Salesforce Single Sign-On
How to Configure Single Sign-On (SSO) to Salesforce With Gluu+WWPass Identity Provider
This tutorial guides you through the steps you need to take to integrate Gluu+WWPass Single Sign-On (SSO) with Salesforce. WWPass provides secure and convenient authentication technology and Gluu makes it easy to perform tasks related to user management.
Step 1: Implement the Gluu+WWPass Server
You can find the software modules and instructions for Gluu+WWPass server implementation in our GitHub project.
Step 2: Set Up Salesforce.com
First, you need to prepare Salesforce.com:
- Log in to Salesforce.com;
- Click Setup;
- Click Company Settings, then My Domain;
- Add your domain or use a Salesforce test domain;
- Please stand by; it takes time to register a domain;
Note: you need to add a custom domain to your Salesforce.com account, or you can use a test domain name provided by Salesforce.
Then enter your Gluu Server information into Salesforce.com:
- Go to Identity > Single Sign-On Settings;
- Click New;
Enter the following information about your Gluu Server:
- Name: add anything that lets you recognize this setup later, e.g. My SSO Server;
- API Name: My_SSO_Server;
- Issuer: the EntityID of your Gluu Server, e.g. https://iam.example.com/idp/shibboleth;
- EntityID: Your Salesforce.com custom domain name;
- Identity Provider Certificate: assign your Gluu Server "idp-signing" certificate (you need to save and upload the SAML signing certificate from your Gluu Server metadata or from the /etc/certs directory);
- Request Signing Certificate: Default certificate;
- Request Signature Method: RSA-SHA256;
- Assertion Decryption Certificate: not encrypted;
- SAML Identity Type: Assertion contains your Salesforce.com username;
- SAML Identity Location: Identity is in an Attribute element;
- Attribute Name: provide the SAML2 URI of your attribute. For our test case we use the URN value of the Gluu Server Email attribute. You can check your attribute information here;
- NameID Format: Leave it empty;
- Identity Provider Login URL: https://iam.example.com/idp/profile/SAML2/Redirect/SSO;
- Service Provider Initiated Request Binding: HTTP-Redirect;
Your setup should look similar to:
Confirm. If you did it right, you will see a page like the following:
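The Issuer, Identity Provider Certificate and Identity Provider Login URL entered above can all be read straight from the Gluu Server's SAML metadata instead of being copied by hand. The following Python script is an added example (not part of this tutorial and not code from the Gluu or WWPass projects) that pulls those three values out of Shibboleth-style IdP metadata, writes the certificate in the PEM form Salesforce accepts for upload, and checks that it picked the signing certificate rather than the encryption one; the metadata and certificate bodies in it are constructed placeholders.

```python
# Extracts the Salesforce "Issuer", "Identity Provider Certificate" and
# "Identity Provider Login URL" values from Shibboleth-style IdP metadata.
import base64
import textwrap
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
HTTP_REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"

# Constructed sample metadata; the X509Certificate bodies are base64
# placeholders, not real certificates.
SAMPLE_METADATA = """<md:EntityDescriptor
    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://iam.example.com/idp/shibboleth">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="encryption"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>RU5DUllQVElPTg==</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>UExBQ0VIT0xERVI=</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
      Location="https://iam.example.com/idp/profile/SAML2/POST/SSO"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
      Location="https://iam.example.com/idp/profile/SAML2/Redirect/SSO"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

def extract_salesforce_settings(metadata_xml):
    """Return issuer, signing certificate (PEM) and HTTP-Redirect SSO URL."""
    root = ET.fromstring(metadata_xml)
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("no IDPSSODescriptor: this is not IdP metadata")
    # Salesforce verifies assertion signatures with the uploaded certificate,
    # so it must be the signing key; a KeyDescriptor without 'use' serves both.
    signing = [kd for kd in idp.findall("md:KeyDescriptor", NS)
               if kd.get("use", "signing") == "signing"]
    if not signing:
        raise ValueError("metadata carries no signing certificate")
    b64 = "".join(signing[0].find(".//ds:X509Certificate", NS).text.split())
    base64.b64decode(b64, validate=True)  # reject a mangled copy-paste early
    pem = ("-----BEGIN CERTIFICATE-----\n" + textwrap.fill(b64, 64)
           + "\n-----END CERTIFICATE-----\n")
    # The tutorial selects HTTP-Redirect for SP-initiated requests.
    login_url = next((s.get("Location") for s in
                      idp.findall("md:SingleSignOnService", NS)
                      if s.get("Binding") == HTTP_REDIRECT), None)
    if login_url is None:
        raise ValueError("IdP exposes no HTTP-Redirect SSO endpoint")
    return {"issuer": root.get("entityID"),
            "idp_certificate_pem": pem, "login_url": login_url}
```

Save the returned idp_certificate_pem to a file and upload it as the Identity Provider Certificate; the issuer and login_url values go into the Issuer and Identity Provider Login URL fields.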
Step 3: The Gluu Server
Now you are ready to prepare the Gluu Server:
Note: More about Creating SAML Trust Relationship
- Use the Download Metadata option on the Salesforce.com website;
- Create Trust Relationship:
- Display Name: insert anything for yourself to recognize this trust relationship later;
- Description: insert anything for yourself to recognize this trust relationship later;
- Metadata Type: ’File’;
- Upload the Salesforce metadata;
- Releases attributes: TransientID and Email;
- Add it;
- Configure Specific Relying Party (you can use the Gluu Server GUI, oxTrust):
  - Select SAML2SSO:
    - includeAttributeStatement: Enabled;
    - assertionLifetime: default;
    - assertionProxyCount: default;
    - signResponses: conditional;
    - signAssertions: never;
    - signRequests: conditional;
    - encryptAssertions: never;
    - encryptNameIds: never;
  - Save it;
- Select SAML2SSO:
- Update your relationship;
It should look like the picture below:
- Relying party configuration:
Step 4: Testing Your SSO
Final step: it is time to check whether your SSO was configured properly.
- Log in to Salesforce.com;
- At the top right, click the Settings icon > Open Advanced Setup;
- Create your test user; it should also exist on the Gluu Server;
- Click Identity > Single Sign-On Settings;
- Enable Federated Single Sign-On Using SAML:
- Click Company Settings > My Domain;
- Set the Authentication Configuration;
- Click Edit;
- Select Gluu Server;
- Save the configuration;
If all steps were done properly, your Authentication Configuration should look similar to:
Summary
You have successfully configured SSO to Salesforce with the Gluu+WWPass Identity Provider. If you have any questions, please contact us at support@wwpass.com.