- Click on 'Federation' and go to 'Identity Provider administration'
- Click on 'Create Service Provider Partner'
- Click on 'browse' in the Service information section and import the sp_metadata.xml file
- Also provide a name and description for this partner profile
- This will populate the service provider details below:
  - providerid (Note: this is required later when building the SSO URL)
  - signing certificate and its validity
- Scroll down and update the NameID format as below:
  - NameID Format: Unspecified (SAML Subject NameID policy)
  - NameID value: UserID Store Attribute => mail (the OUD attribute from which the subject is populated)
- Click on Save. This finishes the creation of the Service Provider partner profile on the OAM side, as shown below.
- Let's create a test user profile in the IDP authentication provider, which is OUD in our lab.
- Similarly, create a user profile on the Salesforce side with the same email as the username.
Validation:
- Finally, let's validate the single sign-on to Salesforce
- Build the OAM protected federation URL as below and access it:
- http://<ohs_host:ohsport>/oamfed/idp/initiatesso?providerid=<SP_partner_providerid>
- From my environment, the URL is:
- http://dev.fed.com/oamfed/idp/initiatesso?providerid=https://saml.salesforce.com
- Provide the IDP user credentials as shown below and click on Submit
- Hurray... Now you are authenticated against the IDP and seamlessly SSO'd into Salesforce
- During this SSO, OAM generates a SAML 2.0 standards-based message including the user details and sends it to Salesforce. On the other end, Salesforce receives this message and:
  - validates the sender against the details configured in the IDP partner profile
  - identifies the user from the subject in the SAML message
  - redirects the user to the home page
- We can view the SAML 2.0 message flowing from IDP to SP with the help of browser extensions like 'SAML tracer' in Firefox.
- Following is the SAML message generated from IDP to SP in our scenario, which carries various details such as:
  - Issuer information
  - NameID policy
  - subject value
  - validity of the assertion
  - audience
- The purpose of all this information is explained well in the SAML 2.0 core specification: https://docs.oasis-open.org/security/saml/v2.0/saml-core-2.0-os.pdf
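As an added example (not from the original post or from OAM/Salesforce), the script below runs the SP-side checks just described over a constructed SAML Response: issuer against the configured partner, validity window, audience against the SP providerid, and the Unspecified-format NameID carrying the mail value. The IDP entity ID, user and timestamps are placeholder values; signature verification against the partner's signing certificate needs an XML-DSig library and is left out.

```python
from datetime import datetime, timezone
import xml.etree.ElementTree as ET
NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
UNSPECIFIED = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
SP_ENTITY_ID = "https://saml.salesforce.com"   # SP providerid from the post
IDP_ENTITY_ID = "http://dev.fed.com/oam/fed"    # assumed IdP issuer, placeholder value
# Constructed sample Response (unsigned); the real one is what 'SAML tracer' shows.
SAMPLE_RESPONSE = f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}">
  <saml:Issuer>{IDP_ENTITY_ID}</saml:Issuer>
  <saml:Assertion>
    <saml:Issuer>{IDP_ENTITY_ID}</saml:Issuer>
    <saml:Subject><saml:NameID Format="{UNSPECIFIED}">testuser@example.com</saml:NameID></saml:Subject>
    <saml:Conditions NotBefore="2024-01-01T10:00:00Z" NotOnOrAfter="2024-01-01T10:05:00Z">
      <saml:AudienceRestriction><saml:Audience>{SP_ENTITY_ID}</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""

def parse_time(value):
    """SAML timestamps are UTC 'Z' strings; return a timezone-aware datetime."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def validate_assertion(xml_text, expected_issuer, expected_audience, now):
    """SP-side checks on the assertion; returns (subject, problems). Signature
    verification against the partner signing certificate is a separate step."""
    problems = []
    assertion = ET.fromstring(xml_text).find("saml:Assertion", NS)
    if assertion is None:
        return None, ["response carries no Assertion"]
    # 1. Sender: Issuer must be the IdP configured in the SP's partner profile
    issuer = assertion.findtext("saml:Issuer", namespaces=NS)
    if issuer != expected_issuer:
        problems.append(f"issuer {issuer!r} is not the configured IdP")
    # 2. Validity window and audience come from <Conditions>
    cond = assertion.find("saml:Conditions", NS)
    if cond is None:
        problems.append("assertion has no Conditions")
    else:
        if not (parse_time(cond.get("NotBefore")) <= now < parse_time(cond.get("NotOnOrAfter"))):
            problems.append("assertion is outside its validity window")
        audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
        if expected_audience not in audiences:
            problems.append(f"audience {audiences} does not name this SP")
    # 3. Subject: NameID (Unspecified format; an absent Format means the same) carries the mail value
    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    if name_id is None or name_id.get("Format", UNSPECIFIED) != UNSPECIFIED:
        problems.append("NameID missing or not in the Unspecified format")
        return None, problems
    return name_id.text, problems
```

Paste the Response captured by SAML tracer into `validate_assertion` with your own IDP and SP entity IDs to see which of the three checks a rejected login fails.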
- That's all, folks. In future posts, I will write about other features of Federated SSO using SAML 2.0.
Thanks for visiting.