Saturday, March 21, 2015

SAML SSO for Salesforce using WSO2 Identity Server 5.0.0

WSO2 Identity Server can be configured as an Identity Provider (IdP) for Salesforce. Salesforce then acts as the Service Provider (SP), and the accounts that reside in Identity Server are used to authenticate to Salesforce.

Step - 01: Configure Salesforce
a. Create an account at http://developer.force.com/ if you don't already have one.
b. Go to force.com, log in with the account created above, go to Home > Domain Management > My Domain and create a new domain.

Salesforce takes some time to register the domain.

Go to Home > Security Controls > Single Sign-On Settings

Click Edit in Single Sign-On Settings


Enable SAML

c. Click New and configure the other properties as given below. The Identity Provider Certificate field needs the public certificate of the key Identity Server signs with; export it from wso2carbon.jks with:

keytool -export -keystore wso2carbon.jks -alias wso2carbon -file wso2.crt -storepass wso2carbon

Note that wso2carbon.jks is the default keystore shipped with every WSO2 distribution, so its private key (and the password above) is public knowledge. That is acceptable for this local walkthrough, but for anything beyond a throwaway developer org generate your own key pair, configure Identity Server to sign with it, and upload that certificate instead.

  

Name: SSO
API Name: SSO
SAML Version: 2.0
Issuer: the issuer of the SAML Response sent from Identity Server to Salesforce. This must equal the Identity Provider Entity Id of the Resident Identity Provider set in Step 02 (d), https://localhost:9443/samlsso.
Entity Id: the issuer of the SAML Request sent from Salesforce to Identity Server. This must equal the Issuer of the service provider created in Step 02 (c), https://saml.salesforce.com.
Identity Provider Certificate: upload wso2.crt exported from wso2carbon.jks. The default certificate shows as CN=localhost, O=WSO2, L=Mountain View, ST=CA, C=US, Expiration: 13 Feb 2035 07:02:26 GMT.
Request Signing Certificate: Default Certificate
Request Signature Method: RSA-SHA1 (this is what the walkthrough used; SHA-1 is deprecated for signatures, so prefer RSA-SHA256 if your Identity Server version accepts it)
Assertion Decryption Certificate: Assertion not encrypted
SAML Identity Type: Username (the NameID in the assertion is matched against the Salesforce username, so the Identity Server username must be exactly the Salesforce username)
SAML Identity Location: Subject
Identity Provider Login URL: https://localhost:9443/samlsso
Identity Provider Logout URL: https://localhost:9443/samlsso
Custom Error URL: (not set)
Service Provider Initiated Request Binding: HTTP POST
d. Go to Home > Domain Management > My Domain, click Deploy to Users, and under Authentication Configuration select SSO.

e. In My Domain Settings tick Prevent login from https://login.salesforce.com. Together with step d this forces every user of the domain through the SAML login, so a misconfiguration can lock you out; it is safer to leave this step until the test in Step 03 succeeds.


f. Create a new user in Salesforce. Log in to force.com with the initially created account, go to Home > Manage Users > Users and create a New User whose username is in e-mail format (e.g. nuwan@wso2.com). Filling in General Information is enough.

Step - 02: Configure WSO2 Identity Server
 
a. Follow these steps before starting Identity Server, because the users you create in Identity Server must have usernames in e-mail format.

i. Open carbon.xml in IS_HOME/repository/conf and uncomment
<EnableEmailUserName>true</EnableEmailUserName>

ii. Open user-mgt.xml in IS_HOME/repository/conf and add the following property under ReadWriteLDAPUserStoreManager. This is the pattern the management console uses to validate e-mail style usernames; the hyphen is placed last in the character class so that it is a literal and not an accidental range:

<Property name="UsernameWithEmailJavaScriptRegEx">^[a-zA-Z0-9@._|/-]{3,30}$</Property>

Start Identity Server and create a user with the 'Login' permission. Salesforce matches the NameID in the assertion against the Salesforce username, which is in e-mail format, so the Identity Server user must have the same e-mail style username, e.g. nuwan@wso2.com.

b. Add a new service provider: Service Providers > Add


c. Configure SAML2 Web SSO Configuration

Issuer: https://saml.salesforce.com (the Entity Id configured on the Salesforce side, i.e. the issuer of the SAML Request Salesforce sends)
Assertion Consumer URL: the Salesforce Login URL (found under Single Sign-On Settings in Salesforce), e.g. https://gayang-dev-ed.my.salesforce.com?so=00D28000000JPTA
 
d. Change the issuer of the Resident Identity Provider in Identity Server:

Resident Identity Provider > Inbound Authentication Configuration > SAML2 Web SSO Configuration

Set Identity Provider Entity Id to https://localhost:9443/samlsso (this is the value entered as Issuer in the Salesforce SSO settings in Step 01).


Step - 03: Test Salesforce SSO with WSO2 Identity Server

Access your domain in Salesforce using the Salesforce Login URL, e.g. https://gayang-dev-ed.my.salesforce.com?so=00D28000000JPTA. You will be redirected to the WSO2 Identity Server login page.

Log in with the credentials of the newly created user (nuwan@wso2.com). You will be redirected back to the Salesforce home page of that user.
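If the test fails, the usual cause is that one of the identifiers on the two sides does not line up. The script below is an added example for this post, not code from WSO2 or Salesforce: it takes a decoded SAML Response (captured, for instance, from the browser's POST to the Salesforce login URL) and checks its Issuer, Destination, Audience, Recipient, expiry and NameID against the values configured in Steps 01 and 02. The sample Response embedded in it is constructed by hand and unsigned. It deliberately does not verify the XML signature; Salesforce does that with the uploaded wso2.crt, and this checker is a debugging aid, not a substitute for signature validation.

```python
import re
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

# SAML 2.0 namespaces used in the Response.
NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# The three identifiers that must agree on both sides, as configured in the post.
CONFIG = {
    "idp_entity_id": "https://localhost:9443/samlsso",  # IS Resident IdP entity id == Salesforce "Issuer"
    "sp_entity_id": "https://saml.salesforce.com",      # Salesforce "Entity Id" == IS service provider "Issuer"
    "acs_url": "https://gayang-dev-ed.my.salesforce.com?so=00D28000000JPTA",  # IS "Assertion Consumer URL"
}

# Assumption: an e-mail style username is enough; tighten if your org has a stricter policy.
EMAIL_USERNAME = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def parse_time(value):
    """Parse a SAML xs:dateTime such as 2015-03-21T18:00:00Z into a UTC-aware datetime."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def check_response(xml_text, config, now):
    """Return a list of mismatches between the Response and config; [] means it lines up.
    No signature verification here: Salesforce does that with the uploaded certificate."""
    problems = []
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}Response" % NS["samlp"]:
        return ["root element is not a samlp:Response"]

    # Destination: where Identity Server POSTed the Response; must be the ACS URL.
    dest = root.get("Destination")
    if dest != config["acs_url"]:
        problems.append("Destination %r != ACS URL %r" % (dest, config["acs_url"]))

    # Issuer of the Response and of the Assertion must both be the IdP entity id
    # (the "Issuer" field in Salesforce's SSO settings).
    for issuer in root.iter("{%s}Issuer" % NS["saml"]):
        if (issuer.text or "").strip() != config["idp_entity_id"]:
            problems.append("Issuer %r != IdP entity id %r" % (issuer.text, config["idp_entity_id"]))

    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        problems.append("no plaintext saml:Assertion (Salesforce was told 'Assertion not encrypted')")
        return problems

    # Audience must name the SP entity id (Salesforce's "Entity Id").
    audiences = [a.text for a in assertion.iterfind(".//saml:AudienceRestriction/saml:Audience", NS)]
    if config["sp_entity_id"] not in audiences:
        problems.append("Audience %r lacks SP entity id %r" % (audiences, config["sp_entity_id"]))

    # Bearer confirmation: Recipient must be the ACS URL and the assertion must be unexpired.
    scd = assertion.find(".//saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd is None:
        problems.append("missing SubjectConfirmationData")
    else:
        if scd.get("Recipient") != config["acs_url"]:
            problems.append("Recipient %r != ACS URL %r" % (scd.get("Recipient"), config["acs_url"]))
        not_after = scd.get("NotOnOrAfter")
        if not_after and parse_time(not_after) <= now:
            problems.append("assertion expired at %s" % not_after)

    # SAML Identity Type = Username, Location = Subject: the NameID is matched
    # against the Salesforce username, which is in e-mail form.
    name_id = assertion.findtext("saml:Subject/saml:NameID", default="", namespaces=NS).strip()
    if not EMAIL_USERNAME.match(name_id):
        problems.append("Subject NameID %r is not an e-mail style username" % name_id)

    return problems


# Constructed, unsigned sample of what Identity Server would send for the user in the post.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0" IssueInstant="2015-03-21T18:00:00Z"
  Destination="https://gayang-dev-ed.my.salesforce.com?so=00D28000000JPTA">
  <saml:Issuer>https://localhost:9443/samlsso</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2015-03-21T18:00:00Z">
    <saml:Issuer>https://localhost:9443/samlsso</saml:Issuer>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">nuwan@wso2.com</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData NotOnOrAfter="2015-03-21T18:05:00Z"
          Recipient="https://gayang-dev-ed.my.salesforce.com?so=00D28000000JPTA"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions NotOnOrAfter="2015-03-21T18:05:00Z">
      <saml:AudienceRestriction><saml:Audience>https://saml.salesforce.com</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""

if __name__ == "__main__":
    now = parse_time("2015-03-21T18:01:00Z")
    print("correct config:", check_response(SAMPLE_RESPONSE, CONFIG, now) or "OK")
    # Typical mistake: the Resident IdP entity id was never changed, so Salesforce's Issuer does not match.
    wrong = dict(CONFIG, idp_entity_id="localhost")
    print("wrong IdP entity id:", check_response(SAMPLE_RESPONSE, wrong, now))
```

Run it against a real Response by replacing SAMPLE_RESPONSE with the base64-decoded SAMLResponse form field and CONFIG with your own domain values; every line it prints names the Salesforce or Identity Server field that has to change.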


 
