Tuesday, February 28, 2017

SP Initiated SSO to Salesforce

In this post we cover the configuration steps needed to enable Service Provider (SP) initiated federated SSO to Salesforce with OAM 11.1.2.3. I covered single sign-on to Salesforce using OAM 11.1.2.3 in IdP-initiated mode in earlier posts; this post is a continuation of those.
                        
Once you have finished the steps in the earlier posts, only the steps below are needed to configure SP-initiated SSO to Salesforce. As before, OAM is configured as the IdP and Salesforce as the SP. In this flow the authentication request originates at Salesforce (SP), which redirects the browser to OAM (IdP); that is what makes it SP-initiated single sign-on.

Example:

  • The end user has accounts on both the IdP (OAM) and the SP (Salesforce) side, with the email address as the login name.
  • The end user accesses the Salesforce URL directly.
  • The end user authenticates with IdP-side credentials and is federated back to Salesforce.
Pre-requisites:
  • Install and configure OAM 11.1.2.3
  • Configure an authentication store for OAM. In my lab, OUD is the authentication store.
  • Front-end OAM with OHS and protect it with OAM

 Environment:
  • OAM 11.1.2.3 BP07
  • RHEL6
  • Salesforce
  • OUD 11.1.2.3
  • OHS 11.1.1.7 
 Steps:
  • Make sure a My Domain is created for your Salesforce instance. In our example it is "https://devfed.my.salesforce.com".
  • If no domain exists yet, create one by navigating to:
    • Settings -> Setup -> Company Settings -> My Domain
  • Once the domain is enabled and deployed, click Edit to configure the authentication service.
  • Select the single sign-on provider you imported earlier (the OAM IdP) as the authentication service.
  • Save the changes.
  • Now search for Single Sign-On Settings and open the currently configured SSO provider.
  • Set the Identity Provider Login URL to your IdP-initiated URL. This is the same OAM-protected IdP-initiated federation URL used in the earlier posts.
  • That's all. This completes the additional configuration required for SP-initiated SSO to Salesforce.
  • Let's validate it now.
 Validation :
  • Access your Salesforce domain URL directly in the browser.
  • This should redirect you to the configured IdP URL, as shown in the screenshot below.
  • In that screenshot you can see the SAML authentication request (AuthnRequest) initiated by Salesforce (SP) and redirected to the OAM IdP URL.
  • Enter your IdP credentials and click the Login button.
  • After successful authentication, OAM responds with a SAML Response and posts it to Salesforce.
  • As with IdP-initiated SSO, Salesforce validates the SAML Response and redirects the user to the home page.
  • The SAML Response is highlighted in the screenshot below.

  • You have now landed in Salesforce as the user you authenticated against the IdP.
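As an added example (not code from the original post, from OAM or from Salesforce), the following Python shows the two sides of the redirect that the validation step above observes: how an SP encodes an AuthnRequest into the SAMLRequest query parameter of the HTTP-Redirect binding (raw DEFLATE, base64, URL-encoding), and how the IdP side decodes it and decides whether it may answer. The AuthnRequest, the partner record and the IdP SSO endpoint URL are constructed for the example; the Issuer is the providerid from Part-2, while the Assertion Consumer Service URL and the Destination are assumed values.

```python
import base64
import urllib.parse
import zlib
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
MAX_REQUEST_BYTES = 64 * 1024  # cap on the inflated request; the parameter is attacker-controlled

# Constructed stand-in for the OAM SP partner profile created in Part-2.
# The entity ID is the providerid from the post; the ACS URL is an assumed value.
REGISTERED_SP = {
    "entity_id": "https://saml.salesforce.com",
    "acs_urls": {"https://devfed.my.salesforce.com?so=00Dxx0000000000"},
}
# Assumed IdP SSO endpoint under the post's OHS host; not taken from the post.
IDP_SSO_URL = "http://dev.fed.com/oamfed/idp/samlv20"

# Constructed AuthnRequest of the shape an SP sends for SP-initiated SSO.
SAMPLE_AUTHN_REQUEST = """<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed_request_id_1" Version="2.0" IssueInstant="2017-02-28T10:15:00Z"
    Destination="http://dev.fed.com/oamfed/idp/samlv20"
    AssertionConsumerServiceURL="https://devfed.my.salesforce.com?so=00Dxx0000000000"
    ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST">
  <saml:Issuer>https://saml.salesforce.com</saml:Issuer>
  <samlp:NameIDPolicy Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified" AllowCreate="true"/>
</samlp:AuthnRequest>"""


def encode_redirect_request(xml_text: str) -> str:
    """SP side: HTTP-Redirect binding = raw DEFLATE, base64, URL-encode (what lands in ?SAMLRequest=)."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)  # -15: raw deflate stream, no zlib header
    deflated = comp.compress(xml_text.encode("utf-8")) + comp.flush()
    return urllib.parse.quote(base64.b64encode(deflated).decode("ascii"), safe="")


def decode_redirect_request(saml_request_param: str) -> ET.Element:
    """IdP side: reverse the binding, refusing oversized or truncated streams."""
    raw = base64.b64decode(urllib.parse.unquote(saml_request_param), validate=True)
    inflater = zlib.decompressobj(-15)
    xml_bytes = inflater.decompress(raw, MAX_REQUEST_BYTES)
    if inflater.unconsumed_tail or not inflater.eof:
        raise ValueError("SAMLRequest exceeds size limit or is truncated")
    return ET.fromstring(xml_bytes)


def summarize_authn_request(root: ET.Element) -> dict:
    """Pull out what the IdP decides on: who asks, where the Response must go, which NameID format."""
    if root.tag != f"{{{NS['samlp']}}}AuthnRequest":
        raise ValueError(f"not an AuthnRequest: {root.tag}")
    policy = root.find("samlp:NameIDPolicy", NS)
    return {
        "id": root.get("ID"),
        "issue_instant": root.get("IssueInstant"),
        "issuer": root.findtext("saml:Issuer", namespaces=NS),
        "destination": root.get("Destination"),
        "acs_url": root.get("AssertionConsumerServiceURL"),
        "nameid_format": policy.get("Format") if policy is not None else None,
    }


def check_against_partner(summary: dict, partner: dict, idp_sso_url: str) -> list:
    """Checks before answering: the Response may only ever be posted to a registered ACS URL."""
    problems = []
    if summary["issuer"] != partner["entity_id"]:
        problems.append("issuer is not a registered SP partner")
    if summary["acs_url"] is not None and summary["acs_url"] not in partner["acs_urls"]:
        problems.append("AssertionConsumerServiceURL is not registered for this partner")
    if summary["destination"] is not None and summary["destination"] != idp_sso_url:
        problems.append("Destination is not this IdP's SSO endpoint")
    return problems


def process_sp_request(saml_request_param: str) -> tuple:
    """End to end: decode the redirect-binding parameter, summarise it, report any problems."""
    summary = summarize_authn_request(decode_redirect_request(saml_request_param))
    return summary, check_against_partner(summary, REGISTERED_SP, IDP_SSO_URL)


def rejects(saml_request_param: str) -> bool:
    """True if the decoder refuses the parameter (used to exercise the size cap)."""
    try:
        decode_redirect_request(saml_request_param)
        return False
    except (ValueError, zlib.error):
        return True


if __name__ == "__main__":
    param = encode_redirect_request(SAMPLE_AUTHN_REQUEST)
    print("SAMLRequest=" + param[:60] + "...")
    summary, problems = process_sp_request(param)
    print(summary)
    print("problems:", problems or "none")
```

The check that matters most on the IdP is the one on AssertionConsumerServiceURL: an IdP that posts the signed Response to whatever URL the request names hands the user's assertion to anyone who can make a browser send a request, so the URL must be one registered in the partner profile (the imported SP metadata is where such URLs normally come from). The size cap on the inflated request is there because the parameter is attacker-controlled and DEFLATE can expand a few hundred bytes into megabytes.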
 Thank you for visiting.

Tuesday, February 21, 2017

Salesforce SSO with OAM PS3 (11.1.2.3) [Part-2]

  • Click 'Federation' and go to 'Identity Provider administration'.
 
  • Click 'Create Service Provider Partner'.
  • Click 'Browse' in the Service Information section and import the sp_metadata.xml file.
  • Also provide a name and description for this partner profile.
 
  • This populates the service provider details below:
    • providerid (Note: this is needed when building the IdP-initiated SSO URL)
    • signing certificate and its validity
  • Scroll down and update the NameID format as follows:
    • NameID Format: Unspecified (SAML Subject NameID policy)
    • NameID value: User ID Store Attribute => mail (the OUD attribute whose value becomes the SAML Subject; it must match the Salesforce username created below)
  • Click Save. This completes the creation of the service provider partner profile on the OAM side, as shown below.
Test data setup in IDP and SP:
  • Let's create a test user in the IdP authentication store, which is OUD in our lab.
  • Similarly, create a user on the Salesforce side with the same email address as the username.
 
Validation:
  • Finally, let's validate single sign-on to Salesforce.
  • Build the OAM-protected federation URL as below and access it:
    • http://<ohs_host:ohsport>/oamfed/idp/initiatesso?providerid=<SP_partner_providerid>
  • In my environment the URL is:
    • http://dev.fed.com/oamfed/idp/initiatesso?providerid=https://saml.salesforce.com
    • (The lab front-end uses plain HTTP. This endpoint carries user credentials and SAML assertions, so a production deployment should serve it over HTTPS.)
  • Provide the IdP user credentials as shown below and click Submit.
 
  • Hurray... You are now authenticated against the IdP and seamlessly SSO'd into Salesforce.
  • During this SSO, OAM generates a SAML 2.0 message containing the user details and sends it to Salesforce. On the other end, Salesforce receives the message and:
    • validates the sender against the details configured in the IdP partner profile (issuer and signing certificate)
    • identifies the user from the subject of the SAML message
    • redirects the user to the home page
  • We can view the SAML 2.0 message flowing from IdP to SP with browser extensions such as 'SAML tracer' for Firefox.
  • The following is the SAML message generated from IdP to SP in our scenario. Among other things it carries:
    • issuer information
    • NameID policy
    • subject value
    • validity of the assertion
    • audience
  • The purpose of each of these elements is explained in the SAML 2.0 core specification: https://docs.oasis-open.org/security/saml/v2.0/saml-core-2.0-os.pdf
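As an added example (not code from the original post, from OAM or from Salesforce), the following Python validates a SAML Response the way the SP side must before trusting the subject it carries: status, Issuer, Destination, InResponseTo (required for the SP-initiated flow, forbidden for the unsolicited IdP-initiated one shown in this post), Audience, Recipient, and the NotBefore/NotOnOrAfter window with a small clock-skew allowance. The Response XML is constructed to match the post's configuration (NameID format unspecified, populated from the mail attribute, audience https://saml.salesforce.com); the IdP entity ID, the ACS URL, the request ID and the timestamps are assumed values.

```python
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol", "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
STATUS_SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"

# Constructed SP-side view of the trust set up in the post. The SP entity ID is the post's
# providerid; the IdP entity ID and the ACS URL are assumed values, not taken from the post.
SP_CONFIG = {"idp_entity_id": "http://dev.fed.com/oam/fed", "sp_entity_id": "https://saml.salesforce.com",
             "acs_url": "https://devfed.my.salesforce.com?so=00Dxx0000000000"}

# Constructed Response: NameID format 'unspecified' populated from the mail attribute, as the post configures.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0"
    IssueInstant="2017-02-28T10:15:05Z" InResponseTo="_req1"
    Destination="https://devfed.my.salesforce.com?so=00Dxx0000000000">
  <saml:Issuer>http://dev.fed.com/oam/fed</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2017-02-28T10:15:05Z">
    <saml:Issuer>http://dev.fed.com/oam/fed</saml:Issuer>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">jdoe@example.com</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData NotOnOrAfter="2017-02-28T10:20:05Z" InResponseTo="_req1"
            Recipient="https://devfed.my.salesforce.com?so=00Dxx0000000000"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions NotBefore="2017-02-28T10:14:05Z" NotOnOrAfter="2017-02-28T10:20:05Z">
      <saml:AudienceRestriction><saml:Audience>https://saml.salesforce.com</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""
LOGIN_TIME = datetime(2017, 2, 28, 10, 15, 30, tzinfo=timezone.utc)  # constructed: moment of login
REPLAY_TIME = LOGIN_TIME + timedelta(minutes=15)                       # constructed: replay attempt


def parse_saml_time(value):
    """xs:dateTime as SAML uses it: UTC with a trailing 'Z', optional fractional seconds."""
    if not value or not value.endswith("Z"):
        raise ValueError(f"SAML timestamps must be UTC: {value!r}")
    return datetime.strptime(value[:-1].split(".")[0], "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)


def validate_response(xml_text, config, now, expected_request_id=None, skew=timedelta(seconds=60)):
    """Return the asserted NameID once status, Issuer, Destination, InResponseTo, Audience, Recipient
    and the validity window check out. XML Signature verification is NOT done here (see note)."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{NS['samlp']}}}Response":
        raise ValueError("not a samlp:Response")
    code = root.find("samlp:Status/samlp:StatusCode", NS)
    if code is None or code.get("Value") != STATUS_SUCCESS:
        raise ValueError("status is not Success")
    if root.get("Destination") != config["acs_url"]:
        raise ValueError("Destination is not our ACS URL")
    in_response_to = root.get("InResponseTo")
    if expected_request_id is None and in_response_to is not None:
        raise ValueError("unsolicited (IdP-initiated) response must not carry InResponseTo")
    if expected_request_id is not None and in_response_to != expected_request_id:
        raise ValueError("InResponseTo does not match an outstanding AuthnRequest")
    assertions = root.findall("saml:Assertion", NS)
    if len(assertions) != 1:
        raise ValueError("expected exactly one Assertion")
    assertion = assertions[0]
    for issuer in (root.findtext("saml:Issuer", namespaces=NS), assertion.findtext("saml:Issuer", namespaces=NS)):
        if issuer != config["idp_entity_id"]:
            raise ValueError(f"unexpected Issuer {issuer!r}")
    cond = assertion.find("saml:Conditions", NS)
    if cond is None or cond.get("NotOnOrAfter") is None:
        raise ValueError("assertion lacks Conditions/NotOnOrAfter")
    if cond.get("NotBefore") and now + skew < parse_saml_time(cond.get("NotBefore")):
        raise ValueError("assertion not yet valid")
    if now - skew >= parse_saml_time(cond.get("NotOnOrAfter")):
        raise ValueError("assertion expired")
    if config["sp_entity_id"] not in [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]:
        raise ValueError("our entity ID is not in the Audience")
    scd = assertion.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd is None or scd.get("Recipient") != config["acs_url"]:
        raise ValueError("SubjectConfirmationData Recipient is not our ACS URL")
    if scd.get("NotOnOrAfter") and now - skew >= parse_saml_time(scd.get("NotOnOrAfter")):
        raise ValueError("subject confirmation expired")
    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    if name_id is None or not (name_id.text or "").strip():
        raise ValueError("assertion has no NameID")
    return name_id.text.strip()


def failure_reason(xml_text, config, now, expected_request_id=None):
    """Same checks, but return the rejection reason as a string (None when the response is accepted)."""
    try:
        validate_response(xml_text, config, now, expected_request_id)
        return None
    except ValueError as exc:
        return str(exc)


if __name__ == "__main__":
    print("SP-initiated, fresh:", validate_response(SAMPLE_RESPONSE, SP_CONFIG, LOGIN_TIME, "_req1"))
    print("replayed 15 minutes later:", failure_reason(SAMPLE_RESPONSE, SP_CONFIG, REPLAY_TIME, "_req1"))
```

What this deliberately leaves out is XML Signature verification against the IdP signing certificate held in the partner profile. A real SP checks the signature before any of the checks above, with a maintained library (xmlsec or python3-saml, for instance) rather than hand-rolled code, and parses untrusted XML with defusedxml; without the signature check every field above can simply be forged.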
 
  • That's all folks. In future posts I will write about other features of federated SSO with SAML 2.0.
Thanks for visiting..