13.3 Configuring the Connector for Salesforce

The phone icon that CloudAccess displays on each configured instance of the connector for Salesforce indicates that Delegated Authentication can be used with Salesforce. All of the configuration required for using Delegated Authentication with the appliance is done at Salesforce. For more information, see Section 13.7, Configuring Delegated Authentication in Salesforce.

You must go back and forth between the CloudAccess Admin page and the Salesforce administration page to configure the connector.

To configure the connector for Salesforce:

  1. Do one of the following:

    • Configure Salesforce to trust CloudAccess.

    • Obtain a security token from Salesforce.

    For more information, see Section 13.2, Configuring Salesforce to Trust CloudAccess.

  2. (Optional) Log in to Salesforce as the account administrator, then enable and configure Salesforce Delegated Authentication single sign-on for your Salesforce organization.

    For more information, see Section 13.7, Configuring Delegated Authentication in Salesforce.

  3. Log in with an appliance administrator account to the CloudAccess administration console at

    https://appliance_dns_name/appliance/index.html
    
  4. Drag the connector for Salesforce from the Applications palette to the Applications panel.

  5. Specify a unique display name for the connector to appear on the Admin page.

  6. Specify the login credentials for the Salesforce administrator user.

    NOTE: If you opted not to have CloudAccess as a trusted source for Salesforce in Step 1, you must append the security token to the Salesforce administrator’s password.

  7. In the Environment field, specify whether you have a Production, Development, or Sandbox Salesforce environment. The login URL that is used to verify your Salesforce credentials can be different for each of these environments.

  8. Select or deselect Delegated Authentication single sign-on is disabled in Salesforce, according to your action for Step 2.

  9. (Conditional) If delegated authentication is disabled and if you want to give users control of when their accounts are provisioned, select Prompt users for an existing Salesforce account before provisioning.

    For more information about account provisioning, see Section 2.4, How CloudAccess Provisions User Accounts.

  10. Click Advanced Settings, and then specify whether the Federation attribute should use a GUID or the user’s network identity retrieved from the identity source. The Federation attribute stores the user’s Salesforce federation ID.

    For more information, see Section 13.8, Configuring the Salesforce Federation Identifier.

  11. Expand the Federation Instructions, then copy and paste the instructions into a text file to use during the Salesforce configuration for single sign-on.

    NOTE: You must use a text editor that does not introduce hard returns or additional white space. For example, use Notepad instead of WordPad.

  12. Click OK to save the configuration so far while you configure Salesforce to work with CloudAccess.

    The configuration for the connector for Salesforce is not yet complete.

  13. Log in to Salesforce as the account administrator, then configure the SAML 2.0 federation for CloudAccess in the Salesforce administration console.

    Use the information from the Federation Instructions in Step 11 to complete the setup.

    NOTE: When you copy the appliance’s signing certificate, ensure that you include all leading and trailing hyphens in the certificate’s Begin and End tags.

  14. After you configure federation for CloudAccess in Salesforce, generate and download the Salesforce metadata file.

  15. On the CloudAccess Admin page, click the connector for Salesforce, then click Configure.

  16. Upload the Salesforce metadata file that you downloaded in Step 14 to the connector for Salesforce.

  17. Click the Appmarks tab, then review and edit the default settings for the appmark.

    For more information, see Section 13.4, Configuring Appmarks for Salesforce.

  18. Click OK to save the configuration.

  19. On the Admin page, click Apply to commit the changes to the appliance.

  20. Wait until the configuration changes have been applied on each node of the CloudAccess cluster.

  21. Click Policy in the toolbar, then perform policy mapping to specify entitlements for identity source roles (groups).

    For more information, see Mapping Authorizations in the NetIQ CloudAccess and MobileAccess Installation and Configuration Guide.

  22. After you complete the configuration, users can log in through CloudAccess to single sign-on to Salesforce. The CloudAccess login page URL is:

    https://appliance_dns_name
    

    For information about single sign-on through the Salesforce mobile app, see Section 13.6, Using SSO to Salesforce on Mobile Devices.
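
The notes in Steps 11 and 13 warn that a text editor can add hard returns or white space and that the signing certificate's Begin and End tags must keep all of their hyphens. The following added example, which is not part of the CloudAccess documentation or product, is one way to check the copied certificate block before pasting it into Salesforce. It assumes the certificate is a standard PEM block; the function names and the sample input are constructed for illustration.

```python
import base64
import binascii

BEGIN = "-----BEGIN CERTIFICATE-----"
END = "-----END CERTIFICATE-----"


def check_pasted_certificate(text):
    """Return a list of problems in a pasted PEM block; an empty list means intact."""
    lines = text.replace("\r\n", "\n").rstrip("\n").split("\n")
    problems = []
    if lines[0] != BEGIN:
        problems.append("Begin tag is damaged or has extra white space")
    if lines[-1] != END:
        problems.append("End tag is damaged or has extra white space")
    if problems:
        return problems
    body = lines[1:-1]
    if any(ln == "" or " " in ln or "\t" in ln for ln in body):
        problems.append("blank line or white space inside the certificate body")
    try:
        # Decode with white space removed so later checks still run.
        der = base64.b64decode("".join("".join(body).split()), validate=True)
    except binascii.Error:
        return problems + ["body is not valid base64"]
    # A certificate is one DER SEQUENCE: tag 0x30, then a length covering the rest.
    if len(der) < 2 or der[0] != 0x30:
        return problems + ["decoded data does not start with a DER SEQUENCE"]
    if der[1] < 0x80:
        header, length = 2, der[1]
    else:
        n = der[1] & 0x7F
        header, length = 2 + n, int.from_bytes(der[2:2 + n], "big")
    if header + length != len(der):
        problems.append("decoded length mismatch: certificate truncated or padded")
    return problems


def constructed_sample():
    """Constructed stand-in: a well-formed DER SEQUENCE, not a real certificate."""
    der = b"\x30\x82\x01\x00" + bytes(range(256))
    b64 = base64.b64encode(der).decode("ascii")
    wrapped = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "\n".join([BEGIN, *wrapped, END]) + "\n"


if __name__ == "__main__":
    good = constructed_sample()
    print(check_pasted_certificate(good))
    print(check_pasted_certificate(good.replace("-----BEGIN", "----BEGIN")))
```

An empty list means the block survived the copy; any other result means the text should be copied again from the Federation Instructions rather than repaired by hand.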