Single Sign-On with Salesforce using SAML 2.0 (as of February, 2015)

Introducing the latest procedure for setting up Single Sign-On federation with Salesforce as the IdP using SAML 2.0.

CTO Hatanaka wrote the following previous related article:

Single Sign-On with Salesforce using SAML 2.0 (Japanese article)

However, since Salesforce changed its specifications in February 2015, the procedure has to be adjusted to the new interface (setting screens and data items), which differs from the one described in that article (written in March 2013).

Here, I’ll show a setting procedure based on the latest specifications of Salesforce by revising and correcting the previous article.

The main changes from the previous specifications are as follows.

  • The number of setting items for the “Service Provider” in Salesforce has increased (the added items can be left at their defaults; the items you actually need to set are the same as in the previous specifications)
  • You now need to set up “Permission Sets” in Salesforce (users must be linked to the Service Provider through a Permission Set)

The SAML settings on the Questetra BPM Suite side have not changed this time.

== The whole procedure of setting ==

  1. [Salesforce] Domain Setting
  2. [Salesforce] Enable ID Provider
  3. [Salesforce] Add Service Provider
  4. [Salesforce] Add and Connect Permission Sets
  5. [Questetra BPM Suite] ID Provider Setting

== Details of each setting ==

=== 1. [Salesforce] Domain Setting ===

It appears that this setting has not changed from the one before.
♦Salesforce:[(User Name)]→[Setup]→Menu on the left side of the screen [Domain Management]→[My Domain]

Salesforce Domain Setting

To use Salesforce as a SAML ID Provider, access to Salesforce through your own domain must be enabled. Since the domain name cannot be modified later, please configure it with great care.
After setting your domain, you need to wait for approval from Salesforce. Though approval can take up to 3 days, in my case I received it in only a few minutes.

=== 2. [Salesforce] Enable ID Provider ===

It appears that this setting has not changed from before.
♦ Salesforce:[(User Name)]→[Setup]→Menu on the left side of the screen [Security Controls]→[ID Provider]
Click [Enable ID Provider].

=== 3. [Salesforce] Add Service Provider ===

As a preparation, open the SAML setting screen in Questetra BPM Suite. Leave the browser window open for later settings.
♦Questetra:[(User Name)]→[System settings]→Menu in the left side of the screen [SSO (SAML)]

(Screenshot: sfdc_QBPMS_SP_en)

On the [ID Provider] screen of Salesforce, click [Service Providers are now created via Connected Apps. Click here.] located next to [Service Provider]. Then set up a [New Connected App].

(Screenshot: sfdc_newapps_cut)

Enter each field as follows:
[Basic Information]

  • [Connected App Name] : Questetra (set freely, as long as you can identify it later)
  • [API Name] : Questetra (set freely, as long as you can identify it later)
  • [Contact Email] : Administrator’s email address

Then check [Enable SAML] in [Web App Settings] and enter each field.

  • [Entity Id] : Copy the [Entity ID] of [SP Information] in Questetra BPM Suite, and paste it
  • [ACS URL] : Copy the [ACS URL] of [SP Information] in Questetra BPM Suite, and paste it
  • [Subject Type] : Username (default)
  • [Name ID Format] : [urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified] (default)
  • [Issuer] : Created domain name (default)
  • [Verify Request Signatures] : Check this, then save the [Verification certificate] displayed under [SP Information] in Questetra BPM Suite to a text file and upload that file.

Click [Save] at the bottom.

You can change the settings at the following menu.
♦ Salesforce: [(User Name)]→[Setup]→Menu on the left side of the screen [Manage Apps]→[Connected Apps]

=== 4. [Salesforce] Add and Connect Permission Sets ===

First, create Permission Sets.
♦Salesforce: [(User Name)]→[Setup]→Menu on the left side of the screen [Manage Users]→[Permission Sets]
Click [New].

(Screenshot: sfdc_new_permissionsets_cut)

Enter each field.

  • [Label] : Questetra_PermissionSets (set freely, as long as you can identify it later)
  • [API name] : Questetra_grant (set freely, as long as you can identify it later)

Click [Save].

Next, connect Permission Sets with users.
♦Salesforce: [(User Name)]→[Setup]→Menu on the left side of screen [Manage Users]→[User]
Select a user for Single Sign-On, and click [Edit Assignments] under [Permission Set Assignments].

(Screenshot: sfdc_connect_user_cut)

Move the created Permission Set from [Available Permission Sets] to [Enabled Permission Sets].
Click [Save].

Finally, connect Permission Sets with Apps.
♦Salesforce:[(User Name)]→[Setup]→Menu on the left side of the screen [Manage Apps]→[Connected Apps]
Click [Manage Permission Sets] of [Permission Sets].

(Screenshot: sfdc_connect_apps_cut)

Check the created Permission Set and click [Save].

=== 5. [Questetra BPM Suite] ID Provider Setting ===

It appears that this setting has not changed from before.
Set up [IdP Information] in Questetra on the screen you left open earlier.
♦Questetra:[(upper right User Name)]→[System Settings]→Menu on the left side of the screen [SSO (SAML)]

(Screenshot: sfdc_QBPMS_IdP_en)

First, enter each field as follows, taking the values from:
♦Salesforce:[(User Name)]→[Setup]→Menu on the left side of screen [Security Controls]→[Identity Provider]

Salesforce Identity Provider Setting

  • Entity ID: Copy the [Issuer] and paste it
  • Verification certificate: Click [Download certificate] and open the downloaded certificate in a text editor. Copy the entire content of the certificate and paste it.

Next, set up the Sign-in page URL, taking the value from:
♦Salesforce:[(User Name)]→[Setup]→Menu on the left side of the screen [Manage Apps]→[Connected Apps]

Salesforce Service Provider Setting

  • Sign-in page URL: Copy the [SP-Initiated POST Endpoint] and paste it

Click [Save].
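As an added example (not code from the original article, from Questetra or from Salesforce), here is a stdlib-only Python check of the fields a SAML Response posted by the Salesforce IdP must match on the SP side. It uses constructed stand-ins for the Entity ID, ACS URL, Issuer and Name ID Format entered above and shows why those values have to agree on both screens; XML signature verification with the uploaded certificate is assumed to happen separately.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone
NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol", "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed stand-ins for the values entered on the two setting screens above.
SP_CONFIG = {
    "entity_id": "https://example.questetra.net/sp",       # Connected App [Entity Id]
    "acs_url": "https://example.questetra.net/saml/acs",   # Connected App [ACS URL]
    "idp_entity_id": "https://example.my.salesforce.com",  # Salesforce [Issuer] -> Questetra [Entity ID]
    "nameid_format": "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified",  # [Name ID Format]
}

# Constructed sample of what the IdP posts to the ACS URL (signature element omitted).
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
 ID="_r1" Version="2.0" IssueInstant="2015-02-10T09:00:00Z" Destination="https://example.questetra.net/saml/acs">
 <saml:Issuer>https://example.my.salesforce.com</saml:Issuer>
 <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2015-02-10T09:00:00Z">
  <saml:Issuer>https://example.my.salesforce.com</saml:Issuer>
  <saml:Subject><saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">alice</saml:NameID></saml:Subject>
  <saml:Conditions NotBefore="2015-02-10T08:59:00Z" NotOnOrAfter="2015-02-10T09:05:00Z">
   <saml:AudienceRestriction><saml:Audience>https://example.questetra.net/sp</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions>
 </saml:Assertion>
</samlp:Response>"""

def _ts(value):  # SAML timestamps are UTC with a trailing Z
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def validate_response(xml_text, cfg, now):
    """Return the mismatches between the response and the SP settings (empty list = accept)."""
    problems = []
    root = ET.fromstring(xml_text)
    if root.get("Destination") != cfg["acs_url"]:              # must be our ACS URL
        problems.append("Destination does not match ACS URL")
    if root.findtext("saml:Issuer", namespaces=NS) != cfg["idp_entity_id"]:  # must be the configured IdP
        problems.append("Issuer does not match IdP Entity ID")
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return problems + ["no Assertion in response"]
    cond = assertion.find("saml:Conditions", NS)
    if cond.findtext("saml:AudienceRestriction/saml:Audience", namespaces=NS) != cfg["entity_id"]:
        problems.append("Audience does not match SP Entity ID")  # assertion issued for a different SP
    if not (_ts(cond.get("NotBefore")) <= now < _ts(cond.get("NotOnOrAfter"))):
        problems.append("assertion outside its validity window")  # stale or replayed assertion
    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    if name_id is None or name_id.get("Format") != cfg["nameid_format"]:
        problems.append("NameID format does not match")
    return problems

def check_sample(now_utc, **overrides):  # validate the sample at a given time with config overrides
    return validate_response(SAMPLE_RESPONSE, dict(SP_CONFIG, **overrides), _ts(now_utc))
```

Running `check_sample("2015-02-10T09:00:30Z")` returns an empty list, while an override such as `acs_url="https://other.example/acs"` reproduces the kind of mismatch that shows up as a failed login.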

Setup is now complete.
Please try logging in with [Login using Single Sign-On] on Questetra’s login page.

If login fails, you can check the log at
♦Salesforce: [(User Name)]→[Setup]→[Manage Users]→[Identity Provider Event Log]
and troubleshoot the failure based on the log entries.

If you have questions, please contact us here (Questetra support).

About Kusaka Tsuyoshi

I work in sales, but since I was originally an engineer, I also do programming.
