Single Sign-On For Communities Using Salesforce Identity Provider

This blog post helps you configure SSO for Communities between two Salesforce orgs.

1. Create two developer orgs.
2. Create a domain (My Domain) for each of them. SSO is only possible when there is a dedicated URL (not na1.salesforce.com or ap1.salesforce.com); it needs something like https://npr-dev-ed.my.salesforce.com and https://sf9-dev-ed.my.salesforce.com.
One of them hosts the community; let's say https://sf9-dev-ed.my.salesforce.com holds the community. Users of the other org, https://npr-dev-ed.my.salesforce.com, want to use that community. This is where SSO plays an important role in providing seamless navigation between the orgs.


3. Enable Communities and create a community in the sf9 org. It is required to have a different domain name; in this example the domain name of the community is "sf9-comm-developer-edition.ap1.force.com".



4. Create a community here, with a meaningful name as the URL suffix.

5. Click "Edit"; it takes you to the community administration settings. It looks something like this:

6. Note the URL displayed there; we will need it later (this is something I learned from experience).

Now comes configuring SSO. We are creating SSO between two Salesforce orgs: one acts as the identity provider (IdP) and the other as the service provider (SP). The identity provider is the instance where users have an active session. The service provider is the one that verifies, using the identity provider's certificate, that the user is coming from an authenticated source. (Salesforce lets SAML take care of the whole conversation, and the best part is that it is really, really simplified.)
7. The npr org is the Identity Provider, so let's go and get its certificate.

8. Now let's create a Single Sign-On setting in the sf9 org. Check "SAML Enabled" and create a new setting.
  • Give it a name: mine is "NPR".
  • Issuer is exactly the issuer name from the Identity Provider screen. In my case it is "https://npr-dev-ed.my.salesforce.com".
  • Entity Id: "https://sf9-comm-developer-edition.ap1.force.com/employees", the URL you noted earlier. The Entity Id must be unique across SSO settings. To get the user authenticated on the force.com domain and redirected into the community, two values have to line up: the entity and the redirect URL.
  • Select the certificate you downloaded from the IdP.
  • Select Federation ID as the identity type.
  • Identity Provider Login URL is "issuer" + "/idp/endPoint/HttpRedirect" (the system provides this while creating the connected app, but you can see the pattern and generate it yourself).
  • Select HTTP Redirect.
And save.
Note the Salesforce Login URL. It is what you need when configuring SSO between two Salesforce orgs, but what we are doing is a little different: we are authenticating users who have access to the Community, which is a different domain, so we have to tweak it a little to get it working properly.

9. Now let's open the npr-dev org and create a connected app (Setup --> Create --> Apps --> New Connected App).
  i. After giving the basic info, enable SAML under the Web App Settings.
  ii. Entity Id: https://sf9-comm-developer-edition.ap1.force.com/employees (it must be the same as the one we gave earlier).
  iii. Now the ACS URL: https://sf9-comm-developer-edition.ap1.force.com/employees/login?so=00D90000000uRmn. This is really the fun part. It took me a while to figure it out. In this implementation we are authenticating users into the community, so instead of using the Salesforce Login URL from step 8 as-is, we tweak it so that it authenticates the community users and takes them to the community: the query parameter part is taken from the Salesforce Login URL, but the base URL, https://sf9-comm-developer-edition.ap1.force.com/employees/login, is the URL used for community login. Update: Salesforce is generous enough to provide this link for communities now.
  iv. Select Subject Type as 'Federation ID' and save.
10. Go to the User records in both instances and populate exactly the same string in the Federation ID field:


11. Click the "Manage" button on the connected app. It should show the same Identity Provider Login URL, "https://npr-dev-ed.my.salesforce.com/idp/endPoint/HttpRedirect", as the SP-Initiated Redirect Endpoint. Otherwise, we will have to modify the IdP Login URL in the SSO record in sf9.
12. Click the "Manage Profiles" button in the related list and add your profile there for testing; a connected app is also an app that goes through your security model.
13. Now we go back to our sf9 community and edit its administrative settings (Setup --> Customize --> Communities --> Manage Communities, then Edit / Administration settings). A modal window should appear with options for Members, Branding, Tabs, Login Page, etc. Select "Login Page", unselect the username and password option, select NPR (the SSO setting name that we configured) and save.
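Before testing, it helps to see what the service provider (the sf9 community) actually compares when the assertion from npr arrives, because every mismatch shows up only as a failed login. The following is an added example, not code from the post or from Salesforce: it checks a SAML assertion against the values entered in steps 8 and 9 (Issuer, Entity Id as Audience, ACS URL as Recipient, and the NameID that is looked up in the Federation ID field), and includes a helper for the ACS URL rule from step 9.iii. The SAML Response, the Federation Id value "prabhan" and the Salesforce Login URL passed to the helper are constructed sample data; the response is unsigned, and a real SP first verifies the XML signature with the IdP certificate selected in step 8, which this example does not do. It also shows the failure mode the post warns about: a one-letter difference in the Entity Id (/employee instead of /employees) fails the audience check.

```python
# Added example: the field checks a SAML SP performs on an inbound assertion,
# using the values from steps 8 and 9 of the post. Sample data is constructed.
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit, urlunsplit

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Values entered in the sf9 SSO setting (step 8) and the npr connected app (step 9).
SP_CONFIG = {
    "issuer": "https://npr-dev-ed.my.salesforce.com",
    "entity_id": "https://sf9-comm-developer-edition.ap1.force.com/employees",
    "acs_url": "https://sf9-comm-developer-edition.ap1.force.com/employees/login?so=00D90000000uRmn",
}

# Constructed sample SAML Response (unsigned, for illustration only).
# The NameID carries the Federation Id populated on both user records in step 10.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
                xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Issuer>https://npr-dev-ed.my.salesforce.com</saml:Issuer>
  <saml:Assertion>
    <saml:Issuer>https://npr-dev-ed.my.salesforce.com</saml:Issuer>
    <saml:Subject>
      <saml:NameID>prabhan</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData
            Recipient="https://sf9-comm-developer-edition.ap1.force.com/employees/login?so=00D90000000uRmn"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions>
      <saml:AudienceRestriction>
        <saml:Audience>https://sf9-comm-developer-edition.ap1.force.com/employees</saml:Audience>
      </saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""


def build_acs_url(community_login_url, salesforce_login_url):
    """Step 9.iii: keep the community login URL as the base and borrow only the
    query string (the so=<org id> parameter) from the Salesforce Login URL."""
    community = urlsplit(community_login_url)
    salesforce = urlsplit(salesforce_login_url)
    return urlunsplit((community.scheme, community.netloc, community.path,
                       salesforce.query, ""))


def federation_id(response_xml):
    """Return the NameID that the SP looks up in the user's Federation ID field."""
    root = ET.fromstring(response_xml)
    return root.findtext("saml:Assertion/saml:Subject/saml:NameID",
                         default="", namespaces=NS)


def check_assertion(response_xml, config):
    """Compare the assertion's pinned fields with the SP configuration.
    Returns a list of mismatch descriptions; an empty list means all agree.
    (Signature verification against the IdP certificate is assumed done before.)"""
    root = ET.fromstring(response_xml)
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return ["no Assertion element in response"]
    problems = []

    issuer = assertion.findtext("saml:Issuer", default="", namespaces=NS)
    if issuer != config["issuer"]:
        problems.append(f"issuer {issuer!r} does not match {config['issuer']!r}")

    audience = assertion.findtext(
        "saml:Conditions/saml:AudienceRestriction/saml:Audience",
        default="", namespaces=NS)
    if audience != config["entity_id"]:
        problems.append(f"audience {audience!r} does not match entity id {config['entity_id']!r}")

    scd = assertion.find(
        "saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    recipient = scd.get("Recipient", "") if scd is not None else ""
    if recipient != config["acs_url"]:
        problems.append(f"recipient {recipient!r} does not match ACS URL {config['acs_url']!r}")

    if not federation_id(response_xml):
        problems.append("NameID (Federation Id) is missing")
    return problems


if __name__ == "__main__":
    print("matching config:", check_assertion(SAMPLE_RESPONSE, SP_CONFIG))
    # Reproduce the trailing-character mistake: /employee instead of /employees.
    typo = dict(SP_CONFIG, entity_id=SP_CONFIG["entity_id"].rstrip("s"))
    print("entity id off by one character:", check_assertion(SAMPLE_RESPONSE, typo))
```

Running the script prints an empty list for the matching configuration and a single audience mismatch for the typo, which is exactly the situation step 9.ii warns about. The string comparisons are deliberately exact: SAML audience and recipient matching is not case-folded or prefix-based, so the Entity Id and ACS URL entered in both orgs must agree character for character.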

14. We can test this with a simple click on https://sf9-comm-developer-edition.ap1.force.com/employees, or by clicking the IdP-initiated URL in the connected app on the npr instance.
HTH, Prabhan



Comments

  1. Great article!! Short and crisp in well defined structure about single sign on solutions. I really got some ideas about SSO. Thanks for sharing this lovely blog with everyone.

  2. Great article, I tried instructions from several implementation guides/articles/blogs none of which helped me implement SSO for a community correctly until I came across this one. Kudos to the steps you've outlined. Very detailed and thank you for that.

    One point I'm still struggling with is the use of federation ID in the User object. You've said "Go to User records in both the instances and populate exact same string in Federation Id field:". From your screenshot, I see the user of 'prabhan'. I had to set up unique federation Ids for multiple users so as to map users between orgs. The user case that I'm trying to implement for a customer is similar to the Salesforce partner community. Users from any org can login to that community.

    Any thoughts on that?

  3. Say, you got a nice article post. Really thank you! Really Great.
    spring boot online training
    spring boot course
