• duggla
  • NEWBIE
  • 25 Points
  • Member since 2010


I've seen several pieces of documentation and forum posts indicating that passing the RelayState POST parameter through the SSO process back to Salesforce will enable users to dynamically be redirected to the desired page. This is also necessary for using mobile with SSO in combination with using a My Domain URL (http://wiki.developerforce.com/page/Single_Sign-On_for_Desktop_and_Mobile_Applications_using_SAML_and_OAuth).

 

I know the POST to my identity provider (Corporate Ping Instance) is working. Now, the team who managed our Ping config are having trouble figuring out how to configure Ping to pass the RelayState back through to Salesforce. Does anyone have any experience doing that with Ping or with other provider software? Since I've never worked with it and don't have access, I'm having trouble giving them some direction on how they can give me what I need.

I'm trying to get SSO working with mobile and the Outlook plugin. We're using Ping Federate for our idp. The wiki documentation states that all Salesforce needs is to be passed the RelayState parameter. Does anyone know what's involved to get this working? For whatever reason, RelayState is not coming back as a parameter with the SAML assertion.  I have our idp URL set in the "IDP Login URL" field in the Salesforce SSO settings, and I can tell during the redirect that RelayState is getting passed from Salesforce.

 

Has anyone gotten this working with Ping?
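An added example (not part of the original posts, and not Ping or Salesforce code): a Python check that can be run against a captured copy of the IdP's auto-submit page to confirm that RelayState comes back unchanged next to SAMLResponse, as the SAML HTTP-POST binding requires. The form markup, URL and RelayState value are constructed, and `check_relaystate` is a hypothetical helper name.

```python
from html.parser import HTMLParser

MAX_RELAYSTATE_BYTES = 80  # limit set by the SAML 2.0 bindings specification

# Constructed sample pages: what the IdP returns to the browser after login.
GOOD_FORM = """<form method="post" action="https://example.my.salesforce.com">
<input type="hidden" name="SAMLResponse" value="BASE64_PLACEHOLDER"/>
<input type="hidden" name="RelayState" value="/001/o"/></form>"""
BAD_FORM = """<form method="post" action="https://example.my.salesforce.com">
<input type="hidden" name="SAMLResponse" value="BASE64_PLACEHOLDER"/></form>"""


class _FormFields(HTMLParser):
    """Collect the form action and the named input fields of the page."""

    def __init__(self):
        super().__init__()
        self.action = None
        self.fields = {}

    def handle_starttag(self, tag, attrs):
        attr = dict(attrs)
        if tag == "form":
            self.action = attr.get("action")
        elif tag == "input" and attr.get("name"):
            self.fields[attr["name"]] = attr.get("value") or ""


def check_relaystate(idp_html, sent_relaystate):
    """Return a list of problems with the IdP's POST form (empty list = OK)."""
    parser = _FormFields()
    parser.feed(idp_html)
    problems = []
    if "SAMLResponse" not in parser.fields:
        problems.append("no SAMLResponse field")
    if len(sent_relaystate.encode("utf-8")) > MAX_RELAYSTATE_BYTES:
        problems.append("RelayState sent by the SP exceeds 80 bytes")
    if "RelayState" not in parser.fields:
        problems.append("RelayState not echoed by the IdP")
    elif parser.fields["RelayState"] != sent_relaystate:
        problems.append("RelayState altered by the IdP")
    return problems
```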

---

Using My Domain, you can define a custom Salesforce domain name for your organization that highlights your brand, or a different term that represents your business. Using a custom domain name provides important advantages, such as increased security and better support for single sign-on. My Domain is also available for sandbox environments. You can only define a custom domain name one time.

------

This is from Salesforce.com Help & Training - would like to know more about the advantages mentioned: INCREASED security and BETTER SUPPORT for SSO.

 

Any thoughts?

 

Thanks

We have had Federated SSO set up for a while now in our production org. I would like to set it up in at least one of our sandboxes as well. Is there any way to do this without having our IDP admins maintain separate endpoints for each sandbox? We are using My Domain, so it seems like the SAML Assertion would need to be pretty specific to each one and as far as I can tell does not have a way to dynamically forward users to the desired sandbox. It would be even better if production and sandbox orgs could point to the same SSO url, but it seems like that is even less likely.

 

Any thoughts on this? Is anyone else using SSO across multiple environments?

Hi All,

 

In preparation for integrating with Salesforce, I'm using the SAML validator tool to verify the XML response that we'll be generating. The response itself is generated via .Net code and I can verify that the certificate in the response is valid using the .Net SignedXML class. However the SAML validator keeps spitting out:

 

Signature or certificate problems        

The signature in the response is not valid        

Is the correct certificate supplied in the keyinfo? false

 

I've already tried re-uploading my certificate. Has anyone else experienced this issue or has a suggestion on what I should try next? Also the SAML validator seems to be stuck in the past - all the validation time stamps it is using are 7 hours in the past (maybe that's the problem). I've read on some older posts (like 2008) that the CanonicalizationMethod may not be supported but I've seen other posts where others are using it.

 

cheers

 

Brad

 

Here's my response xml:

 

<Response xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" ID="_f852314a-7f5e-4308-a01f-66d20a8bbd96" Version="2.0" IssueInstant="2012-03-03T00:47:48Z" xmlns="urn:oasis:names:tc:SAML:2.0:protocol">
  <saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">http://e4.localhost.com:80/samltester/</saml:Issuer>
  <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
    <SignedInfo>
      <CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315" />
      <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
      <Reference URI="#_f852314a-7f5e-4308-a01f-66d20a8bbd96">
        <Transforms>
          <Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
          <Transform Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315" />
        </Transforms>
        <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
        <DigestValue>HPGYiDDltAsp9sb3pG7+rWSUS/o=</DigestValue>
      </Reference>
    </SignedInfo>
    <SignatureValue>mbwggKm66i0Zr4iMx7cV54tNAYCuKe7/57sdNB+gNQGsaMycrWKulg+lb600k25FAZd35HgERkdxQhxzRXQ5Bsj0Cih/lp72dCzVatdaS3Rq6vyhXDmJUY+2h3lxx2LSv9ZaB2n1Qf0nBk8yNbw9FwR02K9IylZ7Oo/MXEZ9NZQ=</SignatureValue>
    <KeyInfo>
      <X509Data>
        <X509Certificate>[certificate omitted]</X509Certificate>
      </X509Data>
    </KeyInfo>
  </Signature>
  <Status>
    <StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success" />
  </Status>
  <Assertion Version="2.0" ID="_0ca4a862-e9ed-4c2a-8c10-f1c5ff500e3c" IssueInstant="2012-03-03T00:47:48Z" xmlns="urn:oasis:names:tc:SAML:2.0:assertion">
    <Issuer>http://e4.localhost.com:80/samltester/</Issuer>
    <Subject>
      <NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">brad.furdyk@evoco.com</NameID>
      <SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <SubjectConfirmationData NotOnOrAfter="2012-03-03T01:47:48.0000000Z" Recipient="https://login.salesforce.com" />
      </SubjectConfirmation>
    </Subject>
    <Conditions NotBefore="2012-03-03T00:47:48Z" NotOnOrAfter="2012-03-03T01:47:48Z">
      <AudienceRestriction>
        <Audience>https://saml.salesforce.com</Audience>
      </AudienceRestriction>
    </Conditions>
    <AuthnStatement AuthnInstant="2012-03-03T00:47:48Z">
      <AuthnContext>
        <AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</AuthnContextClassRef>
      </AuthnContext>
    </AuthnStatement>
  </Assertion>
</Response>



  • March 02, 2012
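An added example (not part of the original post, and not the Salesforce validator's logic): a Python triage helper for a response laid out like the one above. It reports which element the signature Reference points at, any SHA-1 algorithms in SignedInfo, and whether a given checker clock falls inside the Conditions window, which is how a clock offset such as the 7 hours mentioned in the post would surface. It does not verify the cryptographic signature; the sample XML, its IDs and the names `triage` and `_utc` are constructed for illustration.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {"a": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

# Constructed sample: same layout as the posted response, placeholder IDs;
# digest, signature value and certificate are left out.
SAMPLE = """<Response xmlns="urn:oasis:names:tc:SAML:2.0:protocol" ID="_resp1">
 <Signature xmlns="http://www.w3.org/2000/09/xmldsig#"><SignedInfo>
  <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
  <Reference URI="#_resp1">
   <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
  </Reference></SignedInfo></Signature>
 <Assertion xmlns="urn:oasis:names:tc:SAML:2.0:assertion" ID="_assert1">
  <Conditions NotBefore="2012-03-03T00:47:48Z"
              NotOnOrAfter="2012-03-03T01:47:48.0000000Z"/>
 </Assertion></Response>"""

def _utc(stamp):
    # Handles "...:48Z" and the 7-digit fraction form ("...:48.0000000Z").
    base = stamp.rstrip("Z").split(".")[0]
    return datetime.strptime(base, "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)

def triage(xml_text, now, skew=timedelta(minutes=5)):
    """Return (name of the signed element or None, list of findings)."""
    root = ET.fromstring(xml_text)  # use a hardened parser for untrusted input
    findings, signed = [], None
    ref = root.find(".//ds:SignedInfo/ds:Reference", NS)
    if ref is None:
        findings.append("no ds:Reference found")
    else:
        target = ref.get("URI", "").lstrip("#")
        hits = [e for e in root.iter() if e.get("ID") == target]
        if len(hits) == 1:
            signed = hits[0].tag.split("}")[1]
        else:  # zero or duplicate IDs: the reference is ambiguous
            findings.append(f"Reference URI matches {len(hits)} elements")
    for el in root.iterfind(".//ds:SignedInfo//*[@Algorithm]", NS):
        if el.get("Algorithm").endswith("sha1"):
            findings.append(f"SHA-1 in {el.tag.split('}')[1]}")
    for cond in root.iterfind(".//a:Conditions", NS):
        nb, na = cond.get("NotBefore"), cond.get("NotOnOrAfter")
        if nb and now + skew < _utc(nb):
            findings.append("not yet valid at the checker's clock")
        if na and now - skew >= _utc(na):
            findings.append("expired at the checker's clock")
    return signed, findings
```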

I am writing a test method in which I am inserting a user. When I try to set a value for the CommunityNickname field, it gives a compilation error message as follows:

 


Save error: Invalid field communityNickname for SObject User 

 

Is this field not accessible?  

 

  • October 14, 2009