Close Menu
    Trending
    Subscribe
    Tuesday, May 20

    Configure SAML Single Sign-on between two Salesforce Orgs

    Dhanik Lal SahniBy Updated:No Comments5 Mins Read
    Configure SAML Single Sign-on between two Salesforce Orgs

    Single Sign-On is authentication mechanism that enable users to securely authenticate with multiple applications and websites by using one set of credentials.

    SSO works based upon a trust relationship set up between an application, known as the service provider (in this case Salesforce system), and an identity provider, like Salesforce, Gmail, Microsoft etc.

    Identity Providers:

    An identity provider (abbreviated IdP or IDP) is a system entity that creates, maintains, and manages identity information for principals and also provides authentication services to relying applications within a federation or distributed network. Identity providers offer user authentication as a service.

    In our use case, Salesforce will be used as Identity provider.

    Service Providers

    service provider is a vendor that provides IT solutions and/or services to end users and organizations. In our case, Salesforce is Service provider which gives CRM as a service.

    Salesforce offers following ways to use Single Sign-on.

    • Federated authentication using Security Assertion Markup Language (SAML)
      1. Federated authentication uses SAML, an industry standard for secure integrations.
      2. Federated Authentication lets us send authentication and authorization data between affiliated but unruled web services.
      3. User credential is not validated at service provider, it is validate at identity provider. Identity provider gives detail about user auth detail to service provider.
      4. Service provider will load data based on auth detail.
      5. This can be used by enterprise to login into different sub sytem using one set of credential. This reduced lot of time and it is more secure.
    Salesforce SAML Process | SAML Request
    • Delegated authentication SSO:
      1. In delegate authentication, one system is relying on another system to validate user credential. Like we can configure Salesforce org to rely on LDAP (Lightweight Directory Access Protocol).
      2. This can be used where organization system is access from less secure areas like public system, mobiles etc.
      3. Username and password is still being sent over internet so it is less secure than Federated authentication.

    Single Sign-on Benefits:

    1. Reduces password fatigue
    2. Reduces security risks for your customers, vendors, and partner entities
    3. Simplifies username and password management
    4. Improves identity protection
    5. Increases speed where it is most needed
    6. Relieves help desk workloads

    Setting Up Single Sign-on between two Salesforce Orgs:

    Many organization has multiple orgs to handle business. There we can setup single-on between those Salesforce Orgs. One Salesforce orgs will be service provider (SP) and second Salesforce Orgs will be identity provider (IP).

    Let us setup single sign-on between two Salesforce orgs. Below steps will be required to setup single sign-on.

    1. Set up My Domain in both Salesforce Orgs
    2. IP -> Enable Identity providers and create Certificate
    3. IP->Create connected app
    4. SP->Single Sign-On Setting based on certificate metadata URL
    5. SP->Add Single Sign-on setting in my domain
    6. Setup Users in both SP and IP

    1. Set up My Domain in both Salesforce Orgs

    My domain will help us in branding our Salesforce orgs. Enabling my domain is also required for

    1. for working in multiple Salesforce orgs in the same browser
    2. setting up single sign-on for external identity vendors
    3. setting up authentication providers like google, facebook etc
    4. setting up lighting components as tab or standalone apps

    By default my domain is already activate in new Salesforce orgs. In case, it is not enabled then go to Setup->My Domain and enable it.

    Save both Salesforce orgs domain url. We required these in next steps.

    2. IP -> Enable Identity providers and Create Certificate

    Enable Salesforce.com as identity provider so that we can use as single sign-on with other sites or Salesforce orgs.

    To enable it go to Setup->Identity Provider- Click on Enable Identity Provider button.

    Once identity provider is enabled for Identity Provider Salesforce org, create certificate on same screen. Select SelfSignedCert in drop down and save it.

    Salesforce IDP

    It will create a certificate like below. Generated metadata URL will be used create single sign-on setting in service provider.

    Salesforce Certificate

    3. IP->Create connected app

    Create connected app in Identity Provider Salesforce org so that this can be used in service provider org for integration. Use below setting for connected app. We have to setup these information in web app settings section of connected app.

    1. Connected app name : Salesforce SSO Test
    2. Entity Id – Add Service provide Salesforce org domain URL
    3. ACS URL : Add Service provide Salesforce org domain URL
    4. Subject Type : Federation Id
    5. Issuer : Add Identity provider Salesforce Org domain URL

    Rest setting will be default setting.

    Salesforce Connected App

    4. SP->Single Sign-On Setting based on metadata URL

    Now setup single sign-on setting in service provide Salesforce Org. To setup single sign-on go to Setup->Single Sign-On Settings. Click New from Metadata URL to create single sign-on setting for identity provider.

    Provide metadata URL which we got while creating certificate in step2 (highlighted in image). Based on metadata URL, it will automatically create single sign-on setting.

    SAML In Salesforce

    Just change SAML identity type, it should be Assertion contains the Federation Id the user objects ( as highlighted).

    5. SP->Add Single Sign-on setting in my domain

    Once single sign-on is setup. Now setup generated single sign-on setting in service provider login screen. As we have setup single sign-on name as gmailcomidentity-dev-ed, it will appear in authentication configuration screen. Select gmailcomidentity-dev-ed and save it, now this single sign-on option will appear on login screen of service provider Salesforce org.

    Single Sign-on in Salesforce

    6. Setup Users in both SP and IP

    Now setup user in both identity provider Salesforce org and service provider Salesforce org. Setup Federation Id in both Salesforce orgs. I have setup my user email ‘salesforcecodex@*****.com’ in both org’s user records. Similar to below image, setup Federation id in your orgs.

    Test Video:

    Single Sign-on| SAML in Salesforce

    Session Video:

    References:

    https://help.salesforce.com/articleView?id=connected_app_overview.htm&type=0

    Related Posts

    1. Automating data synchronization between Salesforce and Amazon Seller
    2. AWS Signature 4 Signing in Salesforce
    3. Download the S3 File in Salesforce using AWS Signature Version 4.0
    4. Use Named Credential to Upload File in S3

    Share.

    With over 18 years of experience in web-based application development, I specialize in Salesforce technology and its ecosystem. My journey has equipped me with expertise in a diverse range of technologies including .NET, .NET Core, MS Dynamics CRM, Azure, Oracle, and SQL Server. I am dedicated to staying at the forefront of technological advancements and continuously researching new developments in the Salesforce realm. My focus remains on leveraging technology to create innovative solutions that drive business success.

    Related Posts

    Add A Comment
    Leave A Reply