SAML 2.0 SSO with Salesforce.com CRM

Salesforce.com has supported SAML 2.0 since the Winter '09 release. The OpenSSO console team is in the process of building a cool task flow for this, which will significantly reduce the number of steps listed here. Look out for it in Build 12.

Prerequisites:
  • For each OpenSSO user that needs to access Salesforce.com, choose a user profile attribute to map to a Salesforce.com user. We will call this the "federationID". Note that this value must be unique for each user: if two OpenSSO users carry the same value, both map to the same Salesforce.com account. As an example we will use the OpenSSO email profile attribute (mail). Also note that, for obvious security reasons, the chosen profile attribute must be changeable by authorized administrators only, i.e. it must not be changeable by the user, since whoever can edit it can log in to Salesforce.com as any federationID they enter. Please refer to the OpenSSO Delegated Admin feature to set up appropriate privileges.
  • Decide the exact SAML attribute name the IDP will populate the "federationID" with.
  • Set up the OpenSSO IDP with XML signing turned on. Note the provider ID (entity ID) of the IDP configuration. In my setup it is: http://sa.idp.com:8080/sa
  • Export the OpenSSO (IDP) public key to a file
    For example, if your OpenSSO IDP uses the out-of-the-box test certificate, execute the following in a terminal on the box hosting the OpenSSO server:
    $ cd <openssoconfig_dir>
    $ keytool -export -keystore keystore.jks -alias test -file cert.cer
    <openssoconfig_dir> is the base bootstrap directory you specified during OpenSSO installation. Only the public certificate is exported here; the private key stays in keystore.jks. The bundled "test" key pair is for demonstration only, so a production IDP should sign with its own key and export that certificate instead.
Salesforce.com end :
  • Log in to http://www.salesforce.com as an administrator.
  • Navigate to Setup->Security Controls->Single Sign-On Settings. Enable SAML and fill in the dialog presented.
    • Select version 2.0.
    • Import the IDP certificate. In my setup I entered the cert.cer file saved in the Prerequisites steps above. Salesforce.com uses this certificate to verify the signature on every assertion, so an assertion signed by any other key is rejected.
    • Enter the fields that tell Salesforce.com how the authenticated user is identified in the SAML assertion from the IDP. In my example I specified the mail SAML attribute. Note that this must match exactly the OpenSSO setup described in the "OpenSSO end" steps below.
    Saving the configuration displays a generated Salesforce.com login URL.
    Save this URL string; it will be needed while configuring the OpenSSO service provider.
  • Navigate to Setup->Manage Users->Users. For each user, enter the FederationID value corresponding to the OpenSSO profile attribute chosen. In my setup I chose a user and set its FederationID to "demo@example.com":

Configuring OpenSSO end
  • If not already created, log in to the OpenSSO console and create a Hosted Identity Provider, either via the task flow or other means. Make sure you choose the "Sign Assertion" option and specify a certificate to use for signing. OpenSSO comes with a default "test" certificate; it must be the same certificate you exported and imported into Salesforce.com above.
  • Provision the "federationID" value for each user that needs access to Salesforce.com. As an example, log in to the OpenSSO console as amadmin, navigate to RootRealm->Subjects->demo and set the demo user's Email attribute to demo@example.com:
  • Create a new Service Provider representing Salesforce.com
    • Log in to the OpenSSO console as amadmin.
    • Download the enclosed salesforceSPMetadata.xml.
    • Start the "Create hosted SP" task flow.
    • Import the salesforceSPMetadata.xml metadata (optionally, specify the URL from this blog:
      http://blogs.sun.com/rangal/resource/salesforceSPMetadata.xml
      directly in the task flow field).
    • Navigate to the Salesforce.com service provider created in the last step, select the Services tab and enter the Salesforce.com URL obtained earlier in the "Salesforce.com end" steps.

    • Set up the SAML attribute to be sent as part of the assertion to identify the Salesforce.com user. This is done by configuring the attribute mapper on either the IDP configuration or the SP configuration. If the IDP attribute mapper is configured, all SPs will receive the attribute; if only the Salesforce.com SP configuration is set up, the attribute will be sent only to Salesforce.com, which is the narrower release and the one to prefer. In my setup I changed the SP attribute mapper to map the OpenSSO user profile attribute mail to the SAML attribute mail. The SAML attribute name must match exactly what you entered in the Salesforce.com SSO settings.

Test :
  • Start a browser and invoke IDP-initiated SSO:
    <protocol>://<idphostname>:<port>/<deployuri>/idpssoinit?NameIDFormat=urn:oasis:names:tc:SAML:2.0:nameid-format:transient&metaAlias=/idp&spEntityID=https://saml.salesforce.com&binding=urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST

    In my setup I used: http://sa.idp.com:8080/sa/idpssoinit?NameIDFormat=urn:oasis:names:tc:SAML:2.0:nameid-format:transient&metaAlias=/idp&spEntityID=https://saml.salesforce.com&binding=urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST
    Because the NameID format is transient, Salesforce.com does not identify the user from the NameID at all; it relies entirely on the mapped attribute (mail) in the assertion. If things work correctly, OpenSSO in the IDP role should prompt for user credentials and then seamlessly single sign on to Salesforce.com as the user mapped to the authenticated user.
  • Troubleshooting: Both OpenSSO and Salesforce.com provide excellent online facilities to test SSO.
    • Visit the OpenSSO Test Connection Connectivity task flow.
    • Salesforce.com provides a SAML Assertion Validator where you can cut and paste a SAML assertion to report errors.
    • Both OpenSSO and Salesforce.com provide error logs; SFDC user logs are under Setup->Manage Users->Login History.
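Before pasting an assertion into the Salesforce.com validator, it helps to check locally that the SAMLResponse the IDP posted actually carries what the "Salesforce.com end" and "OpenSSO end" steps above were configured for: the right Issuer, a signature on the assertion, a transient NameID, the Salesforce.com audience, a current validity window, and exactly one value of the mapped attribute. The script below is an added example written for this page; it is not code from the original post, from OpenSSO or from Salesforce.com. It assumes the entity IDs and the attribute name mail from my setup; the sample response it checks is constructed for the example (not a real OpenSSO capture), and its ds:Signature is a placeholder. It only confirms that a signature element is present; cryptographic verification is Salesforce.com's job, using the imported IDP certificate.

```python
# Added example, not from the original post: offline pre-check of the
# SAMLResponse an OpenSSO IDP posts to Salesforce.com. The sample response
# is constructed (placeholder signature); entity IDs follow the post.
import base64
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
TRANSIENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient"

# Values from the post's setup.
IDP_ENTITY_ID = "http://sa.idp.com:8080/sa"
SP_ENTITY_ID = "https://saml.salesforce.com"
FEDERATION_ATTR = "mail"

# Constructed sample of what the IDP sends for the demo user.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="r1" Version="2.0"
    IssueInstant="2009-07-01T12:00:00Z">
  <saml:Issuer>http://sa.idp.com:8080/sa</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="a1" Version="2.0" IssueInstant="2009-07-01T12:00:00Z">
    <saml:Issuer>http://sa.idp.com:8080/sa</saml:Issuer>
    <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">PLACEHOLDER-SIGNATURE</ds:Signature>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient">_t1</saml:NameID>
    </saml:Subject>
    <saml:Conditions NotBefore="2009-07-01T11:59:00Z" NotOnOrAfter="2009-07-01T12:10:00Z">
      <saml:AudienceRestriction><saml:Audience>https://saml.salesforce.com</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="mail"><saml:AttributeValue>demo@example.com</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""
# The HTTP-POST binding carries the response base64-encoded in a form field.
SAMPLE_RESPONSE_B64 = base64.b64encode(SAMPLE_RESPONSE.encode()).decode()

# Fixed clock so the sample's validity window is deterministic.
NOW = datetime(2009, 7, 1, 12, 0, 0, tzinfo=timezone.utc)


def decode_saml_response(form_field):
    """Decode the base64 SAMLResponse field of the HTTP-POST binding."""
    return base64.b64decode(form_field).decode("utf-8")


def _ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def check_response(xml_text, idp_entity_id, sp_entity_id, attr_name, now):
    """Return (federation_id, problems): the single value of attr_name (or
    None) and every mismatch against what Salesforce.com expects."""
    problems = []
    root = ET.fromstring(xml_text)
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return None, ["Response carries no saml:Assertion"]

    # Both Issuers must name the IDP whose certificate was imported.
    for node, label in ((root, "Response"), (assertion, "Assertion")):
        issuer = node.find("saml:Issuer", NS)
        if issuer is None or (issuer.text or "").strip() != idp_entity_id:
            problems.append(f"{label} Issuer is not {idp_entity_id}")

    # "Sign Assertion" on the IDP puts a ds:Signature inside the assertion.
    if assertion.find("ds:Signature", NS) is None:
        problems.append("Assertion is unsigned (enable 'Sign Assertion' on the IDP)")

    # With a transient NameID the user is identified only by the attribute.
    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    if name_id is None or name_id.get("Format") != TRANSIENT:
        problems.append("Subject NameID is missing or not transient")

    cond = assertion.find("saml:Conditions", NS)
    if cond is None:
        problems.append("Assertion has no Conditions")
    else:
        not_before, not_on_or_after = cond.get("NotBefore"), cond.get("NotOnOrAfter")
        if not_before and now < _ts(not_before):
            problems.append(f"not yet valid: NotBefore={not_before}")
        if not_on_or_after and now >= _ts(not_on_or_after):
            problems.append(f"expired: NotOnOrAfter={not_on_or_after}")
        audiences = [a.text.strip() for a in
                     cond.findall("saml:AudienceRestriction/saml:Audience", NS) if a.text]
        if sp_entity_id not in audiences:
            problems.append(f"Audience does not include {sp_entity_id}: {audiences}")

    # The mapped attribute must appear exactly once, with exactly one value,
    # under exactly the name entered in the Salesforce.com SSO settings.
    attrs = [a for a in assertion.findall("saml:AttributeStatement/saml:Attribute", NS)
             if a.get("Name") == attr_name]
    federation_id = None
    if len(attrs) != 1:
        problems.append(f"expected one attribute named {attr_name!r}, found {len(attrs)}")
    else:
        values = [v.text.strip() for v in attrs[0].findall("saml:AttributeValue", NS)
                  if v.text and v.text.strip()]
        if len(values) != 1:
            problems.append(f"attribute {attr_name!r} has {len(values)} values, expected one")
        else:
            federation_id = values[0]
    return federation_id, problems


if __name__ == "__main__":
    fid, probs = check_response(decode_saml_response(SAMPLE_RESPONSE_B64),
                                IDP_ENTITY_ID, SP_ENTITY_ID, FEDERATION_ATTR, NOW)
    print("FederationID:", fid)
    for p in probs:
        print("PROBLEM:", p)
```

To check a real login, copy the SAMLResponse form field from the browser's POST to Salesforce.com (the OpenSSO debug logs also record the assertion) and pass it through decode_saml_response with the current time. A non-empty problems list points at the same misconfigurations the Salesforce.com validator and the Login History page report: a wrong attribute name, an unsigned assertion, a clock skew between the IDP host and Salesforce.com, or an audience that is not https://saml.salesforce.com.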
Comments:

Dear Rajeev
I tried the nice tutorial that you wrote and unfortunately it didn't work for me.
I tried to test the connection from the OpenSSO and the login was unsuccessful, and for the Salesforce I was not able to find where to get the information for the SAML Assertion validator to validate.
When I tested it under the OpenSSO I got a tip to try with demo and changeit as password; I tried that as well but it didn't work.
Could you give me advice on how I can resolve the problem?
thanks a lot

Posted by Alex on July 03, 2009 at 12:12 AM PDT #

Alex:

Did you contact Salesforce and have them enable SSO for you?

I have a tiny question as well to Rajeev. It seems salesforceSPMetadata.xml links to your blog resources. I am just curious if there is a way to obtain it directly from salesforce.

thanks

Posted by Peter on July 22, 2009 at 01:14 AM PDT #

Rajeev,

When trying to create the hosted service provider it asks me for metadata, which I provide with the salesforceSPMetadata.xml that you link to. It also asks for "extended data", which I cannot locate. Can you outline where to get this from, or how to create it: what information does this file contain?

thanks

--
Damien

Posted by Damien on August 16, 2009 at 11:52 AM PDT #

Does Salesforce.com support Service Provider Initiated SSO? Your tutorial only mentioned IDP initiated SSO.

Thank you very much for your help.

Posted by John Du on October 19, 2009 at 10:08 AM PDT #

Thanks for your instructions. It really helped me fill in the gaps from the SF docs out there. Thanks for the metadata link too.

Lucas

Posted by Lucas Garza on March 03, 2010 at 02:30 PM PST #

Nice post. Thanks.

Do you have any clue on how to migrate the FederationID using Apex Data Loader?
I didn't find any reference to the field.

Thanks a lot for your help.

Posted by Martin Hubert on August 05, 2010 at 08:14 PM PDT #
