After installing the UltimateSaml setup package you will find a web sample project in the folder Samples\Saml\Web\CS\Saml2Salesforce (C#) and Samples\Saml\Web\VB\Saml2Salesforce (VB.NET). This sample demonstrates Single Sign-On (SSO) with Salesforce: the sample acts as the Identity Provider (IdP) and Salesforce is the Service Provider (SP). To run the sample, open the solution file Saml2Salesforce_XXXX.sln and press F5 in the Visual Studio IDE.
Configuring the Salesforce Identity Provider Web Application
You can configure the Identity Provider web application by modifying the settings in the <appSettings> section of its web.config file:
- SalesforceUserId: The Salesforce username the assertion is issued for. It is sent in the NameID of the assertion's Subject and must be an existing user in your Salesforce org.
- SalesforceLoginUrl: The Salesforce Login URL that the SAML response is posted to. Copy it from the Endpoints section of your SAML Single Sign-On Settings in Salesforce.
- ServiceProviderUrl: The target URL of the Service Provider web application.
- Issuer: The Issuer name placed in the SAML response. It must exactly match the Issuer configured in the Salesforce SAML settings.
- EntityId: Placed in the Audience of the SAML assertion's AudienceRestriction. It must exactly match the Entity ID configured in the Salesforce SAML settings.
Configuring Salesforce to work with your Identity Provider
To enable and configure single sign-on in Salesforce, follow these steps:
- Log in to Salesforce.
- Click the Setup link; you will be redirected to the Setup page.
- Expand Security Controls under Administer in the Setup menu and select Single Sign-On Settings, or type "single" in the Quick Find search box.
- Click Edit. Check "SAML Enabled" if it is not already checked, then click Save.
- Click New in the SAML Single Sign-On Settings section.
- Upload the Identity Provider Certificate. Salesforce verifies the signature on each SAML response against this certificate, so upload the public certificate that matches the key your Identity Provider signs with (never the private key). To test the Identity Provider sample app, upload the certificate file named SP_X509Certificate_ForSalesforce.cer.
- Select Assertion contains User's salesforce.com username for the SAML User ID Type option, and User ID is in the NameIdentifier element of the Subject statement for the SAML User ID Location option.
- Fill in the Identity Provider Certificate Name, and note the Issuer and Entity ID values on this page: they must match the Issuer and EntityId settings in web.config.
- Click Save.
Testing the Identity Provider Web Application
This sample is configured to run on port 33181 (you can change the port number on the project property page). The Identity Provider web application, together with Salesforce, demonstrates IdP-initiated single sign-on. First, log in to the local sample with the username salesforce and the password password (demo credentials for the local sample only):
- Before testing the application, make sure the Issuer and EntityId settings in web.config match the Issuer and Entity ID in the SAML settings above. The SalesforceUserId must match an existing user account in Salesforce. The SalesforceLoginUrl setting must match the Salesforce Login URL shown under Endpoints when you view your SAML Single Sign-On Settings in Salesforce.
- Click the Login button.
- Click the link "here". You should then be taken to the Salesforce Choose a Username page.
- Choose a username; you will then see the Salesforce application dashboard page.
You have now completed a SAML 2.0 IdP-initiated Single Sign-On and are logged in at the Service Provider (Salesforce) with your Salesforce username.
Troubleshooting Salesforce issues
Insufficient Privileges issue
- If you get an Insufficient Privileges error when browsing to the Salesforce Login URL, the usual cause is that the values in web.config do not match your Salesforce SAML settings. Compare the Issuer, EntityId (Entity ID), SalesforceUserId and SalesforceLoginUrl settings, character for character, against the SAML Single Sign-On Settings page and the user list in Salesforce.
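The mismatches described in the configuration section and in the troubleshooting note above are easiest to find by looking at the SAML response itself rather than by re-reading settings pages. The following C# console program is an added example, not code from the UltimateSaml sample or library: it takes a decoded SAML response and a copy of the web.config appSettings and reports every place the two disagree. It assumes the mapping described on this page (Issuer in saml:Issuer, EntityId in saml:Audience, SalesforceUserId in the Subject's saml:NameID, SalesforceLoginUrl in the Response's Destination attribute); the appSettings dictionary, the hostnames and the SAML response are constructed placeholders, and the response is unsigned test input. In the real sample the settings come from ConfigurationManager.AppSettings and the response can be captured from the browser's POST to Salesforce.

```csharp
// Added example (not part of the UltimateSaml sample): report where a SAML response
// disagrees with the web.config appSettings described on this page.
using System;
using System.Collections.Generic;
using System.Xml;

static class SamlConfigCheck
{
    const string SamlNs  = "urn:oasis:names:tc:SAML:2.0:assertion";
    const string SamlpNs = "urn:oasis:names:tc:SAML:2.0:protocol";

    // Returns one line per mismatch; an empty list means the response agrees with the settings.
    public static List<string> Check(string samlResponseXml, IDictionary<string, string> appSettings)
    {
        var doc = new XmlDocument { XmlResolver = null }; // never resolve external entities/DTDs
        doc.LoadXml(samlResponseXml);

        var ns = new XmlNamespaceManager(doc.NameTable);
        ns.AddNamespace("saml", SamlNs);
        ns.AddNamespace("samlp", SamlpNs);

        var problems = new List<string>();
        Compare(problems, "Issuer (Response)", appSettings, "Issuer",
            Text(doc, "/samlp:Response/saml:Issuer", ns));
        Compare(problems, "Issuer (Assertion)", appSettings, "Issuer",
            Text(doc, "/samlp:Response/saml:Assertion/saml:Issuer", ns));
        Compare(problems, "EntityId (Audience)", appSettings, "EntityId",
            Text(doc, "/samlp:Response/saml:Assertion/saml:Conditions/saml:AudienceRestriction/saml:Audience", ns));
        Compare(problems, "SalesforceUserId (NameID)", appSettings, "SalesforceUserId",
            Text(doc, "/samlp:Response/saml:Assertion/saml:Subject/saml:NameID", ns));
        Compare(problems, "SalesforceLoginUrl (Destination)", appSettings, "SalesforceLoginUrl",
            Text(doc, "/samlp:Response/@Destination", ns));
        return problems;
    }

    static string Text(XmlDocument doc, string xpath, XmlNamespaceManager ns)
    {
        var node = doc.SelectSingleNode(xpath, ns);
        return node == null ? null : node.InnerText.Trim();
    }

    static void Compare(List<string> problems, string label, IDictionary<string, string> settings,
                        string key, string actual)
    {
        string expected;
        if (!settings.TryGetValue(key, out expected))
        {
            problems.Add(label + ": " + key + " is missing from appSettings");
            return;
        }
        if (actual == null)
            problems.Add(label + ": element not present in the SAML response");
        // Exact comparison on purpose: a trailing slash or a case difference is enough to break SSO.
        else if (!string.Equals(expected, actual, StringComparison.Ordinal))
            problems.Add(label + ": web.config has '" + expected + "' but the response carries '" + actual + "'");
    }
}

class Program
{
    static void Main()
    {
        // Constructed stand-in for the web.config <appSettings> values; all URLs are placeholders.
        var appSettings = new Dictionary<string, string>
        {
            { "Issuer",             "https://idp.example.com/saml" },
            { "EntityId",           "https://saml.salesforce.com" },
            { "SalesforceUserId",   "user@example.com" },
            { "SalesforceLoginUrl", "https://login.salesforce.com/?saml=EXAMPLE" },
        };

        // Constructed, unsigned response with one deliberate mismatch: the Audience has a trailing slash.
        const string response = @"<samlp:Response xmlns:samlp=""urn:oasis:names:tc:SAML:2.0:protocol""
    xmlns:saml=""urn:oasis:names:tc:SAML:2.0:assertion""
    ID=""_resp1"" Version=""2.0"" IssueInstant=""2024-01-01T00:00:00Z""
    Destination=""https://login.salesforce.com/?saml=EXAMPLE"">
  <saml:Issuer>https://idp.example.com/saml</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value=""urn:oasis:names:tc:SAML:2.0:status:Success""/></samlp:Status>
  <saml:Assertion ID=""_a1"" Version=""2.0"" IssueInstant=""2024-01-01T00:00:00Z"">
    <saml:Issuer>https://idp.example.com/saml</saml:Issuer>
    <saml:Subject>
      <saml:NameID Format=""urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"">user@example.com</saml:NameID>
    </saml:Subject>
    <saml:Conditions>
      <saml:AudienceRestriction><saml:Audience>https://saml.salesforce.com/</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>";

        var problems = SamlConfigCheck.Check(response, appSettings);
        if (problems.Count == 0)
            Console.WriteLine("SAML response matches the web.config settings.");
        foreach (var p in problems)
            Console.WriteLine("MISMATCH " + p);
    }
}
```

Run it against a response captured from the sample and every reported line points at a setting to fix before touching anything in Salesforce. The check deliberately does not verify the XML signature; Salesforce does that against the uploaded certificate, and a signature failure shows up as a separate error from the settings mismatch this program is looking for.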