In this blog, i am going to explain the how to configure the Just-in-Time Provisioning for SAML with AXIOM. With just-in-time provisioning, the end user identity is provisioned (created or updated) at the service provider the first time the end user tries to access the service provider’s service—without the need for prior identity provisioning activity between the identity provider and the service provider. With salesforce Just-In-Time provisioning you can create both portal users and regular users.
Step 1: – Enabled My Domain
To enable the custom domain
Go to setup –> Administer ->Domain Management->My Domain –> create your domain and deploy user. If you have already custom domain you can ignore this step.
Step 2: – Download the certification from Idp.
In order to configure the salesforce SSO, you need certificate from the IDP . in Our case Axiom is the IDP go to the below UR
download the Download the Identity Provider Certificate
Step 3: Federated Single Sign-On Using SAML
Navigate to “Setup | Security Controls | Single Sign-On Settings” and check “SAML Enabled” option.
Step 4: – SAML Single Sign-On Settings
Now you need to configure the SAML Single Sign-On Settings. go to setting ->Security Controls ->Single Sign-On Settings->SAML Single Sign-On Settings-> Click New
Complete the details as describes below
1.Name :- < Any Name is fine > . In this example Axiom Just IN
2.API Name :- < Auto populate from Name >
3.SAML Version :- Default 2.0 Salesforce won’t support SAML 1.0
6.Identity Provider Certificate: – Upload the Axiom Certificate which is downloaded in step 2
7.SAML Identity Type: – Select Assertion contains the Federation ID from the User object
8.SAML Identity Location : – Select Identity is in the NameIdentifier element of the Subject statement
9.Service Provider Initiated Request Binding: – Select Http Post
10.Identity Provider Login URL:- http://axiomsso.herokuapp.com/RequestSamlResponse.action
11. Under “Just-in-time User Provisioning” section
Check “User Provisioning Enabled” checkbox and select User Provisioning Type as standard.
After saving the configuration looks below
Step 5: – Configured IDP (Axiom )
go to https://axiomsso.herokuapp.com/Home.action expand “SAML Identity Provider & Tester ” section. Click on the “generate a SAML Response” link to configure the IDP
1.SAML Version:- 2.0
2.Username OR Federated ID: – TestUserforDemo
3.User ID Location: – Subject
5.Entity Id:- https://saml.salesforce.com
6.SSO Start Page:- http://axiomsso.herokuapp.com/RequestSamlResponse.action
8.User Type: – Standard
9. in “Additional Attributes” add the User information to create a salesforce user on the fly.
– If you are creating JIT Provisioning for Comunity you need to pass other “Additional Attributes” like Contact and Account details
After completing its looks as shown below.
Click On “Request SAML response” to see the to generate SAML response. After Click on “Request SAML response,” you will see output as shown below
Now to test the SSO Click on “Login ” Button. It will create a new user in the salesforce upon login on the fly.