          Enable Single Sign-On

          Own from Salesforce supports single sign-on (SSO) using SAML 2.0. Instead of relying on local authentication for password and security policies, you can set your own authentication using your managed identity provider (IdP).

          Single sign-on is supported using SAML 2.0 and IdP-initiated flows. The IdP must allow the SAML assertion to be used to authenticate. Create the SSO application in your IdP before enabling SSO in the platform.

          Single sign-on settings can only be accessed by Admin and Master Admin users. These settings are hidden from all other users. Admin users have read-only access while Master Admins can edit settings. It is recommended to limit Master Admin access to a single user.

          1. Click the Security icon at the bottom left corner of the screen.
          2. Scroll down to the Authentication Method section and click Change to Single Sign On (SSO). The SSO Settings will open on the right of the screen.
          3. Enter the Identity Provider Issuer: a unique identifier of the IdP (usually an https:// URL). The SAML issuer is typically the Entity ID, which can be verified in the IdP’s metadata XML.
          4. Upload the IdP Signature Certificate. Your certificate should be an X.509 PEM encoded file.
          5. (Optional) Enter a Logout URL for where to direct users after signing out.
          6. Click Next. The process may take a few minutes to verify the settings.
            After the settings are saved and your unique parameters are created, the IdP Parameters are displayed.
          7. Copy the values into the relevant fields in your identity provider. If you want all users to be logged in to a specific region on sign in, click Show advanced access and select the region-specific Direct RelayState, rather than the Default RelayState.
          8. The RelayState must be defined in your IdP. RelayState is sometimes also referred to as a "Start URL", "Target URL", or "Target application URL", among other names. Refer to your IdP's SAML application documentation for its name for this variable.
          9. In your IdP, make sure that the unique user identifier (also known as name ID) points to the email address.
          10. In the Own Data Platform, click Close. A message appears informing you that to activate SSO you must complete the setup and sign in with your IdP.
            Until setup is completed, the sign-in method on the Security page displays a “Not Activated” warning.
          11. To complete the setup, log out and log back in to the Own Data Platform with your IdP. This will verify your settings and activate them across your account. Until this is done, users can still log in with their email and password.

          If there was an issue with the SSO setup, the Master Admin user can still log in with their email and password to debug.

          Once SSO is activated, logging in with email and password is disabled for all accounts.

          If no users in your account have logged in within 48 hours, SSO is not activated and your account is locked. Please contact support for assistance.
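
Steps 3 and 4 ask for an issuer and a signing certificate that must both agree with what the IdP publishes. The following pre-flight check is an added example, not part of the Own documentation or product: it confirms the certificate is PEM armored, that the issuer exactly equals the metadata `entityID`, and that the certificate is one of the metadata's signing certificates. The function names and sample values are assumptions, the sample certificate is placeholder bytes rather than a real X.509 certificate, and the check does not parse validity dates.

```python
import base64
import hashlib
import ssl
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

# Constructed sample inputs: placeholder bytes stand in for a real DER certificate.
SAMPLE_ISSUER = "https://idp.example.com/saml"
SAMPLE_DER = bytes(range(48))
SAMPLE_PEM = ssl.DER_cert_to_PEM_cert(SAMPLE_DER)
SAMPLE_METADATA = f"""<md:EntityDescriptor xmlns:md="{NS['md']}"
    xmlns:ds="{NS['ds']}" entityID="{SAMPLE_ISSUER}">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>{base64.b64encode(SAMPLE_DER).decode()}</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""


def sha256_fingerprint(pem_text):
    """SHA-256 over the DER bytes, to compare with a fingerprint the IdP displays."""
    return hashlib.sha256(ssl.PEM_cert_to_DER_cert(pem_text.strip())).hexdigest()


def preflight(issuer, pem_text, metadata_xml):
    """Return a list of problems; an empty list means the inputs agree."""
    try:
        # Raises ValueError unless the text carries BEGIN/END CERTIFICATE armor.
        der = ssl.PEM_cert_to_DER_cert(pem_text.strip())
    except ValueError as exc:
        return [f"certificate is not PEM encoded: {exc}"]
    problems = []
    root = ET.fromstring(metadata_xml)  # assumes the root is one EntityDescriptor
    entity_id = root.get("entityID")
    if issuer != entity_id:  # exact match: a trailing slash is a different issuer
        problems.append(f"issuer {issuer!r} != metadata entityID {entity_id!r}")
    signing = set()
    for kd in root.findall("md:IDPSSODescriptor/md:KeyDescriptor", NS):
        if kd.get("use") in (None, "signing"):  # no 'use' means any purpose
            for cert in kd.findall(".//ds:X509Certificate", NS):
                signing.add(base64.b64decode("".join((cert.text or "").split())))
    if der not in signing:
        problems.append("certificate is not a signing certificate in the metadata")
    return problems
```

Run it against the metadata file downloaded from your own IdP before clicking Next; a mismatch found here is cheaper to fix than one found at the first IdP login in step 11.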

          • Implications of Enabling Single Sign-on
            Understand the changes in password policies and security measures when single sign-on is enabled in Own.
          • Update SSO Credentials
            When you update your identity provider issuer and/or certificate, the new credentials won’t be active until a user logs in with IdP.
          • Disable Single Sign-On (SSO)
            Disabling Single Sign-On (SSO) requires a shift to password authentication. Upon disabling SSO, you must configure password expiration settings, the number of previous passwords to deny, and whether to enable MFA.