- 22 Nov 2024
- 10 Minutes to read
- Print
- PDF
SSO Configurations for Salesforce
- Updated on 22 Nov 2024
- 10 Minutes to read
- Print
- PDF
This document provides a step-by-step guide for setting up SSO Configuration to configure Salesforce, allowing users to sign in to Salesforce services using their OneIdP credentials and securely access these services.
Pre-requisites
The Custom Domain for which you are authorising, should be verified through OneIdP.
Users belonging to custom domain should be added to Scalefusion Dashboard and migrated to OneIdP.
IT Admins should have access to Salesforce admin console.
Users should be added to Salesforce portal
Create SSO Configuration for Salesforce
Sign in to Scalefusion Dashboard and navigate to OneIdP > SSO Configuration
Click on New SSO Configuration button on top right.
This opens the SSO Configuration wizard with following tabs on the left panel:
User Facing Messages
Navigate to each tab and enter required details. You can navigate to next tab only after you have entered complete details in the current section. All are explained in detail below.
Application Basics
Configure basic application details by entering the following:
Select Application Type: Select Salesforce as application type from the drop-down.
Enter Application Name: Enter a name for your App which will be an identifier for your configuration. The name must be at-least 5 characters long. The maximum allowed length is 128 characters.
Select Hosting Type: This will be pre-selected as Cloud
Select Domains: All the custom domains you have configured and verified using OneIdP, will be listed here. Select the domain(s) which you want to be SAML SSO enabled.
Enter Login URL: Provide URL that you use to sign in to that service.
Once you have entered all details click Next
SSO Scope Management
With SSO scope management you can configure the procedure for managing the users who will be accessing this application. It basically allows how SAML settings for the users are going to be managed. Following are the settings:
User assignment
SSO Configuration would allow only assigned users to access the app. Choose one from the following options:
Allow all users imported to Scalefusion to access the application: All users (belonging to the domain) imported to Scalefusion and migrated to OneIdP will be allowed to access the application.
Allow only assigned users to access the application: Only the user(s) whom you have assigned the SSO configuration, will be allowed to access the application. With this option, after SSO configuration is created, you need to manually select and assign the users.
Revoke access for all users once when the configuration is saved: If this is checked, the access is revoked from the users who are currently assigned with the configuration. As a result, it will invalidate all user sessions and logout users from their current running session.
Enforcement Rules
From here, you can configure and enforce users that at what point of time SSO Configuration should invalidate the current session and logout users. Following options can be selected:
Immediately on User Assignment and post grace period if applied: Once SSO configuration is assigned to user
Immediately on User Un-Assignment: When user is unassigned the SSO configuration
Immediately on Deleting this configuration: When SSO configuration is deleted from Scalefusion Dashboard
Users will not get logged out in case of Salesforce
Permissions
Here, you do not need to grant any additional permissions. Click Next to go to the next step.
SSO Settings
This section allows admins to configure the Service Provider (Salesforce) settings and obtain the SSO URLs which will be added on the Salesforce portal.
OneIdP SSO Settings
On Salesforce Portal, follow these steps:
Login to salesforce admin console and navigate to Settings > Identity > Single Sign-On Settings and click on New under SAML Single Sign-On Settings
This opens the form for SAML Single-Sign On Settings. Here, enter the following information:
Name: Enter name to identify
API Name: This can be same as name
Issuer: Copy the OneIdP Entity ID/Issuer URL from Scalefusion Dashboard (under SSO Settings) and paste here.
Entity ID: Copy the Current My Domain URL by navigating to Settings > Company Settings > My Domain (as shown below) on Salesforce Admin console and paste it here.
Please ensure that the Entity Id is prefixed with https://
Identity Provider Certificate: Download Verification certificate from Scalefusion Dashboard (SSO Settings) and upload it here.
Identity Provider Login URL: Copy the OneIdP SSO URL from Scalefusion Dashboard and paste it here
Select Assertion contains the User's Salesforce username as the SAML Identity Type.
In the Service Provider Initiated Request Binding, select HTTP Redirect
Select the checkbox in front of Single Logout Enabled
Identity Provider Single Logout URL: Copy the OneIdP SLO URL from Scalefusion Dashboard (SSO Settings) and paste it here.
After entering all details, click Save
Now, navigate back to Scalefusion Dashboard and click Next to go to next step
Conditional Access
From this section you can define the additional conditions on the basis of which users will be allowed/disallowed from accessing the application on device. This is divided into following sections:
Conditional Access Settings
Access Exceptions
Conditional Access Settings
Device Policy
For Android, iOS/iPad OS, Windows & macOS, Linux, Chrome OS: Choose one from the following two conditions:
Only if the device is managed by Scalefusion: The application will be accessible only on devices managed (enrolled) by Scalefusion.
If the device is managed by Scalefusion or an OTP using Scalefusion Authenticator app from a managed device: The application is accessible if any of the following conditions is met:
Device is managed by Scalefusion: If device is managed you will not be asked to enter OTP for authentication, or
If device is unmanaged, OTP is required for authentication. OTP can be taken from Authenticator app installed on a Scalefusion managed device.
Allow users to access by setting up MFA using third party authenticator app or OTP sent on email: This option is activated only when Multi-factor Authentication is enabled in Directory Settings.
Note: The left side panel is for configuring Device Policy on Android & iOS/iPad OS and right side is for Windows & macOS and Linux, ChromeOS below them. Hence, you can configure separate device policies based on platform.
Browser Policy
From here, you can select one or more browsers and specify minimum versions on which you want to allow the access to the application. Following are the options:
All Browsers
Google Chrome with minimum version
Microsoft Edge with minimum version
Safari with minimum version
Mozilla Firefox with minimum version
Important Points on Browser Policy:
By default all browsers are allowed.
Only major versions are validated. For eg. if you mention browser version: 23.5.8.10 then the respective browser with minimum major version(23) will be allowed. After configuring Device Policy and Browser Policy, click Next
Access Exceptions
From this section you can configure the exceptions where the users are allowed to access the applications even if the conditions are not met. In general, these exceptions will be useful or addresses scenarios where :
IT Admins have setup Android Enterprise using Google Workspace Or
IT Admins have setup Apple User Enrollment with ABM/ASM federated to Google Workspace
Following are the exceptions that can be configured:
Enrollment Exceptions
Allow users to access the application till they enroll their first device: Allows users to access the application till they enroll at-least one device. This option is helpful in conditions where the enrollment steps requires them to authenticate with the service provider. With this, you can also configure the following:
Maximum sessions allowed per user: Configure no. of sessions that should be exempted. It can range from 1 to 3. Ideally 1 session per user is recommended.
Configure the OS where the exceptions are applied: Select the platform(s) on which this exemption would be allowed to users.
User Exceptions
Here you can add the users who are always exempted from the conditions and will never be asked to manage their device. Enter comma separated email addresses of users or click on Add Users on the right and in the new window, select the users who should be exempted.
Note: These users still need to sign in with their OneDirectory credentials if they fall under the SSO Scope, however the conditions will not be enforced.
User Facing Messages
User Facing Messages helps admins configure messages that end users may be shown when they are unable to access the application if any of the compliance conditions are not met. You can configure messages under following:
Configure Instructions for a Non-Compliant Device: This message is shown when the device is not compliant and needs to be enrolled to Scalefusion
Configure Instructions for a Non-Compliant Browser: Shown when the browser is not compliant as per configurations
Configure a Message to be displayed when Access is Denied: Any other cases where access to application is denied.
There are some pre-configured messages displayed on Dashboard which you can edit as per requirement.
After configuring user facing messages, click on Save
The SSO configuration is created and listed on SSO Configuration page as a separate card with the name you have defined. You can create multiple SSO configurations in the same manner.
The next document explains how the configurations can be managed and other actions you can perform through SSO configurations.
User Login into Salesforce after SSO Configuration
Pre-requisite
The SSO configuration created should be enabled from Authentication Configuration. To enable,
Navigate to Settings > Company Settings > My Domain on Salesforce Admin console
Scroll down and click on Edit under Authentication Configuration
Put a check on the configuration(s) under Authentication Service and click Save
Please ensure Login Page Type is set to Standard and Login Form (in Authentication Service) is enabled
This completes the process of adding the service to Authentication configuration
Steps to login
Once you have configured SSO for Salesforce, follow these steps:
Go to the Salesforce Customer Secure Login Page
Here, click on Use Custom Domain
Enter the custom domain name to login with your company’s domain name. For Custom Domain,
On Salesforce admin console, Copy the URL from My Domain Name (Settings > Company Settings > My Domain)
Paste it on Salesforce login page and click Continue
On the next page, click on Login with a different provider
Here you will get the list of Single Sign-On Configurations created on Salesforce Admin Console. Choose the one with which you want to log in.
You will get the OneIdP page. Enter the credentials with the user details added in Scalefusion and Salesforce console and Sign In.
Synchronizing Users Between Scalefusion and Salesforce
To ensure integration between Scalefusion and Salesforce, you'll need to synchronize user accounts. With Salesforce’s User Provisioning tools, follow these steps to add any new users added on Scalefusion, to the Salesforce portal:
On Salesforce portal, navigate to Settings > Identity > Single Sign On Settings
Edit the configuration you have created
Under Just-In Time Provisioning, select the checkbox in front of User Provisioning Enabled
Select Assertion contains the Federation ID from the User object as SAML Identity Type
Click Save
Now go to Scalefusion Dashboard. In the SSO Configuration created for Salesforce, navigate to SSO Settings > Custom Attributes and enter the following custom attributes:
Here, ProfileId should be taken from Profiles section (Administration > Users > Profiles) on Salesforce Admin console.
Save the SSO Configuration.
Now, when you try to login to Salesforce with the user credentials, the same user will automatically get added on Salesforce portal.
FAQs
What about users who are already existing on salesforce prior to enabling the Just In Time user provisioning. Will they be able to login via OneIdP?
When JIT provisioning is enabled, Salesforce uses federation id to identify users, so if existing users do not have federation id in that case, it will not be able to identify users. For such users, IT Admins will need to add the Federation Id on Salesforce portal manually.
To add Federation ID,
Navigate to Administration > Users > Users section
Select the user and Edit it
Under Single Sign On Information, add the Federation ID. Federation ID is same as user email
Note: Users created after enabling JIT provisioning, will automatically have their Federation ID populated by default.
On Android devices enrolled as BYOD, if we try to login to Salesforce app it is giving error. What is the solution?
To resolve this, you need to change server details in Salesforce. There are two ways to do so:
Solution 1: Change server details on Salesforce app. To do so, follow these steps on Salesforce app:
Launch Salesforce App on Work Side.
Click on three dots on top right. Click on Change Server → Add New Connection
In Add Connection Pop-Up, please enter below details:
Name: Any name to identify your connection
URL: Enter Salesforce login URL for your domain
Click on Apply
Now, click on Back button on top left.
The URL should get opened in chrome browser and silent login to Salesforce app should work on managed device.
Solution 2: Create App Configuration on Scalefusion Dashboard and push on device. Follow these steps:
Install Salesforce and Google chrome app to the Android device from Play for work section on Scalefusion Dashboard.
On Scalefusion Dashboard, go to App Management → Play for work → Salesforce App
Navigate to App config → Create a new config
In the configuration dialog, enter below details:
Managed configuration: Provide name of config
AppServiceHosts: Enter Salesforce login URL of your domain
AppServiceHostLabels: Enter any name to identify your connection
Click on Save and Publish on device.
Once Config is published then AppServiceHosts get added to Salesforce’s Local server page
Now, launch Salesforce app. Click on three dots on top right and click on Change Server. The server details will display here.
Now, click on Back button on top left.
The URL should get opened in chrome browser and silent login to Salesforce app should work on managed device.