Use Experience Cloud Endpoints for Single Sign-On with External Users

Publication date: Aug 21, 2024
Description

With Salesforce as the Service Provider in a SAML Single Sign-On implementation, the endpoints used for login and logout are different for each of your Experience Cloud sites. Customers, partners and other external users must use the endpoint that corresponds to their site to log in and log out.

When implementing SAML Single Sign-On for Experience Cloud, make sure to use your Community (Experience Cloud site) endpoints for all external users. Users who are not directed to the correct site endpoint may encounter errors and will not be able to access the site. Ensure that every relevant XML element in the SAML response (in particular the Destination and Recipient attributes) contains the correct site endpoint.

Solution

To access your SAML Single Sign-On endpoints, please review "View and Edit Single Sign-On Settings".

To see your Community endpoints, go to Setup → Single Sign-On Settings and expand the "For Experience Cloud" dropdown below "Your Organization".

When external users need to log in using SSO, make sure your Identity Provider directs them to the specific endpoint for their Experience Cloud site. The endpoints listed use your site's Primary URL. If your organization has multiple custom URLs serving a single site, SSO must be enabled separately for each non-primary URL from Force.com: go to All Sites → Workspaces → Administration → Pages → Go to Force.com → Login Settings for the non-primary custom URL and adjust the login options for that URL.

If your site has the permission "Allow employees to log in directly to an Experience Cloud site" enabled under Login and Registration in Workspaces, employees should also be directed to the Experience Cloud site endpoint to log in to their site using Single Sign-On. If this permission is not enabled, employees can access Experience Cloud sites through the App Launcher.


Below is an example SAML response that is directed to an Experience Cloud site. Note that the Response element's Destination attribute and the SubjectConfirmationData element's Recipient attribute both contain the site's my.site.com URL, which is where the payload is sent:

<?xml version="1.0" encoding="UTF-8"?>
<!-- MyDomainValue is a placeholder for your org's My Domain name -->
<saml2p:Response xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:xs="http://www.w3.org/2001/XMLSchema" Destination="https://MyDomainValue.my.site.com/login" ID="_6aaedcfc-110ed330" IssueInstant="2023-05-16T21:53:41.040Z" Version="2.0">
    <saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">IssuerValue</saml2:Issuer>
    <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <!-- Signature omitted for brevity -->
    </ds:Signature>
    <saml2p:Status>
        <saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
    </saml2p:Status>
    <saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" ID="_187bec3f-3542a4eb" IssueInstant="2023-05-16T21:53:41.040Z" Version="2.0">
        <saml2:Issuer>IssuerValue</saml2:Issuer>
        <saml2:Subject>
            <saml2:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">user@example.com</saml2:NameID>
            <saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
                <saml2:SubjectConfirmationData NotOnOrAfter="2023-05-16T21:54:41.040Z" Recipient="https://MyDomainValue.my.site.com/login"/>
            </saml2:SubjectConfirmation>
        </saml2:Subject>
        <saml2:Conditions NotBefore="2023-05-16T21:53:41.040Z" NotOnOrAfter="2023-05-16T21:54:41.040Z">
            <saml2:AudienceRestriction>
                <saml2:Audience>EntityIDValue</saml2:Audience>
            </saml2:AudienceRestriction>
        </saml2:Conditions>
        <saml2:AuthnStatement AuthnInstant="2023-05-16T21:53:41.040Z">
            <saml2:AuthnContext>
                <saml2:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified</saml2:AuthnContextClassRef>
            </saml2:AuthnContext>
        </saml2:AuthnStatement>
    </saml2:Assertion>
</saml2p:Response>
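The following is an added example, not part of the Salesforce article and not Salesforce code: a small pre-flight check an administrator can run over a SAML Response captured from the Identity Provider to confirm it is routed to the Experience Cloud site endpoint rather than the org-level endpoint. It examines only the attributes the article calls out (Response/@Destination, SubjectConfirmationData/@Recipient and the Audience); it does not verify the XML signature, which Salesforce does on receipt. The endpoint, entity ID and sample responses are constructed placeholders (SITE_LOGIN, ORG_LOGIN, ENTITY_ID, build_sample_response), not values from the article.

```python
# Added example (not from the Salesforce article): check that a SAML Response
# is routed to the Experience Cloud site endpoint, not the org-level endpoint.
import xml.etree.ElementTree as ET

NS = {
    "saml2p": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml2": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Constructed placeholders standing in for a site's Primary URL login endpoint,
# the org's own My Domain endpoint, and the SP entity ID configured on the IdP.
SITE_LOGIN = "https://mydomainvalue.my.site.com/login"
ORG_LOGIN = "https://mydomainvalue.my.salesforce.com/"
ENTITY_ID = "https://mydomainvalue.my.site.com"


def check_site_routing(response_xml, expected_endpoint, expected_audience):
    """Return a list of routing problems found in a SAML Response.

    An empty list means Destination, every Recipient and the Audience all
    point at the expected site. The XML signature is deliberately not
    checked here; Salesforce validates it when the response arrives.
    """
    root = ET.fromstring(response_xml)
    if root.tag != "{%s}Response" % NS["saml2p"]:
        return ["root element is %s, expected saml2p:Response" % root.tag]
    problems = []

    dest = root.get("Destination")
    if dest != expected_endpoint:
        problems.append("Destination is %r, expected %r" % (dest, expected_endpoint))

    assertion = root.find("saml2:Assertion", NS)
    if assertion is None:
        return problems + ["no saml2:Assertion in Response"]

    confirmations = assertion.findall(
        "saml2:Subject/saml2:SubjectConfirmation/saml2:SubjectConfirmationData", NS)
    if not confirmations:
        problems.append("no SubjectConfirmationData element")
    for scd in confirmations:
        recipient = scd.get("Recipient")
        if recipient != expected_endpoint:
            problems.append("Recipient is %r, expected %r" % (recipient, expected_endpoint))

    audiences = [a.text for a in assertion.findall(
        "saml2:Conditions/saml2:AudienceRestriction/saml2:Audience", NS)]
    if expected_audience not in audiences:
        problems.append("Audience %r not in %r" % (expected_audience, audiences))
    return problems


def build_sample_response(destination, recipient, audience):
    """Constructed minimal Response in the shape of the article's example."""
    return """<saml2p:Response xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"
    Destination="%s" ID="_example" IssueInstant="2023-05-16T21:53:41.040Z" Version="2.0">
  <saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">IssuerValue</saml2:Issuer>
  <saml2p:Status><saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></saml2p:Status>
  <saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" ID="_a" IssueInstant="2023-05-16T21:53:41.040Z" Version="2.0">
    <saml2:Issuer>IssuerValue</saml2:Issuer>
    <saml2:Subject>
      <saml2:NameID>user@example.com</saml2:NameID>
      <saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml2:SubjectConfirmationData NotOnOrAfter="2023-05-16T21:54:41.040Z" Recipient="%s"/>
      </saml2:SubjectConfirmation>
    </saml2:Subject>
    <saml2:Conditions NotBefore="2023-05-16T21:53:41.040Z" NotOnOrAfter="2023-05-16T21:54:41.040Z">
      <saml2:AudienceRestriction><saml2:Audience>%s</saml2:Audience></saml2:AudienceRestriction>
    </saml2:Conditions>
  </saml2:Assertion>
</saml2p:Response>""" % (destination, recipient, audience)


if __name__ == "__main__":
    # A response routed to the site endpoint passes; one routed to the org
    # endpoint (the misconfiguration the article warns about) is flagged twice.
    ok = build_sample_response(SITE_LOGIN, SITE_LOGIN, ENTITY_ID)
    wrong = build_sample_response(ORG_LOGIN, ORG_LOGIN, ENTITY_ID)
    print("site-routed response:", check_site_routing(ok, SITE_LOGIN, ENTITY_ID) or "OK")
    for problem in check_site_routing(wrong, SITE_LOGIN, ENTITY_ID):
        print("org-routed response:", problem)
```

Run it against a response pasted from a browser SAML tracer before rolling the IdP configuration out to external users; any line of output means the IdP is still sending users to an endpoint other than the site's login endpoint, which is exactly the condition under which they see errors instead of the site.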
Knowledge article number

000395455

Salesforce Help | Article