Single sign-on (SSO) is an authentication method that lets users access multiple applications with one login and one set of credentials. This article covers the fundamentals of Salesforce Single Sign-On (SSO) and the steps to configure a third-party identity provider (IdP) as the authentication provider for logging in to Salesforce. For example, logging in to your organization as a single sign-on user (through Duo, PingFed or Microsoft Azure) lets you log in to Salesforce without entering the org-specific Salesforce username and password.
SAML is an open-standard authentication protocol that Salesforce uses for single sign-on into a Salesforce organization from a third-party identity provider. It is always recommended to implement single sign-on in a lower sandbox first and only then in the production environment; a mistyped Issuer or Entity ID locks every SSO user out. There are two key steps in this configuration:
1. Single Sign-On Settings configuration (Setup -> Identity -> Single Sign-On Settings)
2. Allow Users to Login Using SSO (Setup -> My Domain -> Authentication Configuration)
1. Single Sign-On Settings:
- From Setup, in the Quick Find box, enter Single, and then select Single Sign-On Settings. If SAML isn’t enabled, turn it on.
- Click Edit.
- Select SAML Enabled.
- Save the change.
- After navigating to Setup -> Single Sign-On Settings, click New (or New from Metadata File) and either populate the required fields manually or upload the metadata file provided by the identity provider (for example PingFed or Azure). Most of the fields are populated from the metadata file or are self-explanatory, but some of them drive the key working mechanism of SSO.
- Among the required fields, Request Signing Certificate is a self-signed certificate created in Salesforce (Setup -> Certificates and Key Management) and shared with the identity provider team. The IdP uses it to verify the SP-initiated requests that Salesforce signs; it is not the certificate Salesforce uses to verify the IdP's assertions (that is the Identity Provider Certificate below).
- Another important field is SAML Identity Type, which offers three options (Salesforce username, Federation ID, and User ID). It tells Salesforce, as the service provider, how to match the identity carried in the SAML assertion to a field on the Salesforce User record. Which option to select depends on how the identity provider identifies Salesforce users in its assertions. For example, if the identity provider passes the user's Salesforce username, select Assertion contains the User's Salesforce username.
- Name—Enter a name for the SAML SSO settings.
- SAML Version—This setting is set to 2.0.
- Issuer—Paste the identity provider's entityID here. Salesforce rejects an assertion whose Issuer element does not match this value exactly.
- Identity Provider Certificate—Browse and select the token-signing certificate you exported earlier.
- Request Signing Certificate—Select a self-signed certificate you created earlier. (See the procedure for generating a self-signed certificate.)
- Request Signature Method—Set this to RSA-SHA256. RSA-SHA1 is still offered, but SHA-1 is deprecated for signatures; choose it only if the identity provider cannot verify SHA-256 signatures.
- SAML Identity Type—To log in a user, you can match against either the Salesforce username or the Federation ID. If matching the Federation ID, the Federation ID field must be populated on every user's User record and must be unique within the org. For testing, select Federation ID. If users' email addresses are their Salesforce usernames, a production deployment can switch to matching against the username.
- SAML Identity Location—The identity can be read either from the NameID in the assertion's Subject or from a named attribute. NameID is the usual choice because AD FS (like most IdPs) populates NameID in the SAML assertion.
- Service Provider Initiated Request Binding—It’s recommended that you choose HTTP Redirect.
- Identity Provider Login URL—Enter the URL of your AD FS SAML endpoint, to which Salesforce sends SAML requests for SP-initiated login. You can find the URL in the AD FS MMC at Endpoints | Token Issuance | Type: SAML 2.0/WS-Federation.
- Custom Logout URL—Optionally, a URL to which the user is sent after logging out, for example http://intranet.mycompany.com/ (use an HTTPS URL in production).
- Entity ID—This setting specifies how the AD FS IdP identifies the Salesforce SP. Enter the entity ID of your configured My Domain (for example https://<MyDomain>.my.salesforce.com). It must match the Audience the IdP places in its assertions, and it is required for SP-initiated SSO.
After populating all the required fields, save the record.
2. Allow Users to Login Using SSO (Setup -> My Domain -> Authentication Configuration)
To allow users to log in using SSO, update the Authentication Configuration of your My Domain:
Setup -> My Domain -> Edit -> Authentication Configuration, then under Authentication Service select the SAML SSO configuration saved in step 1. Keep Login Form selected until SSO has been verified so that administrators retain a username/password fallback.
After saving these updates, validate the SSO configuration with the SAML Validator button on Setup -> Identity -> Single Sign-On Settings.
You can select a configuration to validate the response against, or let the validator detect the configuration from the response. If the page is unable to detect a configuration, manually selecting the appropriate one may yield more information. The validator tries to continue validation after it finds an error, but it cannot recover from some errors, and more errors may be revealed after you fix the initial problem. Errors unrelated to the assertion itself (for example, a user whose profile is not permitted to log in) are not detected by this validator; refer to the login history for information on such failures.
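As an added example (not code from the original article or from Salesforce), the following Python script models how Salesforce resolves a SAML Response against the settings described above (Issuer, Entity ID, SAML Identity Type, SAML Identity Location and Request Signature Method) and the kinds of errors the SAML Validator reports. The identity provider, entity IDs, user records and the SAML Response are all constructed for the example; the `SsoSettings`, `check_response` and `run_checks` names are this example's own, and the script does not verify the XML signature cryptographically.

```python
# Added example, not from the original article: models how Salesforce resolves a SAML
# Response against the SSO settings above. IdP, org, user and response are constructed.
from dataclasses import dataclass
from datetime import datetime, timezone
import xml.etree.ElementTree as ET  # use defusedxml for untrusted XML in real code

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
RSA_SHA1 = "http://www.w3.org/2000/09/xmldsig#rsa-sha1"
RSA_SHA256 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"

@dataclass
class SsoSettings:
    issuer: str               # "Issuer": the IdP entityID
    entity_id: str            # "Entity ID": the Salesforce SP (My Domain)
    identity_type: str        # "username" | "federation_id" | "user_id"
    identity_location: str    # "name_id" | "attribute"
    attribute_name: str = ""  # only used when identity_location == "attribute"

@dataclass
class User:  # the three User fields SAML Identity Type can match against
    username: str
    federation_id: str
    user_id: str

def _ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def check_response(xml_text, settings, now, users):
    """Return (matched User or None, list of errors) for one SAML Response."""
    errors = []
    assertion = ET.fromstring(xml_text).find("saml:Assertion", NS)
    if assertion is None:
        return None, ["Response carries no Assertion"]
    issuer = assertion.findtext("saml:Issuer", namespaces=NS)
    if issuer != settings.issuer:
        errors.append(f"Issuer {issuer!r} does not match configured Issuer {settings.issuer!r}")
    audience = assertion.findtext("saml:Conditions/saml:AudienceRestriction/saml:Audience", namespaces=NS)
    if audience != settings.entity_id:
        errors.append(f"Audience {audience!r} does not match Entity ID {settings.entity_id!r}")
    conds = assertion.find("saml:Conditions", NS)
    nb, na = (conds.get("NotBefore"), conds.get("NotOnOrAfter")) if conds is not None else (None, None)
    if not (nb and na and _ts(nb) <= now < _ts(na)):
        errors.append("assertion is outside its NotBefore/NotOnOrAfter window")
    sig = assertion.find("ds:Signature/ds:SignedInfo/ds:SignatureMethod", NS)
    if sig is None:
        errors.append("assertion is not signed")
    elif sig.get("Algorithm") != RSA_SHA256:
        errors.append(f"weak or unexpected signature algorithm {sig.get('Algorithm')}")
    # Cryptographic verification against the Identity Provider Certificate is left out
    # of this model; Salesforce performs it before any of the matching below.
    if settings.identity_location == "name_id":  # SAML Identity Location
        ident = assertion.findtext("saml:Subject/saml:NameID", namespaces=NS)
    else:
        ident = None
        for attr in assertion.findall("saml:AttributeStatement/saml:Attribute", NS):
            if attr.get("Name") == settings.attribute_name:
                ident = attr.findtext("saml:AttributeValue", namespaces=NS)
    if not ident:
        errors.append("no identity value at the configured SAML Identity Location")
        return None, errors
    # SAML Identity Type: the value must equal exactly one User's chosen field
    matches = [u for u in users if getattr(u, settings.identity_type) == ident]
    if len(matches) != 1:
        errors.append(f"{len(matches)} users match {settings.identity_type}={ident!r}")
    return (matches[0] if len(matches) == 1 and not errors else None), errors

# Constructed sample data: fictional IdP, org and user.
EXAMPLE_NOW = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)
EXAMPLE_USERS = [User("jdoe@example.com", "EMP0042", "005000000000001AAA")]
EXAMPLE_SETTINGS = SsoSettings("https://idp.example.com/adfs/services/trust",
                               "https://acme.my.salesforce.com",
                               "federation_id", "attribute", "federationId")
SAMPLE_RESPONSE = f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
 xmlns:ds="{NS['ds']}" ID="_r1" Version="2.0" IssueInstant="2024-01-01T12:00:00Z">
 <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-01-01T12:00:00Z">
  <saml:Issuer>https://idp.example.com/adfs/services/trust</saml:Issuer>
  <ds:Signature><ds:SignedInfo><ds:SignatureMethod Algorithm="{RSA_SHA256}"/></ds:SignedInfo>
   <ds:SignatureValue>PLACEHOLDER</ds:SignatureValue></ds:Signature>
  <saml:Subject><saml:NameID>jdoe@example.com</saml:NameID></saml:Subject>
  <saml:Conditions NotBefore="2024-01-01T11:59:00Z" NotOnOrAfter="2024-01-01T12:05:00Z">
   <saml:AudienceRestriction><saml:Audience>https://acme.my.salesforce.com</saml:Audience>
   </saml:AudienceRestriction></saml:Conditions>
  <saml:AttributeStatement><saml:Attribute Name="federationId">
   <saml:AttributeValue>EMP0042</saml:AttributeValue></saml:Attribute></saml:AttributeStatement>
 </saml:Assertion>
</samlp:Response>"""

def run_checks():
    """Run the sample response against several settings -> {scenario: (username, errors)}."""
    s = EXAMPLE_SETTINGS
    scenarios = {
        "federation_id_attr": (SAMPLE_RESPONSE, s),
        "username_nameid": (SAMPLE_RESPONSE, SsoSettings(s.issuer, s.entity_id, "username", "name_id")),
        # a production assertion arriving at an SP configured with a sandbox entity ID
        "wrong_entity_id": (SAMPLE_RESPONSE, SsoSettings(
            s.issuer, "https://acme--uat.sandbox.my.salesforce.com", "federation_id", "attribute", "federationId")),
        "sha1_signature": (SAMPLE_RESPONSE.replace(RSA_SHA256, RSA_SHA1), s),
    }
    results = {}
    for name, (xml_text, settings) in scenarios.items():
        user, errors = check_response(xml_text, settings, EXAMPLE_NOW, EXAMPLE_USERS)
        results[name] = (user.username if user else None, errors)
    return results
```

`run_checks()` resolves the same assertion two ways (Federation ID from a named attribute, and username from NameID) and then shows two failures the validator would report: an Audience that does not match the Entity ID, which is what happens when an IdP configured for production is pointed at a sandbox My Domain, and an assertion signed with RSA-SHA1 when the settings expect SHA-256. In both failure cases no user is returned even though the identity itself resolves.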