Configure SSO from Salesforce to SpringCM

Set Up Your Salesforce Org as an Identity Provider

With the My Domain feature, your Salesforce org is enabled as an identity provider. My Domain is required for all orgs. If you don’t like your org’s My Domain name, you can change it.

The My Domain feature also creates a certificate and key pair. The certificate establishes trust between your Salesforce org and ADP. Optionally, you can use another self-signed certificate or import a CA-signed certificate.

To download the Salesforce self-signed certificate:

1. From Setup, enter Identity Provider in the Quick Find box, and select Identity Provider.
2. Click Download Certificate.

Configure SAML Settings in SpringCM

1. Log in to your SpringCM account as a SAML-enabled administrator.
2. To upload your Salesforce identity provider certificate, click Upload.
3. Under Preferences, Account Preferences, and SAML SSO, click Identity Provider Configuration.
4. Select the Salesforce certificate that you uploaded.
5. For Issuer, enter the SAML IdP issuer using the format https://MyDomainName.my.salesforce.com. For example, https://identitydemo.my.salesforce.com.
6. For Service Provider (SP) Initiated Endpoint, enter https://MyDomainName.my.salesforce.com/idp/endoint/HttpPost.
7. Under SAML Enabled, select Enable.
8. Save the settings.

Create a Connected App in Salesforce

1. In Salesforce, create a connected app.
   • In Lightning Experience, from Setup, enter App in the Quick Find box, and select App Manager. Click New Connected App.
   • In Salesforce Classic, from Setup, enter Apps in the Quick Find box, and select Apps. Under Connected Apps, click New.
2. Configure the connected app Basic Information settings.
   1. Enter a name for the SpringCM connected app. Salesforce uses this name to populate the API name.
   2. Enter your email address in case Salesforce needs to contact you or your support team.
   3. Optionally, upload or specify a logo and icon to represent your SpringCM application in the Salesforce App Launcher.

   

3. Configure the connected app Web App Settings.
   1. Select Enable SAML.
   2. For Entity Id, enter https://www.springcm.com/atlas/sso/Prod.
   3. For ACS URL, enter https://www.springcm.com/atlas/sso/SSOEndpoint.ashx.
   4. For Subject Type, select the method attribute by which a username in SpringCM maps to a unique Salesforce user identity. For example, select Username.
   5. For Name ID Format, keep the default value.
   6. For Issuer, keep the default value, which is your My Domain login URL.
   7. For IdP Certificate, keep the default (Default IdP Certificate).

   

4. Save the settings.
5. Configure profiles and permission sets for the connected app.
   1. From Setup, enter Apps in the Quick Find box.
      • If you’re using Lightning Experience, select Manage Connected Apps.
      • If you’re using Salesforce Classic, under Manage Apps, select Connected Apps.
   2. Click the name of your connected app for SpringCM. The connected app detail page appears.
   3. Click Manage Profiles or Manage Permission Sets, and add profiles or permission sets for the users who can access this app.
6. Enter the Start URL for the connected app.
   1. On the connected app detail page, under SAML Login Information, copy the IdP-initiated login URL.
   2. On the connected app detail page, click Edit Policies.
   3. For Start URL, paste the IdP-initiated login URL.
   4. Save the settings.

Test the SSO Configuration

1. In Salesforce, from the App Launcher, find and open the SpringCM app. If you configured the SpringCM logo and icon for the connected app, the App Launcher displays them. If identity provider–initiated SSO is configured properly, Salesforce creates an application session.

   

2. To test service provider–initiated SSO, append your account ID to the ACS URL in a browser. For example, https://www.springcm.com/atlas/sso/SSOEndpoint.ashx?aid=12062. If SSO is configured properly, you’re prompted to log in to your Salesforce org. After you enter your credentials successfully, you’re logged in to your SpringCM account.