Single Sign-On in Salesforce | All You Need to Know
Single Sign-On (SSO) Between Two Salesforce Orgs
Single Sign-On (SSO) is an authentication process that lets users access multiple applications and systems with a single set of credentials. Instead of remembering a different username and password for each application, the user authenticates once at a trusted identity provider and is then admitted to every application that trusts it. Salesforce, a leading customer relationship management (CRM) platform, supports SSO both as a consumer of external identities and as an identity provider for other apps.
How Does SSO Work in Salesforce?
Salesforce supports SAML 2.0 and OpenID Connect (which is built on OAuth 2.0) for SSO with identity providers (IdPs). The SAML flow used in this post works as follows:
- User initiates login: When a user tries to open Salesforce (or a connected application), the browser is redirected to the IdP's login page.
- IdP authentication: The user enters their credentials (username and password) on the IdP's page, not on the Salesforce login page.
- Identity verification: The IdP verifies the user and issues a SAML assertion, digitally signed with the IdP's private key, stating who the user is and for which service provider and how long it is valid.
- Assertion sent to Salesforce: The browser posts the assertion to the Salesforce Assertion Consumer Service (the Login URL). Salesforce checks the signature against the IdP certificate it holds, and checks that the audience, recipient and validity window match its own configuration, before trusting the assertion.
- Access granted: If every check passes, Salesforce maps the asserted identity to a local user and logs them in without asking for a separate Salesforce password.
Steps to Set Up Single Sign-On Between Two Salesforce Orgs
To set up SSO between two Salesforce orgs, configure one org as the identity provider and the other as the service provider. In the steps below, Org 1 is the IdP and Org 2 is the SP.
Identity provider (IdP): the org that authenticates the user and issues signed SAML assertions that other applications can trust for single sign-on.
Service provider (SP): the org (or app) the user actually wants to reach; it accepts assertions from the IdP it trusts instead of prompting for its own password.
Steps:
- Enable My Domain (both orgs): My Domain is required for SAML SSO and is already enabled in new Salesforce orgs. If it is not, enable and deploy it from Setup -> My Domain in each org.
- Enable the identity provider (IdP org): Log in to the IdP org and go to Setup -> Quick Find -> Identity Provider, then click Enable Identity Provider. Choose (or create) the Identity Provider Certificate that Salesforce will use to sign assertions sent to service providers. The SP will use the matching public certificate to verify those signatures, so this certificate is the root of trust for the whole setup.
- Download Certificate: Click Download Certificate to save the IdP's public signing certificate; it is uploaded to the SP org in a later step.
- Download Metadata: Click Download Metadata to save the IdP's SAML metadata XML. It contains the IdP's issuer (entity ID), its single sign-on endpoint URLs and the signing certificate, which is why the SP can be configured from this one file.
- Single Sign-On Settings (SP org): In the SP org go to Setup -> Identity -> Single Sign-On Settings, click Edit, check SAML Enabled and save.
- Create the SAML Single Sign-On setting from the IdP metadata: Click New from Metadata File, upload the metadata file downloaded from the IdP org and save. This pre-fills the Issuer, the Identity Provider Login URL and the certificate from the metadata.
- Review the setting and the Identity Provider Certificate: Edit the new SAML setting and confirm that the Identity Provider Certificate is the one downloaded from the IdP org (if the metadata import did not populate it, upload the downloaded certificate). The SP uses this certificate to verify the signature on every assertion; an assertion signed by any other key is rejected. Set SAML Identity Type to "Assertion contains the Federation ID from the User object". Make a note of the Entity ID and the Login URL shown for this setting; both are needed for the connected app in the IdP org.
- Create a connected app (IdP org): Go back to the IdP org and go to Setup -> App Manager -> New Connected App. Fill in the basic information, then in the Web App Settings section configure the SAML details below.
- Check Enable SAML.
- Entity Id: the Entity ID noted in the SP org (Org 2).
- ACS URL: the Login URL noted in the SP org (Org 2).
- Subject Type: Federation ID, so the assertion carries the user's Federation ID as the name identifier.
- IdP Certificate: the Identity Provider Certificate chosen when the identity provider was enabled; it must match the certificate uploaded in the SP org.
- Grant access to the connected app: Once the connected app is saved, click Manage and add the profiles (or permission sets) whose users may use it. Only those users will see the app and be able to single sign-on into the SP org.
- Update the authentication configuration for My Domain (SP org): In the SP org go to Setup -> My Domain, edit Authentication Configuration and select the SAML setting created above as an additional Authentication Service. This adds the IdP as a login option for the SP org.
- Set up users in both orgs: The user must exist in both the IdP org and the SP org, and the Federation ID field on the User record must hold the same value in both. This is the value the assertion carries and the value the SP looks up; a user without a matching Federation ID in the SP org cannot log in even though the assertion itself is valid.
- Test your configuration: Log in to the IdP org as such a user and open the connected app, for example from the App Launcher. The browser is redirected to the SP org (Org 2) and logged in without being prompted for Org 2 credentials. If the login fails, use the SAML Assertion Validator under Single Sign-On Settings in the SP org to see which check on the last assertion did not pass.
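As an added example (not from the original post or from Salesforce), the following Python models the SP-side checks described in the "How Does SSO Work" section and ties them to the values configured in the steps above: the Entity ID and Login (ACS) URL noted in the SP org, the Identity Provider Certificate, and the Federation ID match against the User object. The org URLs, Entity IDs, Federation ID, org-ID query string, IdP metadata and SAML Response are all constructed; the XML signature check is stubbed and labelled, since a real SP must verify the XML-DSig signature with a proper XML signature library.

```python
"""SP-side validation of a SAML 2.0 Response, mirroring the checks the SP org runs
when the IdP org posts an assertion to its ACS (Login) URL.

Added example, not Salesforce code. All URLs, IDs and both XML documents are
constructed. XML-DSig verification is a caller-supplied callable, stubbed here
so the example runs offline; a real SP must use an XML signature library.
"""
from datetime import datetime, timezone
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#",
      "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed stand-in for the file "Download Metadata" produces in the IdP org.
IDP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
  xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://idp-org.my.salesforce.com">
 <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
  <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
   <ds:X509Certificate>MIIBconstructedPlaceholderCertificate==</ds:X509Certificate>
  </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
  <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
   Location="https://idp-org.my.salesforce.com/idp/endpoint/HttpPost"/>
 </md:IDPSSODescriptor></md:EntityDescriptor>"""

# SP-side configuration: the values noted in the SP org's SAML setting (constructed).
SP_ENTITY_ID = "https://sp-org.my.salesforce.com"
ACS_URL = "https://sp-org.my.salesforce.com?so=00Dxx0000000001"
USERS = {"alok.fed.id": "alok@sp-org.example"}  # Federation ID -> SP username (constructed)
NOW = datetime(2024, 5, 1, 10, 1, tzinfo=timezone.utc)

# Constructed SAML Response as the IdP org would post it (ds:Signature element omitted).
SAML_RESPONSE = f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
  ID="_r1" Version="2.0" IssueInstant="2024-05-01T10:00:00Z" Destination="{ACS_URL}">
 <saml:Issuer>https://idp-org.my.salesforce.com</saml:Issuer>
 <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-05-01T10:00:00Z">
  <saml:Issuer>https://idp-org.my.salesforce.com</saml:Issuer>
  <saml:Subject><saml:NameID>alok.fed.id</saml:NameID>
   <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
    <saml:SubjectConfirmationData NotOnOrAfter="2024-05-01T10:05:00Z" Recipient="{ACS_URL}"/>
   </saml:SubjectConfirmation></saml:Subject>
  <saml:Conditions NotBefore="2024-05-01T09:59:00Z" NotOnOrAfter="2024-05-01T10:05:00Z">
   <saml:AudienceRestriction><saml:Audience>{SP_ENTITY_ID}</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions>
 </saml:Assertion></samlp:Response>"""


def _ts(s):
    """Parse a SAML UTC timestamp such as 2024-05-01T10:05:00Z."""
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


def parse_idp_metadata(xml_text):
    """Extract what the SP stores from IdP metadata: issuer, SSO URL, signing certificate."""
    root = ET.fromstring(xml_text)
    desc = root.find("md:IDPSSODescriptor", NS)
    cert = desc.find("md:KeyDescriptor[@use='signing']/ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
    return {"entity_id": root.attrib["entityID"],
            "sso_url": desc.find("md:SingleSignOnService", NS).attrib["Location"],
            "signing_cert": cert.text.strip()}


def validate_response(xml_text, idp, sp_entity_id, acs_url, users, now, signature_ok):
    """Return the SP username to log in, or raise ValueError naming the failed check.
    signature_ok(response_element, cert) stands in for XML-DSig verification against the
    Identity Provider Certificate uploaded in the SP org."""
    resp = ET.fromstring(xml_text)
    if not signature_ok(resp, idp["signing_cert"]):
        raise ValueError("signature does not verify against the IdP certificate")
    if resp.attrib.get("Destination") != acs_url:
        raise ValueError("Destination does not match this SP's ACS URL")
    assertion = resp.find("saml:Assertion", NS)
    if assertion is None or assertion.findtext("saml:Issuer", namespaces=NS) != idp["entity_id"]:
        raise ValueError("missing Assertion or unexpected Issuer")
    conds = assertion.find("saml:Conditions", NS)
    if not _ts(conds.attrib["NotBefore"]) <= now < _ts(conds.attrib["NotOnOrAfter"]):
        raise ValueError("assertion is outside its validity window")
    audiences = [a.text for a in conds.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if sp_entity_id not in audiences:
        raise ValueError(f"Audience {audiences} does not include this SP's Entity ID")
    scd = assertion.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd.attrib.get("Recipient") != acs_url or now >= _ts(scd.attrib["NotOnOrAfter"]):
        raise ValueError("SubjectConfirmationData Recipient or expiry rejected")
    # "Assertion contains the Federation ID from the User object": NameID is the lookup key.
    name_id = assertion.findtext("saml:Subject/saml:NameID", namespaces=NS)
    if name_id not in users:
        raise ValueError(f"no SP user has Federation ID {name_id!r}")
    return users[name_id]


def login_result(sp_entity_id=SP_ENTITY_ID, acs_url=ACS_URL, now=NOW):
    """Run the SP-side checks for a given SP configuration and clock; return the username
    on success or the rejection reason. The signature stub accepts everything."""
    now = _ts(now) if isinstance(now, str) else now
    idp = parse_idp_metadata(IDP_METADATA)
    try:
        return validate_response(SAML_RESPONSE, idp, sp_entity_id, acs_url, USERS, now, lambda e, c: True)
    except ValueError as err:
        return f"REJECTED: {err}"


if __name__ == "__main__":
    print(login_result())                                         # matching configuration
    print(login_result(sp_entity_id="https://other-sp.example"))  # Entity Id mismatch
    print(login_result(now="2024-05-01T11:01:00Z"))               # replayed after expiry
```

Each rejection corresponds to a misconfiguration you can hit in the steps above: an Entity Id in the connected app that does not match the SP org fails the Audience check, a wrong ACS URL fails the Destination and Recipient checks, a stale or replayed assertion fails the validity window, and a user without a matching Federation ID in the SP org fails the final lookup even when the assertion itself is valid. The SAML Assertion Validator in the SP org reports the same classes of failure.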