Introduction
This article outlines the information and steps you need to take in order to configure Salesforce to use the LogonBox SAML Identity Provider. Once configured your users will be redirected to your LogonBox Server to authenticate.
Step 1 - Create the Resource from the Template
Log into your server as admin and navigate to Identity Services->SAML. Select Search Templates and select the Salesforce SAML template and click Next.
You will be asked for your Salesforce domain if you have one and organization Id.
Enter the domain name of your Salesforce account. If your Salesforce domain is 'logonbox.salesforce.com' then your domain is url, 'logonbox.salesforce.com'.
If you do not have a domain this value must be set to, 'https://saml.salesforce.com'.
Enter your Organization Id, this can be found in your Salesforce configuration under Setup -> Administer -> Company Profile -> Company Information within Salesforce, for example, '00D24000000jWBD'.
Click Next. At this point click close the templates window so that you can return to the list of SAML resources where your Salesforce SAML resource should now be present.
Edit the resource and in the Assignment tab, add users, groups or roles who will have permission to use this resource.
You can add the Everyone role to add all users and click Update.
Step 2 - Download SAML metadata
You will need a couple of things from your server in order to configure Salesforce. First you will need to download the SAML metadata.
In the table of SAML resources locate the Salesforce SAML resource, and click the options icon to activate the dropdown. Select Download Metadata; this is an XML file that contains information about the Identity Provider and its access points.
Next, navigate to Certificates and locate the SAML RSA certificate. Again using the options icon to activate the dropdown, select Download Certificate
Before proceeding to the next step, open the XML file containing the metadata and locate the logon and logoff service URLs. These are located towards the end of the document and will look like
https://demo.logonbox.com/app/api/sso/logon/123456
https://demo.logonbox.com/app/api/sso/logoff/123456
Copy the entire URL as these will be entered into the Salesforce settings.
Also take a copy of your entityId which will be located at the top and look something like,
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" entityID="https://logonbox.salesforce.com">
Step 3 - Configure Salesforce
Once you have setup the SAML resource on your server you will now need to log into your Salesforce account as Administrator so that you can configure Salesforce to use a third party Identity Provider.
First, once logged in, select Setup and from the left navigation open Administer - > Security Control -> Single sign-On settings.
From the Single sign-On Settings page enable SAML.
From the SAML Single Sign-On Settings section select New. This will open a new SAML configuratiion page where you can configure LogonBox SSO as the identity provider.
Configure the following settings:
- Name: a suitable name to identity this configuration
- API Name: this should be automatically generated based on the Name
- Issuer & IdentityId: use the entity Id identified in step 2 for example, 'https://nervepoint.5ocket.net'
- Identity Prpovider Certificate: upload the certificate located in step 2
- SAML Identity Type: this should be, 'Assertion contains User's salesforce.com username'.
- SAML Identity Location: this should be set to, 'Identity is in the NameIdentifier element of the Subject statement'.
- Identity Provider Login URL: Use the login URL identified in step 2
- Identity Provider Logout URL: Use the logout URL identified in step 2
Click Save to commit the settings.
Step 4 - Final Checks
Each user's email address must match their Salesforce logon email as this is the primary link between accounts.
Once access is assigned log out of Salesforce and then access LogonBox as a user with the rights to use the new resource. In My Resources->Browser Resources click the launch icon to access Salesforce.