Monday, 13 May 2019

Single Sign on Between Two Salesforce Org ( Federated Authentication (SAML) based SSO ) | SSO | SAML | Single sign on salesforce

 
Single sign-on is a process that allows network users to access all authorized network resources without having to log in separately to each resource. Single sign-on allows you to validate usernames and passwords against your corporate user database or other client application rather than having separate user passwords managed by Salesforce. In this post we will talk about Single Sing on Salesforce two orgs.

Options for Implementing SSO on Force.com

 

1) Delegated authentication

Using delegated authentication, Force.com does not validate passwords but instead uses an external Web service to validate user credentials. When a user attempts to login, the platform checks the user's profile to see if they are enabled for SSO. If so, it makes a Web services call to the the endpoint specified for the organization (environment), asking it to validate the username and password. The Web services checks the credentials against an identity store (for example LDAP or OpenID) and either returns "true" or "false". If true, the user is granted access to the application and proceeds normally. If false, the user is informed that their credentials are invalid.

 

2) Federated Authentication

As with delegated authentication, federated authentication does not validate the user's actual password on the Force.com platform either. Instead, the platform receives a SAML assertion in an HTTP POST request. The SAML assertion has a limited validity period, contains a unique identifier, and is digitally signed. If the assertion is still within its validity period, has an identifier that has not been used before, and has a valid signature from a trusted identity provider, the user is granted access to the application. If the assertion fails validation for any reason, the user is informed that their credentials are invalid. The rest of this article shows how to set this up.

 

About SAML

Security Assertion Markup Language (SAML) is an XML-based standard that allows you to
communicate authentication decisions between one service and another. It underlies many Web single sign-on solutions.

 

How to Implement SSO between two Salesforce orgs

 

To setup Single sign on between two Salesforce Org we need to setup one Salesforce Org as Service provider and other one as Identify provider
Identify provider (IDP) :- An identity provider is a trusted provider that lets you use single sign-on (SSO) to access other websites
Service provider (SP):- A service provider is a website that hosts apps.


Configuring Single Sign-On


Step 1 : Enable My Domain in IDP and SP Org

First step is to enable "My Domain" in both Salesforce org. This functionality will provide a unique name to your salesforce org.
  1. Click on “My Domain”

  2. Deploy each 'My Domain' to your users

Step 2: - Enable the Identity Provider in your IDP Org

Login to your IDP org and Navigate to Identity provider. Setup-> Security Controls -> Identity Provider.


In all new developer org your will found "Identity provider" is already enable like below screen

NOTE:- Make a note of Salesforce Identity endpoint URL which we will soon.


If you are using old developer org then you need to enable "Identity provider" and need to create Certificate like below screen



Step 3: Add Remote Site setting in SP Org

Now login to your SP org and add your Identity provider domain URL in SP org like below
Setup -> Security -> Remote Site Setting

 

Step 4: Enable Single Sign On in SP Org

  1. Enable Single Sign on. Navigate to “Setup > Identity > Single Sign-On Settings” and check “SAML Enabled” option.
  2.  Now provide SAML Single Sign on Setting detail. You can also download the certificate from step 2 with download certificate button and upload here with "New from Metadata file" button. But We will use New from Metadata URL here. Now we will use same URL which we coped in step2.
    Dont do any change in below screen. Do only one change that SAML Identity Type as Federation ID
    Make a note of Entity ID and Login URL from here. We will use same in IDP org Connected App



Step 5: Create Connected App in IDP Org

Now go back in your IDP org. And create one connected app with below step
  1. Create connected app, Setup -> App Manager -> New Connected App
  2. Now provide all required detail. Make sure on your connected App you need to perform below step
    1. Enable SAML
    2. Provide Entity Id (Use Entity ID from Step 4)
    3. ACS URL (Login URL from Step 4)
    4. Subject type should be Federation Id. 
    5. IDP Certificate as Identity Provider Label name
    6. Now once Connected app is ready. Click on Manage Button. Then Add the profile from related list.

Step 6: Update Authentication Configuration for my Domain in SP Org

Now go to SP org the navigate to My Domain (Setup -> My Domain). Then edit the Authentication configuration setting and select the IDP org in Authentication service.

Step 7: Test your configuration

Now its time to test our Single sign on.
  1.  Create one user in both org with same "Federation ID". 
  2. Then first login into Identity provider org. Then go your connected app -> Click on Manage . Then click on "IdP-Initiated Login URL" URL to check your Single sign on.
  3. Now all set. I hope Single Sign on is working fine :). But if you want to add a app in app App Launcher then edit your connected app and your IdP-Initiated Login URL in "Start URL" in above screen.
  4.  Now you can check SSO with App Launcher.



We did the same session in ApexHours as well with Atul. Please check below recording for SSO.


Agenda :-
  • Core Concepts
    • Single Sign On
    • Social Sign-On
    • Identity Provider
    • Service Provider
    • Authentication
    • Authorization
  • Advantages of Identity management
    • Centralized Control
    • Security
    • Policy Updates
    • Easy to use
  • Demo 1: Salesforce as Identity Provider
    • Steps to set Salesforce as IP
  • Demo 2: Salesforce as Service Provider
    • Steps to set Salesforce as SP
  • Other IDPs in market





If you want to learn about Azure Active Directory Seamless Single Sign-On with Salesforce please check this post .


Thank
Amit Chaudhary

9 comments:

  1. Awesome! Thanks for sharing. I particularly like the way you write your content.

    ReplyDelete
  2. Awesome, marvelous concept. For past few days was looking for this article.

    ReplyDelete
  3. Hi.
    I followed this steps, but for some reason at the end after trying to login (either from url or by using the login url in the connected app) getting error 'Single-Sign on Error Invalid HTTP method'.. Any idea what can be the cause?

    Thanks,
    Liron

    ReplyDelete
    Replies
    1. Found the problem....
      I setup in the connected app ACS URL the value from 'Identity Provider Login URL' instead the value from 'Login URL'. Change it and it worked!

      Delete
    2. It worked for me as well. I look help from Recording

      Delete
  4. Hi Amit, I tried doing this. I followed all the step to connect one trail-head org and developer org. Dev org is sp org and trail head org is the ip org. The problem is, in the sp org my domain authentication configuration my ip org is not present. Can you please help me on this.

    ReplyDelete
    Replies
    1. This one is resolved. Thanks for this article.

      Delete
  5. Is there any way I can configure multiple orgs to sso my external service provider app? Or do I need to configure it for each org? In that case how to manage the certs and metadata?

    ReplyDelete