Introduction
Okta provides single sign-on (SSO) with Salesforce.com using the industry-standard SAML protocol. Users can enjoy one-click access to Salesforce.com and any other cloud application through a graphical home page.
1. Salesforce Federation ID
1.1 Why use Salesforce Federation ID
Using the Salesforce Federation ID allows another unique identifier to be used in place of the Salesforce account ID when matching SSO users.
2. Deploying Salesforce Federated ID App
Add the Salesforce app in Okta

• Navigate to the Okta Administrator, click the Applications tab -> Add Applications
• Type in Salesforce in the search bar
• Select the Salesforce.com (Federated ID) application
• Click the Add button.
3. General Settings
Configure General Settings.
• Provide an application label, if the default label is unsuitable
• Select the instance type of Production or Sandbox, depending on the type of Salesforce tenant
• Optionally determine the number of seats and application visibility

Click Next to continue.
4. Sign-On Options
Select the SAML 2.0 radio button. Then click the View Setup Instructions button.

Configure Salesforce SAML.
• Log into Salesforce
• Navigate to: Setup -> Security Controls -> Single Sign-On Settings

• From the Single Sign-On Settings page, click Edit and check SAML Enabled.
• If you have multiple endpoints enabled, the configuration page will ask you to set up a Name and an API Name.
• Copy and paste the following from the Okta Setup Instructions.
Issuer field
Identity Provider Login URL
Identity Provider Logout URL
• SAML Identity Type - select Assertion contains the Federation ID from the User object.
• SAML Identity Location - select Identity is in the NameIdentifier element of the Subject Statement.
• The Entity ID must be configured based on the Salesforce configuration:
If a custom domain, e.g. companyname.salesforce.com, has been configured, use that domain, e.g. https://companyname.mysalesforce.com.
If a custom domain has not been configured, use https://saml.salesforce.com.
• The Service Provider Initiated Request Binding is set to HTTP Post.
• Once configured, click Save.
After saving, copy and paste the Salesforce Login URL.

Return to the Okta application

• In the Federated ID SAML Parameter, set the value after ?so=. In this example it is 00d34dfg0000Tz.
• If multiple configs have been enabled in Salesforce, select Yes in the Multiple SAML Config section.
• If a custom Salesforce domain is used, provide that value in the Custom Salesforce domain textbox.
• Once done, click Next.
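As an added example (not part of the original post, nor Okta's or Salesforce's own code), the following Python script checks the pieces of the Salesforce SSO configuration above offline: it derives the Entity ID from whether a custom domain is configured, pulls the value after ?so= out of the Salesforce Login URL for the Okta Federated ID SAML Parameter, and inspects a SAML assertion to confirm the Issuer, that the identity is carried in the Subject NameID element, and that the Audience matches the Entity ID. The assertion, login URL and issuer value are constructed placeholders, not values from any real tenant, and the script does not verify the assertion signature.

```python
"""Offline sanity checks for the Okta -> Salesforce Federated ID SAML settings.

Added example; all sample values below are constructed placeholders.
"""
from urllib.parse import parse_qs, urlparse
import xml.etree.ElementTree as ET

# SAML 2.0 assertion namespace (standard value)
NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample: a Salesforce Login URL carrying the org id after ?so=
SAMPLE_LOGIN_URL = "https://login.salesforce.com/?saml=EXAMPLE&so=00d34dfg0000Tz"

# Constructed sample assertion; the issuer is a placeholder, not a real Okta issuer
SAMPLE_ISSUER = "http://www.okta.com/EXAMPLE_ISSUER_ID"
SAMPLE_ASSERTION = f"""<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_example" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
  <saml:Issuer>{SAMPLE_ISSUER}</saml:Issuer>
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">jdoe@example.com</saml:NameID>
  </saml:Subject>
  <saml:Conditions>
    <saml:AudienceRestriction>
      <saml:Audience>https://saml.salesforce.com</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
</saml:Assertion>"""


def salesforce_entity_id(custom_domain=None):
    """Entity ID to enter in Salesforce: the custom domain when one is configured,
    otherwise the shared https://saml.salesforce.com value."""
    if custom_domain:
        host = custom_domain.split("://", 1)[-1].rstrip("/")
        return f"https://{host}"
    return "https://saml.salesforce.com"


def org_id_from_login_url(login_url):
    """Return the value after ?so= in the Salesforce Login URL; this is what goes
    into the Federated ID SAML Parameter back in the Okta app."""
    values = parse_qs(urlparse(login_url).query).get("so")
    if not values or not values[0]:
        raise ValueError("Salesforce Login URL has no so= parameter")
    return values[0]


def check_assertion(xml_text, expected_issuer, expected_audience):
    """Compare an assertion against the Salesforce SSO settings:
    - Issuer must equal the issuer copied from the Okta setup instructions
    - the Federation ID must sit in Subject/NameID (the Identity Location setting)
    - AudienceRestriction must name the configured Entity ID
    Signature verification is deliberately out of scope for this check."""
    root = ET.fromstring(xml_text)
    assertion = root if root.tag.endswith("Assertion") else root.find(".//saml:Assertion", NS)
    if assertion is None:
        raise ValueError("no SAML Assertion element found")
    issuer = assertion.findtext("saml:Issuer", default="", namespaces=NS).strip()
    name_id = assertion.findtext("saml:Subject/saml:NameID", default="", namespaces=NS).strip()
    audiences = [
        a.text.strip()
        for a in assertion.findall("saml:Conditions/saml:AudienceRestriction/saml:Audience", NS)
        if a.text
    ]
    return {
        "issuer_ok": issuer == expected_issuer,
        "federation_id": name_id,
        "name_id_present": bool(name_id),
        "audience_ok": expected_audience in audiences,
    }


if __name__ == "__main__":
    entity_id = salesforce_entity_id()  # no custom domain in this sample
    print("Entity ID:", entity_id)
    print("Federated ID SAML Parameter (so=):", org_id_from_login_url(SAMPLE_LOGIN_URL))
    print("Assertion checks:", check_assertion(SAMPLE_ASSERTION, SAMPLE_ISSUER, entity_id))
```

Run it against a captured assertion from your own IdP (with your real issuer and Entity ID) to confirm the three Salesforce settings line up before assigning users; a wrong Audience or a missing NameID shows up here as a failed check rather than as an opaque login error.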
5. User Management
User Management must be enabled for the Salesforce.com Federated ID to work.

To enable User Management:
• Check the Enable user management for Salesforce.com (Federated ID) checkbox
• Provide a Salesforce user with access to the Salesforce API and the password+token for that user
• Do not include the + between the password and the token; simply append the token to the password
Click Test API Credentials.
• If the credentials are correct, a green check mark appears; if they are incorrect, a red X appears.
• Once the credentials for the Salesforce API user are correct, click Next.
6. Assign to People
At this point, individual assignments can be provisioned, or click Next and assign to groups. Then click Done.