[Federated Authentication] Integrating Salesforce with WSO2 Identity Server as SAML2 SSO IDP

In my previous blog post we went through how you can configure the SAML2 SSO web application with Identity Server. Users authenticate to Identity Server by proving username/password. These username/password must be authenticated with the enterprise user store that identity server has been deployed. Therefore only the user who are in the enterprise user store can access the web application.

Assume, you have a new requirement that web application must be accessed by the users from some other partner organization. Partner organization has their employee’s user accounts in salesforce SAAS applications. Users from partner organization who need to login to the web application must be authenticated with their user account in salesforce.com. How we are going to achieve this?

With Identity Server, you can configure multiple IDPs that users can be authenticated. In this use case, users from its own enterprise can be authenticated with enterprise user store. And users from partner organization, can be authenticated with salesforce.com.

Configure WSO2 Identity Server as a Service providers in salesforce.com

Step 1. Login to salesforce SAAS Application as an administrator.

You can easily create a free trial account in salesforce.com, If you are just wish to try out this.

Step 2. Go to Identity provider management UI.

Step 3. Download Identity provider certificate.   You need this certificate to import in to Identity Server.  As Identity Server needs to trust the SAML Assertion that is received by salesforce.com

Step 4. Download Identity provider metadata.   IDP meta data file needs to find out meta of the IDP such as IDP url, entity Id and so on..

Step 5. Register new service provider connected application for Identity Server.

Step 6. Enable SAML for Service provider.   You need to  configure Identity Server ACS url and other configurations.  ACS url would be https://{IP}:{Port}/commonauth

Step 7. Associate new application with the profiles that users are assigned.

Now you are done with salesforce  configurations.

Configure salesforce.com as an trusted IDP for Identity Server.

Step 1. Go to Identity providers management UI and Configure new Trust IDP

Step 2. Provide Trusted IDP details.   You need to configure an unique name for IDP and  upload the downloaded certificate file of the salesforce.com domain

Step 3. Configure SAML2 SSO Configuration for IDP.  Identity Server is used to communicate with salesforce.com using SAML2 SSO web browser profile. Therefore,  In SAML2 SSO configurations,  You need to configure the SAML2 SSO details of the salesforce.com.   These details can be retrieved from the download IDP metadata file.  You can configure the IDP url, IDP entity Id and Service Provider entity id. Also Service Provider entity id must be the same value that you have configured in salesforce.com while configuring the service provider.

Now you are done with configuring the Salesforce as trusted IDP

Step 4. Configure salesforce.com trusted IDP as an  authentication IDP for web application.

There are two way that you can configure the salesforce.com trusted IDP.  One way is,  just configure it as a federated authentication IDP for web application.  Then,  Only the users who can be authenticated via salesforce.com IDP,  can login to web application.

Or less, you can configure authentication steps.  Here we configure two steps…   One is  basic authentication that allows to authenticate users from enterprise user store. Other one is salesforce.com IDP.

Once you configure like this,  users who are accessing to web application would be promoted a IDP login page with both options.  Therefore users from salesforce.com and enterprise user store can login to web application….