How to Set Up Single Sign-On Using SAML.
- The user must establish a SAML identity provider (IdP): this is the party that handles the single sign-on request for Salesforce.
- Provide information to the identity provider: here we have to give the login and logout URLs.
- Configure Salesforce.
How does Salesforce trust the identity provider?
To establish single sign-on, Salesforce must be connected to the identity provider, and for that relationship to work Salesforce must trust the identity provider. The trust is established as follows.
- During configuration, the identity provider gives a digital certificate to Salesforce; at run time Salesforce uses that certificate to validate the digital signature on what the identity provider sends.
Enabling Salesforce to be the Service Provider.
To enable Salesforce as a service provider we must do two important things.
- Download the digital signature certificate from the identity provider (IdP).
- Upload the digital signature certificate to Salesforce.
- Configure Salesforce.
Identity Provider-Initiated SAML Flow at run time.
The user signs in to the IdP using single sign-on. The IdP returns a page containing a form with the SAML assertion. The user's browser then submits the SAML assertion to Salesforce to log in. The service provider (Salesforce) checks the digital signature and grants a session ID.
Service Provider-Initiated SAML Flow.
This is the situation where the user clicks a link to access something in Salesforce and is redirected to the IdP to log in, then sent back to Salesforce once that succeeds.
The end user requests a page at a custom Salesforce domain. Salesforce responds that the user is not logged in and redirects to the IdP. The user logs in with IdP credentials. The IdP then redirects the user back to Salesforce with a SAML assertion. Salesforce now returns the requested page, with a session ID, to the end user.
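In both flows the step that matters for security is what the service provider does with the assertion it receives. The following added example (not Salesforce code, and not from the original post) shows the checks a service provider makes after the XML signature has been verified against the IdP certificate uploaded during setup: the issuer must be the configured IdP, the audience must be this service provider's entity ID, and the validity window must contain the current time. The issuer "mockidp" and entity ID "https://saml.salesforce.com" are the values used later on this page; the sample assertion is constructed, and signature verification itself is assumed to be done beforehand by an XML-DSig library.

```python
from datetime import datetime, timezone
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
EXPECTED_ISSUER = "mockidp"                        # IdP issuer from the page
EXPECTED_AUDIENCE = "https://saml.salesforce.com"  # SP entity ID from the page

# Constructed sample assertion; the signature value is only a placeholder.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
  xmlns:ds="http://www.w3.org/2000/09/xmldsig#" ID="_a1" Version="2.0">
  <saml:Issuer>mockidp</saml:Issuer>
  <ds:Signature><ds:SignatureValue>PLACEHOLDER</ds:SignatureValue></ds:Signature>
  <saml:Subject><saml:NameID>alice@example.com</saml:NameID></saml:Subject>
  <saml:Conditions NotBefore="2024-01-01T00:00:00Z" NotOnOrAfter="2024-01-01T00:05:00Z">
    <saml:AudienceRestriction><saml:Audience>https://saml.salesforce.com</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions>
</saml:Assertion>"""


def parse_ts(value):
    """Parse a SAML UTC timestamp such as 2024-01-01T00:00:00Z."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def check_assertion(xml_text, now):
    """Return the reasons to reject the assertion; an empty list means accept.

    Cryptographic verification of ds:Signature against the IdP certificate
    is assumed to have run before this (e.g. with an XML-DSig library);
    here we only require that the signature element is present."""
    root = ET.fromstring(xml_text)
    problems = []
    if root.find("ds:Signature", NS) is None:
        problems.append("assertion is not signed")
    issuer = root.findtext("saml:Issuer", default="", namespaces=NS)
    if issuer != EXPECTED_ISSUER:           # must come from the configured IdP
        problems.append(f"unexpected issuer {issuer!r}")
    cond = root.find("saml:Conditions", NS)
    if cond is None:
        problems.append("missing Conditions")
        return problems
    if now < parse_ts(cond.get("NotBefore")):     # validity window bounds replay
        problems.append("assertion not yet valid")
    if now >= parse_ts(cond.get("NotOnOrAfter")):
        problems.append("assertion expired")
    audiences = [a.text for a in cond.findall(".//saml:Audience", NS)]
    if EXPECTED_AUDIENCE not in audiences:  # must be meant for this SP, not another
        problems.append("audience does not include the SP entity ID")
    return problems
```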
Now we are going to create a new single sign-on setting in Salesforce.
Go to Setup => Administer => Security Controls => Single Sign-On Settings.
Enable SAML. Enabling SAML lets us create a new single sign-on setting: click Edit and check SAML Enabled.
Now click the New button.
Before filling in the SAML Single Sign-On Setting details we need some data. Go to the following URL and download the digital certificate that is to be uploaded.
Go to http://sfdc-tandc-saml-ip.herokuapp.com
Issuer: mockidp
Entity ID: https://saml.salesforce.com
Now go to the Configure section shown below.
Complete all the details as shown below.
Before logging in, log out from login.salesforce.com.