How to start with JIT Provisioning in Communities
Knowledge Article Number: 000198728
Description: The combination of Just In Time (JIT) Provisioning and Communities is relatively new. We are improving our documentation on the specific requirements in the authentication calls to make this work. Until then, the following knowledge article should help as a Quick Start guide.
To test and troubleshoot the SSO configuration you can use the Axiom SSO tool hosted on Heroku: http://axiomsso.herokuapp.com/Home.action
1. Create a Community and enable self-registration feature. Salesforce documentation: Getting started with communities.
2. Get the Organization id - Setup >> Administrative Setup >> Company Profile >> Company Information.
3. Download the Identity Provider Certificate - Go to http://axiomsso.herokuapp.com, click the link for SAML Identity Provider & Tester, then download the Identity Provider Certificate.
4. Configure Single Sign-On in Salesforce - Go to Setup >> Administrative Setup >> Security Controls >> Single Sign-On Settings. Click the Edit button and then check SAML Enabled.
5. Create a New SAML Single Sign-On Setting. Use the following settings to be able to test with Axiom.
6. Generate a SAML Response - Go to http://axiomsso.herokuapp.com/RequestSamlResponse.action, fill in the fields as follows and click the “Request SAML Response” button. Many of the values for these fields are found on the SAML Single Sign-On Settings page in your organization.
JIT Provisioning requires either a valid Account ID (use the 15-character ID) or both Account.AccountNumber and Account.Name.
a. Salesforce attempts to match the Federated ID in the subject of the SAML assertion (e.g. 12345) to the FederationIdentifier field of an existing user record.
b. If a matching user record is found, JIT provisioning uses the attributes to update the fields specified in the attributes.
c. If a user with a matching user record isn't found, then Salesforce searches the contacts for a match based on Contact ID (User.Contact) or email (Contact.Email).
Contact.Email and Contact.LastName are both required properties when User.Contact is not specified, but matching is based only on Contact.Email when both properties exist.
d. If a matching contact record is found, JIT provisioning uses the attributes to update the contact fields specified in the attributes and then inserts the new User record.
e. If a matching contact record isn't found, Salesforce searches Accounts for a match based on Contact.Account, or on AccountNumber and Account Name.
f. If a matching account record is found, JIT provisioning inserts a new contact record and a new User record based on the attributes provided.
g. If a matching account record isn't found, JIT provisioning inserts a new account record, a new contact record, and a new User record based on the attributes provided.
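To see which records a given assertion would create or update, the cascade in steps a-g can be modelled before you test against a real org. The following is an added example, not Salesforce code or part of this article; the attribute keys (Contact.Account for the account ID), the record shapes and the sample records are assumptions, and it assumes User.Contact takes precedence over Contact.Email when both are supplied, which the article does not state.

```python
# Added example: a model of the JIT provisioning matching cascade in steps a-g.
# Not Salesforce code; attribute keys, record shapes and sample data are assumed.

# Constructed sample org data: one user, one contact, one account.
USERS = [{"FederationIdentifier": "12345"}]
CONTACTS = [{"Id": "003000000000AAA", "Email": "ana@example.com"}]
ACCOUNTS = [{"Id": "001000000000AAA", "AccountNumber": "A-100", "Name": "Acme"}]


def validate_attributes(attrs):
    """Return an error string if the assertion breaks the stated prerequisites."""
    account_ok = len(attrs.get("Contact.Account", "")) == 15 or (
        "Account.AccountNumber" in attrs and "Account.Name" in attrs)
    if not account_ok:
        return "need a 15-character Contact.Account or both Account.AccountNumber and Account.Name"
    if "User.Contact" not in attrs and not (
            "Contact.Email" in attrs and "Contact.LastName" in attrs):
        return "Contact.Email and Contact.LastName are required when User.Contact is absent"
    return None


def jit_plan(subject, attrs, users=USERS, contacts=CONTACTS, accounts=ACCOUNTS):
    """Return the ordered list of actions JIT provisioning would take."""
    err = validate_attributes(attrs)
    if err:
        return ["reject: " + err]
    # a/b: the subject's Federation ID against User.FederationIdentifier
    if any(u["FederationIdentifier"] == subject for u in users):
        return ["update user"]
    # c/d: contact by User.Contact (ID); otherwise by Contact.Email only
    # (assumption: User.Contact wins when both are present)
    if "User.Contact" in attrs:
        found = any(c["Id"] == attrs["User.Contact"] for c in contacts)
    else:
        found = any(c["Email"] == attrs["Contact.Email"] for c in contacts)
    if found:
        return ["update contact", "insert user"]
    # e/f: account by Contact.Account (ID); otherwise by AccountNumber and Name
    if "Contact.Account" in attrs:
        found = any(a["Id"] == attrs["Contact.Account"] for a in accounts)
    else:
        found = any(a["AccountNumber"] == attrs["Account.AccountNumber"]
                    and a["Name"] == attrs["Account.Name"] for a in accounts)
    if found:
        return ["insert contact", "insert user"]
    # g: nothing matched, so the whole account/contact/user chain is created
    return ["insert account", "insert contact", "insert user"]
```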
7. Generate the SAML Assertion - Click the Request SAML Response button.
8. Login - If everything has been configured correctly and login is successful, you should be directed to the Community home page.