SAML 2.0 Configuration for Salesforce

The 10Duke Identity Bridge (IdB) works as a Single Sign-On (SSO) bridge between Consumer applications and an Identity Provider (IdP). In this case Salesforce is the Consumer application and the 10Duke Identity Bridge is configured as the trusted Identity Provider. A prerequisite is that the 10Duke Identity Bridge is also configured to trust the IdP your organisation is using.

The below steps describe a default configuration that is compatible with the default setup in the 10Duke Identity Bridge Console configuration. Other configuration options are available if you require a different setup.

By completing the steps below, your users will be able to access Salesforce with a single click from the portal provided by the 10Duke Identity Bridge. Logging into Salesforce or other cloud apps from such a login portal is known as IdP-initiated SAML.

Before configuring SAML Settings for Single Sign-On for Salesforce please make sure that:

  1. You have configured your identity provider in the 10Duke Identity Bridge Console

  2. You have already started configuring Salesforce as a consumer application in the 10Duke Identity Bridge Console

The following steps contain instructions for configuring SAML 2.0 for Salesforce.

  1. Log in to Salesforce at https://login.salesforce.com/ with your administrator username and password.

  2. Navigate to Setup > Security Controls > Single Sign-On Settings

  3. First, enable “Federated Single Sign-On Using SAML”: on the Single Sign-On Settings page, click Edit

  4. Check the SAML Enabled box and then click Save

  5. Once SAML is enabled, create a record for the identity provider: select New to add a new SAML Single Sign-On configuration.

  6. When the SAML Single Sign-On Setting Detail page opens, enter the following information:

    1. Name: Enter a name of your choice.
    2. SAML Version: 2.0 should be enabled by default.
    3. Issuer: The Entity ID, a URL that uniquely identifies your SAML identity provider. SAML assertions sent to Salesforce must carry exactly this value in their <saml:Issuer> element. Copy and paste the following:
      • Sign in to the 10Duke Identity Bridge Console to generate this value
    4. Request Signing Certificate: Set to “Default Certificate”
    5. Request Signature Method: Set to “RSA-SHA1”
    6. Assertion Decryption Certificate: Leave the default value “Assertion not encrypted”
    7. SAML Identity Type: Leave the default value “Assertion contains User’s Salesforce.com username”
    8. SAML Identity Location: Leave the default value “Identity is in the NameIdentifier element of the Subject statement”
    9. Identity Provider Certificate:
      • Sign in to the 10Duke Identity Bridge Console to generate the certificate
    10. Identity Provider Login URL: The URL to which Salesforce sends a SAML request to start the login sequence. Copy and paste the following:
      • Sign in to the 10Duke Identity Bridge Console to generate this value
    11. Identity Provider Logout URL: The URL to direct the user to when they click the Logout link in Salesforce. The default is http://www.salesforce.com. This is optional. Copy and paste the following:
      • Sign in to the 10Duke Identity Bridge Console to generate this value
    12. API Name: The field is prepopulated with the value entered under “Name” but can be changed to a name of your choice
    13. Entity ID:
      1. If you have a custom domain set up, use https://customDomain.my.salesforce.com
      2. If you do not have a custom domain set up, use https://saml.salesforce.com
      Click Save. Make a note of the Salesforce Login URL that appears under Endpoints.
    14. Go to Setup > Company Profile > Company Information. On this page you will find your Salesforce.com Organisation ID, which you will need to copy and paste into the “SAML entity ID” field when setting up Salesforce as a new consumer application in the 10Duke Identity Bridge Console.
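The Issuer, the identity location and the Entity ID entered above are exactly what Salesforce compares against each incoming assertion, so a mismatch in any of them surfaces as a rejected login with little detail. The following added Python example (not 10Duke's or Salesforce's code) checks a captured assertion against those settings offline; the issuer URL, username and timestamps in the sample are constructed placeholders, and signature verification is left out.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

def parse_saml_time(value):
    # SAML timestamps are UTC with a trailing "Z", e.g. 2024-01-01T12:00:00Z.
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def check_assertion(xml_text, issuer, sp_entity_id, now):
    """Compare an IdP assertion with the Salesforce SSO settings above; returns a
    list of mismatches (empty means the checked fields agree). No signature check."""
    problems = []
    current = parse_saml_time(now)
    assertion = ET.fromstring(xml_text)
    # Step 6.3: <saml:Issuer> must equal the configured Issuer exactly.
    found = assertion.findtext("saml:Issuer", default="", namespaces=NS).strip()
    if found != issuer:
        problems.append(f"Issuer {found!r} does not match configured {issuer!r}")
    # Steps 6.7 and 6.8: the username is expected in the NameID of the Subject.
    if not assertion.findtext("saml:Subject/saml:NameID", default="", namespaces=NS):
        problems.append("Subject has no NameID carrying the Salesforce username")
    # Step 6.13: the Audience must equal the Entity ID entered in Salesforce.
    aud = assertion.findtext("saml:Conditions/saml:AudienceRestriction/saml:Audience",
                             default="", namespaces=NS)
    if aud != sp_entity_id:
        problems.append(f"Audience {aud!r} does not match Entity ID {sp_entity_id!r}")
    # Validity window: assertions outside NotBefore/NotOnOrAfter are rejected.
    cond = assertion.find("saml:Conditions", NS)
    if cond is not None:
        if "NotBefore" in cond.attrib and current < parse_saml_time(cond.attrib["NotBefore"]):
            problems.append("assertion not yet valid (NotBefore is in the future)")
        if "NotOnOrAfter" in cond.attrib and current >= parse_saml_time(cond.attrib["NotOnOrAfter"]):
            problems.append("assertion expired (NotOnOrAfter has passed)")
    return problems

# Constructed sample assertion for illustration only (not a real 10Duke or
# Salesforce message); the issuer URL and username are placeholders.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed-id" Version="2.0" IssueInstant="2024-01-01T12:00:00Z">
  <saml:Issuer>https://idb.example.com/saml/idp</saml:Issuer>
  <saml:Subject><saml:NameID>jane.doe@example.com</saml:NameID></saml:Subject>
  <saml:Conditions NotBefore="2024-01-01T11:59:00Z" NotOnOrAfter="2024-01-01T12:05:00Z">
    <saml:AudienceRestriction><saml:Audience>https://saml.salesforce.com</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions>
</saml:Assertion>"""

if __name__ == "__main__":
    print(check_assertion(SAMPLE_ASSERTION, "https://idb.example.com/saml/idp",
                          "https://saml.salesforce.com", "2024-01-01T12:00:30Z"))  # []
```

Run it against an assertion captured from a failing login (for example from the browser's SAML trace) with the Issuer and Entity ID you configured, and the list tells you which field to correct on either side.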