Sunday, August 20, 2023

How to configure a Connected App for SAML 2.0 Flow in Salesforce for integration service provider?

Security Assertion Markup Language (SAML) is the protocol that enables single sign on between applications. This is helpful when we do not want to remember the credentials of both systems and want to login to other system using credentials of first system.

Let us understand some key terms in SAML flow using the below example:

Identity Provider: The system whose credentials will be used to login is Identity provider.

Service Provider: The system where we will finally land after successful authentication is Service Provider.

Now, let us try to understand complete SAML process by taking example of two Salesforce orgs.

Let say first Salesforce org as IDTYORG 1 which will be our identity provider.

Let say second Salesforce org as SERVORG 2 which will be our service provider.

Enabling Salesforce org IDTYORG 1 as a SAML Identity Provider

You can enable your Salesforce org as a single sign-on (SSO) SAML identity provider to external service providers. When your org acts as a SAML identity provider, your users can access multiple apps with a single login of identity provider. 

From Setup, in the Quick Find box, enter Identity Provider, then select Identity Provider.

Click Enable Identity Provider.

Select a certificate from the dropdown menu.

Note: Determine which certificate you want to use to enable your org to communicate with the service provider. You can use the default certificate or create your own. By default, a Salesforce identity provider uses a self-signed certificate generated with the SHA-256 signature algorithm.

Save your changes.

Now, we need to give our service provider org i.e Salesforce org SERVORG 2 information about our identity provider. Depending on what format your service provider supports, you can share this information as metadata in an XML file or as a certificate. Access the information as shown below.

From Setup, in the Quick Find box, enter Identity Provider, and then select Identity Provider.

If your service provider supports metadata, click Download Metadata. If your service provider supports certificates, click Download Certificate.

After you enable Salesforce org IDTYORG 1 as an identity provider, go to SERVORG 2 and enable SAML as shown below.

Setup > Single Sign-On Settings and then check the “SAML Enabled” flag to True and then click on “New from Metadata File” it will ask you to select Metadata File.

Image 1:

Image 2:

Now, upload the Metadata file which we have downloaded after setting up identity provider in Salesforce org IDTYORG 1 and click create. After you click create it will auto populate all the information in the screen shown below.

Couple of important information about the fields displayed above are as below.

1) You can change the “SAML Identity Type” to do assertion based on how you want to do assertion. In this example we are doing assertion using “Federation ID” on user object. Assertion here simply means we will validate the user username or Federation ID or user ID if it is same in both orgs or not.

2) In Identity provider certificate upload the certificate which we have downloaded after setting up identity provider in Salesforce org IDTYORG 1

3) Under “Request Signing Certificate”, service provider can also create its own self signed certificate and select it under “Request Signing Certificate” which will be used to sign SAML assertion. This can be done by creating a self-signed certificate under Setup > Certificate and Key Management, once you create the certificate it will be available for selection under “Request Signing Certificate”.

4) As we are doing SAML assertion based on Federation ID, let say if user does not exist in SERVORG 2 with the same Federation ID we won’t be able to login SERVORG 2. In this case we can make use of Just-in-Time Provisioning to create a user in runtime in SERVORG 2.

Use Just-in-Time (JIT) provisioning to automatically create a user account in your Salesforce org the first time a user logs in with a SAML identity provider. JIT provisioning can reduce your workload and save time because you don’t provision users or create user accounts in advance.
With JIT provisioning, an identity provider passes user information to Salesforce in a SAML 2.0 assertion, which is processed by an Apex JIT handler class. The JIT handler does the heavy lifting of creating and updating user accounts. To let Salesforce manage the JIT handler for you, configure standard JIT provisioning. If you want more control, configure JIT provisioning with a custom handler.

As of now we are not enabling JIT for our case.

Now, we are done with SAML setup in Service Provider org SERVORG 2. Now it’s time to create a Connected APP in Identity Provider org IDTYORG 1.

Go to Setup > App > Create a Connected APP as shown below.

Couple of important information about the fields displayed above are as below.

Entity Id the globally unique ID of the service provider. If you’re accessing multiple apps from your service provider, define the service provider. Then use the RelayState parameter to append the URL values to direct the user to the correct app after signing in.

ACS URL (Assertion Consumer Service) the service provider’s endpoint that receives SAML assertions. Copy paste the login URL from Service Provider in ACS URL under Connected App in Identity Provider org.

Enable Single Logout under Connected App in Identity Provider org and under Single Sign On settings in Service Provider org. Copy paste the Logout URL from Service Provider in Single Logout URL under Connected App in Identity Provider org. Single Logout Binding in Connected App in Identity Provider org should be same as Single Logout Request Binding in Service Provider org.

Subject Type under Identity Provider org should be same as SAML Identity Type under Service Provider org.
IdP Certificate should be your Identity provider certificate.

If we want to enforce additional security we can check the checkbox Verify Request Signatures, it will ask you to upload certificate. This certificate is nothing but the self-signed certificate in Service Provider org under Single Sign On setting as shown below. Download it from Service Provider org and upload it under Connected App in Identity Provider org. The certificate is only necessary if you plan to initiate logging in to Salesforce from the service provider and the service provider signs its SAML requests.

Now, it’s time to test our integration.
Give user profile access to Connected App with whom we want to test the integration.
Note: Even if the user is System Administrator, the access to Connected App is not given by default. 

Now, go to Connected App click on Manage and click on “IdP-Initiated Login URL” in the below image. You will be able to see we are getting redirected to Service Provider org i.e SERVORG 2.

No comments:

Post a Comment