In this post we are going to cover the configuration steps on how to enable the Service Provider(SP) initiated Federated SSO to Salesforce with OAM 11.1.2.3. I have covered about Single Sign-on to Salesforce using OAM 11.1.2.3 in IDP initiated mode in one of my earlier posts. This will will be continuation to those posts.
Once you finish the steps mentioned in earlier posts, You just have to finish the below steps to configure the SP initiated SSO to Salesforce. As described earlier, I have configured my OAM as IDP and Salesforce as SP. In this example, Request for authentication initiates from Salesforce(SP) and redirects it to OAM(IDP) which is nothing but the SP Initiated Single Sign-On.
Example:
Once you finish the steps mentioned in earlier posts, You just have to finish the below steps to configure the SP initiated SSO to Salesforce. As described earlier, I have configured my OAM as IDP and Salesforce as SP. In this example, Request for authentication initiates from Salesforce(SP) and redirects it to OAM(IDP) which is nothing but the SP Initiated Single Sign-On.
Example:
- End-user having accounts on IDP(OAM) and SP(salesforce) side with email as user login.
- End-user will access salesforce URL directly.
- End-user will be authenticated with IDP side credentials and will federate the user back to Salesforce.
- Install and configure OAM 11.1.2.3
- Configure Authentication store for OAM. In my lab, I have configured OUD as authentication store
- Front-end OAM with OHS and protect with OAM
Environment:
- OAM 11.1.2.3 BP07
- RHEL6
- Salesforce
- OUD 11.1.2.3
- OHS 11.1.1.7
- Make sure a domain created for your salesforce instance. In our example, Let is consider it as "https://devfed.my.salesforce.com"
- If domain is not created, created one by navigating as given below
- Settings -> Setup -> Company Settings -> My Domain
- Once the domain is enabled and deployed, Click on Edit to configure the Authentication provider.
- Select the Single sign-provider that your imported earlier as authentication provider now.
- Save the Changes.
- Now search for Single Sign-On Settings and open the current configured SSO Provider.
- Configure the Identity Provider Login URL with your IDP Initiated URL. This is the same OAM protected IDP Initiated Federation URL.
- That's all folks. Now you finished additional configuration required for SP Initiated SSO to Salesforce.
- Lets validate this now.
- Access your Salesforce domain URL directly in the browser.
- This should redirect you back to your configured IDP URL as shown below.
- If you look at the above screenshot, you can see SAML Authentication request initiated from Salesforce(SP) and redirected to OAM IDP URL.
- Enter your IDP credentials and click on Login button.
- After successful authentication, OAM responds back with SAML Response and posts it to Salesforce.
- Similar to IDP initiated SSO, Salesforce will validate the SAML response message and redirect the user to home page.
- You can view the SAML response highlighted in below screenshot.
- You are now landed onto Salesforce with the user you authenticated against IDP.
Thank you for visiting.
