OpenStreetMap

Federated SAML SSO

Hi All,

 

We are using Ping identity provider for SSO. It would be great if you can answer some of my questions:

1.) For SAML SSO configurations, which SAML profiles and bindings will be used (e.g. SP-Initiated-SSO-Post-Post etc.)?

2.) Does SFDC integration need any back-channel communication (e.g. artifact resolution or other SOAP communication)?

3.) Need the set of user attributes that the IdP needs to send in an assertion to SFDC.

4.) How is the sandbox SSO configuration defined? Does it rely on the PROD Federation setup, or do we need to configure a new dedicated Federation setup for each QA, Test, Dev sandbox?

5.) On the identity provider side, do we have to set up both the IdP role and the SP role for SSO Outlook integration?

 

Regards,

Neha

Vinita_SFDC

Hello Neha,

 

This is a big list of questions :) I would suggest you first refer to the following help documents and come back if you have any questions:

 

http://wiki.developerforce.com/page/Single_Sign-On_with_SAML_on_Force.com

 

http://ap1.salesforce.com/help/doc/en/sso_saml.htm

 

OpenStreetMap

Thanks for your reply.

 

I have checked these links and all the doubts are clear; only one question is left. Actually we are using Ping identity provider and

 

1.) In the below link from Salesforce documentation it is mentioned that Salesforce for Outlook SSO is not supported in the case of an online identity management server:

https://login.salesforce.com/help/doc/en/outlookcrm_sys_req.htm

 

So can we use Ping in this scenario?

 

2.) In the below document we have two use cases; the secondary use case includes the Outlook case. But in the configuration setup which includes the Outlook case they provided only delegated authentication (below is the document from Ping Identity): Page No: 6-8

https://documentation.pingidentity.com/download/attachments/6755157/Salesforce_Quick_Connection_Guide.pdf?version=1&modificationDate=1307041290700

 

Can we use federated for Outlook SSO integration?

Vinita_SFDC

Hello,

Ans1. Yes, you can use any other identity provider like Ping.

Ans2. Yes, you can use federated for Outlook SSO integration. Salesforce.com supports both delegated authentication and Security Assertion Markup Language (SAML) requirements for Salesforce for Outlook. When using delegated authentication, users need to log into Salesforce the first time they use Salesforce for Outlook. When using SAML for Salesforce for Outlook, My Domain is required.


You can also refer: http://developer.force.com/cookbook/recipe/implementing-single-sign-on-for-clients

SidSidner

One of the Ping support engineers, Bart Zaino, looked at this and had this response:

> We are using Ping identity provider for SSO. It would be great if you can answer some of my questions:
 
 
> 1.) For SAML SSO configurations, which SAML profiles and bindings will be used (e.g. SP-Initiated-SSO-Post-Post etc.)?
 
We support the following profiles:
SP-initiated SSO (direct login & deep linking)
IdP-initiated SSO (SAML2 & delegated auth*)
SP-initiated IdP logout (SLO)
Using the POST, Redirect and SOAP bindings

*Using delegated auth requires both an IdP & SP connection and must be enabled in SFDC
 
> 2.) Does SFDC integration need any back-channel communication (e.g. artifact resolution or other SOAP communication)?

It depends on your implementation. We have a pure SAML 2 solution that will do basic SSO without any backchannel. However, the use of delegated auth, Outlook, SP-initiated direct login or deep linking will require SOAP over the backchannel.
 
> 3.) Need the set of user attributes that the IdP needs to send in an assertion to SFDC.

This is set up in the Salesforce SAML/SSO configuration; typically people map email or user ID (which may also be email) and then configure it on PingFederate as the SAML_SUBJECT.
 
> 4.) How is the sandbox SSO configuration defined? Does it rely on the PROD Federation setup, or do we need to configure a new dedicated Federation setup for each QA, Test, Dev sandbox?

I personally use a private SFDC test account and test all my federation settings, adapters and connections, then migrate into production. Your company may have a dedicated SFDC test environment. I'd check with your Salesforce admin.
 
> 5.) On the identity provider side, do we have to set up both the IdP role and the SP role for SSO Outlook integration?

Both are required; the Outlook integration uses the delegated auth module, which requires the SP connection.
 
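Bart's answer above maps the user to the SAML_SUBJECT (NameID) and relies on the POST binding for SP-initiated SSO. What that leaves implicit is the set of checks the service provider has to apply to the assertion before trusting that subject: issuer, validity window, audience, recipient and the InResponseTo link back to the SP's own AuthnRequest. The following is an added example, not PingFederate's or Salesforce's code; the assertion XML, the issuer, audience and recipient URLs, the request id and the timestamps are all constructed placeholders, and signature verification is assumed to have been done before these checks run.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
# Constructed sample (not a real PingFederate message); a real one arrives signed and base64-encoded in the SAMLResponse POST field.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Issuer>https://idp.example.com/pingfederate</saml:Issuer>
  <saml:Subject>
    <saml:NameID>neha@example.com</saml:NameID>
    <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
      <saml:SubjectConfirmationData Recipient="https://example-company.my.salesforce.com"
          InResponseTo="_req123" NotOnOrAfter="2023-11-01T10:05:00Z"/>
    </saml:SubjectConfirmation>
  </saml:Subject>
  <saml:Conditions NotBefore="2023-11-01T09:55:00Z" NotOnOrAfter="2023-11-01T10:05:00Z">
    <saml:AudienceRestriction><saml:Audience>https://saml.salesforce.com</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions>
</saml:Assertion>"""

def parse_ts(s):  # SAML timestamps are UTC ISO 8601 with a trailing Z
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def validate_assertion(xml_text, expected_issuer, expected_audience,
                       expected_recipient, request_id, now):
    """Return (NameID, []) when every check passes, else (None, failed_checks).
    Signature verification of the assertion is assumed to have happened first."""
    a = ET.fromstring(xml_text)
    f = []
    if a.findtext("saml:Issuer", namespaces=NS) != expected_issuer:
        f.append("issuer")
    cond = a.find("saml:Conditions", NS)
    if not (parse_ts(cond.get("NotBefore")) <= now < parse_ts(cond.get("NotOnOrAfter"))):
        f.append("validity-window")
    if expected_audience not in [e.text for e in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]:
        f.append("audience")
    scd = a.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    scd = scd.attrib if scd is not None else {}
    if scd.get("Recipient") != expected_recipient:
        f.append("recipient")
    if scd.get("InResponseTo") != request_id:  # ties the assertion to the SP's AuthnRequest
        f.append("in-response-to")
    if "NotOnOrAfter" not in scd or now >= parse_ts(scd["NotOnOrAfter"]):
        f.append("subject-confirmation-expired")
    subject = a.findtext("saml:Subject/saml:NameID", namespaces=NS)
    if not subject:
        f.append("subject")
    return (subject if not f else None), f

if __name__ == "__main__":
    print(validate_assertion(SAMPLE_ASSERTION, "https://idp.example.com/pingfederate", "https://saml.salesforce.com",
                             "https://example-company.my.salesforce.com", "_req123", parse_ts("2023-11-01T10:00:00Z")))
```

A replayed assertion (after NotOnOrAfter) or one answering a different AuthnRequest is rejected with the failing check named, which is the behaviour to expect from the SP side of the SP-initiated flow described above.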
OpenStreetMap

Thanks for your help!!

 

Regards,

Neha

OpenStreetMap

We want our users to be able to log in to Salesforce from inside or outside of the network. In this scenario, which profile will be used?

 

Our customer wants the owners of a license in the SFDC application to access the CRM application seamlessly from:

  •  the network (whether they are accessing the network from an internal connection or via VPN) and
  •  the extranet, in the case of external users.

What is the concept of Kerberos? Do we have to set this up also?

 

For Outlook integration, do we need to set up delegated authentication (web service at the SFDC side), or would it automatically use delegated authentication?

Regards,

Neha