
How can I set up a SP initiated login flow? (aka How to use Salesforce as an IdP?)

Knowledge Article Number 000004317
Description

I would like to set up a SP (Service Provider) initiated login flow using one Salesforce org as the SP and another Salesforce org as the IdP (Identity Provider).

Resolution

The general SP initiated login flow is described in Help & Training under the section "About Identity Providers and Service Providers", but in these notes we will describe how to accomplish it using two Salesforce organizations.

In the IdP organization:
Let's configure the IdP so that it authenticates a user upon receiving a SAML authentication request:

A1) Go to Setup | Security Controls | Identity Provider.
A2) If you have already set up My Domain, skip this step. Otherwise click Configure My Domain. After entering an available My Domain name and saving, wait until an email confirms that the operation has finished and the My Domain is available for use.

Note that My Domain cannot be enabled in trial organizations. It is only available in Unlimited, Enterprise and Developer organizations.

A3) Click Enable Identity Provider.
A4) Select an existing certificate or in the drop down select "Create a new certificate..." and fill in all the required fields.
A5) Click Save.
A6) Take a note of the "Issuer" field (which will match your IdP's My Domain).
A7) Click Download Certificate.

In the SP organization:
Let's configure the SP so that it listens for SAML responses generated by the IdP:

B1) Go to Setup | Security Controls | Single Sign-On Settings.
B2) Click Edit
B3) Enter the following information:
a) Click "SAML Enabled"
b) Select "2.0" in the "SAML Version" drop down
c) Select the certificate you downloaded in step A7.
d) Select "Assertion contains the Federation ID from the User object" in the "SAML User ID Type" field
e) Select "User ID is in the NameIdentifier element of the Subject statement" in the SAML User ID Location
f) Enter the issuer copied in step A6 into the Issuer field.
B4) Click Save
B5) Take a note of the "Salesforce.com Login URL" field
B6) Take a note of the "Entity Id" field

In the IdP organization:
Let's configure the above org as a SP:

C1) Go to Setup | Security Controls | Identity Provider and click New
C2) Enter the following information:
a) A descriptive name in the Name field.
b) Enter the "Salesforce.com Login URL" value copied in step B5 into "ACS URL"
c) Select "Federation ID" in "Subject Type"
d) Enter the entity id value from step B6 into "Entity Id"
C3) Click Save.
C4) Take a note of the "SP-Initiated POST Endpoint" URL.

Make sure the user in the IdP and the user in the SP have the same value in the Federation ID field, since that is how the SP maps the incoming assertion to a user (steps B3 d and C2 c).

How to start the SP initiated flow:
Once the above configuration steps have been performed, follow the steps below to test the flow:

D1) Generate the SAML Authentication request:

<?xml version="1.0" encoding="UTF-8"?>
<samlp:AuthnRequest
    ID="REQUEST_ID"
    Version="2.0"
    IssueInstant="INSTANT"
    Destination="SP_INITIATED_POST_ENDPOINT"
    AssertionConsumerServiceURL="ACS_URL"
    ProviderName="https://saml.salesforce.com"
    ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
    xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
    <saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">ENTITY_ID</saml:Issuer>
</samlp:AuthnRequest>

where

REQUEST_ID = A unique identifier for this request, which SAML 2.0 requires; it must start with a letter or underscore (e.g. _a1b2c3d4e5)
ACS_URL = Value copied in step B5 (e.g. https://login.salesforce.com/?saml=02HKiPoin4xTUIf1nsifyoKpsR4eoZTNDRTDyhAKD7VT2GSOISOPaWabcde); this is the SP's Assertion Consumer Service URL, where the IdP will POST its response
SP_INITIATED_POST_ENDPOINT = Value copied in step C4 (e.g. https://acme.my.salesforce.com/idp/endpoint/HttpPost); the Destination attribute must match the IdP endpoint the request is posted to
ENTITY_ID = Value copied in step B6 (e.g. https://saml.salesforce.com)
INSTANT = A valid instant in UTC, close to the current time (e.g. 2011-01-01T00:00:00.000Z)

D2) Base64 encode the above request (plain base64 of the XML; the HTTP-POST binding does not DEFLATE it). Online tools such as http://www.motobit.com/util/base64-decoder-encoder.asp may help with this.

D3) Save the following as a .html file on your desktop:

<html>
<body>
<form method="POST" action="SP_Initiated_POST_Endpoint">

<table>
<tr><td>SAMLRequest:</td>
<td><textarea name="SAMLRequest" rows="10" cols="80">Replace this with your base 64 encoded SAML Authentication Request</textarea></td></tr>
<tr><td>RelayState:</td>
<td><input type="text" name="RelayState" value="/001/o" /></td></tr>
</table>
<input type="submit" value="Submit" />

</form>

</body>
</html>

where

SP_Initiated_POST_Endpoint is the value copied in step C4 (e.g. https://acme.my.salesforce.com/idp/endpoint/HttpPost)
/001/o refers to the Accounts overview page within the SP organization; it is the page the user lands on after login

D4) Open the previous file in a browser and paste the base 64 encoded SAML authentication request in the SAMLRequest box. Click Submit.

D5) Upon clicking Submit you should be redirected to a Salesforce.com login page. At this point enter valid credentials for a user in your IdP. Salesforce will validate them and, if they are correct, generate a SAML response that is sent to the SP organization. The SP organization will validate the SAML response and show the page requested in the RelayState (/001/o).
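Steps D1 to D3 as a single script, added here as an example and not part of the original article. The three URL constants are placeholders standing in for the values noted in steps B5, B6 and C4; the script also fills in the unique ID and IssueInstant the request needs, and only accepts a RelayState that is a relative path inside the SP, which is the check worth keeping when you later automate this.

```python
import base64
import html
import uuid
from datetime import datetime, timezone

# Placeholders standing in for the values noted in steps B5, B6 and C4 (not real org values).
ACS_URL = "https://login.salesforce.com/?saml=EXAMPLE_SP_TOKEN"              # step B5
SP_ENTITY_ID = "https://saml.salesforce.com"                                  # step B6
IDP_POST_ENDPOINT = "https://acme.my.salesforce.com/idp/endpoint/HttpPost"    # step C4

def build_authn_request(acs_url, entity_id, destination, issue_instant=None, request_id=None):
    """Return the step D1 AuthnRequest with a unique ID and a fresh IssueInstant filled in."""
    request_id = request_id or "_" + uuid.uuid4().hex          # an xs:ID may not start with a digit
    issue_instant = issue_instant or datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%S.000Z")
    return (
        '<?xml version="1.0" encoding="UTF-8"?>\n'
        '<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"\n'
        f'    ID="{request_id}" Version="2.0" IssueInstant="{issue_instant}"\n'
        f'    Destination="{html.escape(destination)}"\n'                  # IdP endpoint (step C4)
        f'    AssertionConsumerServiceURL="{html.escape(acs_url)}"\n'       # SP login URL (step B5)
        '    ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"\n'
        '    ProviderName="https://saml.salesforce.com">\n'
        f'    <saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">{html.escape(entity_id)}</saml:Issuer>\n'
        '</samlp:AuthnRequest>'
    )

def encode_saml_request(xml_text):
    """Step D2: the HTTP-POST binding carries plain base64 of the XML (no DEFLATE, unlike Redirect)."""
    return base64.b64encode(xml_text.encode("utf-8")).decode("ascii")

def safe_relay_state(relay_state):
    """Accept only an in-org relative path such as /001/o; the bindings spec caps RelayState at 80 bytes."""
    if relay_state.startswith("/") and not relay_state.startswith("//") and len(relay_state.encode()) <= 80:
        return relay_state
    raise ValueError(f"rejected RelayState: {relay_state!r}")

def build_post_form(endpoint, saml_request_b64, relay_state="/001/o"):
    """Step D3: the HTML form, with the encoded request already pasted into the SAMLRequest field."""
    return (
        "<html><body>\n"
        f'<form method="POST" action="{html.escape(endpoint)}">\n'
        f'<textarea name="SAMLRequest" rows="10" cols="80">{saml_request_b64}</textarea>\n'
        f'<input type="text" name="RelayState" value="{html.escape(safe_relay_state(relay_state))}" />\n'
        '<input type="submit" value="Submit" />\n'
        "</form></body></html>"
    )

if __name__ == "__main__":
    request_xml = build_authn_request(ACS_URL, SP_ENTITY_ID, IDP_POST_ENDPOINT)
    print(build_post_form(IDP_POST_ENDPOINT, encode_saml_request(request_xml)))
```

Redirect the output to a .html file and open it in a browser to continue with step D4.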


Some troubleshooting tips:

1) If your SAML Authentication request is correctly built and your credentials are valid you should not see an entry under Manage Users | Identity Provider Error Log. Otherwise an error message should be logged there.

2) Using Firebug or a similar tool you can capture the POST sent to the SP organization upon correct authentication. The SAML response it carries can be validated in the SP organization by going to Setup | Security Controls | Single Sign-On Settings | SAML Assertion Validator.
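A pre-check for a captured SAMLResponse before running it through the SAML Assertion Validator, added here as an example and not part of the original article. The embedded response is a constructed, unsigned sample (a real one carries an XML Signature, which only the Validator checks); the script decodes the base64 form field and compares Issuer, Recipient, Audience and NameID with the values from steps A6, B5, B6 and the user's Federation ID, which are the mismatches that most often show up in the Identity Provider Error Log.

```python
import base64
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol", "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed, unsigned stand-in for the SAMLResponse the IdP POSTs to the SP (a real one is signed).
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
 xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0" IssueInstant="2011-05-20T13:01:05.000Z">
 <saml:Issuer>https://acme.my.salesforce.com</saml:Issuer>
 <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
 <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2011-05-20T13:01:05.000Z">
  <saml:Issuer>https://acme.my.salesforce.com</saml:Issuer>
  <saml:Subject><saml:NameID>jdoe@example.com</saml:NameID>
   <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
    <saml:SubjectConfirmationData NotOnOrAfter="2011-05-20T13:06:05.000Z"
     Recipient="https://login.salesforce.com/?saml=EXAMPLE_SP_TOKEN"/>
   </saml:SubjectConfirmation></saml:Subject>
  <saml:Conditions NotOnOrAfter="2011-05-20T13:06:05.000Z"><saml:AudienceRestriction>
   <saml:Audience>https://saml.salesforce.com</saml:Audience></saml:AudienceRestriction></saml:Conditions>
 </saml:Assertion>
</samlp:Response>"""
SAMPLE_RESPONSE_B64 = base64.b64encode(SAMPLE_RESPONSE.encode("utf-8")).decode("ascii")

def summarize_saml_response(saml_response_b64):
    """Decode the SAMLResponse form field and pull out the fields the SP validates."""
    root = ET.fromstring(base64.b64decode(saml_response_b64))
    assertion = root.find("saml:Assertion", NS)
    conf = assertion.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    return {
        "status": root.find("samlp:Status/samlp:StatusCode", NS).get("Value").rsplit(":", 1)[-1],
        "issuer": root.findtext("saml:Issuer", namespaces=NS),                 # must equal step A6
        "name_id": assertion.findtext("saml:Subject/saml:NameID", namespaces=NS),  # the Federation ID
        "recipient": conf.get("Recipient"),                                    # must equal step B5
        "not_on_or_after": conf.get("NotOnOrAfter"),                           # assertion lifetime
        "audience": assertion.findtext("saml:Conditions/saml:AudienceRestriction/saml:Audience",
                                       namespaces=NS),                         # must equal step B6
    }

def check_response(summary, idp_issuer, acs_url, sp_entity_id, federation_id):
    """Return a list of mismatches between the decoded response and the configured SP/IdP values."""
    expected = {"status": "Success", "issuer": idp_issuer, "recipient": acs_url,
                "audience": sp_entity_id, "name_id": federation_id}
    return [f"{k}: got {summary[k]!r}, expected {v!r}" for k, v in expected.items() if summary[k] != v]

if __name__ == "__main__":
    s = summarize_saml_response(SAMPLE_RESPONSE_B64)
    print(s)
    print(check_response(s, "https://acme.my.salesforce.com", "https://login.salesforce.com/?saml=EXAMPLE_SP_TOKEN",
                         "https://saml.salesforce.com", "jdoe@example.com") or "all fields match")
```

To check a real capture, paste the SAMLResponse form value into summarize_saml_response and pass your own A6, B5, B6 and Federation ID values to check_response.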
