9.4 Provisioning Users to Salesforce

For single sign-on to work, each user must already have an account in Salesforce. You can either create the users manually in Salesforce or configure the Just-in-Time provisioning feature in Salesforce so that accounts are created at first login.

Just-in-Time provisioning automatically creates an account for the user the first time they log in to Salesforce by using the SAML 2.0 assertion from Access Manager.

To use Just-in-Time provisioning, you must make configuration changes in both Salesforce and Access Manager. Ensure that you have read the documentation from Salesforce for Just-in-Time provisioning before proceeding. For more information, see About Just-in-Time Provisioning for SAML.

NOTE: User account names in Salesforce are in email form. Ensure that the value of the User.Username attribute in the SAML 2.0 assertion is in the form of an email address.

Configuring Just-in-Time provisioning:

  1. In Salesforce, configure the Single Sign-On (SSO) settings.

    1. Configure the following fields:

      SAML Identity Type: Select Assertion contains the Federation ID from the User object.

      User Provisioning Enable: Select this option.

      User Provisioning Type: Select Standard.

    2. Save your changes.

    3. From Salesforce, download the metadata.

  2. Configure the connector for Salesforce. For more information, see Section 9.2, Configuring the Connector for Salesforce.

  3. Create a new attribute set between Access Manager and Salesforce.

    1. In the Administration Console, click Devices > Identity Servers.

    2. Click Shared Settings.

    3. Under Attribute Sets, click New.

    4. Create an attribute set to map attributes between Access Manager and Salesforce.

      1. Specify a name for the attribute set, then click Next.

      2. Click New, then use the following information to create an attribute mapping:

        Local attribute: Select Ldap Attribute:mail.

        Remote attribute: Specify User.Email.

      3. Leave all of the other fields to the default values, then click OK.

      4. Click New, then use the following information to create an attribute mapping:

        Local attribute: Select Ldap Attribute:sn.

        Remote attribute: Specify User.LastName.

      5. Leave all of the other fields to the default values, then click OK.

      6. Click New, then use the following information to create an attribute mapping:

        Local attribute: Select Ldap Attribute:cn.

        Remote attribute: Specify User.Username. Because Salesforce requires this value in email form (see the NOTE above), the cn values in your user store must be email addresses; otherwise select a local attribute that is.

      7. Leave all of the other fields to the default values, then click OK.

      8. Click New, then select Constant.

      9. Use the following information to create a constant defining what type of Salesforce account the users have:

        Constant: Specify the Salesforce profile for the users' accounts. For example, Chatter Free User.

        Remote attribute: Specify User.ProfileId.

      10. Leave all of the other fields to the default values, then click OK.

      11. Click Finish, then Close.

  4. Add the attribute map created in Step 3 to the Service Provider for Salesforce.

    1. In the Administration Console, click Devices > Identity Servers, then select the Identity Server running the connector for Salesforce.

    2. Click the Trusted Providers tab.

    3. In the Service Providers list, click the Salesforce service provider.

    4. Click Attributes.

    5. In the Attribute set field, select the attribute set you created in Step 3.

    6. Select all four attributes in the Available panel, then click the left arrow to move them to the Send with authentication panel.

    7. Click OK twice.

    8. In the Status field next to the Identity Server name, click Update.

With this configuration, the SAML 2.0 assertion sent by Access Manager contains all of the information required to create an account for a user in Salesforce. The first time a user logs in to the User Portal and clicks on the appmark for Salesforce, Salesforce creates an account and the user is authenticated.

IMPORTANT: Ensure that the local attributes used in the attribute set from Step 3 (mail, sn, cn) are populated for every user in the Access Manager user store and that their values are in the format Salesforce requires. A user whose assertion lacks one of the four attributes, or whose User.Username is not an email address, cannot be provisioned.
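The following script is an added example, not part of this documentation or of the Access Manager or Salesforce products. It builds the SAML 2.0 AttributeStatement that the attribute set above would produce for a user-store entry and checks it against the two requirements stated in this section: all four Salesforce attributes present, and User.Username (and User.Email) in email form. It can also be pointed at an assertion captured from the browser before JIT provisioning is switched on. The function names, the email regular expression, and the sample user-store entries are assumptions made for the example; the attribute names and the constant are taken from the procedure.

```python
"""Build and sanity-check the SAML 2.0 AttributeStatement that Salesforce
Just-in-Time provisioning expects from Access Manager (added example)."""
import re
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
ET.register_namespace("saml", SAML_NS)

# Attribute set from the procedure: Salesforce attribute name -> source.
# A source is either an LDAP attribute of the Access Manager user store
# or a constant (the Salesforce profile assigned to new accounts).
ATTRIBUTE_SET = {
    "User.Email":     ("ldap", "mail"),
    "User.LastName":  ("ldap", "sn"),
    "User.Username":  ("ldap", "cn"),
    "User.ProfileId": ("constant", "Chatter Free User"),
}

# Attributes Salesforce expects in email form. The regex is a coarse
# assumption for this example, not Salesforce's exact username rules.
EMAIL_FORM = {"User.Username", "User.Email"}
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def build_attribute_statement(ldap_entry):
    """Return the <saml:AttributeStatement> Access Manager would send for
    this user. A local attribute that is not populated in the user store is
    silently omitted, which is the failure the IMPORTANT note warns about;
    check_jit_attributes() reports it."""
    stmt = ET.Element(f"{{{SAML_NS}}}AttributeStatement")
    for remote_name, (kind, source) in ATTRIBUTE_SET.items():
        value = ldap_entry.get(source) if kind == "ldap" else source
        if not value:
            continue
        attr = ET.SubElement(stmt, f"{{{SAML_NS}}}Attribute", Name=remote_name)
        ET.SubElement(attr, f"{{{SAML_NS}}}AttributeValue").text = value
    return stmt


def statement_xml(ldap_entry):
    """Serialized form of build_attribute_statement(), for inspection."""
    return ET.tostring(build_attribute_statement(ldap_entry), encoding="unicode")


def attribute_values(xml_or_element):
    """Return {Name: value} for every saml:Attribute in the statement.
    Accepts an Element or serialized XML: either a whole captured assertion
    or just the AttributeStatement."""
    root = (xml_or_element if isinstance(xml_or_element, ET.Element)
            else ET.fromstring(xml_or_element))
    stmt_tag = f"{{{SAML_NS}}}AttributeStatement"
    stmt = root if root.tag == stmt_tag else root.find(f".//{stmt_tag}")
    if stmt is None:
        return {}
    values = {}
    for attr in stmt.findall(f"{{{SAML_NS}}}Attribute"):
        values[attr.get("Name")] = attr.findtext(f"{{{SAML_NS}}}AttributeValue")
    return values


def check_jit_attributes(xml_or_element):
    """List the problems that would stop Salesforce from creating the account.
    An empty list means the statement satisfies this section's requirements."""
    values = attribute_values(xml_or_element)
    problems = []
    for name in ATTRIBUTE_SET:
        if not values.get(name):
            problems.append(f"missing or empty {name}")
    for name in EMAIL_FORM:
        value = values.get(name)
        if value and not EMAIL_RE.match(value):
            problems.append(f"{name}={value!r} is not in email form")
    return sorted(problems)


if __name__ == "__main__":
    # Constructed user-store entries for the example; not real accounts.
    good = {"cn": "jdoe@example.com", "sn": "Doe", "mail": "jdoe@example.com"}
    bad = {"cn": "jdoe", "mail": "jdoe@example.com"}   # cn not an email, sn unset
    print(statement_xml(good))
    print(check_jit_attributes(statement_xml(good)))   # []
    print(check_jit_attributes(statement_xml(bad)))
```

Run it against the attribute values of a real user before enabling User Provisioning in Salesforce; the second sample entry shows the two failures this section calls out, a cn that is not an email address and an unpopulated sn.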