SSO is a great option, especially from the user-experience point of view. Once the user logs on to a main application, they can then log on to all other applications seamlessly without having to type a username and password separately. Put differently, the user only needs to remember one username and password, and that allows them to log on to all the other applications. It’s like having a magic key that automatically opens all the other doors once you enter through one door.
Salesforce provides different options to configure Single Sign-On. These include:
- Federated Authentication using SAML
- Delegated Authentication
- OpenID Connect
Two concepts come up throughout this post:
- The concept of IdP/SP
- The concept of IdP-initiated login and SP-initiated login
- IdP/SP: IdP stands for Identity Provider and SP stands for Service Provider. When logging on, the IdP is the system that authenticates the user by validating their username and password; all other applications then trust the IdP and allow the user to access the application if the IdP asserts that the user is valid. In such cases, the IdP is the system that stores the user’s login name and password. You can configure different systems as the IdP, for example Microsoft Active Directory, Oracle Internet Directory, Google, Salesforce etc.
- IdP-initiated login and SP-initiated login: When a user needs to access an application, they can initiate access in two different ways. The user can log on to the IdP and then, from there, click links to access other systems (i.e. SPs). This is called IdP-initiated login. Otherwise, the user can go directly to the SP application. In this case, the SP redirects the user to the IdP login page, where the user provides their username and password; the IdP authenticates the user and passes control back to the SP, asserting whether or not the user is authenticated. The SP then allows the user to access the application.
With Salesforce, you can configure Salesforce both ways – as an IdP or as an SP. There are different possible combinations for setting up SSO with Salesforce.
This post provides a step-by-step guide to setting up Single Sign-On with Salesforce in different ways, enabling you to actually try it out yourself and understand its nuances. It is one thing to read about SSO or watch a video and understand its concepts. However, it is an altogether different experience once you have configured it yourself step by step.
1. Microsoft Active Directory as IdP and Salesforce as SP
In the first scenario, you will set up Microsoft Active Directory on Amazon Web Services (AWS) as the Identity Provider and then use it to allow users to log on to Salesforce. Salesforce in this scenario plays the role of Service Provider. Don’t worry if you do not know how to set up Microsoft AD and AWS; with this step-by-step guide with screenshots, you just need to follow the instructions. The guide covers how to:
- Configure Windows 2008 Server on AWS
- Install Microsoft Active Directory
- Install Microsoft ADFS 2.0
- Create self-signed certificate in IIS
- Configure Microsoft ADFS 2.0
- Export Self-Signed Certificate
- Retrieve ADFS 2.0 Details for Salesforce Configuration
- Configure My Domain in Salesforce
- Enable SSO in Salesforce
- Add Salesforce as Trusted Relying Party in ADFS
- Configure AD User for Single Sign On in Salesforce
- Test SSO
- Use Just-In-Time (JIT) Provisioning
- Debug SSO Issues
(We have discontinued our premium membership offering. If you are an existing premium member, you can still download the guides by clicking on the “DOWNLOAD PDF [PREMIUM MEMBERS]” button. If you are not a premium member and want to download the guides, please sign up for our “All Access” pass. Complete details about this pass are available at this URL.)
Do let me know in the comments whether you were able to get SSO to work following this guide, along with your feedback and suggestions. If you got stuck anywhere and were able to resolve the issue, mention that as a comment so that others can benefit from your experience.
15 thoughts on “Step-by-Step Guide to Build Your Own Salesforce Single-Sign On ( SSO ) Test Lab”
Thanks for sharing a useful topic in Salesforce SSO. You have provided SSO configuration in depth. I’m sure everyone will like this blog. There are multiple blogs on SSO where we can log in to Salesforce from an external system (AWS, Facebook, or Gmail), but I don’t see any blog for login to the external system from Salesforce. For example, if I have a website and I want to open this website from Salesforce with SSO implementation. Is this a feasible solution with Salesforce?
Use Case –
Create a quick action button on the Record Detail page, and if the user clicks on the button, the system should open the portal without credentials.
Hi Puneet, you can configure Salesforce as an Identity Provider and log on to other apps through Salesforce. I do not yet have a blog post on this (I have added it to my to-do list. 🙂 ). For now, you may want to take a look at this help article and see if this helps – https://help.salesforce.com/s/articleView?id=sf.identity_provider_enable.htm&type=5
Thanks for your great post. I followed the same instructions given in your document. But I am receiving an error in ADFS like \adfs\is\IdPinitiatedLogon.aspx does not exist. Am I missing some steps here to configure ADFS? Also SP-initiated SSO is not working. Could you please let me know what could be the issues over here?
Can we do SSO implementation without letting the user redirect to the IdP? Currently it redirects to the IdP and then comes back to Salesforce.
This was simply awesome. I struggled so much setting up ADFS and SSO until I found your blog. This was too simple and easy to follow.
Thanks a lot, you saved a lot of our time.
Thanks for your feedback DJ. Glad that it was of help to you.
Thanks for all the help, only one more question: how can I view the SAML Assertion, or where can I find the SAML Assertion? I will be very thankful to you.
Hi Obaid, Please refer to section ‘Debug SSO Issues’ (Slide 191 onwards) of the step-by-step guide in this blog post to get details on how to view SAML Assertion. SAML Tracer Plugin in Firefox is a great tool to view SAML Responses sent by IdP to the SP.
Thanks for replying. Is it possible for you to refer me to any document that can help me? Because I implemented the same rules (through Claims Rule Language in Active Directory Federation Services) on the test environment, and that is working fine.
I will be very thankful to you.
Hi Obaid, Please refer to the URL https://developer.salesforce.com/docs/atlas.en-us.apexcode.meta/apexcode/apex_interface_Auth_SamlJitHandler.htm for the details and sample code on custom SAML JIT with Apex.
One quick question. I followed the same steps that you mention, and everything is working fine, like SSO and JIT. But I have one issue: when I create a new user through JIT and the ProfileId sent is mentioned as “Standard User”, it creates a Standard User, but when we change the profile from “Standard User” to “Marketing Manager” in Salesforce and the user logs in next time through Federated SSO, it again converts it from “Marketing Manager” back to “Standard User”. Do you have any idea why this happens?
I will be very thankful to you if you help me out from this issue.
Hi Obaid, I vaguely know why you are having the issue. If I am not wrong, whenever a user is getting authenticated through SSO, Salesforce updates the user’s record with the details received from the IdP. That is why the profile is getting reset to ‘Standard User’. To control this behaviour you will need to use “Custom SAML JIT with Apex handler”, which can be set on the Single Sign On settings page. In the Apex handler you can then control which values should get updated and which shouldn’t.
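As an added illustration of the handler described in the reply above (example code written for this page, not the blog’s own code and not Salesforce’s sample handler; the attribute keys User.Username, User.Email, User.FirstName and User.LastName and the default profile name are assumptions that must match your own ADFS claim rules), here is an Auth.SamlJitHandler implementation that takes identity attributes from the assertion but never lets a login rewrite the user’s profile:

```apex
// Added example for this page; not the blog post's code and not Salesforce's sample handler.
// Assumption: the ADFS claim rules send the attributes named below (User.Username, User.Email,
// User.FirstName, User.LastName). Adjust the keys to match your own claim rules.
global class ProfileSafeJitHandler implements Auth.SamlJitHandler {

    // Every JIT-created user gets this profile. It is deliberately not read from the
    // assertion, so the IdP cannot decide how much access a user has in Salesforce.
    private static final String DEFAULT_PROFILE_NAME = 'Standard User';

    public class JitException extends Exception {}

    // Fetch a required attribute or fail the login with a clear message.
    private static String requireAttr(Map<String, String> attributes, String key) {
        String value = attributes.get(key);
        if (String.isBlank(value)) {
            throw new JitException('SAML assertion is missing required attribute ' + key);
        }
        return value;
    }

    // The only fields the IdP is allowed to set on an existing user.
    private static void applyIdentityAttributes(User u, Map<String, String> attributes) {
        u.Email = requireAttr(attributes, 'User.Email');
        u.LastName = requireAttr(attributes, 'User.LastName');
        u.FirstName = attributes.get('User.FirstName');
    }

    // Called on the first SSO login of a federation identifier that matches no existing user.
    global User createUser(Id samlSsoProviderId, Id communityId, Id portalId,
            String federationIdentifier, Map<String, String> attributes, String assertion) {
        Profile defaultProfile = [SELECT Id FROM Profile WHERE Name = :DEFAULT_PROFILE_NAME LIMIT 1];

        User u = new User();
        u.Username = requireAttr(attributes, 'User.Username');
        u.FederationIdentifier = federationIdentifier;
        u.ProfileId = defaultProfile.Id;
        applyIdentityAttributes(u, attributes);

        // Alias is limited to 8 characters; derive it from the local part of the username.
        u.Alias = u.Username.split('@')[0].left(8);
        u.TimeZoneSidKey = 'America/Los_Angeles';
        u.LocaleSidKey = 'en_US';
        u.EmailEncodingKey = 'UTF-8';
        u.LanguageLocaleKey = 'en_US';

        insert u;
        return u;
    }

    // Called on every later SSO login. ProfileId is intentionally never written here, so a
    // profile change an admin makes in Salesforce survives the user's next login.
    global void updateUser(Id userId, Id samlSsoProviderId, Id communityId, Id portalId,
            String federationIdentifier, Map<String, String> attributes, String assertion) {
        User u = [SELECT Id, Email, FirstName, LastName FROM User WHERE Id = :userId LIMIT 1];
        applyIdentityAttributes(u, attributes);
        update u;
    }
}
```

Select the class under “Custom SAML JIT with Apex handler” on the Single Sign-On Settings page, together with a user to execute it as. Because updateUser writes only the e-mail and name fields, a profile change made by an administrator in Salesforce survives the next SSO login, and a profile attribute sent by the IdP is ignored rather than applied.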
Really helpful stuff.
Thanks Obaid !
This was an incredibly useful article. Very easy to follow!! The only thing I wasn’t able to get to work was the claim rules for JIT; when I copied the rule syntax you provided, I got the following error:
“The custom claim rule syntax is not valid. POLICY0002: Could not parse policy data.
Line number: 3, Column number: 73, Error token: “.Line: ‘ =>issue(store = “Active Directory”, types=(“User.UserName”), query = “;userPrincipalName;’.
Parser error: ‘POLICY0029: Unexpected Input’
Please note that I simply copy/pasted the rule syntax you provided. Any ideas? Thank you very much!