12.6 Configuring Integration with Salesforce

Perform the following steps to configure the integration of the Advanced Authentication appliance with Salesforce using SAML2:

  1. Log in to your Salesforce account.

  2. Create a domain, if you have not already created one.

    1. In the Lightning Experience interface, click the Gear button and select Setup Home.

    2. Scroll down the Setup toolbar and navigate to Company Settings.

    3. Click My Domain.

      Enter your own domain name and then click Save. After the domain is activated, use it to open Salesforce, for example https://CompanyName.my.salesforce.com/. The SAML provider configuration requires this domain name.

  3. Configure the SAML provider.

    1. From the Settings menu navigate to Identity > Single Sign-On Settings.

    2. Create a new text file and paste the Identity Provider Certificate into it. The certificate below is the example used in this procedure (a self-signed certificate for osp.authasas.local); use the signing certificate of your own Advanced Authentication server instead, because Salesforce validates the signature of every assertion against this certificate and rejects assertions signed with any other key.

      -----BEGIN CERTIFICATE-----
      MIIDkzCCAnugAwIBAgIESsmdMzANBgkqhkiG9w0BAQsFADB6MRAwDgYDVQQGEwdVbmtub3duMRAw
      DgYDVQQIEwdVbmtub3duMRAwDgYDVQQHEwdVbmtub3duMREwDwYDVQQKEwhBdXRoYXNhczESMBAG
      A1UECxMJQXV0aGFzYXNhMRswGQYDVQQDExJvc3AuYXV0aGFzYXMubG9jYWwwHhcNMTYwNTI2MDUz
      NjI0WhcNMjYwNDA0MDUzNjI0WjB6MRAwDgYDVQQGEwdVbmtub3duMRAwDgYDVQQIEwdVbmtub3du
      MRAwDgYDVQQHEwdVbmtub3duMREwDwYDVQQKEwhBdXRoYXNhczESMBAGA1UECxMJQXV0aGFzYXNh
      MRswGQYDVQQDExJvc3AuYXV0aGFzYXMubG9jYWwwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEK
      AoIBAQCw3YLz03qhSZPXjBc/Ws+cZ2/E5oogqKeJ3p4RR6USOoarjnmvQPq+maRfvexriwQjRDgS
      OFRb58cert/misqzsHBVmQDnfMwicFVzuuKjDEbWFp9vL1gRkDzIlpCyl3eNmBWuWXM49Z6mm8XS
      fIwlAoydNp5DK0o0Yrk6FNOi0nOrnI5kHGVD0bd5SpDtvXSF1WLfc5YT9UBUpfZneKsVPWSkbeBX
      F84hYJWBtdzcTEyjdso9Ra7UtxLIUW0UH3LWTgn9zS97nLkmhetmD1I3mEAeAE9SAmqTRyH1FNXZ
      ZOfi/BJF4+sz86f6pBbwYM2KTvXaABgzSpZpJ1pQrZKPAgMBAAGjITAfMB0GA1UdDgQWBBTL8PbA
      +e6YkBIk4yELTZ+AbfdA6DANBgkqhkiG9w0BAQsFAAOCAQEAm87lNyAO8CtN5jlLe3CupLAAbUWR
      NY6av7LpPail1JRIw+uvddMyOz1vOS1IwpDDNtcPtxGXsaZI1CKgNPBpLvSxePVUXNfFgUCtu+bT
      cuUtiQbkiDWwFLmAS6KeA+EBFOeqBiudEfkAZZT87DF9gKvM6VWdzJ7BvWi2YPbH/FRM82fLoyAd
      RbphF215we3rvsfeWbwXw70UGNyBUTb3zUcAmB3sHbcZiXJZj3pJYgDaN9Ss60sz/yG1ZLEYluvL
      R1T2PPEfEcA1Eij0R1A31Z5hJ3zDlXoCeNYLoMg4522QYekTwvQeWkeYejBXEcxdL7VP6F91zmfZ
      bm1A4PY5jw==
      -----END CERTIFICATE-----

    3. In the Single Sign-On Settings screen, click New and enter the following details.

      1. Name: Advanced Authentication

      2. API Name: AAF

      3. Issuer: https://AdvancedAuthenticationServerAddress/osp/a/TOP/auth/saml2/metadata, where AdvancedAuthenticationServerAddress is the domain name or IP address of your Advanced Authentication Server. Use exactly the same address in the Identity Provider Login URL below and in the External URL in step 6.

      4. Entity ID: https://CompanyName.my.salesforce.com/

      5. Click Choose File and select the text file that contains the Identity Provider Certificate.

      6. SAML Identity Type: Select the Assertion contains the Federation ID from the User object option.

      7. SAML Identity Location: Select the Identity is in an Attribute element option.

      8. Attribute Name: upn. This is the assertion attribute that carries the user's userPrincipalName, which Salesforce compares with the user's Federation ID.

      9. Service Provider Initiated Request Binding: Select the HTTP Redirect option.

      10. Identity Provider Login URL: https://AdvancedAuthenticationServerAddress/osp/a/TOP/auth/saml2/sso

      11. Select the User Provisioning Enabled option. This enables just-in-time provisioning, so Salesforce creates a user account for an authenticated subject that does not exist yet; enable it only if you want accounts created automatically for everyone who can pass the chains you select in step 4.

      12. Click Save.

    4. Click Edit for Federated Single Sign-On Using SAML.

    5. Select SAML Enabled option.

    6. Click Save.

    7. From the Settings menu click Users.

    8. Click Edit for each Salesforce user who will log in through SAML and set the Federation ID. The Federation ID must match the value of the userPrincipalName attribute of the user's Active Directory account, for example pjones@company.com.

      NOTE: The Federation ID is case sensitive and must match the upn value in the assertion exactly. If the case differs, Salesforce reports the following error:

      We can't log you in. Check for an invalid assertion in the SAML Assertion Validator (available in Single-Sign On Settings) or check the login history for failed logins.

    9. Click your profile icon and then click the Switch to Salesforce Classic option. Salesforce Classic is required to edit the domain authentication options.

    10. Click Setup in the top menu, navigate to Administer > Domain Management > My Domain, and click Edit in the Authentication Configuration section.

    11. Under Authentication Service, select Login Page and the SAML configuration you created in step 3 (shown as osp in this example), then click Save.

  4. Configure the Advanced Authentication SAML event.

    1. Click your profile icon and then click Switch to Lightning Experience.

    2. Click the gear button and select Setup Home.

    3. Navigate to Identity > Single Sign-On Settings.

    4. Click the name of the configuration you created (not Edit).

    5. Click Download Metadata.

    6. Open Advanced Authentication > Administrative Portal.

    7. Switch to Server Options.

    8. Enable WebAuth.

    9. Switch to Events section.

    10. Click Add to add a new event.

    11. Create an event with the following parameters.

      Name: Salesforce

      Chains: select the required chains.

      Click Choose File under Upload SP SAML 2.0 metadata file, select the Salesforce metadata file you downloaded, and click Save.

  5. Switch to the Policies section.

  6. Set External URL to https://AdvancedAuthenticationServerAddress/, where AdvancedAuthenticationServerAddress is the domain name or IP address of your Advanced Authentication Server.

    IMPORTANT: Use exactly the same server name or IP address that you entered in the Issuer and Identity Provider Login URL fields in Salesforce. Salesforce rejects an assertion whose Issuer does not match the configured Issuer value.

  7. Open https://CompanyName.my.salesforce.com/ and click Advanced Authentication to test SAML2 authentication.
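Most failures of this procedure come from three mismatches: the Issuer or Identity Provider Login URL in Salesforce not matching what the Advanced Authentication server publishes, the pasted certificate not being the server's signing certificate, or the upn value differing from the Federation ID in case. The following script is an added example written for this page, not code from Advanced Authentication or Salesforce. It assumes the Issuer URL serves standard SAML 2.0 IdP metadata (an EntityDescriptor whose entityID equals the Issuer); the host aa.example.com, the metadata and assertion fragments, and the certificate blob are all constructed placeholders, and the blob is not a real certificate. It checks the values typed into Salesforce against that metadata, confirms the Issuer, login URL and External URL share one host, and reproduces the case-sensitive Federation ID match described in the NOTE above.

```python
"""Offline consistency checks for the Salesforce / Advanced Authentication SAML2 settings."""
import base64
import hashlib
import xml.etree.ElementTree as ET  # inputs here are constructed; use defusedxml for untrusted XML
from urllib.parse import urlsplit

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
REDIRECT_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"

# Constructed sample of the IdP metadata assumed to be served at the Issuer URL. The host
# aa.example.com is a placeholder and the base64 blob is NOT a certificate (it decodes to
# an ASCII marker); a real server publishes its X.509 signing certificate here.
PLACEHOLDER_CERT_B64 = "UExBQ0VIT0xERVItTk9ULUEtUkVBTC1DRVJUSUZJQ0FURQ=="
SAMPLE_IDP_METADATA = f"""<md:EntityDescriptor xmlns:md="{NS['md']}" xmlns:ds="{NS['ds']}"
    entityID="https://aa.example.com/osp/a/TOP/auth/saml2/metadata">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>{PLACEHOLDER_CERT_B64}</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:SingleSignOnService Binding="{REDIRECT_BINDING}"
        Location="https://aa.example.com/osp/a/TOP/auth/saml2/sso"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

# What the administrator typed into Salesforce (step 3.3) plus the External URL from step 6.
ENTERED_VALUES = {
    "issuer": "https://aa.example.com/osp/a/TOP/auth/saml2/metadata",
    "identity_provider_login_url": "https://aa.example.com/osp/a/TOP/auth/saml2/sso",
    "sp_initiated_binding": "HTTP Redirect",
    "identity_provider_certificate": "-----BEGIN CERTIFICATE-----\n"
    + PLACEHOLDER_CERT_B64 + "\n-----END CERTIFICATE-----\n",
    "external_url": "https://aa.example.com/",
}

# Constructed, unsigned assertion fragment used only for the attribute-mapping check.
SAMPLE_ASSERTION = f"""<saml:Assertion xmlns:saml="{NS['saml']}" ID="_c1" Version="2.0"
    IssueInstant="2024-01-01T00:00:00Z">
  <saml:Issuer>https://aa.example.com/osp/a/TOP/auth/saml2/metadata</saml:Issuer>
  <saml:AttributeStatement>
    <saml:Attribute Name="upn"><saml:AttributeValue>PJones@company.com</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def cert_fingerprint(b64_text: str) -> str:
    """SHA-256 of the DER bytes, so PEM line wrapping does not affect the comparison."""
    return hashlib.sha256(base64.b64decode("".join(b64_text.split()))).hexdigest()


def pem_body(pem: str) -> str:
    """Return the base64 payload of a PEM block without the BEGIN/END armour lines."""
    lines = (line.strip() for line in pem.splitlines())
    return "".join(line for line in lines if line and not line.startswith("-----"))


def parse_idp_metadata(xml_text: str) -> dict:
    """Pull entityID, SSO endpoint per binding and the signing-cert fingerprint out of IdP metadata."""
    root = ET.fromstring(xml_text)
    idp = root.find("md:IDPSSODescriptor", NS)
    cert = idp.find("md:KeyDescriptor[@use='signing']/ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
    sso = {s.get("Binding"): s.get("Location") for s in idp.findall("md:SingleSignOnService", NS)}
    return {"entity_id": root.get("entityID"), "sso": sso, "signing_cert_fp": cert_fingerprint(cert.text)}


def check_sso_settings(entered: dict, metadata: dict) -> list:
    """List every way the typed-in values disagree with what the IdP actually publishes."""
    findings = []
    if entered["issuer"] != metadata["entity_id"]:
        findings.append(f"Issuer {entered['issuer']} != metadata entityID {metadata['entity_id']}")
    redirect_url = metadata["sso"].get(REDIRECT_BINDING)
    if entered["sp_initiated_binding"] == "HTTP Redirect" and entered["identity_provider_login_url"] != redirect_url:
        findings.append(f"Identity Provider Login URL != HTTP-Redirect endpoint {redirect_url}")
    if cert_fingerprint(pem_body(entered["identity_provider_certificate"])) != metadata["signing_cert_fp"]:
        findings.append("Identity Provider Certificate is not the signing certificate in the IdP metadata")
    hosts = {urlsplit(entered[k]).hostname for k in ("issuer", "identity_provider_login_url", "external_url")}
    if len(hosts) != 1:
        findings.append(f"Issuer, login URL and External URL must share one host, found {sorted(hosts)}")
    return findings


def federation_id_lookup(assertion_xml: str, attribute_name: str, federation_ids: set) -> tuple:
    """Mimic Salesforce's exact, case-sensitive Federation ID match and name the failure mode."""
    root = ET.fromstring(assertion_xml)
    values = [v.text.strip()
              for attr in root.findall("saml:AttributeStatement/saml:Attribute", NS)
              if attr.get("Name") == attribute_name
              for v in attr.findall("saml:AttributeValue", NS) if v.text]
    if not values:
        return ("missing-attribute", None)
    value = values[0]
    if value in federation_ids:
        return ("match", value)
    by_lower = {f.lower(): f for f in federation_ids}
    if value.lower() in by_lower:
        return ("case-mismatch", by_lower[value.lower()])  # produces the "We can't log you in" error
    return ("no-such-user", value)


if __name__ == "__main__":
    meta = parse_idp_metadata(SAMPLE_IDP_METADATA)
    print("settings findings:", check_sso_settings(ENTERED_VALUES, meta) or "none")
    print("federation id:", federation_id_lookup(SAMPLE_ASSERTION, "upn", {"pjones@company.com"}))
```

To use it against a real deployment, replace SAMPLE_IDP_METADATA with the XML fetched from your Issuer URL, ENTERED_VALUES with the values you typed into Salesforce, and federation_ids with the Federation IDs of the users you edited in step 3.8; an empty findings list and a "match" result are what you want before clicking Save. Comparing certificate fingerprints rather than PEM text avoids false alarms from line wrapping, and the shared-host check catches the mismatch the IMPORTANT note in step 6 warns about.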