Single sign-on is a process that allows network users to access all
authorized network resources without having to log in separately to each
resource. Single sign-on allows you to validate usernames and passwords
against your corporate user database or other client application rather
than having separate user passwords managed by Salesforce. In this post we will talk about single sign-on between two Salesforce orgs.
Options for Implementing SSO on Force.com
1) Delegated authentication
Using delegated authentication, Force.com does not validate passwords but instead uses an external Web service to validate user credentials. When a user attempts to log in, the platform checks the user's profile to see if they are enabled for SSO. If so, it makes a Web services call to the endpoint specified for the organization (environment), asking it to validate the username and password. The Web service checks the credentials against an identity store (for example LDAP or OpenID) and returns either "true" or "false". If true, the user is granted access to the application and proceeds normally. If false, the user is informed that their credentials are invalid.
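The endpoint logic that the paragraph above describes, as an added example (not Salesforce code and not the post's own): the service answers only "true" or "false", compares password hashes in constant time, hashes even for unknown usernames so response timing does not reveal which accounts exist, and checks the caller's source IP (the delegated-authentication request carries it alongside the username and password) against a network range. The identity store, salt, password and 10.0.0.0/8 range are all constructed values standing in for a real LDAP directory and corporate network.

```python
"""Delegated-authentication endpoint logic: returns True or False, nothing else.
Added example; the user record, salt and allowed network are constructed."""
import hashlib
import hmac
import ipaddress


def _hash(password: str, salt: bytes) -> bytes:
    """PBKDF2-SHA256 stands in for whatever the real identity store uses."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


_SALT = b"constructed-salt-0001"  # constructed; a real store uses a random per-user salt
IDENTITY_STORE = {
    # constructed user: username -> (salt, password hash)
    "amit@example.com": (_SALT, _hash("correct horse battery staple", _SALT)),
}
# Constructed corporate range: reject logins that do not originate from it.
ALLOWED_NETWORKS = [ipaddress.ip_network("10.0.0.0/8")]


def authenticate(username: str, password: str, source_ip: str) -> bool:
    """Validate one login attempt. Fails closed and never explains why."""
    try:
        ip = ipaddress.ip_address(source_ip)
    except ValueError:
        return False
    if not any(ip in net for net in ALLOWED_NETWORKS):
        return False
    record = IDENTITY_STORE.get(username)
    if record is None:
        # Do the same work as for a real user so timing does not leak existence.
        _hash(password, _SALT)
        return False
    salt, expected = record
    # Constant-time comparison of the derived hash against the stored one.
    return hmac.compare_digest(_hash(password, salt), expected)


if __name__ == "__main__":
    print(authenticate("amit@example.com", "correct horse battery staple", "10.1.2.3"))
    print(authenticate("amit@example.com", "wrong password", "10.1.2.3"))
```

The boolean return is deliberate: the platform only needs a yes or no, and returning distinct reasons for "unknown user", "wrong password" and "blocked network" would hand an attacker an account-enumeration oracle.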
2) Federated Authentication
As with delegated authentication, federated authentication does not validate the user's actual password on the Force.com platform either. Instead, the platform receives a SAML assertion in an HTTP POST request. The SAML assertion has a limited validity period, contains a unique identifier, and is digitally signed. If the assertion is still within its validity period, has an identifier that has not been used before, and has a valid signature from a trusted identity provider, the user is granted access to the application. If the assertion fails validation for any reason, the user is informed that their credentials are invalid.
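The three checks the paragraph above lists, carried out on the service-provider side, as an added example (not Salesforce code and not the post's own): verify the signature before trusting anything in the document, confirm the issuer is the trusted IdP, enforce the NotBefore/NotOnOrAfter window, and consume each assertion ID only once so a captured assertion cannot be replayed. The issuer URL, signing key and assertion contents are constructed, and the signature is modelled as an HMAC over the assertion bytes so the example runs without an XML-DSig library; a real SP verifies the XML-DSig RSA signature against the IdP's certificate instead.

```python
"""SP-side validation of a SAML assertion: signature, issuer, validity window, replay.
Added example with constructed values; HMAC stands in for XML-DSig."""
import hashlib
import hmac
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
TRUSTED_ISSUER = "https://idp-org.my.salesforce.com"  # constructed IdP entity
IDP_SIGNING_KEY = b"constructed-idp-signing-key"  # stands in for the IdP certificate
SAML_TIME = "%Y-%m-%dT%H:%M:%SZ"


def _fmt(ts: datetime) -> str:
    return ts.astimezone(timezone.utc).strftime(SAML_TIME)


def _parse_time(value: str) -> datetime:
    return datetime.strptime(value, SAML_TIME).replace(tzinfo=timezone.utc)


def build_assertion(assertion_id, issuer, name_id, not_before, not_on_or_after) -> bytes:
    """Constructed minimal assertion in the shape an IdP POSTs to the SP."""
    return (
        f'<saml:Assertion xmlns:saml="{SAML_NS["saml"]}" ID="{assertion_id}">'
        f"<saml:Issuer>{issuer}</saml:Issuer>"
        f"<saml:Subject><saml:NameID>{name_id}</saml:NameID></saml:Subject>"
        f'<saml:Conditions NotBefore="{_fmt(not_before)}" NotOnOrAfter="{_fmt(not_on_or_after)}"/>'
        "</saml:Assertion>"
    ).encode()


def idp_sign(assertion: bytes) -> str:
    """Stand-in for the IdP's XML-DSig signature over the assertion."""
    return hmac.new(IDP_SIGNING_KEY, assertion, hashlib.sha256).hexdigest()


def validate_assertion(assertion: bytes, signature: str, now: datetime, seen_ids: set):
    """Return (accepted, reason, name_id); accept only when every check passes."""
    # 1. Signature first: nothing inside the document is trusted until it verifies.
    if not hmac.compare_digest(idp_sign(assertion), signature):
        return False, "bad signature", None
    root = ET.fromstring(assertion)
    if root.findtext("saml:Issuer", default="", namespaces=SAML_NS) != TRUSTED_ISSUER:
        return False, "untrusted issuer", None
    # 2. Validity period: NotBefore is inclusive, NotOnOrAfter is exclusive.
    conditions = root.find("saml:Conditions", SAML_NS)
    if conditions is None:
        return False, "missing conditions", None
    not_before = _parse_time(conditions.get("NotBefore"))
    not_on_or_after = _parse_time(conditions.get("NotOnOrAfter"))
    if now < not_before or now >= not_on_or_after:
        return False, "outside validity period", None
    # 3. Replay: each assertion ID is consumed exactly once.
    assertion_id = root.get("ID")
    if not assertion_id or assertion_id in seen_ids:
        return False, "replayed assertion id", None
    seen_ids.add(assertion_id)
    # The NameID is what the SP matches against its local user (the Federation ID).
    name_id = root.findtext("saml:Subject/saml:NameID", default=None, namespaces=SAML_NS)
    return True, "ok", name_id


def demo() -> dict:
    """Five scenarios against a fixed clock; maps scenario name to the validation result."""
    now = datetime(2024, 5, 1, 12, 0, tzinfo=timezone.utc)
    seen = set()
    fresh = build_assertion("_a1", TRUSTED_ISSUER, "amit.fedid", now - timedelta(minutes=1), now + timedelta(minutes=5))
    expired = build_assertion("_a2", TRUSTED_ISSUER, "amit.fedid", now - timedelta(minutes=10), now - timedelta(minutes=5))
    rogue = build_assertion("_a3", "https://rogue-idp.example", "amit.fedid", now - timedelta(minutes=1), now + timedelta(minutes=5))
    return {
        "fresh": validate_assertion(fresh, idp_sign(fresh), now, seen),
        "replayed": validate_assertion(fresh, idp_sign(fresh), now, seen),
        "tampered": validate_assertion(fresh + b" ", idp_sign(fresh), now, seen),
        "expired": validate_assertion(expired, idp_sign(expired), now, seen),
        "untrusted": validate_assertion(rogue, idp_sign(rogue), now, seen),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:10} -> {result}")
```

The order of the checks matters: the signature is verified over the raw bytes before the XML is parsed, so an attacker cannot reach the parser or the time and replay logic with a document the trusted IdP never signed. In production the parser should also be hardened against untrusted XML (entity expansion, external entities), which the standard library parser here does not do.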
The rest of this article shows how to set this up.
About SAML
Security Assertion Markup Language (SAML) is an XML-based standard that allows you to
communicate authentication decisions between one service and another. It underlies many Web single sign-on solutions.
How to Implement SSO between two Salesforce orgs
To set up single sign-on between two Salesforce orgs we need to set up one Salesforce org as the Service Provider and the other as the Identity Provider.
Identity provider (IDP) :- An identity provider is a trusted provider that lets you use single sign-on (SSO) to access other websites.
Service provider (SP) :- A service provider is a website that hosts apps.
Configuring Single Sign-On
Step 1 : Enable My Domain in IDP and SP Org
The first step is to enable "My Domain" in both Salesforce orgs. This functionality gives your Salesforce org a unique name.
- Click on “My Domain”
- Deploy each 'My Domain' to your users
Step 2: - Enable the Identity Provider in your IDP Org
Log in to your IDP org and navigate to Identity Provider: Setup -> Security Controls -> Identity Provider. In every new developer org you will find that the Identity Provider is already enabled, as in the screen below.
NOTE:- Make a note of the Salesforce Identity endpoint URL; we will use it soon.
If you are using an older developer org then you need to enable the Identity Provider and create a certificate, as in the screen below.
Step 3: Add Remote Site setting in SP Org
Now log in to your SP org and add your Identity Provider's domain URL to the SP org as below:
Setup -> Security -> Remote Site Setting
Step 4: Enable Single Sign On in SP Org
- Enable Single Sign-On. Navigate to "Setup > Identity > Single Sign-On Settings" and check the "SAML Enabled" option.
- Now provide the SAML Single Sign-On Setting details. You can also download the certificate from step 2 with the Download Certificate button and upload it here with the "New from Metadata File" button, but we will use "New from Metadata URL" here, with the same URL that we copied in step 2.
Do not change anything else on the screen below except one setting: set SAML Identity Type to Federation ID. Make a note of the Entity ID and Login URL from here; we will use the same values in the IDP org's Connected App.
Step 5: Create Connected App in IDP Org
Now go back to your IDP org and create one connected app with the steps below:
- Create the connected app: Setup -> App Manager -> New Connected App
- Now provide all required details. Make sure you perform the steps below on your connected app:
- Enable SAML
- Provide the Entity ID (use the Entity ID from step 4)
- ACS URL (the Login URL from step 4)
- Subject Type should be Federation ID.
- IdP Certificate: the Identity Provider label name
- Once the connected app is ready, click on the Manage button, then add the profile from the related list.
Step 6: Update Authentication Configuration for my Domain in SP Org
Now go to the SP org, then navigate to My Domain (Setup -> My Domain). Edit the Authentication Configuration setting and select the IDP org as the Authentication Service.
Step 7: Test your configuration
Now it's time to test our single sign-on.
- Create one user in both orgs with the same "Federation ID".
- Then first log in to the Identity Provider org, go to your connected app -> click on Manage, then click on the "IdP-Initiated Login URL" to check your single sign-on.
- Now all set. I hope single sign-on is working fine :). If you also want to add the app to the App Launcher, edit your connected app and put your IdP-Initiated Login URL in "Start URL" on the above screen.
- Now you can check SSO with the App Launcher.
We did the same session in ApexHours as well with Atul. Please check the recording below for SSO.
Agenda :-
- Core Concepts
- Single Sign On
- Social Sign-On
- Identity Provider
- Service Provider
- Authentication
- Authorization
- Advantages of Identity management
- Centralized Control
- Security
- Policy Updates
- Easy to use
- Demo 1: Salesforce as Identity Provider
- Steps to set Salesforce as IP
- Demo 2: Salesforce as Service Provider
- Steps to set Salesforce as SP
- Other IDPs in market
If you want to learn about Azure Active Directory Seamless Single Sign-On with Salesforce please check this post.
Thanks,
Amit Chaudhary
Awesome! Thanks for sharing. I particularly like the way you write your content.
Thanks for your feedback
Awesome, marvelous concept. For the past few days I was looking for this article.
Hi.
I followed these steps, but for some reason at the end, after trying to log in (either from the URL or by using the login URL in the connected app), I am getting the error 'Single-Sign on Error Invalid HTTP method'. Any idea what can be the cause?
Thanks,
Liron
Found the problem....
I set up in the connected app ACS URL the value from 'Identity Provider Login URL' instead of the value from 'Login URL'. Changed it and it worked!
It worked for me as well. I took help from the recording.
Hi Amit, I tried doing this. I followed all the steps to connect one Trailhead org and a developer org. The dev org is the SP org and the Trailhead org is the IdP org. The problem is, in the SP org's My Domain authentication configuration my IdP org is not present. Can you please help me on this.
This one is resolved. Thanks for this article.
Is there any way I can configure multiple orgs to SSO to my external service provider app? Or do I need to configure it for each org? In that case how do I manage the certs and metadata?