How I Configured Single Sign-On for Salesforce Users
Anna Szabo, JD, MBA
29x Salesforce Certified Golden Hoodie Award Recipient Working at Salesforce as a Customer Success Manager for Public Sector Federal Civilian | Previously Worked on the Product Team with 19x Salesforce Partners
Configuring Single Sign-On (SSO) is my last step toward unlocking the Security Specialist Superbadge on Trailhead. If you're following me here on LinkedIn and wondering why I'm spending my entire Saturday sprinting toward the security superbadge, it's because I applied to join Salesforce Consulting Select by Deloitte Digital, and if I get accepted, they say on their website that they would want me to complete Admin Superset with 3 superbadges in order to meet with their leadership team. To be clear: I haven’t yet heard if I made it into the program. But I am preparing for the best possible outcome. I envision that I am already accepted! I want to be a Salesforce Consultant.
My Goals for SSO:
Why SSO?
Inbound SSO vs Outbound SSO:
In this Salesforce Playground Challenge, I am asked to set up inbound SSO. With inbound SSO, users log in somewhere else (an on-premises app, for example) and then access Salesforce without logging in.
I can also set up outbound SSO, which means that users log in to Salesforce and then access other services without logging in again.
Configuring Inbound SSO with a Third-Party Identity Provider
Below is my Trailhead task:
Let’s start configuring inbound SSO with a third-party identity provider.
The head of your IT department, Sean Sollo, tells you to set up Salesforce users with SSO so that they can log in to your Salesforce org with their Jedeye network credentials. Here, we walk you through the steps to set up SSO for Jedeye Tech’s new employee, Sia Thripio. You’ll set up inbound SSO using the Axiom Heroku web app as the identity provider.
I already created a user for Sia today. Also, earlier today, I wrote an article showing how I set up MFA for Sia. I'll be continuing in the same playground when I work on this challenge.
My Immediate Tasks
Step 1: Creating a Federation ID
Instructions from Trailhead: "When setting up SSO, you use a unique attribute to identify each user. This attribute is the link that associates the Salesforce user with the third-party identity provider. You can use a username, user ID, or a Federation ID. We’re going to use a Federation ID. A Federation ID is a term that the identity industry uses to refer to a unique user ID. Typically, you assign a Federation ID when setting up a user account. When you set up SSO on your production environment, you can assign the Federation ID for many users at once with tools like the Salesforce Data Loader. For now, let’s set up an account for Jedeye Tech’s new employee, Sia Thripio."
As I am reading this, Sia has been set up already, so I just need to assign a Federation ID to Sia. So, I head over to Settings/Users and find Sia. I scroll to the SSO section of the user setup and enter a Federation ID.
Step 2: Configuring SSO Provider in Salesforce
Salesforce Trailhead instruction: "Your service provider needs to know about your identity provider and vice versa. In this step, you’re on the Salesforce side providing information about the identity provider, in this case, Axiom. In the next step, you give Axiom information about Salesforce. On the Salesforce side, we configure SAML settings. SAML is the protocol that Salesforce Identity uses to implement SSO. You’re going to work in both your Salesforce Dev org and the Axiom app. Keep them open in separate browser windows."
In a new browser window, I go to https://axiomsso.herokuapp.com, and there, I click SAML Identity Provider & Tester. I select Download the Identity Provider Certificate.
In my Salesforce org, from Setup, I enter "Single" in the Quick Find box, and then select Single Sign-On Settings; I click Edit and select SAML Enabled, then Save. Here's my screenshot.
In my SAML Single Sign-On Settings, I click New and set up everything in accordance with project requirements. Here's my resulting screenshot.
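To show what the values from Steps 1 and 2 are used for, here is an added example (not from the original article and not Salesforce's own code) that models a service provider checking a constructed SAML response and mapping its NameID to a user by Federation ID. All URLs, the Federation ID value and the user table are constructed, the Federation ID is assumed to travel in the Subject's NameID, and signature verification against the identity provider certificate is assumed to happen first and is not shown.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
# Constructed stand-ins for the values entered in the SSO settings.
EXPECTED_ISSUER = "https://idp.example.test"  # how the IdP names itself
SP_ENTITY_ID = "https://sp.example.test"      # how the service provider names itself
# Constructed user table keyed by Federation ID (value is hypothetical).
USERS_BY_FEDERATION_ID = {"sia@jedeye-tech.example": "sia.thripio"}

# Constructed, unsigned response for illustration only.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Assertion>
    <saml:Issuer>https://idp.example.test</saml:Issuer>
    <saml:Subject><saml:NameID>sia@jedeye-tech.example</saml:NameID></saml:Subject>
    <saml:Conditions NotBefore="2024-01-01T00:00:00Z" NotOnOrAfter="2024-01-01T00:05:00Z">
      <saml:AudienceRestriction>
        <saml:Audience>https://sp.example.test</saml:Audience>
      </saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""

def _ts(value):
    """Parse a UTC SAML timestamp; malformed or missing values raise ValueError."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def resolve_user(response_xml, now):
    """Return the local username; raise ValueError when a check fails."""
    # A real service provider first verifies the XML signature against the
    # uploaded identity provider certificate; that step is not shown here.
    assertion = ET.fromstring(response_xml).find("saml:Assertion", NS)
    if assertion is None:
        raise ValueError("no assertion")
    if assertion.findtext("saml:Issuer", "", NS).strip() != EXPECTED_ISSUER:
        raise ValueError("issuer mismatch")
    cond = assertion.find("saml:Conditions", NS)
    if cond is None or not (
            _ts(cond.get("NotBefore", "")) <= now < _ts(cond.get("NotOnOrAfter", ""))):
        raise ValueError("assertion outside validity window")
    audiences = [a.text.strip() for a in cond.iterfind(".//saml:Audience", NS) if a.text]
    if SP_ENTITY_ID not in audiences:
        raise ValueError("audience mismatch")
    fed_id = assertion.findtext("saml:Subject/saml:NameID", "", NS).strip()
    if fed_id not in USERS_BY_FEDERATION_ID:  # exact match only, no fallback
        raise ValueError("unknown Federation ID")
    return USERS_BY_FEDERATION_ID[fed_id]
```

A Federation ID that differs from the one stored on the user by even one character fails the lookup, which is why the value entered in Step 1 has to match what the identity provider sends exactly.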
Step 3: Linking Identity Provider to Salesforce
I have configured Salesforce to know about the identity provider (Axiom). It's time to teach my identity provider about my service provider (Salesforce). Because I'm supplying Salesforce SSO settings, I'll keep two browser windows open: one for Salesforce and one for Axiom. Here's my first step in this part of the challenge: click SAML Identity Provider & Tester and then click generate a SAML response. Here's my screenshot.
... and at 1:27 am doing all this, I ran into an issue with my playground: it's missing endpoints completely, so Axiom can't be set up... This means only one thing: I must create a new playground and start over from scratch...
I did all the work again in a new playground and here are my endpoints showing! Persistence and fortitude are essential with Salesforce. I was able to complete the challenge successfully and unlock the security superbadge, so my goal is accomplished. It's 2 am, and I am going to bed ready to rest, then conquer the superbadge in the morning.
Video Editor & Broadcast Operator | Bringing ideas to life, frame by frame
2 years ago: Amazing work! Your content just keeps getting better and better, always look forward to your posts. Keep it up