Set up Salesforce as the SP and EAA as the IdP

How to set up the Salesforce application as the service provider (SP) and Enterprise Application Access (EAA) as the identity provider (IdP).

Complete the following steps to configure Salesforce as the SP and EAA as the IdP

How to

  1. Access Salesforce. Log in if you have an account. If you do not have an account, contact the EAA account administrator to request access to the SaaS application feature.
  2. Create a new application in EAA. See Configure EAA as the IdP for a custom SaaS application to do so. Do not deploy the application at this time.
    1. Under the SAML SETTINGS tab, go the IDP info section.
    2. Copy the prepopulated entity ID, single sign on (ACS) URL, and single logout URL for use in configuring the Salesforce SP.
    3. Click Download next to Metadata to download the XML file containing the required information onto your local machine. You will also need this data to configure the Salesforce SP.
      Salesforce EAA SAML settings

  3. Configure Salesforce as the SP.
    1. a. Access the Salesforce admin account using your admin credentials. The Home page appears.
    2. b. Under SETTINGS, select Company Settings and click My Domain.
    3. Provide the domain name and follow the steps on screen to complete the process. After you finish you will have a domain ready for testing.
      Salesforce home page

    4. In the My Domain section, edit the Authentication Configuration page and check the Authentication Service for your domain. This provides user with an option to have SP initiated authentication.
      Salesforce Authentication Service fields

    5. Under SETTINGS, expand Identity and click Single-Sign On Settings.
    6. Click Edit and select SAML Enabled. You must enable SAML to view the SAML SSO settings.
      Salesforce SSO settings

    7. Under SAML Single Sign-On Settings, click New from Metadata File.
    8. Navigate to the Metadata file downloaded from EAA in Step 2c and click Create.
      Salesforce SAML SSO settings

    9. After the Metadata file has been successfully uploaded, it pre-populates all the information required. Under the SAML Identity Type section, select Assertion contains the Federation ID from the User object and then click Save to complete.
      Salesforce SSO configuration fields

    10. Click Edit, and under Just-In-time User Provisioning, check the User Provisioning Enabled to select Standard type provisioning. This provisions new users in Salesforce upon successful login.
    11. Copy the Entity ID, Login URL, and Logout URL data. You need this to complete the EAA SAML settings in Step 4.
      Salesforce sample configuration completed

    12. If you are not using user provisioning and just want to use SSO functionality, for the SAML Identity Type you can use a Salesforce username or user ID from a user object. In this example, the settings may look like this:
      Salesforce SAML identity

    13. Click Request Signing Certificate, and then click Download Certificate on the next screen. You will need this certificate to complete the EAA SAML settings in Step 4.
  4. Go back to the EAA IdP application and configure the SAML settings under the SAML SETTINGS tab to complete the EAA setup.
    1. In the SAML Settings section, enter the required Salesforce information you copied in Step 3k to complete the setup: Entity ID, Single SignOn URL, and Single Logout URL.
    2. Select email from the NameID Format ID menu.
      Make sure to map the NameID attribute to the corresponding AD field containing the email address.
    3. Click the Signed Request check box and add the certificate information downloaded in Step 3m.
    4. Select SHA1 from the Response Signature Algorithm menu.
    5. Select Redirect from the Single LogOut Binding menu.
      Salesforce EAA SAML settings configuration

    6. Map the required attributes for this application to order to successfully perform SSO and User provisioning. Attribute mapping is required only if you want to do user provisioning (for example, create a user in Salesforce upon successful login). See Create user attributes in EAA for more information.
      Salesforce EAA user attributes

  5. Verify that the EAA IdP is initiated.
    1. Access the Identity Portal URL and log in using AD credentials.
    2. Click on the icon for the Salesforce application.
      This will open a new tab and provide users a session without requesting login credentials.
    3. When the end user logs out from the Identity Portal, the session with the Salesforce application will also be ended.
  6. Verify that the Salesforce SP is initiated.
    1. Access the Salesforce portal using your domain, for example,
    2. Click on your domain button rather than entering username and password. This will open the EAA login portal and you can sign in there.
      Salesforce login