this step.

Step 2: Download the certificate from the IdP

In order to configure Salesforce SSO, you need the certificate from the IdP. In our case Axiom is the IdP, so go to the URL below:

https://axiomsso.herokuapp.com/SamlIdpHome.action

and download the Identity Provider Certificate.

Step 3: Federated Single Sign-On Using SAML

Navigate to “Setup | Security Controls | Single Sign-On Settings” and check “SAML Enabled” option.

Step 4: SAML Single Sign-On Settings

Now you need to configure the SAML Single Sign-On Settings. Go to Setup -> Security Controls -> Single Sign-On Settings -> SAML Single Sign-On Settings -> click New.

Complete the details as described below:

1. Name: < Any name is fine >. In this example, Axiom Just IN
2. API Name: < Auto-populated from Name >
3. SAML Version: Default 2.0 (Salesforce does not support SAML 1.0)
4. Issuer: https://axiomsso.herokuapp.com
5. Entity Id: https://saml.salesforce.com
6. Identity Provider Certificate: Upload the Axiom certificate downloaded in step 2
7. SAML Identity Type: Select "Assertion contains the Federation ID from the User object"
8. SAML Identity Location: Select "Identity is in the NameIdentifier element of the Subject statement"
9. Service Provider Initiated Request Binding: Select HTTP POST
10. Identity Provider Login URL: http://axiomsso.herokuapp.com/RequestSamlResponse.action

11. Under the "Just-in-time User Provisioning" section, check the "User Provisioning Enabled" checkbox and select User Provisioning Type as Standard.

After saving, the configuration looks as shown below.


Step 5: Configure the IdP (Axiom)

Go to https://axiomsso.herokuapp.com/Home.action and expand the "SAML Identity Provider & Tester" section. Click on the "generate a SAML Response" link to configure the IdP:

1. SAML Version: 2.0
2. Username OR Federated ID: TestUserforDemo
3. User ID Location: Subject
4. Issuer: https://axiomsso.herokuapp.com
5. Entity Id: https://saml.salesforce.com
6. SSO Start Page: http://axiomsso.herokuapp.com/RequestSamlResponse.action
7. Recipient URL: https://ltngdev-dev-ed.my.salesforce.com?so=00D41000000F5pm
8. User Type: Standard

9. In "Additional Attributes", add the user information needed to create a Salesforce user on the fly.

Note:

– If you are creating JIT provisioning for a Community, you need to pass other "Additional Attributes" such as Contact and Account details.

Once complete, it looks as shown below.


Click on "Request SAML response" to generate the SAML response. After clicking "Request SAML response", you will see output as shown below.


Now, to test the SSO, click on the "Login" button. Upon login it will create a new user in Salesforce on the fly.
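Because JIT provisioning creates a user from nothing but the assertion, the service provider must accept it only when the Issuer, Entity Id (Audience) and Recipient URL match what was configured in steps 4 and 5, the assertion has not expired, and the attributes needed to create the user are present. The following is an added example of those checks run over a constructed SAML Response; it is not code from this blog, from Salesforce or from Axiom, and the User.* attribute names, the sample attribute values and the fixed clock are assumptions.

```python
"""Checks a Salesforce SP must make on an Axiom SAML Response before it JIT-creates
a user. Added example with a constructed response; not code from the blog or Axiom."""
import datetime as dt
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion", "samlp": "urn:oasis:names:tc:SAML:2.0:protocol"}
# Values configured in Salesforce (step 4) and in Axiom (step 5) above.
EXPECTED = {"issuer": "https://axiomsso.herokuapp.com",
            "audience": "https://saml.salesforce.com",
            "recipient": "https://ltngdev-dev-ed.my.salesforce.com?so=00D41000000F5pm"}
# Attributes needed to create a standard user on the fly. The User.* names are
# assumed here; the blog only says "add the User information".
REQUIRED = ("User.Username", "User.Email", "User.LastName", "User.ProfileId")
ATTRS = {"User.Username": "testuser@demo.example", "User.Email": "testuser@demo.example",
         "User.LastName": "Demo", "User.ProfileId": "Standard User",
         "User.FederationIdentifier": "TestUserforDemo"}  # constructed sample values
ATTR_XML = "".join(f'<saml:Attribute Name="{k}"><saml:AttributeValue>{v}'
                   "</saml:AttributeValue></saml:Attribute>" for k, v in ATTRS.items())
SAMPLE = f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}">
<saml:Assertion><saml:Issuer>{EXPECTED['issuer']}</saml:Issuer>
<saml:Subject><saml:NameID>TestUserforDemo</saml:NameID><saml:SubjectConfirmation>
<saml:SubjectConfirmationData NotOnOrAfter="2016-01-01T00:05:00Z"
 Recipient="{EXPECTED['recipient']}"/></saml:SubjectConfirmation></saml:Subject>
<saml:Conditions><saml:AudienceRestriction><saml:Audience>{EXPECTED['audience']}</saml:Audience>
</saml:AudienceRestriction></saml:Conditions>
<saml:AttributeStatement>{ATTR_XML}</saml:AttributeStatement></saml:Assertion></samlp:Response>"""
NOW = dt.datetime(2016, 1, 1, tzinfo=dt.timezone.utc)  # constructed clock for the sample

def check_jit_assertion(xml_text, now=NOW, expected=EXPECTED):
    """Return (federation_id, attributes) or raise ValueError. Verifying the XML
    signature with the certificate from step 2 is assumed to happen before this."""
    a = ET.fromstring(xml_text).find("saml:Assertion", NS)
    if a is None or a.findtext("saml:Issuer", namespaces=NS) != expected["issuer"]:
        raise ValueError("missing Assertion or unexpected Issuer")
    aud = "saml:Conditions/saml:AudienceRestriction/saml:Audience"
    if a.findtext(aud, namespaces=NS) != expected["audience"]:
        raise ValueError("Audience is not this SP's Entity Id")
    scd = a.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd is None or scd.get("Recipient") != expected["recipient"]:
        raise ValueError("Recipient mismatch")
    if now >= dt.datetime.fromisoformat(scd.get("NotOnOrAfter").replace("Z", "+00:00")):
        raise ValueError("assertion expired")
    attrs = {el.get("Name"): el.findtext("saml:AttributeValue", namespaces=NS)
             for el in a.iterfind("saml:AttributeStatement/saml:Attribute", NS)}
    missing = [k for k in REQUIRED if not attrs.get(k)]
    if missing:
        raise ValueError("JIT attributes missing: " + ", ".join(missing))
    return a.findtext("saml:Subject/saml:NameID", namespaces=NS), attrs
```

Salesforce performs these checks itself (plus the signature check against the uploaded certificate); the script only makes visible what a mismatched Entity Id or Recipient URL in step 5 would cause the login to fail on.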