Salesforce: Configure SSO to Simpplr using Microsoft ADFS as the Identity Provider

Table of Contents

Install ADFS Software

Enable and Deploy My Domain on your Salesforce Org

Configure SAML 2.0

Configure ADFS 2.0

User Provisioning from Active Directory to Salesforce

Control User Access

ADFS 2.0 Configuration

Install ADFS Software

  1. Start by installing Windows Server 2008 R2, Windows Server 2012 or Windows Server 2012 R2. The ADFS server must be joined to an Active Directory domain.
  2. Create a friendly DNS name for the federation service, such as adfs.testzone.local (replace testzone with your domain name), and point it at your ADFS server.
  3. Obtain an SSL certificate for that DNS name from a certificate authority and install it on the ADFS server. Simpplr requires a CA-issued certificate for the ADFS service; its subject or a subject alternative name must match the friendly DNS name.
  4. Run the AD FS server configuration wizard.
  5. Choose to create a new Federation Service.
  6. Select Stand-alone federation server. This suits a test deployment; a stand-alone server cannot later be joined to a farm, so for production choose a new federation server farm instead.
  7. Select the certificate issued for your friendly DNS name and click Finish.

Enable and Deploy My Domain on your Salesforce Org

The Salesforce My Domain feature lets you choose a custom subdomain for your org; a My Domain URL looks like https://customer.my.salesforce.com. It is needed here because SP-initiated SAML login (opening the Salesforce URL and being redirected to ADFS) only works through an org-specific domain.

  1. In your Salesforce org, click Setup and enter Domain in the Quick Find box.
  2. Click Domains > Add a Domain.
  3. Enter your custom domain name in the Domain Name field and click Save. Once Salesforce reports the domain as ready, log in through the new URL to verify it and deploy it to your users; the SSO test later in this guide uses this URL.

Configure SAML 2.0

  1. In the ADFS 2.0 MMC snap-in, open Service > Certificates and double-click the token-signing certificate to view it. Click the Details tab and select Copy to File, then save the certificate in DER format (.cer). If ADFS lists both a primary and a secondary token-signing certificate (automatic certificate rollover), export the primary.
  2. From the ADFS server, browse to the federation metadata URL, shown in the ADFS MMC under Service > Endpoints > Metadata with Type: Federation Metadata. In this example the URL is https://adfs.testzone.local/FederationMetadata/2007-06/FederationMetadata.xml (replace adfs.testzone.local with your own host name).
  3. Copy the value of the entityID attribute on the root EntityDescriptor element exactly as shown; Salesforce compares it character for character against the Issuer of every assertion. This article's example is http://adfs.testzone.local; a default ADFS installation publishes the form http://<ADFS FQDN>/adfs/services/trust, so take whatever your metadata shows rather than typing it.

    Note

    To check that ADFS is working, open https://<ADFS FQDN>/adfs/ls/IdpInitiatedSignon.aspx (replace <ADFS FQDN> with the host name of your ADFS server). You are prompted for credentials and, after signing in, see a success message. On ADFS 2.0 this page is enabled by default; on Windows Server 2016 and later it is disabled by default and must be turned on with Set-AdfsProperties -EnableIdpInitiatedSignonPage $true.
  4. Back in Salesforce, from Setup, enter Single Sign-On in the Quick Find box and select Single Sign-On Settings.
  5. Select SAML Enabled, click New, and configure the settings below.
  • Issuer - Paste the entityID value copied from the metadata.
  • Identity Provider Certificate - Browse to the token-signing certificate (.cer) exported earlier. Salesforce verifies assertion signatures with it, so when ADFS rolls over its token-signing certificate this upload must be replaced or logins fail.
  • Request Signing Certificate - The certificate Salesforce uses to sign SP-initiated requests. Choose the default certificate or one created under Certificate and Key Management.
  • Request Signature Method - This guide used RSA-SHA1. RSA-SHA256 is the stronger choice and is supported by ADFS 2.0; whichever you pick, the Secure hash algorithm on the relying party trust's Advanced tab in ADFS must match, otherwise ADFS rejects the signed requests.
  • SAML Identity Type - Salesforce matches the asserted identity against either the Salesforce username or the Federation ID. If you match on Federation ID, every user record must have it populated with exactly the value ADFS sends.
  • SAML Identity Location - Use the NameID element of the Subject; the ADFS claim rules below put the user's UPN there.
  • Service Provider Initiated Request Binding - HTTP POST is recommended.
  • Identity Provider Login URL - The ADFS SAML endpoint, https://adfs.testzone.local/adfs/ls/ in this example (published in the metadata as the SingleSignOnService location). Salesforce redirects users here to log in; after ADFS authenticates them they land on their Simpplr home page.
  • Save the settings and download the metadata XML file (Download Metadata); the next section imports it into ADFS.
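The Issuer, certificate and login URL asked for above can be read straight out of the federation metadata from step 2. The following PowerShell script is an added example, not part of the original article or of Simpplr's own tooling. It assumes the article's example host adfs.testzone.local and Windows PowerShell 3 or later, and it embeds a constructed, cut-down metadata document (with a placeholder certificate body) so that it runs offline; on a real host you would uncomment the Invoke-WebRequest line and fetch the live document over HTTPS.

```powershell
# Added example, not part of the original article: read the ADFS federation
# metadata and pull out the three values Salesforce asks for in this section
# (Issuer, Identity Provider Certificate, Identity Provider Login URL) so none
# of them is retyped by hand. adfs.testzone.local is the article's example host.
# Requires Windows PowerShell 3 or later.

$MetadataUrl = 'https://adfs.testzone.local/FederationMetadata/2007-06/FederationMetadata.xml'

# On a host that can reach ADFS, fetch the live document over HTTPS:
#   [xml]$Metadata = (Invoke-WebRequest -Uri $MetadataUrl -UseBasicParsing).Content
# The constructed, cut-down document below stands in for it so the script runs
# offline. Its X509Certificate body is base64 of the word "placeholder", not a
# real certificate, so the parser reports it as unparsable.
[xml]$Metadata = @'
<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
                  xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
                  entityID="http://adfs.testzone.local/adfs/services/trust">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data>
        <ds:X509Certificate>cGxhY2Vob2xkZXI=</ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo>
    </KeyDescriptor>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
                         Location="https://adfs.testzone.local/adfs/ls/" />
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
                         Location="https://adfs.testzone.local/adfs/ls/" />
  </IDPSSODescriptor>
</EntityDescriptor>
'@

function Get-AdfsSamlSettings {
    param([Parameter(Mandatory)][xml]$Metadata)

    $ns  = @{ md = 'urn:oasis:names:tc:SAML:2.0:metadata'; ds = 'http://www.w3.org/2000/09/xmldsig#' }
    $idp = '/md:EntityDescriptor/md:IDPSSODescriptor'

    # Issuer: Salesforce compares this string exactly against the assertion Issuer.
    $issuer = (Select-Xml -Xml $Metadata -Namespace $ns -XPath '/md:EntityDescriptor/@entityID').Node.Value

    # Login URL: the HTTP-POST SingleSignOnService endpoint, matching the
    # HTTP POST request binding chosen in the Salesforce settings.
    $post     = 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST'
    $loginUrl = (Select-Xml -Xml $Metadata -Namespace $ns `
                   -XPath "$idp/md:SingleSignOnService[@Binding='$post']/@Location").Node.Value

    # Signing certificates: during token-signing rollover ADFS publishes both the
    # primary and the secondary, so collect every one; the admin uploads the one
    # marked Primary in the ADFS console.
    $certs = @(Select-Xml -Xml $Metadata -Namespace $ns `
                 -XPath "$idp/md:KeyDescriptor[@use='signing']/ds:KeyInfo/ds:X509Data/ds:X509Certificate" |
      ForEach-Object {
        try {
            $der = [Convert]::FromBase64String(($_.Node.InnerText -replace '\s', ''))
            $x   = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 `
                       -ArgumentList (,$der) -ErrorAction Stop
            [pscustomobject]@{ Thumbprint = $x.Thumbprint; NotAfter = $x.NotAfter; Der = $der }
        } catch {
            # Placeholder or corrupt blob: report it, but do not write a .cer for it.
            [pscustomobject]@{ Thumbprint = '(not a parsable X.509 certificate)'; NotAfter = $null; Der = $null }
        }
      })

    [pscustomobject]@{ Issuer = $issuer; LoginUrl = $loginUrl; SigningCertificates = $certs }
}

$settings = Get-AdfsSamlSettings -Metadata $Metadata

"Issuer                      : $($settings.Issuer)"
"Identity Provider Login URL : $($settings.LoginUrl)"

# A swapped or tampered metadata file would send logins somewhere else, so check
# the login endpoint is an https URL on the host the metadata came from.
$metaHost = ([uri]$MetadataUrl).Host
$loginUri = [uri]$settings.LoginUrl
if ($loginUri.Scheme -ne 'https' -or $loginUri.Host -ne $metaHost) {
    Write-Warning "Login URL $($settings.LoginUrl) is not an https endpoint on $metaHost"
}

$i = 0
foreach ($c in $settings.SigningCertificates) {
    $i++
    "Signing certificate #$i    : thumbprint=$($c.Thumbprint) expires=$($c.NotAfter)"
    if ($c.Der) {
        # DER-encoded .cer, the same format as the MMC export in step 1; upload the
        # primary one as Identity Provider Certificate in Salesforce.
        [IO.File]::WriteAllBytes((Join-Path (Get-Location) "adfs-signing-$i.cer"), $c.Der)
    }
}
```

Fetch the metadata over HTTPS from the ADFS server itself rather than accepting a copy passed around by mail: whoever can substitute the Issuer, certificate or login URL decides which identity provider Salesforce trusts.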

Configure ADFS 2.0

Now that you have the Salesforce metadata, create the ADFS side of the trust. Open the ADFS 2.0 MMC snap-in and add a new Relying Party Trust.

  1. Select Data Source - Import data about the relying party from a file, and choose the metadata XML file you downloaded from Salesforce.
  2. Specify Display Name - Give the trust a display name such as Salesforce Test.
  3. Choose Issuance Authorization Rules - Permit all users to access this relying party. Any authenticated AD user can then obtain a token for Salesforce; whether they get a Salesforce account depends on the claim rules and provisioning configured below. Tighten this rule later if access should be limited to the Salesforce groups.
  4. Finish the wizard with Open the Edit Claim Rules dialog selected.
  5. In the claim rules editor, on the Issuance Transform Rules tab, click Add Rule and set the Claim rule template to Send LDAP Attributes as Claims.
  6. Claim rule name - For testing, send the attribute User-Principal-Name as NameID and call the rule Send UPN as NameID. In production it is common to send the user's email address or employee ID instead. Use an attribute whose value is unlikely to change over time, because any change invalidates SSO for that user until the Salesforce record is updated to match.
  7. Attribute store - Active Directory; LDAP Attribute - User-Principal-Name.
  8. Outgoing Claim Type - Name ID.

More claims are added in the user provisioning section below; the rule above is enough to test SSO. Create a user in Active Directory, then create the same user in Salesforce with the username or Federation ID matching the UPN (whichever SAML Identity Type you chose). Open https://customer.my.salesforce.com (replace customer with your own My Domain name). You are redirected to the ADFS login page, or, if group policy has configured browsers in your domain for integrated Windows authentication against the ADFS site, you are signed in silently and taken to the Simpplr home dashboard.

 

User Provisioning from Active Directory to Salesforce

To enable user provisioning, open your Salesforce org and, from Setup, enter Single Sign-On in the Quick Find box and select Single Sign-On Settings. Edit the SAML configuration created earlier and check User Provisioning Enabled.

Set User Provisioning Type to Custom SAML JIT with Apex handler, and in Execute Handler As select the Salesforce administrator account the handler runs as. The handler creates and updates users with that account's permissions, using the User.* claims ADFS sends (configured below), so use a dedicated administrator account rather than a person's own login.

 

Control User Access

User and administrator access is controlled from Active Directory. Create two security groups named Salesforce_Users and Salesforce_Administrators and note each group's SID: the claim rules in the next section turn membership in these groups into the Salesforce profile (User.ProfileId) that the provisioning handler assigns, and the SIDs are what you paste into those rules.

 

ADFS 2.0 Configuration

Once the groups exist, go back to the ADFS server and add the claims the provisioning handler needs. Every rule below is added on the Issuance Transform Rules tab of the relying party trust created earlier.

  1. Open the AD FS Management console.
  2. Select Relying Party Trusts, select the trust you created, and in the Actions pane click Edit Claim Rules (called Edit Claim Issuance Policy in newer ADFS versions).
  3. Click Add Rule.
  4. In Claim rule template, select Send Claims Using a Custom Rule.
  5. Name the rule Send User.ProfileId for Salesforce Standard Users.
  6. In the Custom rule box, enter:

    c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid",
       Value == "S-1-5-21-373943257-4269953572-2958693216-1131",
       Issuer == "AD AUTHORITY"]
     => issue(Type = "User.ProfileId", Value = "00e1N000001kqJ9",
              Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, ValueType = c.ValueType);

    Note: replace the SID with that of your Salesforce_Users group (for example from Get-ADGroup Salesforce_Users | Select-Object SID) and the Value with the 15-character ID of the Salesforce profile these users should receive, which is the ID shown in the URL when you open the profile in Setup.
  7. Add another rule with the same template and name it Send User.ProfileId for Salesforce Admin Users.
  8. In the Custom rule box, enter:

    c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid",
       Value == "S-1-5-21-373943257-4269953572-2958693216-1132",
       Issuer == "AD AUTHORITY"]
     => issue(Type = "User.ProfileId", Value = "00e1N000001kqIY",
              Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, ValueType = c.ValueType);

    Note: replace the SID with that of your Salesforce_Administrators group and the Value with the administrators' profile ID. Keep the two groups mutually exclusive: a user in both would be sent two User.ProfileId claims.
  9. Add a third custom rule that passes the user attributes and name it Send claim for Simpplr User.
  10. In the Custom rule box, enter:

    c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname",
       Issuer == "AD AUTHORITY"]
     => issue(store = "Active Directory",
              types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier",
                       "User.Email", "User.FirstName", "User.LastName", "User.Username",
                       "User.Department", "User.City", "User.Street", "User.Country",
                       "User.Zip", "User.Phone"),
              query = ";userPrincipalName,mail,givenName,sn,userPrincipalName,department,l,streetAddress,co,postalCode,mobile;{0}",
              param = c.Value);

    The types and the attributes in the query are matched by position: nameidentifier and User.Username both come from userPrincipalName, User.Email from mail, User.City from l, and so on, so keep the two lists in step if you change either. This rule also issues the NameID from userPrincipalName, which duplicates the Send UPN as NameID test rule; keep only one of the two so the assertion carries a single NameID.

 

To test these settings, add a user to one of the security groups and have them open https://customer.my.salesforce.com (replace customer with your own My Domain name). After signing in at ADFS the user should be redirected to the Simpplr home page, and a Salesforce user with the profile mapped from their group should now exist in Setup > Users.
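The same rules can be applied from PowerShell, which avoids pasting SIDs by hand. The script below is an added example, not part of the original article or of Simpplr's own configuration. It assumes the trust is named Salesforce Test (the display name used earlier), that the groups are Salesforce_Users and Salesforce_Administrators, that the two profile IDs are placeholders for your own Salesforce profile IDs, and that it runs on the ADFS server with the ActiveDirectory and ADFS PowerShell modules. It resolves the group SIDs from the directory, includes the NameID rule because Set-AdfsRelyingPartyTrust replaces the whole rule set, and goes one step beyond the article by replacing the wizard's Permit all users authorization rule with rules that permit only the two groups.

```powershell
# Added example, not part of the original article: apply this section's claim
# rules with PowerShell. Group SIDs are resolved from AD instead of pasted, and
# issuance authorization is narrowed to the two Salesforce groups. Assumptions
# (not from the article): the trust is named "Salesforce Test", the profile IDs
# are placeholders for your own, and the ActiveDirectory and ADFS modules are
# available (Windows PowerShell 3 or later; on ADFS 2.0 / Server 2008 R2 use
# Add-PSSnapin Microsoft.Adfs.PowerShell instead of Import-Module ADFS).

Import-Module ActiveDirectory
Import-Module ADFS

$TrustName      = 'Salesforce Test'
$UserProfileId  = '00e1N000001kqJ9'   # replace: Salesforce profile for Salesforce_Users
$AdminProfileId = '00e1N000001kqIY'   # replace: Salesforce profile for Salesforce_Administrators

$GroupSidType   = 'http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid'
$WinAccountType = 'http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname'
$NameIdType     = 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier'
$PermitType     = 'http://schemas.microsoft.com/authorization/claims/permit'

# Resolve the SIDs from the directory; a mistyped digit in a pasted SID would
# silently stop the profile claim from ever matching.
$UsersSid  = (Get-ADGroup -Identity 'Salesforce_Users').SID.Value
$AdminsSid = (Get-ADGroup -Identity 'Salesforce_Administrators').SID.Value

# The article's "Send User.ProfileId ..." rule, parameterised by group and profile.
function New-ProfileIdRule {
    param([string]$Name, [string]$GroupSid, [string]$ProfileId)
    @"
@RuleName = "$Name"
c:[Type == "$GroupSidType", Value == "$GroupSid", Issuer == "AD AUTHORITY"]
 => issue(Type = "User.ProfileId", Value = "$ProfileId", Issuer = c.Issuer,
          OriginalIssuer = c.OriginalIssuer, ValueType = c.ValueType);

"@
}

# -IssuanceTransformRules replaces the whole rule set, so the NameID rule from
# the test setup (Send LDAP Attributes as Claims, UPN -> Name ID) must be included.
$NameIdRule = @"
@RuleName = "Send UPN as NameID"
c:[Type == "$WinAccountType", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("$NameIdType"),
          query = ";userPrincipalName;{0}", param = c.Value);

"@

# The article's attribute rule, minus its nameidentifier entry (the rule above
# already supplies the NameID) and minus the stray space before streetAddress.
# Types and query attributes are matched by position.
$AttributeRule = @"
@RuleName = "Send claim for Simpplr User"
c:[Type == "$WinAccountType", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory",
          types = ("User.Email", "User.FirstName", "User.LastName", "User.Username",
                   "User.Department", "User.City", "User.Street", "User.Country",
                   "User.Zip", "User.Phone"),
          query = ";mail,givenName,sn,userPrincipalName,department,l,streetAddress,co,postalCode,mobile;{0}",
          param = c.Value);

"@

$TransformRules = (New-ProfileIdRule 'Send User.ProfileId for Salesforce Standard Users' $UsersSid  $UserProfileId) +
                  (New-ProfileIdRule 'Send User.ProfileId for Salesforce Admin Users'    $AdminsSid $AdminProfileId) +
                  $NameIdRule + $AttributeRule

# Issuance authorization: the wizard's "Permit all users" lets any AD account
# obtain a token for Salesforce. These rules permit only the two groups; every
# other account is denied because no permit claim is issued for it.
$AuthorizationRules = @"
@RuleName = "Permit Salesforce_Users"
c:[Type == "$GroupSidType", Value == "$UsersSid", Issuer == "AD AUTHORITY"]
 => issue(Type = "$PermitType", Value = "true");

@RuleName = "Permit Salesforce_Administrators"
c:[Type == "$GroupSidType", Value == "$AdminsSid", Issuer == "AD AUTHORITY"]
 => issue(Type = "$PermitType", Value = "true");

"@

# Must equal the Request Signature Method chosen in the Salesforce SSO settings:
# rsa-sha1 if you followed the article as written, rsa-sha256 if you chose it there.
$SignatureAlgorithm = 'http://www.w3.org/2001/04/xmldsig-more#rsa-sha256'   # or 'http://www.w3.org/2000/09/xmldsig#rsa-sha1'

Set-AdfsRelyingPartyTrust -TargetName $TrustName `
    -IssuanceTransformRules     $TransformRules `
    -IssuanceAuthorizationRules $AuthorizationRules `
    -SignatureAlgorithm         $SignatureAlgorithm

# Read the result back to confirm the rules landed on the intended trust.
(Get-AdfsRelyingPartyTrust -Name $TrustName).IssuanceTransformRules
```

After this runs, an AD user who is in neither group is refused a token at ADFS instead of arriving in Salesforce without a User.ProfileId claim. Because -IssuanceTransformRules overwrites every rule on the trust, run (Get-AdfsRelyingPartyTrust -Name 'Salesforce Test').IssuanceTransformRules first and fold in any rules you added outside this guide.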

 

Note:

Deprovisioning is a manual process. Disabling the account in Active Directory stops ADFS from authenticating the user, but the Salesforce user record stays active until it is deactivated in Salesforce, and a Salesforce password set on that record keeps working unless password login is switched off in the My Domain authentication configuration. Removing the user from Salesforce_Users or Salesforce_Administrators only changes the claims ADFS sends; with the default Permit all users authorization rule the account can still authenticate to the relying party. For the steps to deactivate users in Salesforce, see Salesforce Help.