4.10 Example: Using an Existing SAML Connector to Configure an Application

This example describes how to import an existing SAML connector from the Global Catalog into Connector Studio, modify it, and configure an application based on this connector in the Applications page. The tasks are illustrated with an existing SAML connector for Salesforce.

4.10.1 Importing a SAML 2.0 Connector from the Global Catalog

  1. In Dashboard, click Administrative Tasks > Connector Studio > + > Import connector from Global Catalog.

  2. In the Connector Catalog window, search for salesforce to list the existing connectors created for Salesforce, then select the Salesforce SAML connector to import it into Connector Studio.

4.10.2 Modifying a SAML Connector

  1. In Connector Studio, click the More Options icon on the Salesforce connector that you imported in Importing a SAML 2.0 Connector from the Global Catalog.

  2. Click Edit.

    The configuration options on each page are listed below. The default configuration value for the Salesforce connector is given after each field name.

    General

      Target Name: Salesforce
      Version: 1.10.1
      Description for Provider: SAML connector to Salesforce
        Not used with Access Manager.
      Description for Tenant: SAML connector to Salesforce
      Certificate required for provider: Not selected
        This option is not selected in the default Salesforce connector because a signing certificate is not required for identity provider initiated single sign-on to Salesforce, for example when the user clicks the Salesforce appmark in the Access Manager user portal page.
      Change Image: An image is specified

    Settings

      Name: ssoStartPage
        ssoStartPage is a replaceable value, represented as ${ssoStartPage} in the connector XML. It appears in the configuration fields of the Metadata and Assertion pages when this setting is chosen from the list of settings.
      Display Name: Login URL
        Login URL is the name that represents this replaceable value in the selection lists on the Metadata and Assertion pages while configuring the connector in Connector Studio, and under Application Connector Setup on the Applications page when configuring an application based on this connector. The value entered for Login URL on the Applications page becomes the AssertionConsumerService endpoint in the metadata generated for the application.
      Data Owner: Tenant
      Type: URL
      Min: 1
      Max: 1024
      Description: The Login URL is the value of the Salesforce Assertion Consumer Service URL assigned to a particular client. This is the value identified as the Salesforce.com Login URL on the Salesforce Single Sign-on Settings page.
      Default Value: https://login.salesforce.com
      Required: Selected
      Concealed: Not selected

    Metadata

      Method: Generate
      EntityID: https://saml.salesforce.com
      Signing Certificate: Not populated
      Assertion Consumer Service URL: ${ssoStartPage}
      Logout URL: Not used by the Salesforce service provider.
      Logout URL Binding: Not used by the Salesforce service provider.
      Logout Response URL: Not used by the Salesforce service provider.
      Import from File: Not used by the Salesforce service provider.
      Import from URL: Not used by the Salesforce service provider.

    Attributes

      Name: Subject/NameID
        Subject/NameID identifies the attribute in the SAML assertion sent to the application.
      Display Name: Salesforce ID
        Salesforce ID is the name that represents this mapping on the Assertion page of Connector Studio and in the Attributes section of the Applications page.
      Data Owner: Tenant
      Encoding: None
      Description: Contains the user's Salesforce ID.
      Default Value: mail
      Required: Selected
      Role Attribute: Not selected

    Assertion

      Audience Restriction: https://saml.salesforce.com
      Name ID: Salesforce ID
        Salesforce ID is the Display Name of the attribute mapping created on the Attributes page. The mapping causes the value of the user's local LDAP mail attribute to populate the NameID element, that is, the remote attribute "Subject/NameID", in the SAML assertion.
      Format: Email
      Destination URL: Not specified

    Federation Instructions

      The instructions can use the following replaceable values:

      ${entityID}: The Identity Server cluster's Entity ID.
      ${ssoURL}: The Identity Server cluster's single sign-on URL.
      ${sloURL}: The Identity Server cluster's single logout URL.
      ${sloReturnURL}: The Identity Server cluster's logout return URL.
      ${signingCert}: The Identity Server cluster's default signing certificate.

  3. Click OK.

  4. Click the More Options icon on the connector > Publish to save the connector into the Local Application Catalog of Access Manager or click More Options > Download to save the connector to a ZIP file in the local file system.
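The following Python script is an added illustration, not code from Access Manager, Connector Studio or this documentation. It models the behaviour described on the Settings, Metadata and Federation Instructions pages above: the ${ssoStartPage} setting is checked against its Type, Min, Max and Required definition, and the replaceable values are substituted into generated service provider metadata and into the federation instructions. The settings dictionary, the metadata and instruction templates, the constructed Identity Server values, and the rule that the Login URL must be an https URL are all assumptions made for the example; the real connector XML layout is not shown on this page.

```python
"""Constructed model of connector setting validation and ${...} substitution.
Example code only; not Access Manager's or Connector Studio's implementation."""
from string import Template
from urllib.parse import urlparse

# Setting definition transcribed from the Settings page of the Salesforce connector.
# The key is the replaceable name that appears as ${ssoStartPage} in the connector XML.
SETTINGS = {
    "ssoStartPage": {
        "display_name": "Login URL",
        "type": "URL",
        "min": 1,
        "max": 1024,
        "default": "https://login.salesforce.com",
        "required": True,
    },
}

# Fixed EntityID from the Metadata page; the ACS URL is the replaceable setting.
SP_ENTITY_ID = "https://saml.salesforce.com"

# Hypothetical metadata template (assumption): the generated SP metadata with the
# Assertion Consumer Service URL taken from ${ssoStartPage}.
METADATA_TEMPLATE = Template(
    '<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" '
    'entityID="${spEntityID}">\n'
    '  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">\n'
    '    <md:AssertionConsumerService '
    'Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" '
    'Location="${ssoStartPage}" index="0"/>\n'
    '  </md:SPSSODescriptor>\n'
    '</md:EntityDescriptor>\n'
)

# Hypothetical federation instructions using the replaceables from the
# Federation Instructions page.
INSTRUCTIONS_TEMPLATE = Template(
    "Identity Provider Entity ID: ${entityID}\n"
    "Identity Provider Login URL: ${ssoURL}\n"
    "Identity Provider Logout URL: ${sloURL}\n"
    "Logout return URL: ${sloReturnURL}\n"
    "Identity Provider Certificate:\n${signingCert}\n"
)

# Constructed Identity Server values for the demonstration (not real endpoints).
IDP_VALUES = {
    "entityID": "https://idp.example.com/saml2/metadata",
    "ssoURL": "https://idp.example.com/saml2/sso",
    "sloURL": "https://idp.example.com/saml2/slo",
    "sloReturnURL": "https://idp.example.com/saml2/slo_return",
    "signingCert": "-----BEGIN CERTIFICATE-----\n<placeholder>\n-----END CERTIFICATE-----",
}


def validate_settings(values):
    """Return a list of problems with the given setting values, mirroring the
    red asterisk / warning behaviour of Required settings on the Applications page.
    An empty list means the settings are complete."""
    problems = []
    for name, spec in SETTINGS.items():
        label = spec["display_name"]
        value = (values.get(name) or "").strip()
        if not value:
            if spec["required"]:
                problems.append(f"{label}: required value is missing")
            continue
        if not spec["min"] <= len(value) <= spec["max"]:
            problems.append(f"{label}: length must be between {spec['min']} and {spec['max']}")
        if spec["type"] == "URL":
            # Example's own rule: the ACS endpoint must be an absolute https URL,
            # so the SAML response is never posted over plain HTTP.
            parsed = urlparse(value)
            if parsed.scheme != "https" or not parsed.netloc:
                problems.append(f"{label}: must be an absolute https URL")
    return problems


def apply_defaults(values):
    """Start from the connector defaults; a value the administrator explicitly
    cleared stays empty so that validation flags it, as the page describes."""
    merged = {name: spec["default"] for name, spec in SETTINGS.items()}
    for name in SETTINGS:
        if name in values:
            merged[name] = values[name]
    return merged


def render_application(setting_values, idp_values):
    """Produce the SP metadata and the substituted federation instructions.
    Raises ValueError when required settings are missing or malformed."""
    values = apply_defaults(setting_values)
    problems = validate_settings(values)
    if problems:
        raise ValueError("Application needs more information: " + "; ".join(problems))
    metadata = METADATA_TEMPLATE.substitute(spEntityID=SP_ENTITY_ID, **values)
    instructions = INSTRUCTIONS_TEMPLATE.substitute(idp_values)
    return {"metadata": metadata, "instructions": instructions}


if __name__ == "__main__":
    app = render_application({}, IDP_VALUES)   # defaults only
    print(app["metadata"])
    print(app["instructions"])
    print(validate_settings({"ssoStartPage": ""}))   # cleared default is reported
```

Running the script with no overrides renders the metadata with the default Login URL; clearing the value reproduces the "required value is missing" condition that the Applications page reports with a warning symbol.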

4.10.3 Importing the SAML Connector into the Applications Page

  1. In Dashboard, click Administrative Tasks > Applications > + > Add Application from Local Catalog.

  2. Select the Salesforce connector that you published in Modifying a SAML Connector.

    The connector is imported into the Applications page and opened for editing.

    The following table maps each Connector Studio page or field to the corresponding field or section of the Applications page (Connector Studio -> Applications page):

      General > Target Name -> Name
      General > Description for Tenant -> Description
      General > Version -> Created from Connector with version [Version]
      General > Image -> Default image
      Settings -> Application Connector Setup
      Metadata -> Application Connector Setup
      Assertion -> Application Connector Setup
      Attributes -> Attributes
      Federation Instructions -> System Setup

  3. Edit the values based on your requirements.

  4. Click Save to create a Salesforce application.

  5. Update Identity Server.

The following are a few important points:

  • The Settings and Attributes sections contain help icons. When you hover over an icon, the help text specified in the corresponding Description field of the connector is displayed.

  • Clicking Show in the System Setup section displays the federation instructions that contain substituted actual values for the ${ssoURL}, ${sloURL}, ${entityID}, and other replaceable values that were specified in the connector’s federation instructions.

  • Settings and attribute mappings that are configured as Required in the connector are flagged with a red asterisk. If you remove a default value, a warning symbol indicates that a required value is not available. If an application is saved without configuring its required settings, it is listed under Application needs more information on the Applications page.

  • Saving the application creates an associated appmark that, by default, is visible in the user portal page.

  • A SAML 2.0 service provider is created. You can view or edit the details of this service provider by clicking Advanced Settings.
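The following Python script is an added illustration and is not Access Manager's code. It shows what the Assertion and Attributes settings above produce: an assertion whose NameID is populated from the user's local mail attribute in Email format, restricted to the audience https://saml.salesforce.com, together with the checks a service provider applies before accepting it (audience, validity window, NameID format). The user record, issuer, timestamps and element layout are constructed for the example; the signature that the Identity Server's default signing certificate would add is omitted, so this is only the unsigned assertion body.

```python
"""Constructed illustration of the assertion described by the Assertion and
Attributes pages and of the service provider checks applied to it.
Example code only; not Access Manager's implementation (no XML signature here)."""
import secrets
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
NAMEID_EMAIL = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"  # Format: Email
AUDIENCE = "https://saml.salesforce.com"                                  # Audience Restriction
TIME_FMT = "%Y-%m-%dT%H:%M:%SZ"
ET.register_namespace("saml", SAML_NS)

# Attribute mapping from the Attributes page: remote Subject/NameID <- local 'mail'.
ATTRIBUTE_MAP = {"Subject/NameID": "mail"}

# Constructed demo inputs (not real users or endpoints).
DEMO_USER = {"cn": "jsmith", "mail": "jsmith@example.com"}
DEMO_ISSUER = "https://idp.example.com/saml2/metadata"
DEMO_ISSUED_AT = datetime(2024, 1, 1, 12, 0, 0, tzinfo=timezone.utc)
DEMO_LATER = DEMO_ISSUED_AT + timedelta(minutes=10)   # past the 5-minute lifetime


def _tag(name):
    return f"{{{SAML_NS}}}{name}"


def build_assertion(user, issuer, issued_at, lifetime_seconds=300):
    """Build a minimal, unsigned SAML 2.0 assertion from a local user record."""
    name_id_value = user[ATTRIBUTE_MAP["Subject/NameID"]]
    root = ET.Element(_tag("Assertion"), {
        "Version": "2.0",
        "ID": "_" + secrets.token_hex(16),
        "IssueInstant": issued_at.strftime(TIME_FMT),
    })
    ET.SubElement(root, _tag("Issuer")).text = issuer
    subject = ET.SubElement(root, _tag("Subject"))
    ET.SubElement(subject, _tag("NameID"), {"Format": NAMEID_EMAIL}).text = name_id_value
    conditions = ET.SubElement(root, _tag("Conditions"), {
        "NotBefore": issued_at.strftime(TIME_FMT),
        "NotOnOrAfter": (issued_at + timedelta(seconds=lifetime_seconds)).strftime(TIME_FMT),
    })
    restriction = ET.SubElement(conditions, _tag("AudienceRestriction"))
    ET.SubElement(restriction, _tag("Audience")).text = AUDIENCE
    return ET.tostring(root, encoding="unicode")


def check_assertion(xml_text, expected_audience, now):
    """Service provider side checks. Returns (accepted, reason, name_id).
    The audience check is what stops an assertion issued for one service
    provider from being replayed at another."""
    ns = {"saml": SAML_NS}
    root = ET.fromstring(xml_text)
    conditions = root.find("saml:Conditions", ns)
    if conditions is None:
        return False, "no Conditions element", None
    audiences = [a.text for a in conditions.findall("saml:AudienceRestriction/saml:Audience", ns)]
    if expected_audience not in audiences:
        return False, "audience mismatch", None
    not_before = datetime.strptime(conditions.get("NotBefore"), TIME_FMT).replace(tzinfo=timezone.utc)
    not_on_or_after = datetime.strptime(conditions.get("NotOnOrAfter"), TIME_FMT).replace(tzinfo=timezone.utc)
    if not (not_before <= now < not_on_or_after):
        return False, "outside validity window", None
    name_id = root.find("saml:Subject/saml:NameID", ns)
    if name_id is None or name_id.get("Format") != NAMEID_EMAIL:
        return False, "NameID missing or not in Email format", None
    return True, "ok", name_id.text


if __name__ == "__main__":
    assertion = build_assertion(DEMO_USER, DEMO_ISSUER, DEMO_ISSUED_AT)
    print(assertion)
    print(check_assertion(assertion, AUDIENCE, DEMO_ISSUED_AT))
    print(check_assertion(assertion, "https://other-sp.example.com", DEMO_ISSUED_AT))
    print(check_assertion(assertion, AUDIENCE, DEMO_LATER))
```

The three checks at the end show the assertion being accepted by the intended audience, rejected by a different service provider, and rejected once its validity window has passed.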