Tuesday, February 7, 2017

Salesforce SSO with OAM PS3 (11.1.2.3) [Part-1]

This post covers the steps for enabling IdP-initiated SSO to Salesforce using SAML 2.0, with OAM 11.1.2.3 acting as the IdP. Let's understand the scenario before we jump into the SSO configuration.


Example: 
  • The end-user has an account on both the IdP (OAM) and the SP (Salesforce) side, with the email address as the user login.
  • The end-user accesses an OAM-protected, IdP-initiated federation URL.
  • The end-user is authenticated with the IdP-side credentials, and OAM then federates the user to Salesforce.

Pre-requisites:
  • Install and configure OAM 11.1.2.3
  • Configure an authentication store for OAM. In my lab, I have configured OUD as the authentication store
  • Front-end OAM with OHS and protect it with OAM
Environment: 
  • OAM 11.1.2.3
  • RHEL6
  • Salesforce
  • OUD 11.1.2.3
  • OHS 11.1.1.7
Steps:
Let's configure this integration in four stages as shown below:
  • OAM (Identity provider configuration)
  • Salesforce (Service provider configuration)
  • Test data setup in IDP and SP
  • Validation 
OAM (Identity provider configuration):
  • Access the following URL and log in to the OAM Console as an administrator
    • http://<oam_host>:7001/oamconsole
  • Navigate to 'Configuration' ==> 'Available Services'
  • Make sure 'Identity Federation' is enabled
  • Go back to 'Launch Pad' and click on Settings ==> View ==> Federation
  • Make sure the ProviderId is updated with the OHS front-end URL
    • http://<ohs_host:ohs_port>/oam/fed/
  • The ProviderId is the SAML entityID that OAM places in the Issuer of every assertion, and Salesforce checks it against the value it learns from the metadata, so the two strings must match exactly (including the trailing slash). Use the URL end-users actually reach through OHS, not the WebLogic managed server URL, and use https outside a lab.
  • Click on 'Export SAML 2.0 Metadata' and save the XML as "oam_idp_metadata.xml". The export carries the entityID, the SingleSignOnService endpoints and the IdP signing certificate, which is what Salesforce will use to verify the signature on each SAML response.


Salesforce (Service provider configuration):
  • Log in to Salesforce as an administrator and navigate to Single Sign-On Settings
  • Click on 'Edit' and check 'SAML Enabled'
  • Click on 'New from Metadata File' and import the oam_idp_metadata.xml file
  • Click on 'Save'. This creates an 'Identity provider profile' on the Salesforce side, populated with the Issuer (the OAM ProviderId) and the IdP signing certificate from the metadata
  • Click on 'Download Metadata' and save the file as 'sp_metadata.xml'. This exports the service provider metadata.
  • We need to import this sp_metadata.xml file on the identity provider side, which will create a service provider partner profile in OAM
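Before importing either file, it is worth checking that the exported metadata says what you expect: the entityID matches the OHS front-end ProviderId character for character, the endpoints point at the front-end host rather than an internal one, and a signing certificate is present. A mismatch here does not fail at import time; it surfaces later as a rejected SAML response. The following Python script is an added example, not part of the original post and not OAM or Salesforce code. It parses a SAML 2.0 EntityDescriptor (either the OAM IdP export or the Salesforce SP export), prints the entityID, the endpoints and the SHA-256 fingerprint of each signing certificate, and flags an entityID mismatch, plain-http endpoints and a missing signing key. The embedded sample metadata, the host ohs.example.com:7777 and the certificate payload are constructed placeholders, not a real export.

```python
"""Sanity-check a SAML 2.0 metadata file before exchanging it between OAM and Salesforce.

Added example: works on either the IdP export (oam_idp_metadata.xml) or the SP
export (sp_metadata.xml). Hostnames and the certificate payload below are
constructed placeholders, not a real OAM or Salesforce export.
"""
import base64
import hashlib
import sys
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed sample shaped like an OAM IdP metadata export. The X509Certificate
# payload is the base64 of a placeholder string, not a real certificate.
SAMPLE_IDP_METADATA = """<?xml version="1.0" encoding="UTF-8"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="http://ohs.example.com:7777/oam/fed/">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data>
        <ds:X509Certificate>UExBQ0VIT0xERVJfQ0VSVF9CWVRFUw==</ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="http://ohs.example.com:7777/oamfed/idp/samlv20"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="http://ohs.example.com:7777/oamfed/idp/samlv20"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""


def sha256_fingerprint(der):
    """Colon-separated SHA-256 fingerprint of a DER certificate blob."""
    return ":".join("%02X" % b for b in hashlib.sha256(der).digest())


def parse_metadata(xml_text):
    """Extract role, entityID, endpoints and signing-cert fingerprints from an EntityDescriptor."""
    data = xml_text.encode("utf-8") if isinstance(xml_text, str) else xml_text
    root = ET.fromstring(data)
    if root.tag != "{%s}EntityDescriptor" % NS["md"]:
        raise ValueError("root element is not a SAML 2.0 md:EntityDescriptor")
    desc = root.find("md:IDPSSODescriptor", NS)
    if desc is not None:
        role, endpoint_tag = "IdP", "md:SingleSignOnService"
    else:
        desc = root.find("md:SPSSODescriptor", NS)
        if desc is None:
            raise ValueError("no IDPSSODescriptor or SPSSODescriptor found")
        role, endpoint_tag = "SP", "md:AssertionConsumerService"
    endpoints = [(e.get("Binding"), e.get("Location")) for e in desc.findall(endpoint_tag, NS)]
    certs = []
    for kd in desc.findall("md:KeyDescriptor", NS):
        # Per the SAML metadata spec, a KeyDescriptor with no 'use' covers both signing and encryption.
        if "signing" not in kd.get("use", "signing encryption"):
            continue
        for c in kd.findall(".//ds:X509Certificate", NS):
            der = base64.b64decode("".join((c.text or "").split()))
            certs.append(sha256_fingerprint(der))
    return {"role": role, "entity_id": root.get("entityID"),
            "endpoints": endpoints, "signing_certs": certs}


def check_metadata(info, expected_entity_id):
    """List the problems that would make the partner reject or fail to verify SAML messages."""
    problems = []
    if info["entity_id"] != expected_entity_id:
        problems.append("entityID %r does not exactly match expected %r"
                        % (info["entity_id"], expected_entity_id))
    if not info["signing_certs"]:
        problems.append("no signing certificate: the partner cannot verify signatures")
    if not info["endpoints"]:
        problems.append("no SSO/ACS endpoints published")
    for binding, location in info["endpoints"]:
        if not (location or "").startswith("https://"):
            problems.append("endpoint not https: %s (%s)" % (location, binding))
    return problems


def report(xml_text, expected_entity_id):
    """Print a human-readable summary and return the problem list (empty means clean)."""
    info = parse_metadata(xml_text)
    print("%s metadata for entityID %s" % (info["role"], info["entity_id"]))
    for binding, location in info["endpoints"]:
        print("  endpoint %s -> %s" % ((binding or "?").rsplit(":", 1)[-1], location))
    for fp in info["signing_certs"]:
        print("  signing cert SHA-256 %s" % fp)
    problems = check_metadata(info, expected_entity_id)
    for p in problems:
        print("  PROBLEM: %s" % p)
    return problems


if __name__ == "__main__":
    # Usage: python check_saml_metadata.py <metadata.xml> <expected entityID>; no args runs the sample.
    if len(sys.argv) == 3:
        with open(sys.argv[1], "rb") as f:
            sys.exit(1 if report(f.read(), sys.argv[2]) else 0)
    report(SAMPLE_IDP_METADATA, "http://ohs.example.com:7777/oam/fed/")
```

Run it against oam_idp_metadata.xml with the ProviderId you set in the Federation settings as the second argument, and again against sp_metadata.xml with the Salesforce entityID once you have that file. On the sample above the script reports the two plain-http endpoints as problems, which is exactly what a lab setup fronted by http OHS will show; in production those should be https. Comparing the printed certificate fingerprint with the certificate OAM shows under its federation keystore is a quick way to confirm you exported the right signing key.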
To be continued in Part-2....