Federated Authentication Using SAML to Log in to Salesforce Org
Federated authentication is one of the single sign-on (SSO) methods. An identity provider (IdP) sends a SAML (Security Assertion Markup Language) assertion to the Salesforce endpoint; if the assertion validates, the user is redirected to the Home page of the Salesforce org. In this walkthrough Salesforce acts as the service provider and a SAML response generator tool (AXIOM) plays the role of the identity provider.
To make this work, follow these steps:
1) Set up SAML settings in Salesforce – In Setup, search for 'Single Sign-On Settings' and open it. Click Edit, check the "SAML Enabled" checkbox and click Save. Then click New under SAML Single Sign-On Settings and enter the values as follows:
a) Name – SSOServiceProvider (you can give your own name)
b) API Name – SSOServiceProvider(you can give any valid name)
c) Issuer – AXIOM (you can choose your own issuer name, but it must match the Issuer the identity provider puts into the assertion later on)
d) Identity Provider Certificate – Open http://axiomsso.herokuapp.com/Home.action, click the 'SAML Identity Provider & Tester' link and download the certificate. Upload it as the identity provider certificate; Salesforce uses it to verify the signature on incoming assertions.
e) Entity Id – saml.salesforce.com
f) Request Signing Certificate – Default Certificate
g) Request Signature Method – RSA-SHA1 (if your identity provider supports it, prefer RSA-SHA256; SHA-1 is deprecated for signatures)
h) Assertion Decryption Certificate – Assertion not encrypted
i) SAML Identity Type – Assertion contains the Federation ID from the User object
j) SAML Identity Location – Identity is in the NameIdentifier element of the Subject statement
k) Identity Provider Login URL – http://axiomsso.herokuapp.com/RequestSamlResponse.action
l) Service Provider Initiated Request Binding – HTTP POST. Refer to the image below to verify your entries.
2) Set a Federation ID on the user record in the Salesforce org – Go to Users, edit the currently logged-in user and, in the Single Sign On Information section, enter the Federation ID. This is the value the assertion's NameID must carry, and it must be unique for each user in the org. Refer to the image below.
3) Use the open-source SAML response generator – To generate a SAML response, go to https://axiomsso.herokuapp.com/RequestSamlResponse.action and enter the following values:
a) SAML Version – 2
b) Username OR Federated ID – naman.algoworks in this example (enter the Federation ID you set on the user record in Salesforce)
c) User id location – Subject
d) Issuer – AXIOM in this example (the issuer name you entered in the SAML settings in Salesforce)
e) Recipient Url – https://login.salesforce.com?so=00D90000000tt6D in this example (enter the Salesforce Login URL exactly as it appears on your SAML settings page; the so parameter is your org ID. Refer to the image)
f) Entity Id – saml.salesforce.com
g) SSO Start Page – http://axiomsso.herokuapp.com/RequestSamlResponse.action
h) User Type – Standard
Click the 'Request SAML Response' button to see the generated SAML response. Nothing on this page needs changing; just click the Login button, and if everything is right you are redirected to the Home page of the Salesforce org.

Troubleshooting the SAML assertion: the SAML Single Sign-On Settings page has a 'SAML Assertion Validator' button. If login fails, click it to see your last failed assertion and the details of why it was rejected (issuer, audience, recipient, subject and timestamp are each checked). You can also test an AXIOM-generated SAML response directly: copy the formatted SAML response from AXIOM, paste it into the SAML response box and click Validate.

One caveat: AXIOM is a public test tool, so anyone who can reach the site can produce an assertion signed with the same key for any Federation ID. Use it in a sandbox or trial org, and remove the SAML configuration once you are done testing.
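To make the checks in the troubleshooting step concrete, here is an added example (not code from the tutorial, Salesforce or AXIOM) that builds a constructed, unsigned SAML 2.0 response shaped like the one step 3 produces and then validates it against the values entered in step 1: Issuer, Audience (Entity Id), Recipient (the org login URL), the Subject NameID that must equal the user's Federation ID, and the NotBefore/NotOnOrAfter window. The org ID in the recipient URL is the one from the tutorial; XML-DSig signature verification against the uploaded IdP certificate is a separate step and is deliberately not implemented here.

```python
"""Added example: field checks a SAML SP such as Salesforce performs on an
assertion. Signature verification (XML-DSig) is NOT implemented here."""
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
TS = "%Y-%m-%dT%H:%M:%SZ"  # SAML timestamps are UTC xs:dateTime

# The values the tutorial typed into the SAML settings (org id is the author's).
SP_CONFIG = {
    "issuer": "AXIOM",
    "entity_id": "saml.salesforce.com",
    "recipient": "https://login.salesforce.com?so=00D90000000tt6D",
}

# Fixed clocks so the example is reproducible (assumed, not from the page).
SAMPLE_NOW = datetime(2024, 5, 1, 10, 0, 0, tzinfo=timezone.utc)
STALE_NOW = SAMPLE_NOW + timedelta(minutes=30)


def build_response(issuer, federation_id, recipient, audience, issued_at,
                   lifetime=timedelta(minutes=5)):
    """Constructed sample input: an unsigned response shaped like AXIOM's."""
    not_before = issued_at.strftime(TS)
    not_on_or_after = (issued_at + lifetime).strftime(TS)
    return f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
    ID="_resp1" Version="2.0" IssueInstant="{not_before}" Destination="{recipient}">
  <saml:Issuer>{issuer}</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="{not_before}">
    <saml:Issuer>{issuer}</saml:Issuer>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">{federation_id}</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData Recipient="{recipient}" NotOnOrAfter="{not_on_or_after}"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions NotBefore="{not_before}" NotOnOrAfter="{not_on_or_after}">
      <saml:AudienceRestriction><saml:Audience>{audience}</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""


def _parse_ts(value):
    """Parse a SAML UTC timestamp, ignoring any fractional seconds."""
    bare = value.rstrip("Z").split(".")[0]
    return datetime.strptime(bare, "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)


def validate_response(xml_text, config, now, skew=timedelta(minutes=3)):
    """Return a list of failure reasons; [] means the fields are acceptable."""
    problems = []
    assertion = ET.fromstring(xml_text).find("saml:Assertion", NS)
    if assertion is None:
        return ["response carries no Assertion"]

    # Issuer must equal the Issuer configured in the SAML settings (step 1c).
    issuer = assertion.findtext("saml:Issuer", namespaces=NS)
    if issuer != config["issuer"]:
        problems.append(f"issuer mismatch: got {issuer!r}, expected {config['issuer']!r}")

    # Identity type/location: Federation ID lives in Subject/NameID (steps 1i, 1j).
    if not assertion.findtext("saml:Subject/saml:NameID", namespaces=NS):
        problems.append("Subject has no NameID, so there is no Federation ID to match")

    # Recipient must be the org login URL shown on the settings page (step 3e).
    scd = assertion.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    recipient = scd.get("Recipient") if scd is not None else None
    if recipient != config["recipient"]:
        problems.append(f"recipient mismatch: got {recipient!r}, expected {config['recipient']!r}")

    # Audience must equal the Entity Id (steps 1e, 3f).
    audience = assertion.findtext("saml:Conditions/saml:AudienceRestriction/saml:Audience", namespaces=NS)
    if audience != config["entity_id"]:
        problems.append(f"audience mismatch: got {audience!r}, expected {config['entity_id']!r}")

    # Validity window, with a small clock-skew allowance.
    cond = assertion.find("saml:Conditions", NS)
    if cond is None or not cond.get("NotBefore") or not cond.get("NotOnOrAfter"):
        problems.append("Conditions lack NotBefore/NotOnOrAfter")
    else:
        if now + skew < _parse_ts(cond.get("NotBefore")):
            problems.append("assertion not yet valid (NotBefore in the future)")
        if now - skew >= _parse_ts(cond.get("NotOnOrAfter")):
            problems.append("assertion expired (NotOnOrAfter passed)")
    return problems


def federation_id(xml_text):
    """The NameID Salesforce would look up as the user's Federation ID."""
    return ET.fromstring(xml_text).findtext("saml:Assertion/saml:Subject/saml:NameID", namespaces=NS)


if __name__ == "__main__":
    good = build_response("AXIOM", "naman.algoworks", SP_CONFIG["recipient"], SP_CONFIG["entity_id"], SAMPLE_NOW)
    print("good:", validate_response(good, SP_CONFIG, SAMPLE_NOW) or "OK", "as", federation_id(good))
    bad = build_response("axiom", "naman.algoworks", "https://login.salesforce.com", SP_CONFIG["entity_id"], SAMPLE_NOW)
    print("bad:", validate_response(bad, SP_CONFIG, SAMPLE_NOW))
    print("stale:", validate_response(good, SP_CONFIG, STALE_NOW))
```

The second case shows the two mistakes the tutorial warns about: an Issuer that differs from the configured one (case matters) and a Recipient URL that drops the so= org ID. The third case is the same good assertion replayed half an hour later, which the validity window rejects.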