Configuring SAML for Salesforce
Article: KB0010329 Published: 02/06/2023 Last modified: 02/06/2023

This article describes how to configure OneLogin to provide single sign-on (SSO) for your Salesforce users using SAML.

For an overview, check out this video training series:

Configure OneLogin's Salesforce App Connector

Setting Up OneLogin

Starting in the OneLogin admin dashboard portal, do the following:

  1. Go to Apps > Add Apps.
  2. Search for Salesforce and select the SAML 2.0 connector.

    Edit the Display Name, if necessary.
  3. Click Save.
  4. Select the Configuration tab.
  5. In the "Salesforce Login URL" field, enter your Salesforce login URL.

    The URL takes the form https://login.salesforce.com?so=<Your Organization ID>, where the so parameter is your Salesforce Organization ID. If you are unsure of your Organization ID, go to Company Profile > Company Information in Salesforce to find it.

    To set up API provisioning for Salesforce, see Provisioning for Salesforce.

  6. Click Save.
  7. Select the Parameters tab.
  8. Ensure that Credentials is set to Configured by admin and that the parameters are mapped as follows:
    User ID -> Email

    Locale, Permission Sets, Profile, Role, and Time Zone are set by Salesforce and are mapped according to your organization's configuration.

  9. Click Save.
  10. Select the SSO tab.
  11. Copy down the SAML2.0 Endpoint (HTTP) URL.
  12. Copy down the Issuer URL.
  13. Select View Details.
  14. Select X.509 PEM as the certificate type.
  15. Click Download to download the X.509 PEM certificate file.

In the next task, you enter the Issuer URL, SAML Endpoint, and X.509 certificate into Salesforce to establish the SAML SSO connection.

Setting Up Salesforce

Starting in the Salesforce admin dashboard, do the following:

  1. In the Settings menu, navigate to Identity > Single Sign-On Settings.
  2. Under Federated Single Sign-On Using SAML, select Edit, then the checkbox SAML Enabled, then Save.
  3. Select New to create a Salesforce SSO profile.
  4. On the SAML Single Sign-On Setting page, complete the form as follows:
    Name: OneLogin
    API Name: OneLogin
    Issuer: Issuer URL copied from your app's SSO tab in OneLogin
    Entity ID: https://saml.salesforce.com
    Identity Provider Certificate: Click Choose File and upload the X.509 PEM file you downloaded from your app's SSO tab in OneLogin. Salesforce uses this certificate to verify the signature on every assertion, so when the OneLogin certificate is rotated or expires, the new PEM must be uploaded here or logins will fail.
    Request Signing Certificate: Default Certificate
    Request Signature Method: SHA-256
    Assertion Decryption Certificate: Assertion not encrypted
    SAML Identity Type: Username
    SAML Identity Location: Subject
    Identity Provider Login URL: SAML Endpoint URL copied from your app's SSO tab in OneLogin
    Identity Provider Logout URL: -blank-
    Custom Error URL: -blank-
    Service Provider Initiated Request Binding: HTTP POST
  5. Click Save.

With both sides configured, OneLogin and Salesforce are connected through SAML. Test a login from the OneLogin portal with a non-admin user before restricting login with Salesforce credentials, so that an administrator can still sign in directly if the SAML configuration is wrong.
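When a login fails after this setup, the quickest diagnosis is to capture the SAMLResponse the browser posts to Salesforce (with a SAML tracer browser extension) and compare it with the values entered in step 4. The following script is an example added to this article, not OneLogin's or Salesforce's code: it base64-decodes a captured response and checks that the Issuer matches the OneLogin Issuer URL, that the Audience equals the Entity ID https://saml.salesforce.com, that the username is in Subject/NameID (Identity Type Username, Identity Location Subject), that a signature element is present, and that the validity window contains the current time. The SAML response and the OneLogin issuer URL in it are constructed placeholders. Signature verification itself is left to Salesforce, which performs it with the uploaded PEM; doing it here would need an XML-DSig library such as xmlsec.

```python
"""Check a captured SAMLResponse against the Salesforce SSO profile values.

Added example for this article (not OneLogin/Salesforce code). The response
below and the issuer URL in it are constructed placeholders.
"""
import base64
from datetime import datetime, timezone
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
DSIG_SIGNATURE = "{http://www.w3.org/2000/09/xmldsig#}Signature"
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
SALESFORCE_ENTITY_ID = "https://saml.salesforce.com"  # Entity ID entered in Salesforce


def decode_saml_response(b64_response: str) -> str:
    """The SAMLResponse form field posted to Salesforce is base64-encoded XML."""
    return base64.b64decode(b64_response).decode("utf-8")


def _parse_time(value: str) -> datetime:
    """SAML timestamps are xsd:dateTime in UTC, e.g. 2023-02-06T10:00:00Z."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def check_saml_response(xml_text, expected_issuer, now, expected_audience=SALESFORCE_ENTITY_ID):
    """Return (name_id, problems); an empty problems list means the response
    carries what the SAML Single Sign-On Setting above tells Salesforce to expect."""
    problems = []
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{NS['samlp']}}}Response":
        return None, ["root element is not samlp:Response"]

    status = root.find("samlp:Status/samlp:StatusCode", NS)
    if status is None or status.get("Value") != SUCCESS:
        problems.append("StatusCode is not Success")

    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        # An EncryptedAssertion would not match "Assertion not encrypted".
        return None, problems + ["no plain saml:Assertion in the response"]

    # Issuer must equal the Issuer URL copied from the OneLogin SSO tab.
    issuer = assertion.findtext("saml:Issuer", default="", namespaces=NS)
    if issuer != expected_issuer:
        problems.append(f"Issuer {issuer!r} != configured Issuer {expected_issuer!r}")

    # Identity Location = Subject: the Salesforce username is Subject/NameID,
    # which OneLogin fills from the User ID parameter (mapped to Email).
    name_id = assertion.findtext("saml:Subject/saml:NameID", default=None, namespaces=NS)
    if not name_id:
        problems.append("Subject/NameID missing (Identity Location is Subject)")

    # Audience must equal the Entity ID entered in Salesforce.
    audience = assertion.findtext(
        "saml:Conditions/saml:AudienceRestriction/saml:Audience", default="", namespaces=NS)
    if audience != expected_audience:
        problems.append(f"Audience {audience!r} != Entity ID {expected_audience!r}")

    # Clock skew between IdP and SP is a common cause of rejected assertions.
    cond = assertion.find("saml:Conditions", NS)
    if cond is not None:
        nb, noa = cond.get("NotBefore"), cond.get("NotOnOrAfter")
        if nb and now < _parse_time(nb):
            problems.append(f"assertion not yet valid (NotBefore {nb})")
        if noa and now >= _parse_time(noa):
            problems.append(f"assertion expired (NotOnOrAfter {noa})")

    # Salesforce verifies the signature with the uploaded PEM; here only its presence is checked.
    if assertion.find(DSIG_SIGNATURE) is None and root.find(DSIG_SIGNATURE) is None:
        problems.append("no ds:Signature on Response or Assertion")

    return name_id, problems


# Constructed sample response; the issuer is a placeholder, not a real OneLogin URL.
EXAMPLE_ISSUER = "https://app.onelogin.com/saml/metadata/00000000-0000-0000-0000-000000000000"
EXAMPLE_RESPONSE = f"""<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0"
    IssueInstant="2023-02-06T10:00:00Z">
  <saml:Issuer>{EXAMPLE_ISSUER}</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="{SUCCESS}"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2023-02-06T10:00:00Z">
    <saml:Issuer>{EXAMPLE_ISSUER}</saml:Issuer>
    <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:SignatureValue>constructed</ds:SignatureValue></ds:Signature>
    <saml:Subject><saml:NameID>jane.doe@example.com</saml:NameID></saml:Subject>
    <saml:Conditions NotBefore="2023-02-06T09:57:00Z" NotOnOrAfter="2023-02-06T10:03:00Z">
      <saml:AudienceRestriction><saml:Audience>{SALESFORCE_ENTITY_ID}</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""


def demo(now_iso="2023-02-06T10:00:00Z", xml_text=EXAMPLE_RESPONSE, expected_issuer=EXAMPLE_ISSUER):
    """Round-trip the sample through the base64 form encoding, then check it."""
    b64 = base64.b64encode(xml_text.encode()).decode()
    return check_saml_response(decode_saml_response(b64), expected_issuer, _parse_time(now_iso))


if __name__ == "__main__":
    name_id, problems = demo()
    print("NameID:", name_id, "| problems:", problems or "none")
```

For a real capture, pass the SAMLResponse field value to decode_saml_response and the Issuer URL from the OneLogin SSO tab as expected_issuer; a NameID that does not equal the user's Salesforce username is the email mismatch described in the next section.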

Troubleshooting an Email Mismatch

In some cases, the Salesforce account admin email may not match the OneLogin admin email. This can be remedied by doing the following:

  1. In OneLogin, go to Users and select the account owner.
  2. Select the Applications tab.
  3. Select the Salesforce app to open the Edit Salesforce Login pane.

Here you may overwrite the default fields for your Salesforce login and insert the correct information to match your OneLogin credentials with your Salesforce credentials.

User IDs

By default, a user is authenticated in Salesforce using the email address they are registered with in OneLogin. In some cases, however, it is not practical or even possible to use the email address as the user ID; for example, the user might have access to multiple Salesforce accounts.

You can specify another ID for a user by editing the user's login record in OneLogin. Go to Users > All Users and select the relevant Salesforce-associated user to edit the user's login record.

Deep Linking

If you click a Salesforce link in an email, you are taken directly to the requested page in Salesforce. If you are not logged in to OneLogin, you are prompted to authenticate first and the link is followed once authentication succeeds. Note that this does not work until Salesforce has set a cookie in your browser, which typically happens after the first successful login.
