Integrating Salesforce with WSO2 Identity Server

This blog post focuses on enabling SAML 2 based Single Sign on for Salesforce, using the WSO2 Identity Server as the identity provider.

Prerequisites

WSO2 Identity Server

The WSO2 Identity Server download link and the installation guide are given below,

Step-by-Step Process

Step 1 : Configuring Salesforce
  1. Go to Salesforce and create an account.
  2. A domain name needs to be registered in order to redirect the login to WSO2 IS Authentication page. For this, login to salesforce with the newly created credentials and click on the Settings tab on the top right corner then select Setup Home.
  3. Expand the Company Settings tag from the left pane, then click on the My Domain link.
  4. Create a domain, for example samlssoexample.my.salesforce.com and deploy it. You will receive an email once the domain has been created.
  5. Expand the Identity tag from the left pane, then click on Single Sign-On Settings.
  6. Under Federated Single Sign-On Using SAML, click on the Edit button and tick the SAML Enabled Checkbox.
  7. Under SAML Single Sign-On Settings, click on the New Button, then fill out the details as below.
Name WSO2IS
API Name WSO2_IS
Issuer https://localhost:9443/samlsso [1]
Entity ID https://saml.salesforce.com
Identity Provider Certificate Download file from here [2]
Request Signing Certificate Default Certificate
Request Signature Method RSA-SHA1
Assertion Decryption Certificate Assertion not encrypted
SAML Identity Type Assertion contains User’s salesforce.com username
SAML Identity Location Identity is in the NameIdentifier element of the Subject statement
Service Provider Initiated HTTP POST
Identity Provider Login URL https://localhost:9443/samlsso
Identity Provider Logout URL https://localhost:9443/samlsso
User Provisioning Enabled Unchecked

[1] The issuer value should be equal to the entity value configured in the Identity Provider of the WSO2 Identity Server.

[2] The certificate file given corresponds to the default certificate used by the WSO2 IS. If a new certificate is used, an Idp with the certificate should be registered in the WSO2 IS.

The final configuration is given below.

config

8. Go back to the Domain Settings as in step 1.3

9. Under Authentication Configuration click on the Edit button then check the WSO2IS tick box and uncheck the Login Page checkbox.

10. Log out and close Salesforce.

Step 2 : Configuring WSO2 IS
  1. Start the WSO2 identity server and login to the server from https://localhost:9443/carbon/admin/login.jsp .
  2. Under Service Providers, click on Add and give a name and then Register.
  3. Then expand the Inbound Authentication Configuration under that expand SAML2 Web SSO Configuration then click on Configure.
  4. Give the configurations as below.
Issuer https://saml.salesforce.com
Assertion Consumer URL Check below
Use fully qualified username in the NameID Check
Enable Response Signing Check
Enable Response Signing Check
Enable Attribute Profile Check
Include Attributes in the Response Always Check
Enable IdP Initiated SSO Check

Leave the rest as default.

The Assertion Consumer URL can be found from the Single Sign-On Settings in Salesforce. Navigate to the SSO settings as shown in step 1.5 then click on WSO2IS. On the bottom of the page is an attribute called Salesforce Login URL. This URL is used as the Assertion Consumer URL.  

Then register the service provider.

The Final Configuration is given below.

IS

5. To check the authentication, a user with the same credentials used to create the Salesforce account is needed in the Identity Server. For this, Click on Configure on the left-most pane of the Identity Server Management Console, then click on Users and Roles from the left pane. Click on Users, then Add a new user, using the same credentials used for the Salesforce account.

Step 3 : Use SSO

Start the WSO2 Identity Server then goto the newly registered domain name url. The page should be redirected to the WSO2 Identity Server authentication page. If the configurations are correct,  when the credentials are given the page should be redirected to the dashboard of the logged in user.

Advertisements

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s