Web Application Integration- SFDC

vIDM SaaS application

SFDC Pre-Requisites Setup

This lab is intended to prepare those federating SaaS applications for authentication via vIDM. As SAML is a standard authentication type, this example is just one of many documented integrations. See here for more examples: https://www.vmware.com/support/pubs/vidm_webapp_sso.html

First we will sign up for a SFDC developer trial account.

Open the Firefox browser on the Control Center VM.

  1. Navigate to https://developer.salesforce.com/signup for a free account.
  2. Fill in your details using a personal e-mail address. Please ensure this e-mail address has not previously been used with SFDC.
  3. Confirm your e-mail address for the free account by going to the link in your e-mail. This will take you to the Change Your Password site.
  4. Set a password of your choosing and provide a security question and answer.
    1. Select Change Password to save; you will be redirected automatically to the Setup Home page.

5. You should still be automatically logged in with the user that you created above. If not, navigate to https://login.salesforce.com and log in with the details for your account.

NOTE: Salesforce has two web interfaces and this can get quite confusing. Please be sure to use the Lightning Experience interface rather than the Classic interface.

You will now register a unique domain name for your SFDC dev account.

6. On the Home page, navigate to Settings > Company Settings > My Domain.

Enter a unique domain name under "Choose Your Domain Name": first letter of first name, plus last name, plus livefire. For example: rbojolivefire

Click Check Availability. If available, select Register Domain. This process usually takes about 5 to 10 minutes (Salesforce has to publish that unique domain name). You can move on to the "Establish SAML Trust" section below and come back to this section once you are asked to log in to your unique URL.

7. You will receive an e-mail at the address specified in your developer account once the domain has successfully registered.

1. Click the link provided in the e-mail to confirm your domain registration and log in using the credentials you created above. NOTE: at this point it might prompt you for a phone number. You can simply select "I don't want to register my phone"; it will then use your e-mail address as the second authentication factor.

2. Now navigate back to Settings > Company Settings > My Domain, select Deploy to Users and confirm the pop-up.

Establish SAML Trust

Now we will download the identity provider signing certificate from vIDM and upload it into SFDC to create the trust relationship for authentication.

1. Log in to vIDM by navigating to https://workspaceone.euc-livefire.com

If the System Domain is not selected, click "Change to a different domain" and select System Domain from the drop-down.

User: admin

PW: VMware1!

2. Select the Catalog tab and select Settings.

3. Under Settings, select SAML Metadata.

4. Right-click Identity Provider (IdP) metadata and select Save Link As; this will open your Save As window. Leave the Downloads folder as the default and the name as idp.xml, then select Save.

5. Go to the Signing Certificate area and select Download. You should now have a signingCertificate.cer and an idp.xml in the Downloads folder.

6. Navigate back to your Salesforce site, where you should now be able to log in with your unique registered domain *-dev-ed.lightning.force.com

7. On the home page for the admin user you will find Settings > Identity > Single Sign-On Settings.

NOTE: if you can't locate these options on the initial login page, select the cog-wheel icon in the top right-hand corner of the page and select Setup; it will take you to the correct configuration page.

8. On the Single Sign-On Settings page, next to SAML Assertion Validator select Edit. Below Federated Single Sign-On Using SAML, select the SAML Enabled check box. Select Save.

9. Now select New From Metadata File, just underneath where the SAML settings have been enabled.

10. This will take you to the SAML Single Sign-On Settings page, where it will request the SAML metadata. Click Choose File, select the idp.xml that you downloaded from vIDM into the Downloads folder (created in step 4), select Open, then select Create.

11. Notice that the fields have now been auto-populated with the correct data from vIDM.

12. Ensure the following are correct in the settings:

Next to Name: leave as default, workspaceone

Next to Issuer: leave as default. This is the XML that is provided for the metadata:
https://workspaceone.euc-livefire.com/SAAS/API/1.0/GET/metadata/idp.xml

Next to Identity Provider Certificate: upload the signingCertificate.cer into this field (this was created in step 5)

Next to Identity Type: leave as default, "Assertion contains the User's Salesforce username"

Next to Identity Location: leave as default, "Identity is in the NameIdentifier element of the Subject statement"

Next to API Name: leave as default, workspaceone

Next to Entity ID: change to https://saml.salesforce.com

Next to Identity Provider Login URL: leave as default, https://workspaceone.euc-livefire.com/SAAS/auth/federation/sso

Next to Custom Logout URL: https://workspaceone.euc-livefire.com

Ensure the Single Logout Enabled check box is cleared.
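As an added sanity check before saving (example code written for this guide, not part of the lab, vIDM or Salesforce), the script below parses the idp.xml metadata, compares its entityID and SingleSignOnService location with the Issuer and Identity Provider Login URL listed above, and confirms that the signingCertificate.cer you upload is the same certificate the metadata advertises. The metadata XML and the certificate bytes are constructed samples; point it at the real files in Downloads to check your own trust material.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
# Values the lab says Salesforce should auto-populate from idp.xml.
EXPECTED_ISSUER = "https://workspaceone.euc-livefire.com/SAAS/API/1.0/GET/metadata/idp.xml"
EXPECTED_LOGIN_URL = "https://workspaceone.euc-livefire.com/SAAS/auth/federation/sso"
# Constructed sample idp.xml (SAML 2.0 metadata schema) with stand-in bytes, not a real X.509 cert.
FAKE_DER = b"constructed-certificate-bytes-not-a-real-x509"
FAKE_B64 = base64.b64encode(FAKE_DER).decode()
IDP_XML = f"""<md:EntityDescriptor xmlns:md="{NS['md']}" xmlns:ds="{NS['ds']}"
    entityID="{EXPECTED_ISSUER}">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>{FAKE_B64}</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
      Location="{EXPECTED_LOGIN_URL}"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""
# Constructed signingCertificate.cer: PEM wrapper around the same bytes.
SIGNING_CER = "-----BEGIN CERTIFICATE-----\n" + FAKE_B64 + "\n-----END CERTIFICATE-----\n"

def fingerprint(der):
    return hashlib.sha256(der).hexdigest()

def pem_fingerprint(pem_text):
    body = "".join(l for l in pem_text.splitlines() if not l.startswith("-----"))
    return fingerprint(base64.b64decode(body))

def parse_idp_metadata(xml_text):
    """Return (entityID, SSO Location, SHA-256 fingerprints of signing certs)."""
    root = ET.fromstring(xml_text)
    sso = root.find(".//md:SingleSignOnService", NS)
    fps = set()
    for kd in root.findall(".//md:KeyDescriptor", NS):
        if kd.get("use", "signing") != "signing":
            continue  # encryption-only keys do not sign assertions
        for cert in kd.findall(".//ds:X509Certificate", NS):
            fps.add(fingerprint(base64.b64decode("".join(cert.text.split()))))
    location = sso.get("Location") if sso is not None else None
    return root.get("entityID"), location, fps

def check_trust_material(xml_text, pem_text):
    entity_id, location, fps = parse_idp_metadata(xml_text)
    return (entity_id == EXPECTED_ISSUER and location == EXPECTED_LOGIN_URL
            and pem_fingerprint(pem_text) in fps)
```

A False result means the Issuer, the login URL or the uploaded certificate does not match what vIDM published, which is worth resolving before step 13 rather than after the first failed SSO attempt.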

13. Select Save.

14. On the SAML Single Sign-On Settings page, select Download Metadata.

NOTE: Download Metadata is not available in the edit view; you have to click on the policy named workspaceone.

This will download an XML file beginning with SAMLSP.....xml


1. On the Salesforce admin console, navigate to Settings > Company Settings > My Domain. In the Authentication Configuration section select Edit; this will open a new tab.
Watch for the pop-up blocker in your browser: select the radio button Always allow pop-ups...., select Done, and then on the Navigate to this page? window select Open.

2. Now on the Authentication Configuration page, next to Authentication Service select the check box that says workspaceone and select Save.

NB! Notice that this pop-up opened in a new window on a new tab.

Revert to the original window by selecting the Single Sign-On Settings tab to the left of your current tab.


3. Now add your unique user from AD to the Salesforce environment.

Navigate to Administration > Users > Users and click New User.

4. Fill in the unique user details, ensuring they match the user you created in AD during the introduction of the lab:

First Name: {FirstName}

Last Name: {LastName}

Alias: {FirstNameInitialLastName} (For example: rbojo)

Email: {FirstNameInitialLastName}@euc-livefire.com (For example: rbojo@euc-livefire.com). This must match the e-mail added to the AD user in the introduction.

Username: {FirstNameInitialLastName}@euc-livefire.com (For example: rbojo@euc-livefire.com)

Nickname: {FirstNameInitialLastName} (For example: rbojo)

Role: <None Specified>

User License: Force.com - Free

Profile: Force.com - Free User

5. Click Save.

This will be the user we will use to test the authentication.

1. Navigate back to your vIDM console, https://workspaceone.euc-livefire.com, go to Catalog and select New.

2. On the New SaaS Application window, select "or browse from catalog". At the bottom of the Application Catalog page, select option 4, and next to Salesforce select the + icon, then select Next.

3. On the Single Sign-On page under Configuration, select the URL/XML radio button.
(Notice that an XML box now appears.)

4. On your Control Center server, open a File Explorer window and browse to Downloads.

Right-click the metadata file you downloaded from Salesforce, named SAMLSP....xml, and open it in Notepad.

In Notepad, select all (CTRL + A) and copy (CTRL + C). Now paste the metadata into the XML field on the Single Sign-On page under URL/XML.

5. On the Single Sign-On page select Next. On the default Access Policies page accept the default, select Next and select Save.

1. On the Catalog tab, select Salesforce, select Edit, then select Configuration. To the right of Configuration, scroll down to Username Value and change ${user.username} to ${user.email}.

2. Select Next. On the Access Policies page, select Next. On the Definition page, select Save.

  1. In the Catalog area, select the check box next to Salesforce and then select Assign.
  2. In the Assign window, under the Users / User Groups box, type marke, select Marketing@euc-livefire.com and select Save.


1. Now open an incognito window in your Chrome browser, browse to https://workspaceone.euc-livefire.com and log in using the unique user you created in the introduction to the lab.

2. You should see your Salesforce application listed in the catalog for the user, and you should now be able to launch this application with SSO.

3. When you are in the Workspace One catalog, click the bookmark button to save it as a bookmark and then select Open.

4. You will now notice that vIDM redirects you into the Salesforce account that you created for your unique user.

The user is authenticated without having to re-authenticate.

You have now completed the lab for web application integration for Salesforce. You have federated your first application into vIDM and are able to single sign on without ever having to type a unique password for SFDC.

EXTRA CURRICULAR - APPENDIX - SP-Initiated vs. IDP-Initiated

In identity management we have two ways to authenticate to the application: either by accessing vIDM first, which is IDP-initiated, or by accessing the application first, which is SP-initiated (Service Provider).

What we did above, accessing SFDC through the Workspace One portal, was IDP-initiated.

We can see an example of SP-initiated authentication in our SFDC application when we navigate directly to our unique domain-specific SFDC environment.

1. Navigate to your SFDC instance/tenant *-dev-ed.my.salesforce.com

Remember this is the unique domain you registered earlier in the lab and is unique to your organisation.

2. Notice that you still have the option to use username and password, as we kept this enabled in our settings above.

3. Notice, however, that below it you also have the option "Log in using: Workspace or vIDM".

4. Now select vIDM or Workspace and notice that you are redirected to vIDM to authenticate.

5. Authenticate using your unique user.

6. Notice that you are redirected back to SFDC and have access to the application.

You have successfully completed both IDP-initiated authentication and SP-initiated authentication.
