RedSales

SAML SSO With Salesforce.Com - A Dummy's Explanation

Hi,

I guess what I'm looking for is a dummy's explanation of what I need for an SSO configuration. I've read the articles on http://wiki.developerforce.com/index.php/How_to_Implement_Single_Sign-On_with_Force.com and http://wiki.developerforce.com/index.php/Single_Sign-On_with_SAML_on_Force.com but still have questions (I'm very new to this).

The process I need to set up is as follows:

A user clicks on a link on a 3rd party website which brings them to my salesforce.com system. It authenticates the user (details are passed in the URL), then returns the user to the 3rd party external site (using a return URL) with some user details from Salesforce as part of the URL string.

My understanding is that SAML authentication on Salesforce.com can be set up for my part of the requirements.

On reading the above articles, it specifies "In Salesforce, specify your organization’s Single Sign-On Gateway URL by clicking Setup | Security Controls | Single Sign-On settings."

There are also examples detailed on using an identity provider & a service provider. Open source identity providers such as OpenSAML are also detailed.

Questions I have:

If the authentication is to occur on salesforce.com, do I need to set up salesforce.com as the identity provider? (It would seem to me that the 3rd party company who need authentication from Salesforce would therefore be the service provider.)

Do I need external identity provider software/configurations (such as OpenSAML, for example) or can this be built using existing Salesforce functionality?

Thanks in advance. Any help would be appreciated!

Best Answer chosen by Admin (Salesforce Developers) 
swestenzweig

Hi RedSales.

The SalesForce documentation is great once you're ready to implement a single sign-on solution, but it's best to understand how a federated SSO approach works from a general perspective first. The Shibboleth project offers some great overviews at various levels of technical detail on the SSO process (http://switch.ch/aai/demo/2/simple.html). That's a good place to start.

To answer your questions, yes, you will need to set up SalesForce as an identity provider (or IdP) with the third-party application as a service provider (or SP). OpenSAML is an open-source library used by many SPs and IdPs for working with SAML assertions, but OpenSAML does not provide an SP or IdP implementation. For that you will need to implement your own custom application to act as a service provider (SP) or use one of the many available SPs on the market (there are open-source SP implementations out there, including Shibboleth).
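As an added example that is not part of this thread or of any Salesforce or OpenSAML code, here are the checks a custom SP (the role the answer describes) has to apply to an assertion it receives from an IdP before trusting the identity in it. The entity IDs, URLs and the sample response are constructed placeholders, and cryptographic verification of the XML signature is assumed to have been done already by a library such as OpenSAML or xmlsec.

```python
# Added example, not from this thread: the checks a custom SAML service provider
# (SP) applies to an assertion from an IdP such as Salesforce. Entity IDs, URLs
# and the sample response are constructed; XML signature verification is assumed
# to have been done already by a library such as OpenSAML or xmlsec.
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone
NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol", "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

def saml_time(s):  # SAML timestamps are UTC ISO 8601 ending in 'Z'
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def check_assertion(xml_text, idp_entity_id, sp_entity_id, acs_url, request_id,
                    now, skew=timedelta(minutes=3)):
    """Return the list of reasons to reject the assertion (empty list = accept)."""
    root = ET.fromstring(xml_text)
    a = root.find("saml:Assertion", NS)
    if a is None:
        return ["no assertion in response"]
    bad = []
    if a.find("ds:Signature", NS) is None:  # presence only; verification is done upstream
        bad.append("assertion is unsigned")
    if a.findtext("saml:Issuer", "", NS) != idp_entity_id:
        bad.append("issuer is not the trusted IdP")
    c = a.find("saml:Conditions", NS)
    if c is None:
        bad.append("no Conditions")
    else:
        if now + skew < saml_time(c.get("NotBefore")):
            bad.append("not yet valid")
        if now - skew >= saml_time(c.get("NotOnOrAfter")):
            bad.append("expired")
        if sp_entity_id not in [e.text for e in c.findall("saml:AudienceRestriction/saml:Audience", NS)]:
            bad.append("audience is not this SP")
    d = a.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if d is None:
        bad.append("no SubjectConfirmationData")
    else:
        if d.get("Recipient") != acs_url:
            bad.append("recipient is not this SP's ACS URL")
        if d.get("InResponseTo") != request_id:
            bad.append("InResponseTo does not match an outstanding AuthnRequest")
    return bad

# Constructed sample response (placeholder IDs; a real one carries a full ds:Signature)
SAMPLE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
 xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
 <saml:Assertion><saml:Issuer>https://idp.example.com</saml:Issuer><ds:Signature/><saml:Subject>
 <saml:SubjectConfirmation><saml:SubjectConfirmationData Recipient="https://sp.example.com/acs"
 InResponseTo="_req1"/></saml:SubjectConfirmation></saml:Subject><saml:Conditions
 NotBefore="2023-11-01T12:00:00Z" NotOnOrAfter="2023-11-01T12:05:00Z"><saml:AudienceRestriction>
 <saml:Audience>https://sp.example.com</saml:Audience></saml:AudienceRestriction></saml:Conditions>
 </saml:Assertion></samlp:Response>"""
```

Rejecting on any non-empty result (rather than only on the signature) is what stops a valid assertion meant for another SP, or one replayed after its window, from being accepted.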

 

 

All Answers

KMeinhold

Hello RedSales,

If you are willing to consider a commercial product I encourage you to take a look at Ping Identity. We have established hundreds of connections with Salesforce.com as IdP and SP. Below is a link to a page that outlines how we can help.

http://pingidentity.com/our-solutions/salesforce-crm.cfm

Please feel free to reach out to me directly if you have any additional questions.

Best Regards,

Kyle Meinhold | Sales Associate
PingIdentity | www.pingidentity.com
O: 720.317.2083
Email: kmeinhold@pingidentity.com

asingh

Hello, I need to further understand the design and architecture of SAML and the suggested software to use.

1. We are a SaaS application and we will have customers who are using our applications who will also want to have SSO to SalesForce and other 3rd party apps.

I believe I need to configure my own SAML Identity Provider.

2. We are running Windows IIS web servers for our front end.

Do I understand that we need to install some SAML agent on the Windows/IIS servers so it knows who the identity server is?

3. We will have to have the ability for multiple of our customers to be able to access their own virtual instance. We can't have customers' logons crossing.

We are a hosting / SaaS company so we would like to install our own infrastructure as opposed to using something like PingIdentity.

I am just not fully clear how my web servers know about the Identity Provider server.

Thanks for the info

 

RedSales

Hi asingh,

I'm afraid I'm not the most advisable on this myself. It ended up that SSO was not required for the project I worked on after my previous post on this. I found the replies to my questions very useful though.

Is anyone else out there able to help asingh?

Thanks!

KMeinhold

Hello asingh,

I think it would be beneficial for us to have a phone conversation regarding your interest in SAML enabling your SaaS offering. Our flagship product PingFederate is an on-premise server that would be housed in your environment. We also have a SaaS Partner Program that focuses on SAML enabling SaaS offerings.

Please feel free to contact me on my direct line below.

Best Regards,

Kyle

Kyle Meinhold | Sales Associate
PingIdentity | www.pingidentity.com
O: 720.317.2083
Email: kmeinhold@pingidentity.com