This section contains an example of setting up Salesforce as an Identity Provider (IdP) and then setting up our web application as a Service Provider (SP). With the appropriate changes, the example applies equally to the MVC versions of the example identity provider and service provider.
Setting up Single Sign-on for Salesforce App
Generating a Domain Name and Enabling an Identity Provider
To prepare your Salesforce organization for this example, generate a domain name and enable Salesforce as an IdP.
- Log into Salesforce.
- Generate a domain name for your application
Enable Salesforce as an IdP:
- From Setup, click Domain Management > My Domain, enter a new subdomain name, and click Check Availability.
- Check the Terms and Conditions checkbox, then click Register Domain.
- From Setup, click Security Controls > Identity Provider
- Click Enable.
- Click Download Certificate.
Defining a Service Provider
To define your web application as a Service Provider so that Salesforce can recognize it:
- Log into Salesforce
- From Setup, click Security Controls > Identity Provider, then click "Create Service Provider" (or, if that is shown instead, the "Service Providers are now created via Connected Apps. Click here" link).
- Save the self-signed certificate downloaded in the previous section to your application's root folder; it is used later to validate the SAML assertions. In this example, we saved it as "Salesforce_SelfSignedCert.crt".
- Specify the name as ServiceProvider.
- In the Web App Settings section, check Enable SAML.
- Specify the Entity ID as componentpro.com.
- Specify the Assertion Consumer Service (ACS) URL. If you host this web application on your local machine, you can use http://localhost:2422/ConsumerService.aspx. If you host the demo app on http://samldemo.componentpro.com, the URL would be http://samldemo.componentpro.com/ConsumerService.aspx
- Select username as the subject type and select user profiles that have access to the SP.
- If SAML is enabled in Administer > Security Controls > Single Sign-On Settings, disable it so that Salesforce can act as the IdP.
- Click Save to save the changes.
- From Setup, click Manage Apps > Connected Apps, and click on the newly created Service Provider. Click Download Metadata to save the XML to your web application's folder. In this example we named it "SAMLIdP-0sp28000000Kyks.xml".
Configuring your Service Provider
If the SAML metadata XML is downloaded to your application's root folder, you may only need to specify that file name in the "metadatafilename" setting in web.config. If you don't want to use the metadata XML file for SAML validation, set "usemetadata" to "false".
Running the Example
- Browse to the IdP-Initiated login URL shown under the login information for the SP in the Salesforce configuration, e.g.: https://ap1.salesforce.com/idp/login?app=0sp18000000Aycd
- Log in to the IdP with your Salesforce credentials.
- You will then see the SP Welcome page, meaning that you have logged in at the example SP with your Salesforce credentials and successfully completed a SAML SSO.
Troubleshooting Salesforce issues
Insufficient Privileges issue
- You may get an Insufficient Privileges error when browsing to the Salesforce login URL. To solve this, add Profiles to the SP:
- In the Profiles section of Security Controls > Identity Provider, click Manage Profiles and check all the profiles that may access the SP.