Loading

Set up a Service Provider initiated login flow

Date de publication: Oct 13, 2022
Description
This article provides details around using Salesforce as an Identity Provider (IdP). The general Service Provider (SP) initiated login flow is described in Help & Training under the section "About Identity Providers and Service Providers", but in these notes we will describe how to accomplish it using two Salesforce organizations.
Résolution

In the IdP organization

Let's configure the IdP so that it authenticates a user upon receiving a SAML authentication request:
A1) In the IdP Org:
- For Classic: Go to Setup | Security Controls | Identity Provider.
- For Lightning: Go to Setup | Identity | Identity Provider
A2) If your org doesn't have My Domain enabled, see My Domain in Salesforce Help.
A3) Click Enable Identity Provider.
A4) Select an existing certificate or in the drop down select "Create a new certificate..." and fill in all the required fields.
A5) Click Save.
A6) Take a note of the "Issuer" field (which will match your IdP's My Domain)
A7) Click Download Certificate
 
Note : Starting Summer '20, My Domain name length requirement has changed. My Domain name must be at least 3 characters long. 

In the SP organization:
Let's configure the SP so that it listens for SAML responses generated by the IdP:
 
B1) In the SP Org:
- For Classic: Go to Setup | Security Controls | Single Sign On Settings
- For Lightning: Go to Setup | Identity | Single Sign On Settings
B2) Click Edit
B3) Enter the following information:
1. Click "SAML Enabled"
2. Select "2.0" in the "SAML Version" drop down
3. Select the certificate you downloaded in step A7.
4. Select "Assertion contains the Federation ID from the User object" in the "SAML User ID Type" field
5. Select "User ID is in the NameIdentifier element of the Subject statement" in the SAML User ID Location
6. Enter the issuer copied in step A6 into the Issuer field.
B4) Click Save
B5) Take a note of the "Salesforce.com Login URL" field
B6) Take a note of the "Entity Id" field
 
In the IdP organization:
Let's configure the above org as a SP:
 
C1) Go back to the IdP Org: 
- For Classic: Go to Setup | Security Controls | Identity Provider and click Service Providers are now created via Connected Apps. Click here. 
- For Lightning: Go to Setup | Identity | Identity Provider and click Service Providers are now created via Connected Apps. Click here. 
C2) Enter the following information:
1. A descriptive name in the Name field, API Name. Check Enable SAML Checkbox
2. Enter the "Salesforce.com Login URL" value copied in step B5 into "ACS URL"
3. Select "Federation ID" in "Subject Type"
4. Enter the entity id value from step B6 into "Entity Id"
C3) Click Save
C4) Take a note of the "SP-Initiated POST Endpoint" URL
Make sure the user in the IdP and the user in the SP contain the same Federation Id field.
C5) Make sure to provide the correct Profiles access for the App.
 
How to start the SP initiated flow:
Once the above configuration steps have been performed to test the flow you should follow the steps below:


D1) Generate the SAML Authentication request: 
<?xml version="1.0" encoding="UTF-8"?>
<samlp:AuthnRequest
    AssertionConsumerServiceURL="https://login.salesforce.com"
    Destination="ACS_URL"
    Version="2.0"
    IssueInstant="2011-05-20T13:01:00.000Z"
    ProviderName="https://saml.salesforce.com"
    ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
    xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
    <saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">ENTITY_ID</saml:Issuer>
</samlp:AuthnRequest>


where 
ACS_URL = Value copied in step B5 (i.e. https://login.salesforce.com/?saml=02HKiPoin4xTUIf1nsifyoKpsR4eoZTNDRTDyhAKD7VT2GSOISOPaWabcde)
ENTITY_ID = Value copied in step B6 (i.e. https://saml.salesforce.com)
INSTANT = Valid instant (i.e. 2011-01-01T00:00:00.000Z)
D2) Base64 encode the above request. For this online tools such as http://www.motobit.com/util/base64-decoder-encoder.asp may be of help.
D3) Save the following as a .html file in your desktop:
<html>
<body>
<form method="POST" action="SO_Initiated_POST_Endpoint">
<table>
<tr><td>SAMLRequest:</td>
<td><textarea name="SAMLRequest" rows="10" cols="80">Replace this with your base 64 encoded SAML Authentication Request</textarea><td></tr>
<tr><td>RelayState:</td>
<td><input type="text" name="RelayState" value="/001/o" /></td></tr>
</table>
<input type="submit" value="Submit" />
</form>
</body>
</html>


where
SO_Initiated_POST_Endpoint is the value copied in step C4 (i.e. https://acme.my.salesforce.com/idp/endpoint/HttpPost)
/001/o will refer to the Accounts overview page within the SP organization
D4) Open the previous file in a browser and paste the base 64 encoded SAML authentication request in the SAMLRequest box. Click Submit.
D5) Upon clicking Submit you should be redirected to a Salesforce.com login page. At this point you should enter valid credentials in your IdP. Salesforce will validate them and if they are correct it will generate a SAML response that will be sent to the SP organization. This SP organization will validate the SAML response and show the page requested in the RelayState (/001/o).
 

Troubleshooting tips

1. If your SAML Authentication request is correctly built and your credentials are valid you should not see an entry under Manage Users | Identity Provider Error Log. Otherwise an error message should be logged there.
2. Using SAML Tracer(Mozilla Firefox)or other similar tools you can capture the POST sent to the SP organization upon correct authentication. This SAML request can be validated in the SP organization by going to Setup | Security Controls | Single Sign-On Settings | SAML Assertion Validator.
Numéro d’article de la base de connaissances

000385324

 
Chargement
Salesforce Help | Article