How to set up the Salesforce application as the service provider (SP) and Enterprise Application Access (EAA) as the identity provider (IdP).

Complete the following steps to configure Salesforce as the SP and EAA as the IdP.
1. Access Salesforce. Log in if you have an account. If you do not have an account, contact the EAA account administrator to request access to the SaaS application feature.

2. In the EAA application, collect the IdP information.
   a. Under the SAML SETTINGS tab, go to the IDP info section.
   b. Copy the prepopulated entity ID, single sign-on (ACS) URL, and single logout URL for use in configuring the Salesforce SP.
   c. Click Download next to Metadata to download the XML file containing the required information onto your local machine. You will also need this data to configure the Salesforce SP.
   (Screenshot: Salesforce EAA SAML settings)
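The metadata file downloaded in Step 2c is what Salesforce reads when you create the SSO setting from a metadata file, so it is worth knowing what it must contain. The following script is an added example, not part of the original page or of the EAA or Salesforce products: it parses a SAML 2.0 IdP metadata document and returns the entity ID, the single sign-on and single logout URLs, the advertised NameID formats, and the signing certificate, and it rejects metadata that has no signing key, since Salesforce cannot verify assertions without one. The embedded metadata is a constructed sample; its hostnames and certificate body are placeholders, not values from a real tenant.

```python
"""Extract the IdP values Salesforce needs (entity ID, SSO/SLO URLs, signing
certificate) from a SAML 2.0 IdP metadata file such as the one from Step 2c."""
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
HTTP_REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed sample metadata. The hostnames and certificate body are
# placeholders, not values from a real EAA tenant.
SAMPLE_IDP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://idp.eaa.example/saml/metadata">
  <md:IDPSSODescriptor WantAuthnRequestsSigned="true"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data>
        <ds:X509Certificate>MIIC...PLACEHOLDER...</ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.eaa.example/saml/slo"/>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://idp.eaa.example/saml/sso"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.eaa.example/saml/sso"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""


def _endpoint(idp, element, binding):
    """Return the Location of the first <element> using the given Binding, or None."""
    for el in idp.findall(f"md:{element}", NS):
        if el.get("Binding") == binding:
            return el.get("Location")
    return None


def parse_idp_metadata(xml_text):
    """Return the IdP values Salesforce needs, or raise ValueError when the
    document is not usable IdP metadata (wrong root, no IdP role, no signing key)."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{NS['md']}}}EntityDescriptor":
        raise ValueError("root element is not md:EntityDescriptor")
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("metadata has no IDPSSODescriptor (not an IdP)")

    # Salesforce verifies assertion signatures with the IdP certificate, so
    # metadata without a signing key cannot yield a working configuration.
    certs = []
    for kd in idp.findall("md:KeyDescriptor", NS):
        if kd.get("use", "signing") != "signing":  # an absent 'use' means both
            continue
        for cert in kd.findall("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS):
            certs.append("".join((cert.text or "").split()))
    if not certs:
        raise ValueError("no signing certificate in IdP metadata")

    sso = (_endpoint(idp, "SingleSignOnService", HTTP_POST)
           or _endpoint(idp, "SingleSignOnService", HTTP_REDIRECT))
    if sso is None:
        raise ValueError("no SingleSignOnService with an HTTP-POST or HTTP-Redirect binding")

    return {
        "entity_id": root.get("entityID"),
        "sso_url": sso,
        # Step 4e selects Redirect for single logout, so report that binding.
        "slo_url": _endpoint(idp, "SingleLogoutService", HTTP_REDIRECT),
        "nameid_formats": [n.text.strip() for n in idp.findall("md:NameIDFormat", NS)],
        "signing_certs": certs,
    }


if __name__ == "__main__":
    for key, value in parse_idp_metadata(SAMPLE_IDP_METADATA).items():
        print(f"{key}: {value}")
```

Run it against the real metadata file (read the file and pass its contents to parse_idp_metadata) and compare the printed values with what Salesforce pre-populates in Step 3i; a mismatch there, or a ValueError from this script, means the wrong file was uploaded.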
3. Configure Salesforce as the SP.
   a. Access the Salesforce admin account using your admin credentials. The Home page appears.
   b. Under SETTINGS, select Company Settings and click My Domain.
   c. Provide the domain name and follow the steps on screen to complete the process. After you finish, you will have a domain ready for testing.
   (Screenshot: Salesforce home page)
   d. In the My Domain section, edit the Authentication Configuration page and check the Authentication Service for your domain. This gives users the option of SP-initiated authentication.
   (Screenshot: Salesforce Authentication Service fields)
   e. Under SETTINGS, expand Identity and click Single Sign-On Settings.
   f. Click Edit and select SAML Enabled. You must enable SAML to view the SAML SSO settings.
   (Screenshot: Salesforce SSO settings)
   g. Under SAML Single Sign-On Settings, click New from Metadata File.
   h. Navigate to the Metadata file downloaded from EAA in Step 2c and click Create.
   (Screenshot: Salesforce SAML SSO settings)
   i. After the Metadata file has been successfully uploaded, it pre-populates all the required information. Under the SAML Identity Type section, select Assertion contains the Federation ID from the User object, and then click Save to complete.
   (Screenshot: Salesforce SSO configuration fields)
   j. Click Edit, and under Just-in-Time User Provisioning, check User Provisioning Enabled and select the Standard provisioning type. This provisions new users in Salesforce upon successful login.
   k. Copy the Entity ID, Login URL, and Logout URL. You need these to complete the EAA SAML settings in Step 4.
   (Screenshot: Salesforce sample configuration completed)
   l. If you are not using user provisioning and just want to use SSO functionality, for the SAML Identity Type you can use a Salesforce username or user ID from the User object. In this example, the settings may look like this:
   (Screenshot: Salesforce SAML identity)
   m. Click Request Signing Certificate, and then click Download Certificate on the next screen. You will need this certificate to complete the EAA SAML settings in Step 4.
4. Go back to the EAA IdP application and configure the SAML settings under the SAML SETTINGS tab to complete the EAA setup.
   a. In the SAML Settings section, enter the required Salesforce information you copied in Step 3k to complete the setup: Entity ID, Single SignOn URL, and Single Logout URL.
   b. Select email from the NameID Format menu. Make sure to map the NameID attribute to the corresponding AD field containing the email address.
   c. Click the Signed Request check box and add the certificate information downloaded in Step 3m.
   d. Select SHA1 from the Response Signature Algorithm menu.
   e. Select Redirect from the Single LogOut Binding menu.
   (Screenshot: Salesforce EAA SAML settings configuration)
   f. Map the required attributes for this application in order to successfully perform SSO and user provisioning. Attribute mapping is required only if you want to do user provisioning (for example, create a user in Salesforce upon successful login). See Create user attributes in EAA for more information.
   (Screenshot: Salesforce EAA user attributes)
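When SSO works but provisioning or user matching fails, the quickest diagnosis is to look at the assertion EAA actually sends (browser SAML tracer, or EAA logs) and compare it with the settings above: the NameID must be in email format and hold the AD email address (Step 4b), it must be something Salesforce can match as the Federation ID (Step 3i), and the attributes mapped in Step 4f must be present with non-empty values. The checker below is an added example, not code from the page or from Akamai or Salesforce. The attribute names in REQUIRED_JIT_ATTRIBUTES are used for illustration only and are an assumption; confirm the set your org expects against "Create user attributes in EAA". The embedded assertion is a constructed, unsigned sample with placeholder values.

```python
"""Check a SAML assertion against the Salesforce SP settings chosen above:
NameID in email format (Step 4b), a value Salesforce can match as the
Federation ID (Step 3i), and the attributes JIT provisioning needs (Step 4f)."""
import re
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"

# Attribute names used for illustration only (an assumption); confirm the
# exact set your Salesforce org expects against "Create user attributes in EAA".
REQUIRED_JIT_ATTRIBUTES = ("User.Username", "User.Email", "User.LastName", "User.ProfileId")

# Constructed sample assertion (signature omitted); all values are placeholders.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_placeholder-id" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
  <saml:Issuer>https://idp.eaa.example/saml/metadata</saml:Issuer>
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">jane.doe@example.com</saml:NameID>
  </saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="User.Username"><saml:AttributeValue>jane.doe@example.com</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="User.Email"><saml:AttributeValue>jane.doe@example.com</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="User.LastName"><saml:AttributeValue>Doe</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="User.ProfileId"><saml:AttributeValue>00ePLACEHOLDER</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>
"""


def check_assertion(xml_text, required=REQUIRED_JIT_ATTRIBUTES):
    """Return a list of problems; an empty list means the assertion matches the SP settings."""
    root = ET.fromstring(xml_text)
    problems = []

    name_id = root.find("saml:Subject/saml:NameID", NS)
    if name_id is None:
        return ["assertion has no Subject/NameID"]
    if name_id.get("Format") != EMAIL_FORMAT:
        problems.append(f"NameID Format is {name_id.get('Format')!r}, expected email format")
    value = (name_id.text or "").strip()
    if not re.fullmatch(r"[^@\s]+@[^@\s]+\.[^@\s]+", value):
        problems.append(f"NameID value {value!r} is not an email address")

    # Collect every attribute with its (possibly multi-valued) values.
    attrs = {}
    for attr in root.findall("saml:AttributeStatement/saml:Attribute", NS):
        values = [(v.text or "").strip() for v in attr.findall("saml:AttributeValue", NS)]
        attrs[attr.get("Name")] = values

    # JIT provisioning cannot create the user if a mapped attribute is absent or empty.
    for name in required:
        if not any(attrs.get(name, [])):
            problems.append(f"missing JIT attribute {name}")

    # In this configuration both the NameID and the email attribute come from
    # the AD email field, so a disagreement points at a wrong attribute mapping.
    email_values = attrs.get("User.Email", [])
    if email_values and email_values[0] != value:
        problems.append("NameID and User.Email disagree")
    return problems


if __name__ == "__main__":
    print(check_assertion(SAMPLE_ASSERTION) or "assertion matches the SP settings")
```

Feed the function the decoded assertion XML from a captured response; each returned string names one setting to revisit.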
5. Verify IdP-initiated login from EAA.
   a. Access the Identity Portal URL and log in using AD credentials.
   b. Click the icon for the Salesforce application. This opens a new tab and gives the user a session without requesting login credentials.
   c. When the end user logs out from the Identity Portal, the session with the Salesforce application is also ended.

6. Verify SP-initiated login from Salesforce.
   a. Access the Salesforce portal using your domain, for example, https://jpt3-dev-ed.my.salesforce.com.
   b. Click your domain button rather than entering a username and password. This opens the EAA login portal, where you can sign in.