12.7 Configuring Integration with Salesforce

This section describes how to configure the integration of Advanced Authentication with Salesforce. The integration secures the Salesforce login with SAML 2.0 authentication through Advanced Authentication.

The following diagram represents Advanced Authentication in Salesforce.

To configure the Advanced Authentication integration with Salesforce, perform the following configuration tasks:

12.7.1 Configuring the Salesforce Domain Name

  1. Log in to your Salesforce account.

  2. Ensure that a domain exists. If no domain has been created yet, perform the following tasks:

    1. Click Gear and select Setup Home in the Lightning Experience interface.

    2. Scroll down the setup toolbar and navigate to Company Settings.

    3. Click My Domain.

    4. Specify your domain name and click Save.

      The domain is activated. Use your domain name to open Salesforce, for example https://CompanyName.my.salesforce.com/. The SAML provider requires this domain name.

12.7.2 Configuring the SAML Provider

  1. Click Settings > Identity > Single Sign-On Settings.

  2. Create a text file and add the following Identity Provider certificate to the file.

  3. In Single Sign-On Settings, click New and specify the following details:

    1. Name: Advanced Authentication.

    2. API Name: AAF.

    3. Issuer: https://AdvancedAuthenticationServerAddress/osp/a/TOP/auth/saml2/metadata, where you must replace AdvancedAuthenticationServerAddress with the domain name or IP address of your Advanced Authentication server.

    4. Entity ID: https://CompanyName.my.salesforce.com/.

    5. Identity Provider Certificate: Click Browse and select the certificate file that you created in step 2.

    6. SAML Identity Type: Select Assertion contains the Federation ID from the User object.

    7. SAML Identity Location: Select Identity is in an Attribute element.

    8. Attribute Name: upn.

    9. Service Provider Initiated Request Binding: Select HTTP Redirect.

    10. Identity Provider Login URL: https://AdvancedAuthenticationServerAddress/osp/a/TOP/auth/saml2/sso.

    11. Select User Provisioning Enabled.

    12. Click Save.

  4. Click Edit for Federated Single Sign-On Using SAML.

  5. Select SAML Enabled.

  6. Click Save.

  7. Click Settings > Users.

  8. Click Edit for each required Salesforce user and set the Federation ID for the user account. The Federation ID corresponds to the userPrincipalName attribute in Active Directory, for example pjones@company.com.

    NOTE: The value that you specify in Federation ID is case sensitive. If the case does not match, the following error may occur:

    We can't log you in. Check for an invalid assertion in the SAML Assertion Validator (available in Single-Sign On Settings) or check the login history for failed logins.

  9. Click your profile icon and click Switch to Salesforce Classic.

    This mode is required to tune the domain options.

  10. Click Setup Administrator > Domain Management > My Domain > Edit to access the Authentication Configuration screen.

  11. Select the Login Page and osp options.

  12. Click Save.
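To see why a case difference in Federation ID produces the error quoted in step 8, the following Python snippet, an added example and not part of the product documentation, reads the upn attribute out of a constructed, unsigned assertion fragment and compares it with a constructed set of Federation IDs the way Salesforce matches them: exactly, character for character.

```python
# Added example, not from the product documentation. The assertion fragment is CONSTRUCTED
# and unsigned; FEDERATION_IDS stands in for the values set on the Salesforce user records.
import xml.etree.ElementTree as ET

SAML = "urn:oasis:names:tc:SAML:2.0:assertion"

# Constructed AttributeStatement as the IdP would emit it for Attribute Name "upn".
ASSERTION = f"""<saml:Assertion xmlns:saml="{SAML}">
  <saml:AttributeStatement>
    <saml:Attribute Name="upn">
      <saml:AttributeValue>PJones@Company.com</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

# Federation IDs as entered under Settings > Users (step 8); the match is case sensitive.
FEDERATION_IDS = {"pjones@company.com", "asmith@company.com"}

def upn_from_assertion(xml_text):
    """Return the value of the Attribute named 'upn', or None if the assertion has none."""
    root = ET.fromstring(xml_text)
    for attr in root.iter(f"{{{SAML}}}Attribute"):
        if attr.get("Name") == "upn":
            value = attr.find(f"{{{SAML}}}AttributeValue")
            return value.text.strip() if value is not None and value.text else None
    return None

def diagnose(xml_text, federation_ids):
    """Classify why Salesforce would, or would not, map the assertion to a user.

    Returns one of:
      ("ok", upn)             exact match, the login succeeds
      ("case_mismatch", upn)  same letters, different case: set Federation ID to this value
      ("no_attribute", None)  the assertion carries no 'upn' attribute
      ("unknown_user", upn)   no user record has this Federation ID at all
    """
    upn = upn_from_assertion(xml_text)
    if upn is None:
        return ("no_attribute", None)
    if upn in federation_ids:
        return ("ok", upn)
    # Salesforce does not fold case; this lookup only exists to name the cause to the admin.
    if upn.lower() in {fid.lower() for fid in federation_ids}:
        return ("case_mismatch", upn)
    return ("unknown_user", upn)
```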

12.7.3 Configuring the Advanced Authentication SAML 2.0 Event

  1. Click username > Switch to Lightning Experience.

  2. Click Gear and select Setup Home.

  3. Navigate to Identity > Single Sign-On Settings.

  4. Click the name of the configuration that you created (not Edit).

  5. Click Download Metadata.

  6. Open the Advanced Authentication Administration portal.

  7. Click Events > Add to add a new event.

  8. Create an event with the following parameters.

    • Name: Salesforce

    • Chains: select the required chains.

    • Upload SP SAML 2.0 metadata file: Click Browse, select the Salesforce metadata file that you downloaded in step 5, and click Save.

12.7.4 Configuring Authentication to Salesforce with SAML 2.0

  1. Click Policies > Web Authentication.

  2. Set Identity provider URL to https://AdvancedAuthenticationServerAddress/, where you must replace AdvancedAuthenticationServerAddress with the domain name or IP address of your Advanced Authentication server.

    NOTE: To use multiple Advanced Authentication servers with SAML 2.0, you must do the following:

    1. Configure an external load balancer.

    2. In Identity provider URL, specify the load balancer address and port number instead of the address of a single Advanced Authentication server.

    IMPORTANT: The server name or IP address must be the one specified in the Issuer field in Salesforce.

  3. Open the URL https://CompanyName.my.salesforce.com/ and click Advanced Authentication to test the SAML 2.0 authentication.
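The Issuer, Identity Provider Login URL and certificate entered in 12.7.2 step 3, and the Identity provider URL set in step 2 above, all have to agree with what the Advanced Authentication server publishes in its SAML metadata; the IMPORTANT note above is one instance of that. The following Python check, an added example rather than code from the product or its documentation, parses a constructed metadata document (the hostname aa.example.com and the certificate body are placeholders) and reports which Salesforce-side values disagree with it.

```python
# Added example, not from the product documentation: cross-check the values entered in Salesforce
# (12.7.2 step 3 and 12.7.4 step 2) against the Advanced Authentication IdP metadata. The metadata
# is CONSTRUCTED to mirror /osp/a/TOP/auth/saml2/metadata; aa.example.com and the cert body are placeholders.
import base64, hashlib, re
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

MD, DS = "urn:oasis:names:tc:SAML:2.0:metadata", "http://www.w3.org/2000/09/xmldsig#"
REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
IDP_METADATA = f"""<md:EntityDescriptor xmlns:md="{MD}" xmlns:ds="{DS}"
    entityID="https://aa.example.com/osp/a/TOP/auth/saml2/metadata">
  <md:IDPSSODescriptor>
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data><ds:X509Certificate>
      UExBQ0VIT0xERVIgQ0VSVElGSUNBVEUgQk9EWQ==
    </ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:SingleSignOnService Binding="{REDIRECT}"
      Location="https://aa.example.com/osp/a/TOP/auth/saml2/sso"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""
# Values typed into Salesforce, and the PEM file created in 12.7.2 step 2 (same placeholder body).
SALESFORCE = {
    "issuer": "https://aa.example.com/osp/a/TOP/auth/saml2/metadata",
    "login_url": "https://aa.example.com/osp/a/TOP/auth/saml2/sso",
    "identity_provider_url": "https://aa.example.com/",
}
PEM_CERT = ("-----BEGIN CERTIFICATE-----\n"
            "UExBQ0VIT0xERVIgQ0VSVElGSUNBVEUgQk9EWQ==\n"
            "-----END CERTIFICATE-----\n")

def fingerprint(b64_text):
    """SHA-256 over the DER bytes, so line wrapping of the base64 does not matter."""
    return hashlib.sha256(base64.b64decode(re.sub(r"\s+", "", b64_text))).hexdigest()

def check_settings(metadata_xml, sf, pem):
    """Return the names of Salesforce settings that disagree with the metadata ([] = consistent)."""
    root = ET.fromstring(metadata_xml)
    bad = []
    if root.get("entityID") != sf["issuer"]:
        bad.append("issuer")
    redirect_endpoints = [e.get("Location") for e in root.iter(f"{{{MD}}}SingleSignOnService")
                          if e.get("Binding") == REDIRECT]
    if sf["login_url"] not in redirect_endpoints:
        bad.append("login_url")
    signing = {fingerprint(c.text) for kd in root.iter(f"{{{MD}}}KeyDescriptor")
               if kd.get("use") == "signing" for c in kd.iter(f"{{{DS}}}X509Certificate")}
    if fingerprint(re.sub(r"-----(BEGIN|END) CERTIFICATE-----", "", pem)) not in signing:
        bad.append("certificate")
    # 12.7.4 IMPORTANT note: the Identity provider URL must point at the host named in Issuer.
    if urlparse(sf["identity_provider_url"]).netloc != urlparse(sf["issuer"]).netloc:
        bad.append("identity_provider_url")
    return bad
```

Against a real deployment, replace IDP_METADATA with the document served at the Issuer URL and PEM_CERT with the file you uploaded to Salesforce.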