Tuesday, February 21, 2017

Salesforce SSO with OAM PS3 ( [Part-2]

  • Click on 'Federation' and Go to 'Identity Provider administration'
  • Click on 'Create Service Provider Partner'
  • Click on 'browse' in Service information section and import the sp_metadata.xml file
  • Also provide the name and description of this partner profile
  • This will populate all the below details of service provider
    • providerid (Note: This is required while building this url for sso)
    • signing certificate and validity
  • Scroll down and update NameID format as below
    • NameID Format: Unspecified (SAML Subject NameID policy)
    • NameID value: UserID Store Attribute => mail  (OUD attribute name from which subject has to be populated)
  • Click on Save. This will finish the creation of Service provider partner profile on OAM side as shown below.
Test data setup in IDP and SP:
  • Lets create a test user profile on IDP authentication provider which is OUD in our lab.
  • Similarly create a user profile on salesforce side with same email as username.
  • Finally now let's validate the single sign-on to salesforce
  • Now build the OAM protected federation url as below and access it.
    • http://<ohs_host:ohsport>/oamfed/idp/initiatesso?providerid=<SP_partner_providerid>
  • From my environment, below is the URL
    • http://dev.fed.com/oamfed/idp/initiatesso?providerid=https://saml.salesforce.com
  • Provide the IDP user credentials as given below and click on submit
  •  Hurray... Now you are authenticated against IDP and seamlessly SSO'd into Salesforce
  • During this SSO, OAM will generate a SAML2.0 standards based message including user details and send it to salesforce. On the other end, salesforce will receive this message 
    • validates the sender with details configured in idp partner profile
    • identifies the user information in saml message
    • Redirects user to the home page
  • We can view SAML2.0 message flowing from IDP to SP with the help of browser extensions like 'SAML tracer' in firefox.
  •  Following is the SAML message that is generated from IDP to SP in our scenario which has various details like
    • Issuer information
    • NameID policy
    • subject value
    • validity of assertion  
    • audience
  • Purpose of all these information is very well explained in the link https://docs.oasis-open.org/security/saml/v2.0/saml-core-2.0-os.pdf
  • That's all folks. In the future posts, I will post about various other features in Federated SSO using SAML2.0
Thanks for visiting..