Federated Single Sign-On for Salesforce in OpenSSO

Print-friendly Version

Salesforce CRM software offers on-demand tools for software as a service (SaaS), such as those for automating sales data and processes, customer service and support, and channel management. Now that Salesforce works with Security Assertion Markup Language (SAML) 1.1, you can federate Salesforce for single sign-on (SSO) with OpenSSO, Sun's open-source Web access management project. The setup, which features OpenSSO as the identity provider (IdP) and Salesforce as the service provider (SP), preserves the confidentiality of user login credentials from the latter and eliminates the need for multiple logins by users.

This article guides you through the setup with example settings. It is assumed that you're familiar with the concepts of SSO and federation and with Project OpenSSO.

First, perform three preliminary steps:

1. Download OpenSSO Enterprise 8.0 and then deploy and configure opensso.war, the Web archive (WAR) file. For details, see Chapter 4 of the Sun OpenSSO Enterprise 8.0 Installation and Configuration Guide.
   
   
2. Create a user account in OpenSSO Enterprise. Refer to the procedure in the related documentation.
   
   
3. Create a Salesforce account to access the CRM software. Fill in the required fields in the form, click Submit, and complete the setup in the subsequent screens.

This section describes how to configure OpenSSO Enterprise as an IdP and Salesforce as an SP.

Configuring OpenSSO Enterprise
To configure OpenSSO Enterprise as an IdP:

1. Log in to the OpenSSO Enterprise Administration Console as amadmin.
   
   
2. Click the Federation tab at the top and then click SAML 1.x Configuration.
   
   Note that the local site properties are already set up with OpenSSO Enterprise as an IdP.
   
   
3. Click New under Trusted Partners.
   
   The "Selected trusted partner type and profile" screen is displayed.
   
   
4. Select Post under Destination to specify the Web browser POST profile for Salesforce, as shown in Figure 1. Click Next.
   
   
   

   Figure 1: Web Browser POST Profile Setting for a Trusted Partner
    
   
   The Edit Trusted Partner screen is displayed.
   
   
5. Under Common Settings:
   
   
   1. Type SFDC (for Salesforce dot-com) in the Name field.
   2. Type sQIGVZK2618Wmy8p+CMeKNgFi4I= in the source ID field.
   
   
   
6. Under Destination, type salesforce.com in the Target field and https://login.salesforce.com in the Post URL field, and then choose 1.1 from the Version pull-down menu. See Figure 2. Click Save.
   
   
   

   Figure 2: Properties in the Edit Trusted Partner Screen
    
   
   
7. Click Finish in the confirmation screen.

Finally, export the source site's public key. OpenSSO Enterprise contains a keystore with a test certificate, ready for your use. Do the following:

1. On a terminal, become root and go to the location in which you deployed the opensso.war file:
   
   # cd opensso-install-dir/deployment-dir
   
   where opensso-install-dir is the location in which you installed OpenSSO Enterprise.
   
   
2. Type:
   
   # keytool -export -keystore keystore.jks -alias test -file cert.cer
   
   
3. Type the password when prompted and press Enter.
   
   The default password is changeit.



Configuring Salesforce
To configure Salesforce as an SP:

1. Log in to Salesforce with the credentials for the account you created earlier.
   
   
2. Click Setup at the top. On the left navigation bar, click Security Controls > Single Signon Settings.
   
   The Single Sign-On Settings screen is displayed, confirming SAML Enabled under "Federated single sign-on using SAML." See Figure 3.
   
   
   

   Figure 3: Single Sign-On Settings Screen
    
   
   
3. Optional. If SAML Disabled is shown instead, click Edit to change the setting to SAML Enabled.
   
   
4. Select SAML Enabled for more settings.
   
   
5. Specify the settings, as shown in Figure 4:
   
   
   1. Choose 1.1 from the SAML Version pull-down menu.
      
      
   2. Type sa.idp.com:8080 in the Issuer field.
      
      
   3. Under Identity Provider Certificate, click Browser for the file browser and navigate to the directory to which you exported the certificate.
      
      
   4. Under SAML User ID Type, select "Assertion contains the Federation ID from the User object" to directly map the authenticated user in OpenSSO Enterprise to the Salesforce user.
      
      
   5. Under SAML User ID Location, select "User ID is in the NameIdentifier element of the Subject statement."
      
      
   
   
   

   Figure 4: SAML Settings
    
   
   
6. Click Save.
   
   The new settings are displayed along with a recipient URL at the bottom. Figure 5 is an example.
   
   

Figure 5: Confirmation of SAML Settings Along With Recipient URL
 


7. Copy and save the recipient URL for the step at the end of this section.
   
   
8. Under Administration Setup on the left navigation bar, click Manage Users > Users. Select the default user name and click Edit.
   
   
9. Type the details of the user account that maps to OpenSSO Enterprise in the Federated NameID field and click Save. Here is an example:
   
   

   uid=marina,ou=user,dc=opensso,dc=java,dc=net

    
   The three dc values are the default root suffixes.
   
   The User Details settings are then displayed for confirmation. See Figure 6.
   
   

Figure 6: Confirmation of User Details
 


Finally, specify the POST URL in OpenSSO Enterprise:

1. Switch to the OpenSSO Enterprise Administration Console. Click Common Tasks at the top and then Federation for the Edit Trusted Partner screen (see Figure 2).
   
   
2. Paste the recipient URL from step 7 in the POST URL field. Click Save.



Testing

Now test the setup: Go to http://sa.idp.com:8080/sa/SAMLPOSTProfileServlet?TARGET=http://salesforce.com. In the OpenSSO login screen that is displayed, log in with your Salesforce user name and password. If the setup is successful, you can access Salesforce with SSO in effect.

Enhancements

To further enhance the setup, give these two options a try:

• Rather than specifying Federation ID as the SAML User ID Type (Figure 4) for linking the IdP and SP, specify the SAML Subject or a prearranged attribute in the SAML Attribute statement instead. The alternatives offer more flexibility for specific requirements or constraints.
  
  
• Add the user provisioning capability to Salesforce, the SP, with Sun Identity Manager. See the product page for details.
  
  
Conclusion

Thanks to the wide adoption of the SAML protocol, you can now secure applications with SSO through OpenSSO Enterprise in only a few intuitive steps. We look forward to more prevalence of this open-standards-based approach in the future.

References
• Open SSO Enterprise 8.0
  • Main page
  • Support: Sun OpenSSO Express
  • Documentation
  
  
• Project OpenSSO
  • Main page
  • Resource Center
  
  
• Sun developer services
  • Support
  • Training and certification
  
  

Rate and Review Tell us what you think of the content of this page. Excellent   Good   Fair   Poor   Comments: Your email address (no reply is possible without an address): Sun Privacy Policy Note: We are not able to respond to all submitted comments.