Set up Salesforce as the SP and EAA as the IdP
How to set up the Salesforce application as the service provider (SP) and Enterprise Application Access (EAA) as the identity provider (IdP).
Complete the following steps to configure Salesforce as the SP and EAA as the IdP.

1. Access Salesforce. Log in if you have an account. If you do not have an account, contact the EAA account administrator to request access to the SaaS application feature.

2. Create a new application in EAA. See Configure EAA as the IdP for a custom SaaS application to do so. Do not deploy the application at
   - Under the SAML SETTINGS tab, go to the IDP info section.
   - Copy the prepopulated entity ID, single sign-on (ACS) URL, and single logout URL for use in configuring the Salesforce SP.
   - Click the icon next to Metadata to download the XML file containing the required information onto your local machine. You will also need this data to configure the Salesforce SP.

3. Configure Salesforce as the SP.
   - a. Access the Salesforce admin account using your admin credentials. The Home page appears.
   - b. Under SETTINGS, select Company Settings and click My Domain. Provide the domain name and follow the steps on screen to complete the process. After you finish you will have a domain ready for
   - In the My Domain section, edit the Authentication Configuration page and check the Authentication Service for your domain. This gives users the option of SP-initiated authentication.
   - Under SETTINGS, expand Identity and click Single Sign-On Settings. Click Edit and select SAML Enabled. You must enable SAML to view the SAML SSO
   - Under SAML Single Sign-On Settings, click New from Metadata File. Navigate to the Metadata file downloaded from EAA in Step 2c and click
   - After the Metadata file has been successfully uploaded, it pre-populates all the required information. Under the SAML Identity Type section, select Assertion contains the Federation ID from the User object and then click Save.
   - Click Edit, and under Just-In-Time User Provisioning, check User Provisioning Enabled to select Standard type provisioning. This provisions new users in Salesforce upon successful login.
   - Copy the Entity ID, Login URL, and Logout URL data. You need this to complete the EAA SAML settings in Step 4.
     If you are not using user provisioning and just want to use SSO functionality, for the SAML Identity Type you can use a Salesforce username or user ID from a user object. In this example, the settings may look like this:
   - Click Request Signing Certificate, and then click Download Certificate on the next screen. You will need this certificate to complete the EAA SAML settings in Step 4.

4. Go back to the EAA IdP application and configure the SAML settings under the SAML SETTINGS tab to complete the EAA setup.
   - In the SAML Settings section, enter the Salesforce information you copied in Step 3k to complete the setup: Entity ID, Single SignOn URL, and Single Logout URL.
   - Select email from the NameID Format menu. Make sure to map the NameID attribute to the corresponding AD field containing the email address.
   - Select the Signed Request check box and add the certificate information downloaded in Step 3m.
   - Select SHA1 from the Response Signature Algorithm menu.
   - from the Single LogOut Binding menu.
   - Map the required attributes for this application in order to successfully perform SSO and user provisioning. Attribute mapping is required only if you want to do user provisioning (for example, create a user in Salesforce upon successful login). See Create user attributes in EAA for more

5. Verify IdP-initiated SSO from EAA.
   - Access the Identity Portal URL and log in using AD credentials.
   - Click the icon for the Salesforce application. This opens a new tab and gives the user a session without prompting for login credentials.
   - When the end user logs out from the Identity Portal, the session with the Salesforce application also ends.

6. Verify SP-initiated SSO from Salesforce.
   - Access the Salesforce portal using your domain, for example, https://jpt3-dev-ed.my.salesforce.com.
   - Click your domain button rather than entering a username and password. This opens the EAA login portal, where you can sign in.