Salesforce.com is pre-configured to establish federation with external service providers.
To integrate Salesforce for idpsend, follow the procedure in Setting Up Google Applications. In Step 3, select Salesforce. The trusted provider is displayed on the protocol page. For example, if you have specified Name as SalesForce, the page displays the trusted service provider as in Figure 5-23, when you click Finish.
Access Manager allows your users to use their existing LDAP credentials for single sign-on access to salesforce.com and for any web applications protected by Access Manager.
Perform the following steps to configure SAML 2.0 for identity provider (IDP) initiated login:
Create domain in Salesforce.
To enable IDP-initiated login in Salesforce.com, you must enable and configure the My Domain option in Salesforce.com. Defining your own domain provides the basis for an IDP-initiated URL.
Log in as administrator.
Go to Administration Setup > Domain Management > My Domain.
Specify the sub-domain name and check the availability.
Agree to the terms and conditions and click Register Domain.
If you have already configured your identity provider for Salesforce.com using the wizard, you must update configuration in the identity provider according to the new domain. Perform the following steps.
Download the metadata from the Salesforce site for your domain. See Step 3. Send and import this metadata into your Identity Server Salesforce configuration. For reimporting metadata in Access Manager Identity Server, see Viewing and Reimporting a Trusted Provider’s Metadata.
Change the Intersite Transfer URL to point to the new domain URL.
Perform Step 4 and Step 5 in Integrating Salesforce With Access Manager By Using SAML 2.0 for Service Provider Initiated Login.
Update Identity Server.
Service provider configuration options offer you more flexibility and control for example, simultaneously federating with more than one Identity Server. Salesforce.com also supports SP-initiated login along with IDP-initiated login. SP-initiated login lets the user use a simple and intuitive URL to access the target application.
Follow the procedure given below to integrate Salesforce with Access Manager by using SAML 2.0 for service provider initiated login. Assume that the user has a Salesforce account.
Create a domain in Salesforce.
To enable SP-initiated login in Salesforce.com, you must enable and configure the My Domain option in Salesforce.com. Defining your own domain provides the basis for an SP-initiated URL.
Login as administrator. Go to Administration Setup > Domain Management > My Domain.
Specify the subdomain name and check the availability.
Agree to the terms and conditions and click Register Domain.
If you have already configured your identity provider for Salesforce.com using wizard, you must update configuration in the identity provider according to the new domain. Perform the following steps.
NOTE:Configure SSO configuration. Perform the following steps to enable the SAML support in Salesforce:
Log in to your Salesforce account.
In the left panel, select Security Control > Single sign setting > Saml Single Sign-on Setting > New and fill the form.
Select Security Control > Single sign setting > Saml Single Sign-on Setting > Federated Single Sign-On Using SAML > Edit > Enable Saml.
Change the Intersite Transfer URL to point to the new domain URL.
Import Salesforce metadata in Access Manager.
As with any other SAML federation you must configure both your Access Manager Identity Server and Salesforce.com Service Provider (SP) to establish a trust. You now have an option to download your metadata from Salesforce.com. To download your specific metadata go to your Salesforce.com instance.
Log in as an administrator.
Go to Administration Setup > Security Controls > Single Sign-On Settings.
Select Name that you have configured and Download Metadata.
Reimport this metadata into your service provider configuration in Access Manager assuming that you have created Salesforce using the wizard.
The metadata file you download will include a certificate. For Access Manager to trust or use this certificate, the trusted root certificate chain that minted the certificate must exist in the Access Manager certificate trust stores.
Import certificate in Access Manager, for example, Salesforce.com.
Open the downloaded metadata XML file with a file editor and search for the certificate in the X509Certificate element (between <ds:X509Certificate> and </ds:X509Certificate>).
Copy the information into its own file and give it a .cer file extension.
Double click and open the file.
Click Certification Path to see the chain of authority for the certificate.
You need the trusted root certificate for every CA in the chain that you see listed.
In the example above, select the VeriSign Class 3 International Server CA – G3 and click View Certificate.
Click Details.
You can now export the CA trusted root certificate.
Click Copy to File.
Select .DER encoded when prompted. Specify a name and save the file.
Repeat this process for every CA in the certificate path chain.
Use the Access Manager Administration Console to import the resulting CA trusted root certificates into your Access Manager keystores.
After importing, add these certificates into Identity Server Keystore. For more information, see Section 17.2, Adding a Certificate to a Keystore.
Ensure to add Root certificate of Salesforce into your OCSP trust store else, OCSP validation fails and Identity Server displays an error.