Federating a SAML application (Salesforce) with Workspace ONE Access

Workspace ONE SaaS application deployment number 1

This lab is intended to prepare those federating SaaS applications for authentication via Workspace ONE Access. As SAML is a standard authentication type, this example is just one of many documented integrations.

Part 1. Salesforce  Setup

  1. Signing up for a Salesforce developer trial account.
    1. Open your Browser on the ControlCenter2 desktop
    2. Navigate to https://developer.salesforce.com/signup for a free account.
      • Fill in your details using a personal e-mail address. Please ensure this e-mail address has not previously been used with SFDC.
      • If you have then one option might be to create a dummy email address with Outlook and register this.
      • When complete select Sign me up >
  1. Go to your email and confirm your registration. Select Verify Account. This will take you to the Change Your Password Site.
    • Set a password of your choosing  and provide a security question and answer
    • Select Change Password to save and you will be redirected automatically to the Setup Home page.
  1. You should still be automatically logged in with the user that you have created above, if not navigate to https://login.salesforce.com and login with the details for your account.
  • NOTE: Salesforce has two Web Interfaces and this can get quite confusing. Please be sure to use the lightning experience interface rather than the classic interface. You will now register a unique domain name for you SFDC dev account. Click on Lightening experience. From the top right, find the settings icon and select Service Setup from the dropdown menu.
  1. On the Home page Navigate to Settings > Company Settings > My Domain 
  1. Enter a unique domain name under "Choose Your Domain Name" or click Edit if you see an existing Domain name
    • Convention:  Your City and your student number and then add LF to the end to be 100% sure. e.g. - Rotterdam35LF
    • Select Check Availability
    • Select Register Domain
    • Make a note of your Registered Domain
  1. Revert back to your email . You should have received an e-mail to the address specified in your developer's account once it has successfully registered. This could take up to 10 minutes.
    • Click the link provided in the e-mail to confirm your domain registration
      • OR
    • Refresh your My Domain page and select Log in
  1. At this point, you will be prompted for a phone number.
    • You have the option to select I Don't want to register my phone.
      • It will just use your e-mail address as the second factor authentication. 
    • Select Register
    • If you have entered your phone number, enter the token under Verification Code
    • Select Verify
  1. Now Navigate back to Settings > Company Settings > My Domain
    • Select the Deploy to Users 
    • Select OK to confirm the pop-up. 

Part 2. Establish SAML Trust

  1. Now we will download the identity provider Signing certificate from Workspace ONE Access and upload it into SFDC to create the trust relationship for authentication.
    1. Login to your Saas Workspace ONE Access administrator console as sysadmin
    2. Select the Catalog tab and select Settings
    3. Select Settings select SAML Metadata
    4. Right click on Identity Provider (Idp) metadata and select save link as, this will open your Save As window. Leave the Downloads folder as default and the name as idp.xml and select Save
    5. Go to the Signing Certificate area and select Download , you should now have a signingCertificate.cer and a idp.xml in the Downloads folder

 

  1. Navigate back to your SalesForce site where you should now be able to login with your unique registered domain *-dev-ed.lightning.force.com 
    • On the home page for the admin user you will find Settings > Identity > Single Sign-On Settings NOTE: if you can't locate these options on the initials login page select the cog wheel in the top right hand side of the page and select setup and it will take you to the correct configuration page.
    • On the Single Sign-On Settings Page next SAML Assertion Validator select Edit, below Federated Single Sign-on Using SAML, select the SAML Enabled checkbox. Select Save.

 

  1. Now select New From Metadata File just underneath where the SAML settings have been enabled.
    1. This will take you to the SAML Single Sign-On Settings page where it will request the SAML metadata.
    2. Click Choose File that you have downloaded into the Downloads Folder from Workspace ONE Access named idp.xml (created in paragraph 1).
    3. Select the idp.xml and select Open select Create.

 

  1. Notice now that the fields have been auto populated with the correct data from Workspace ONE Access  
    1. Ensure the Following are correct in the settings:
      • Next to NAME: leave as default
      • Next to ISSUER: leave as default, This is the XML that is provided for the Metadata -
      • Next to Provider Certificate: Upload the signingCertificate.cer into this field  (this was downloaded in Part 2 Step 1 from the Workspace ONE Access portal)
      • Next to SAML Identity Type: leave as default "Assertion contains the User's Salesforce username
      • Next to SAML Identity Location: leave as default "Identity is in the NameIdentifier element of the Subject statement
      • Next to API Name: leave as default
      • Next to Entity ID: Change to https://saml.salesforce.com
      • Next to Identity Provider Login URL: leave as default
      • Next to Custom Logout URL: your Workspace ONE Access URL
        • e.g. https://aw-livefireerikcluton.vidmpreview.com
      • Ensure the check box from Single Logout Enabled is removed.
    2. Select Save.
    3. On the SAML Single Sign-On Settings page select Download Metadata.
      • NOTE: Download metadata is not available in the edit view you have to click on the policy This will download an xml file beginning with SAMLSP.....xml

 

  1. On the SalesForce admin console
    1. Navigate to Settings > Company Settings > My Domain  
    2. In the Authentication Configuration section select edit
    3. Under Authentication Configuration page next to Authentication Service select the check box that has "YOUR Saas Workspace ONE Access" and select Save

 

  1. Creating a unique user for your SalesForce environment.

NB! This has to be an Identical account to what you created at the beginning of the course

  1. Navigate to Administration > Users > Users >  click Select New User
  2. Fill in the unique user details,
    • First Name:User xx {your student number + {the first letter of your city and country abbreviation}} eg User35AUK
    • Last Name:{the first letter of your city and country abbreviation
    • Alias:{same as your username}
    • Email:{[email protected] (For Example: [email protected])
    • Username:{FirstName@customsuffix.euc-livefire.com (For Example: [email protected])
    • Nickname: {same as your FirstName}
    • Role: <None Specified >
    • User License: Force.com - Free
    • Profile:Force.com - Free User
  3. Click Save

This will be the user we will use to test the authentication

  1. Navigate back to your Workspace ONE Access console
    1. Select the Catalog tab, select New
    2. On the New Saas Application window, in the search type sales and select Salesforce, select Next,
    3. Under Configuration, under the Single Sign-On section, select the URL/XML radio button.
    4. On your Controlcenter server Open file Explorer window and browse to Downloads. Right click and open the metadata file you downloaded from Sales force that was called SAMLSP....xml
    5. Open in Notepad. In the Notepad select all or press CTRL + A and copy with CTRL + C. Now paste the Metadata in the XML field in Single Sign-On page under URL/XML.
    6. On the Single Sign-On page select Next, on the default Access policies page accept the default select Next and select Save

 

  1. On the Catalog tab, select Salesforce select Edit,
    1. Select Configuration, to the right of configuration, scroll down to Username Value and change ${user.username} to ${user.email}
    2. Select Next, on the Access Policies page, select Next, on the definition page, select Save.
  1. In the Catalog area next to Salesforce, select the check box and then select Assign
    • In the Assign window under Users / User Groups box type marke and select [email protected].
    • Under Deployment Type, change to Automatic from User-Activated and hit Save
  1. Testing your custom account with the Salesforce Federation
    • Open up an Incognito window an alternate browser and navigate to your Workspace ONE access URL.
    • On Select your Domain screen, click on the dropdown and select euc-livefire.com.
    • Login to your SaaS instance of Workspace ONE Access with your custom user account i.e. UserXXRNL
      • In the Workspace ONE Catalog, from the top menu option, navigate to APPS.
      • Click to open your Salesforce Application

If the federation was setup correctly, your custom user UserXXRNL is logged in successfully.

0 Comments

Add your comment

This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.