What is Salesforce SSO?
Salesforce SSO (Salesforce Single Sign-On) is the process that lets all network users access every authorized network resource with a single username and password, instead of having a different username and password for each resource in the network.
Suppose an organization has a number of different systems, applications and resources that every user needs to access. To reach each of those resources, the user must log in to that application with its own username and password. If the user needs many resources, remembering all of those passwords becomes difficult. SSO is implemented to eliminate this kind of problem.
Advantages of Salesforce SSO
Salesforce SSO brings a number of benefits. The following are the benefits to your organization of Salesforce SSO (Single Sign-On).
- Reduced administration costs: there is no need to remember all the usernames and passwords. Salesforce resources and external applications are accessed as already logged in, without asking the user to enter a username or password.
- Leverage existing investments: many companies use an LDAP database to manage their users' identities and to authenticate them to the systems in their organization. When a user is removed from the LDAP system, the user is immediately removed and can no longer log in to those systems.
- Time saving.
- Increased user adoption: users of Salesforce are more comfortable sending email messages that contain links to information on salesforce.com.
- Increased security.
Different types of Salesforce SSO
In Salesforce, Single Sign-On (Salesforce SSO) can be implemented in two ways:
- Federated authentication.
- Delegated authentication.
What is Federated Single Sign-On Authentication?
In Salesforce, if federated single sign-on authentication is enabled, Salesforce does not validate the user's password. Instead, Salesforce verifies an assertion carried in the HTTP POST request and allows single sign-on if the assertion is valid; if the assertion is not valid, Salesforce does not allow SSO.
What is Delegated Single Sign-On Authentication?
Delegated single sign-on authentication is the second type of single sign-on in Salesforce. When this type is enabled, Salesforce lets a web service in your organization establish the users' authentication credentials instead of validating the users' passwords itself.
Authentication providers let users obtain authentication credentials from external service providers. An authentication provider supplies credentials to users together with profiles that contain login IP range restrictions and session IDs.
Here we are required to set up a new authentication provider to establish the connection. The authentication process follows these steps:
- The user tries to log in to Salesforce using a third-party identity.
- The login request is redirected to the third-party provider.
- The user is approved for access.
- The authentication provider redirects the user back to Salesforce.
- The user is now logged in to Salesforce.
How to Enable Salesforce SSO using SAML
- The user must establish a SAML identity provider: here we send the single sign-on request to Salesforce.
- Provide information to the identity provider: here we have to give the login and logout URLs.
- Configure Salesforce.
How does Salesforce Trust the Identity Provider?
To establish single sign-on, Salesforce must be connected to the identity provider. To establish the relationship between Salesforce and the identity provider, Salesforce must trust the identity provider. This is done as follows.
- During configuration, the identity provider gives a digital certificate to Salesforce; at run time, Salesforce uses that certificate to validate the digital signature produced by the identity provider.
Enabling Salesforce as a Service Provider
To enable Salesforce as a service provider we must do two important things.
- Download the digital signature certificate from the identity provider (IdP).
- Upload the digital signature certificate to Salesforce.
- Configure Salesforce.
Identity Provider-Initiated SAML Flow at Run Time
The user signs in to the IdP using single sign-on. The IdP returns a page containing a form with the SAML assertion. The user then submits the SAML assertion to Salesforce to log in. The service provider (Salesforce) checks the digital signature and grants a session ID.
Service Provider-Initiated SAML Flow
This is the situation where the user clicks a link to access something in Salesforce and is redirected back to the IdP.
The end user requests a page at a custom domain for Salesforce. Salesforce responds that the user is not logged in. The user then logs in to the IdP with IdP credentials. The IdP redirects the user to Salesforce with the SAML assertion. Salesforce then redirects the user to the requested page with a session ID.
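As an added example (not code from the original post or from Salesforce), the Go program below models the trust step described above and both flows: the IdP signs the assertion with its private key, and the service provider verifies it with the public key from the certificate uploaded at configuration, then checks issuer, audience, expiry and, for the SP-initiated flow, that InResponseTo matches the request it issued. It assumes a simplified assertion without XML namespaces and a detached Ed25519 signature over the raw bytes standing in for the real XML-DSig signature; the issuer `mockidp` and entity ID `https://saml.salesforce.com` are the values from the setup steps that follow.

```go
package main

import (
	"crypto/ed25519"
	"encoding/xml"
	"fmt"
	"time"
)

const trustedIssuer, spEntityID = "mockidp", "https://saml.salesforce.com" // from the setup section

type Assertion struct { // subset of a SAML assertion checked here (constructed sample; namespaces omitted)
	Issuer  string `xml:"Issuer"`
	NameID  string `xml:"Subject>NameID"`
	Confirm struct{ InResponseTo string `xml:"InResponseTo,attr"` } `xml:"Subject>SubjectConfirmation>SubjectConfirmationData"`
	Conditions struct {
		NotOnOrAfter time.Time `xml:"NotOnOrAfter,attr"` // RFC 3339; encoding/xml parses it into time.Time
		Audience     string    `xml:"AudienceRestriction>Audience"`
	} `xml:"Conditions"`
}
// sampleAssertion builds the constructed assertion the IdP would return for one login.
func sampleAssertion(issuer, audience, inResponseTo string, exp time.Time) []byte {
	return []byte(fmt.Sprintf(`<Assertion><Issuer>%s</Issuer><Subject><NameID>user@example.com</NameID>`+
		`<SubjectConfirmation><SubjectConfirmationData InResponseTo="%s"/></SubjectConfirmation></Subject>`+
		`<Conditions NotOnOrAfter="%s"><AudienceRestriction><Audience>%s</Audience></AudienceRestriction>`+
		`</Conditions></Assertion>`, issuer, inResponseTo, exp.Format(time.RFC3339), audience))
}
// idpSign: the IdP signs the assertion with its private key (detached signature standing in for XML-DSig).
func idpSign(idpPriv ed25519.PrivateKey, assertion []byte) []byte { return ed25519.Sign(idpPriv, assertion) }
// spValidate is what Salesforce does as service provider at run time: verify the signature with the IdP public
// key uploaded at configuration, then check issuer, audience, expiry and InResponseTo (empty in IdP-initiated flow).
func spValidate(idpPub ed25519.PublicKey, assertion, sig []byte, now time.Time, expectedReqID string) (string, error) {
	if !ed25519.Verify(idpPub, assertion, sig) { // never parse an assertion that is not signed by the trusted IdP
		return "", fmt.Errorf("signature does not verify against the configured IdP certificate")
	}
	var a Assertion
	switch err := xml.Unmarshal(assertion, &a); {
	case err != nil:
		return "", err
	case a.Issuer != trustedIssuer:
		return "", fmt.Errorf("untrusted issuer %q", a.Issuer)
	case a.Conditions.Audience != spEntityID:
		return "", fmt.Errorf("assertion not addressed to %s", spEntityID)
	case !now.Before(a.Conditions.NotOnOrAfter):
		return "", fmt.Errorf("assertion expired at %s", a.Conditions.NotOnOrAfter)
	case a.Confirm.InResponseTo != expectedReqID:
		return "", fmt.Errorf("InResponseTo %q does not match the pending request", a.Confirm.InResponseTo)
	}
	return a.NameID, nil // identity to open the session for
}
```

A tampered assertion, one signed by a key other than the uploaded certificate, an expired one, or one that does not answer the pending request is rejected before any session is granted.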
Now we are going to create a new single sign-on configuration in Salesforce.
Go to Setup => Administer => Security Controls => Single Sign-On Settings.
Enable SAML. By enabling SAML we can create a new single sign-on configuration. Click Edit and check SAML Enabled.
Now click the New button.
Before filling in the SAML Single Sign-On Settings details we need some data. Go to the following URL and download the digital certificate, which is to be uploaded.
Go to http://sfdc-tandc-saml-ip.herokuapp.com
Issuer: mockidp
Entity ID: https://saml.salesforce.com
Now go to the Configure section shown below.
Complete all the details as shown below.
Before logging in, log out from login.salesforce.com.