Salesforce SSO with PhenixID Authentication Services

Warning

Please note that this document uses the legacy authenticators. To use the new protocol-agnostic authenticators, apply the relevant modifications to the configuration examples outlined in this article.

Summary

This document will guide you through the steps to provide Single-Sign-On to Salesforce using SAML with PhenixID Authentication Services as SAML IdP.

System Requirements

  • PhenixID Authentication Services 2.0 or higher
  • Salesforce corporate domain
  • Users provisioned to Salesforce

Instruction

  1. Setup PhenixID Authentication Services as a SAML IdP.

  2. Download the SAML IdP Metadata as a file.

  3. Log on to your Salesforce domain as an administrator.

    1. In the left-hand menu, select Administer->Security controls->Single Sign-On Settings.

    2. Click Edit

    3. Select “SAML Enabled”

    4. Click Save.

    5. To the right of SAML Single Sign-On Settings, click New.

    6. Fill out the form. These values must be fetched from the SAML IdP metadata:

      • Issuer (entityID from IdP Metadata)
      • Identity Provider Login URL (SingleSignOnService -> Location URL from IdP Metadata)
      • Identity Provider Logout URL (SingleLogoutService -> Location URL from IdP Metadata)
      • Identity Provider Certificate (Follow these instructions on how to extract identity provider signing certificate to a file from the IdP Metadata)
    7. “Name” and “API Name” can be set to any value of your choice.

    8. The other values in the form can be left at their defaults.

    9. Save the form

    10. In the left-hand menu, select Administer->Domain Management->My Domain

    11. Click “Edit” next to Authentication Configuration

    12. Select the newly added IDP next to Authentication Service

    13. Click Save.

    14. In the left-hand menu, select Administer->Security controls->Single Sign-On Settings.

    15. Click the IDP link

    16. Click Download metadata (this is the Salesforce SAML SP metadata) and rename the downloaded file to salesforce_meta_sp.xml.

  4. Add the Salesforce SP metadata file to the <PhenixID_Authentication_Services>/resources folder

  5. Restart PhenixID Authentication Services.

  6. Log on to PhenixID Authentication Services Configuration Manager.

  7. Click on the Configuration tab

  8. Click “SAML Meta loading”

  9. Add Salesforce SAML SP metadata by adding this configuration snippet:

    {
      "id": "https://saml.salesforce.com",
      "resource": "salesforce_meta_sp.xml"
    }
    
  10. Click “Stage changes” and then “Commit changes”

  11. Configure the authentication method(s) to be used for the Salesforce federation.

    See Agnostic vs Legacy Authenticators for the differences between the two authenticator types.

  12. Click on the Configuration tab

  13. Click on Pipes

  14. Modify the pipe(s) connected to the authenticators.

    1. Fetch email from the user data source:

      {
        "name": "LDAPSearchValve",
        "config": {
          "connection_ref": "MyAD",
          "base_dn": "ou=demo,DC=demo,DC=phenixid,DC=net",
          "scope": "SUB",
          "size_limit": "0",
          "filter_template": "(&(objectClass=user)(samaccountname={{request.username}}))",
          "attributes": "mail"
        }
      }
      
    2. Configure the SAML assertion. Change “targetEntityID” to the id of your SAML Identity Provider:

      {
        "name": "AssertionProvider",
        "config": {
          "targetEntityID": "PhenixID_IdP",
          "nameIDAttribute": "mail",
          "misc": {
            "excludeSubjectNotBefore": "true"
          },
          "sourceID": "https://saml.salesforce.com",
          "audienceRestriction": "https://saml.salesforce.com"
        }
      }
      
  15. Click “Stage changes” and then “Commit changes”
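Step 3.6 above asks for four values that are easy to copy wrongly from the IdP metadata (in particular, an encryption-only certificate must not be pasted as the signing certificate). The following script, an added example that is not part of the PhenixID documentation, parses IdP metadata and returns the Issuer, login URL, logout URL and signing certificate (as PEM) for the Salesforce form. The embedded metadata, the idp.example.com URLs and the certificate bodies are constructed placeholders.

```python
import textwrap
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata", "ds": "http://www.w3.org/2000/09/xmldsig#"}
BINDINGS = ("urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect",  # preferred order
            "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST")

# Constructed sample IdP metadata, not real PhenixID output; the certificate bodies are placeholders.
SAMPLE_IDP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
  xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="PhenixID_IdP">
 <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
  <md:KeyDescriptor use="encryption"><ds:KeyInfo><ds:X509Data>
   <ds:X509Certificate>RU5DUllQVElPTl9DRVJUX1BMQUNFSE9MREVS</ds:X509Certificate>
  </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
  <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
   <ds:X509Certificate>U0lHTklOR19DRVJUX1BMQUNFSE9MREVS</ds:X509Certificate>
  </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
  <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
    Location="https://idp.example.com/saml/logout"/>
  <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
    Location="https://idp.example.com/saml/authenticate"/>
 </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

def _endpoint(idp, tag):
    """Location of the first `tag` endpoint whose binding Salesforce can use, or None."""
    eps = {e.get("Binding"): e.get("Location") for e in idp.findall(f"md:{tag}", NS)}
    return next((eps[b] for b in BINDINGS if b in eps), None)

def _signing_cert_pem(idp):
    """Signing certificate as PEM. use="signing" or no use attribute (means both) qualifies."""
    for kd in idp.findall("md:KeyDescriptor", NS):
        if kd.get("use") not in (None, "signing"):
            continue  # an encryption-only key must never be trusted for signature checks
        cert = kd.find("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
        if cert is not None and cert.text and cert.text.strip():
            body = "".join(cert.text.split())  # drop the whitespace metadata tools add
            return ("-----BEGIN CERTIFICATE-----\n" + "\n".join(textwrap.wrap(body, 64))
                    + "\n-----END CERTIFICATE-----\n")
    raise ValueError("IdP metadata has no signing certificate")

def salesforce_sso_values(metadata_xml):
    """Map IdP metadata to the four fields of the Salesforce SAML Single Sign-On form."""
    root = ET.fromstring(metadata_xml)
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("metadata has no IDPSSODescriptor")
    return {"issuer": root.get("entityID"),
            "login_url": _endpoint(idp, "SingleSignOnService"),
            "logout_url": _endpoint(idp, "SingleLogoutService"),
            "certificate_pem": _signing_cert_pem(idp)}
```

Write the certificate_pem value to a file and upload it as the Identity Provider Certificate; the other three values are pasted directly into the form.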

Just-in-time Provisioning

By default, Salesforce requires pre-provisioned users. If you would like to provision (create and update) users when they log in to Salesforce, please follow these steps:

  1. Log in to Salesforce as a Salesforce admin.

  2. Enable JIT in the Single Sign-On Settings.

  3. Log in to PhenixID Server (/config) as an administrator.

  4. Edit the pipe that creates the assertion targeted for Salesforce and add the additional attributes to the assertion. Example:

    {
      "id": "pipe_JIT_SF",
      "valves": [
        {
          "name": "LDAPSearchValve",
          "config": {
            "connection_ref": "MyAD",
            "base_dn": "DC=demo,DC=phenixid,DC=net",
            "scope": "SUB",
            "size_limit": "0",
            "filter_template": "(&(objectclass=*)(sAMAccountName={{request.username}}))",
            "attributes": "mail,givenName,sn"
          }
        },
        {
          "name": "LDAPBindValve",
          "config": {
            "connection_ref": "MyAD",
            "password_param_name": "password"
          }
        },
        {
          "name": "PropertyCopyValve",
          "config": {
            "source": "mail",
            "dest": "User.Username"
          }
        },
        {
          "name": "PropertyCopyValve",
          "config": {
            "source": "mail",
            "dest": "User.Email"
          }
        },
        {
          "name": "PropertyCopyValve",
          "config": {
            "source": "givenName",
            "dest": "User.FirstName"
          }
        },
        {
          "name": "PropertyCopyValve",
          "config": {
            "source": "sn",
            "dest": "User.LastName"
          }
        },
        {
          "name": "PropertyAddValve",
          "config": {
            "name": "User.ProfileId",
            "value": "Chatter Free User"
          }
        },
        {
          "name": "AssertionProvider",
          "config": {
            "targetEntityID": "PhenixID_IdP_LAB",
            "nameIDAttribute": "mail",
            "misc": {
              "excludeSubjectNotBefore": "true"
            },
            "sourceID": "https://saml.salesforce.com",
            "additionalAttributes": "User.Username,User.Email,User.LastName,User.FirstName,User.ProfileId"
          }
        }
      ]
    }
    
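Both pipes on this page (the basic one in step 14 and the JIT pipe above) fail silently if an attribute named in “additionalAttributes” or “nameIDAttribute” is never produced by an earlier valve, or if “sourceID”/“audienceRestriction” do not match the Salesforce SP entityID registered under SAML Meta loading. The lint below is an added example, not PhenixID code: it walks the valves in order, tracks which attributes exist, and reports mismatches. It assumes the five attributes the JIT example sends are the set JIT needs; the embedded pipe is a compact copy of pipe_JIT_SF with the placeholder connection name MyAD.

```python
import json

SP_ENTITY_ID = "https://saml.salesforce.com"  # the "id" registered under SAML Meta loading
# The attributes the JIT example on this page sends; assumed here to be the set JIT needs.
JIT_ATTRS = {"User.Username", "User.Email", "User.LastName", "User.FirstName", "User.ProfileId"}

# Constructed compact copy of the page's pipe_JIT_SF; "MyAD" is a placeholder connection name.
JIT_PIPE = json.loads("""{"id": "pipe_JIT_SF", "valves": [
 {"name": "LDAPSearchValve", "config": {"connection_ref": "MyAD", "scope": "SUB", "size_limit": "0",
  "base_dn": "DC=demo,DC=phenixid,DC=net", "attributes": "mail,givenName,sn",
  "filter_template": "(&(objectclass=*)(sAMAccountName={{request.username}}))"}},
 {"name": "LDAPBindValve", "config": {"connection_ref": "MyAD", "password_param_name": "password"}},
 {"name": "PropertyCopyValve", "config": {"source": "mail", "dest": "User.Username"}},
 {"name": "PropertyCopyValve", "config": {"source": "mail", "dest": "User.Email"}},
 {"name": "PropertyCopyValve", "config": {"source": "givenName", "dest": "User.FirstName"}},
 {"name": "PropertyCopyValve", "config": {"source": "sn", "dest": "User.LastName"}},
 {"name": "PropertyAddValve", "config": {"name": "User.ProfileId", "value": "Chatter Free User"}},
 {"name": "AssertionProvider", "config": {"targetEntityID": "PhenixID_IdP_LAB", "nameIDAttribute": "mail",
  "misc": {"excludeSubjectNotBefore": "true"}, "sourceID": "https://saml.salesforce.com",
  "additionalAttributes": "User.Username,User.Email,User.LastName,User.FirstName,User.ProfileId"}}]}""")

def _csv(value):
    return {a.strip() for a in value.split(",") if a.strip()}

def lint_salesforce_pipe(pipe, jit=False):
    """Return a list of problems; an empty list means the pipe matches the setup on this page."""
    problems, available = [], set()  # attributes produced by the valves seen so far
    for valve in pipe["valves"]:
        name, cfg = valve["name"], valve.get("config", {})
        if name == "LDAPSearchValve":
            available |= _csv(cfg.get("attributes", ""))
        elif name == "PropertyCopyValve":
            if cfg["source"] not in available:
                problems.append(f"'{cfg['source']}' is copied before any valve fetches it")
            available.add(cfg["dest"])
        elif name == "PropertyAddValve":
            available.add(cfg["name"])
        elif name == "AssertionProvider":
            # sourceID is mandatory; audienceRestriction is optional but must match when present
            for key, default in (("sourceID", None), ("audienceRestriction", SP_ENTITY_ID)):
                if cfg.get(key, default) != SP_ENTITY_ID:
                    problems.append(f"{key} does not match the Salesforce SP entityID")
            if cfg.get("nameIDAttribute") not in available:
                problems.append("nameIDAttribute is not fetched by any valve")
            sent = _csv(cfg.get("additionalAttributes", ""))
            for attr in sorted(sent - available):
                problems.append(f"additionalAttributes names '{attr}' but no valve sets it")
            for attr in sorted(JIT_ATTRS - sent) if jit else ():
                problems.append(f"JIT is enabled but '{attr}' is not sent")
    return problems
```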

For more information about Salesforce Just-in-time provisioning, please view https://help.salesforce.com/s/articleView?id=sf.sso_about.htm&type=5