This topic describes how to use the SAML protocol to implement single sign-on for Salesforce in the IDaaS console.
Salesforce is a customer relationship management (CRM) software service provider based in San Francisco, USA. It was founded in 1999 and provides a customer relationship management platform for on-demand applications. Salesforce supports single sign-on with the SAML protocol.
- Log on to the IDaaS console as an IT administrator. For more information, see Logon in Administrator Guide.
- In the left-side navigation pane, choose Applications > Add Application. Find the Salesforce application and click Add Application in the Actions column.
- Find an existing SigningKey, or add one first if none exists. Click Export in the Actions column to export the .cer certificate to your local machine.
- Log on to Salesforce as an administrator. Click Settings in the upper-right corner.
- In the left-side navigation pane, choose Identity > Single Sign-On Settings. Find SAML Single Sign-On Settings and click New.
- On the SAML Single Sign-On Settings page, configure the following fields:
  - Name: the name of the SAML single sign-on configuration. Enter a name as needed.
  - Issuer: this value must be identical to the IDaaS IdentityId configured in IDaaS.
  - Entity ID: set it to https://SAML.Salesforce.com.
  - Identity Provider Certificate: select the certificate file exported from IDaaS.
  - Request Signing Certificate: use the default value.
  - Request Signature Method: set it to RSA-SHA1.
  - Assertion Decryption Certificate: select Assertion unencrypted.
  - SAML Identity Type: select Assertion contains User's Salesforce username.
  - SAML Identity Location: select Identity is in the NameIdentifier element of the Subject statement.
  - Leave Identity Provider Login URL, Customer Logout URL, and Custom Error URL empty. Click Save.
- After you save the SAML settings, the SAML details are displayed under the name that you specified. Record the value of Salesforce Login URL for later use.
Note: You can also click the SAML name to view the value of Salesforce Login URL on the preceding page.
- Find Single Sign-On Settings and click Edit.
- Select the SAML Enabled check box and click Save.
- Return to the Add Application (Salesforce) page of the IDaaS console. Find the target SigningKey and click Select in the Actions column to configure the SAML parameters:
  - Set IDaaS IdentityId to the value of Issuer that you specified in Salesforce.
  - Set SP ACS URL(SSO Location) to the Salesforce Login URL recorded earlier.
  Note: The URL format is https://login.Salesforce.com?so=<Your organization ID>. If you are not sure about your organization ID in Salesforce, go to the Company Profile > Company Information page in Salesforce.
- Enable and authorize the application.
- Add an application account and log on to Salesforce in a single sign-on manner.
If all the preceding steps are successful, you have logged on to Salesforce in a single sign-on manner.
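When the single sign-on test fails, the usual cause is that a value on one side does not match the other: the Issuer in Salesforce versus the IDaaS IdentityId, the Entity ID versus the Audience in the assertion, or the SP ACS URL versus the Destination of the posted response. The script below is an added example, not part of the IDaaS or Salesforce documentation, that decodes a SAML Response (such as one captured from a browser SAML tracer) and reports which of those configured values disagree. It is a configuration cross-check only: the IdentityId, organization ID and response contents are constructed placeholders, and cryptographic verification of the signature is left to Salesforce, which holds the exported IDaaS certificate.

```python
"""Cross-check a SAML Response against the values configured in IDaaS and Salesforce.

Added example; all identifiers are constructed placeholders, not real tenant values.
Only the Python standard library is used.
"""
from datetime import datetime, timezone
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Values copied from the two consoles (placeholders here; replace with your own).
EXPECTED = {
    "issuer": "https://idaas.example.com/idp/PLACEHOLDER",        # IDaaS IdentityId == Salesforce Issuer
    "audience": "https://saml.salesforce.com",                     # Salesforce Entity ID
    "acs_url": "https://login.salesforce.com?so=00DPLACEHOLDER",   # SP ACS URL (Salesforce Login URL)
}

# A constructed, minimal SAML Response of the kind IDaaS posts to the ACS URL.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_resp1" Version="2.0" IssueInstant="2024-01-01T12:00:00Z"
    Destination="https://login.salesforce.com?so=00DPLACEHOLDER">
  <saml:Issuer>https://idaas.example.com/idp/PLACEHOLDER</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-01-01T12:00:00Z">
    <saml:Issuer>https://idaas.example.com/idp/PLACEHOLDER</saml:Issuer>
    <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
      <ds:SignedInfo><ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/></ds:SignedInfo>
      <ds:SignatureValue>PLACEHOLDER</ds:SignatureValue>
    </ds:Signature>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">alice@example.com</saml:NameID>
    </saml:Subject>
    <saml:Conditions NotBefore="2024-01-01T11:59:00Z" NotOnOrAfter="2024-01-01T12:05:00Z">
      <saml:AudienceRestriction><saml:Audience>https://saml.salesforce.com</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""


def _parse_time(value):
    """Parse the UTC timestamp format used in SAML assertions."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def check_response(xml_text, expected, now):
    """Return a list of mismatches between the response and the configured values.

    An empty list means the response is consistent with the settings on both sides.
    `now` is either a datetime or a SAML-style UTC timestamp string.
    """
    if isinstance(now, str):
        now = _parse_time(now)
    problems = []
    root = ET.fromstring(xml_text)

    # Destination must be the SP ACS URL entered in IDaaS (the Salesforce Login URL).
    if root.get("Destination") != expected["acs_url"]:
        problems.append("Destination does not match the SP ACS URL")

    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return problems + ["Response carries no Assertion"]

    # Issuer must equal the IDaaS IdentityId, which Salesforce stores as Issuer.
    if assertion.findtext("saml:Issuer", default="", namespaces=NS) != expected["issuer"]:
        problems.append("Issuer does not match IDaaS IdentityId")

    # SAML Identity Location: the username must be in Subject/NameID.
    if not assertion.findtext("saml:Subject/saml:NameID", default="", namespaces=NS).strip():
        problems.append("Subject has no NameID")

    # Audience must equal the Entity ID configured in Salesforce.
    audience = assertion.findtext(
        "saml:Conditions/saml:AudienceRestriction/saml:Audience", default="", namespaces=NS)
    if audience != expected["audience"]:
        problems.append("Audience does not match the Salesforce Entity ID")

    # Validity window; clock skew between IDaaS and Salesforce shows up here.
    conditions = assertion.find("saml:Conditions", NS)
    if conditions is not None:
        not_before, not_on_or_after = conditions.get("NotBefore"), conditions.get("NotOnOrAfter")
        if not_before and now < _parse_time(not_before):
            problems.append("assertion not yet valid")
        if not_on_or_after and now >= _parse_time(not_on_or_after):
            problems.append("assertion expired")

    # Presence check only; the signature itself is verified by Salesforce with the exported certificate.
    if assertion.find("ds:Signature", NS) is None:
        problems.append("Assertion is unsigned")
    return problems


if __name__ == "__main__":
    print(check_response(SAMPLE_RESPONSE, EXPECTED, "2024-01-01T12:01:00Z") or "configuration consistent")
```

Run it against a response captured during a failed logon, with EXPECTED filled in from your own consoles; each reported line names the pair of settings that needs to be reconciled.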