step-by-step guide to build salesforce single-sign on test lab with microsoft active directory
Step-by-Step Guide To Build Your Own Single-Sign On Test Lab with Salesforce & Microsoft Active Directory
Ver 2.1 Updated on 21-Nov-2014
Visit asagarwal.com for daily dose of useful tips & tricks on Salesforce
Related Blog
Step-by-Step Guide to Build Your Own Salesforce Single-Sign On ( SSO ) Test Lab - http://www.asagarwal.com/2376/step-by-step-guide-to-build-your-own-salesforce-single-sign-on-sso-test-lab
Ingredients
You will need the following to set up your own Salesforce SSO test lab
■ Amazon Web Service (AWS) Account
■ Salesforce Developer Org
■ Internet Connection
Using This Guide
A couple of standards/conventions have been followed in this guide. Here is what they mean:
■ Text with Red Background: Important information. Take a closer look and follow as advised. You may not be able to complete the guide successfully if you miss these instructions
■ Text with Yellow Background: General explanation/information to support actions mentioned on the slide. Will assist you in understanding what is being done and why
■ Text with White background, red border and a number, in a callout format: Actions that you need to follow to configure. Carry out these steps in the order of their serial number.
■ Text with Green Background: Appears on the bottom bar of the page on right hand side. Provides information on the Hardware and Software currently being used
Steps Overview
➡ Configure Windows 2008 Server on AWS
■ Install Microsoft Active Directory
■ Install Microsoft ADFS 2.0
■ Create Self-Signed Certificate in IIS
■ Configure Microsoft ADFS 2.0
■ Export Self-Signed Certificate
■ Retrieve ADFS 2.0 Details for Salesforce Configuration
■ Configure My Domain in Salesforce
■ Enable SSO in Salesforce
■ Add Salesforce as Trusted Relying Party in ADFS 2.0
■ Configure AD User for Single Sign On in Salesforce
■ Test SSO (SP Initiated & IdP Initiated)
■ Use Just-In-Time (JIT) Provisioning
■ Debug SSO Issues
Configuring Windows 2008 Server on AWS
1. Navigate to URL aws.amazon.com
2. Click on Sign in to the Console
Google Chrome on Mac
Configuring Windows 2008 Server on AWS
1. Enter your AWS username and password and click on Sign in using our secure server
2. If you do not have an AWS account, select the option “I am a new user” and sign up for the account
Google Chrome on Mac
Configuring Windows 2008 Server on AWS
1. Once logged on to AWS, click on EC2
Google Chrome on Mac
Configuring Windows 2008 Server on AWS
1. Let’s start by creating a key pair file. This is required to connect to the Windows 2008 server on AWS that we will be configuring shortly. Click on Key Pairs
Google Chrome on Mac
Configuring Windows 2008 Server on AWS
1. Click on Create Key Pair
Google Chrome on Mac
Configuring Windows 2008 Server on AWS
1. Enter key pair name and click Create
Google Chrome on Mac
Configuring Windows 2008 Server on AWS
1. Once the key pair is created, the system will automatically prompt to download the key pair file. Select a location on the computer and save the file
Google Chrome on Mac
Configuring Windows 2008 Server on AWS
1. The key pair is downloaded on the PC
2. Let’s start a Windows 2008 server now. Click on Instances on the left sidebar
Google Chrome on Mac
Configuring Windows 2008 Server on AWS
1. Click on Launch Instance
Google Chrome on Mac
Configuring Windows 2008 Server on AWS
1. Scroll down the page and locate AMI “Microsoft Windows Server 2008 R2 SP1 Datacenter edition, 64-bit architecture”. Click Select
Google Chrome on Mac
Configuring Windows 2008 Server on AWS
1. Select the instance type. Since we are creating just a test lab for our own practice and testing, I have selected the micro instance type. The amount that AWS will charge you will depend on the instance type that you select here. (To give you an idea, a micro instance will cost just about US$ 13 a month)
2. Click on ‘Next: Configure Instance Details’
Google Chrome on Mac
Configuring Windows 2008 Server on AWS
1. Click on ‘Next: Add Storage’
Google Chrome on Mac
Configuring Windows 2008 Server on AWS
1. Click ‘Next: Tag Instance’
Google Chrome on Mac
Configuring Windows 2008 Server on AWS
1. Specify an instance name for easy identification in the AWS console. Here ‘msad’ that I have specified stands for ‘Microsoft Active Directory’
2. Click on ‘Next: Configure Security Group’
Google Chrome on Mac
Configuring Windows 2008 Server on AWS
1. Select option ‘Create a new security group’. A security group is used to define the firewall rules on who can connect to the server and on what port
2. Specify the Security group name and description.
3. Leave the security group rule at its default value as shown here
4. Click ‘Review and Launch’
Google Chrome on Mac
Configuring Windows 2008 Server on AWS
1. Click Launch
Google Chrome on Mac
Configuring Windows 2008 Server on AWS
1. Select the key pair created in earlier steps, click on the checkbox to acknowledge and click on Launch Instances. This will launch a Windows 2008 server instance on AWS
Google Chrome on Mac
Configuring Windows 2008 Server on AWS
1. AWS will launch the instance. Click on the instance name
Google Chrome on Mac
Connecting To Windows 2008 Server
1. Check the instance status. Wait for a couple of minutes for AWS to complete the launch. To refresh the status click on the refresh icon
2. Click on Actions after waiting for a couple of minutes
Google Chrome on Mac
Connecting To Windows 2008 Server
1. In Actions drop down menu, click on Get Windows Password
Google Chrome on Mac
Connecting To Windows 2008 Server
1. Click on Choose File to locate the key pair file created in earlier steps
Google Chrome on Mac
Connecting To Windows 2008 Server
1. Navigate to the directory where the key pair file was downloaded. Locate and double click on the file name to open the file
Google Chrome on Mac
Connecting To Windows 2008 Server
1. The contents of the key pair will be displayed in the window. Click on Decrypt Password
Google Chrome on Mac
Connecting To Windows 2008 Server
1. Note the IP Address, User name and password to connect to the Windows 2008 server on AWS. Click Close after noting down the details
Google Chrome on Mac
Connecting To Windows 2008 Server
1. We will now connect to the Windows 2008 server on AWS using the Remote Desktop application. If you are on Mac, click on Applications. If you are on Windows, locate and start Remote Desktop Connection
2. Click on Remote Desktop Connection
Mac
Connecting To Windows 2008 Server
1. Enter the IP Address of the server noted earlier and click Connect
Mac
Connecting To Windows 2008 Server
1. Enter the username and password noted earlier and click OK to connect to the server
Mac
Connecting To Windows 2008 Server
1. If you see a prompt for an incorrect certificate, click on ‘Connect’ anyway
Mac
Connecting To Windows 2008 Server
1. You should now be connected to the Windows 2008 server running on AWS. Good stuff. You can now take a coffee break to reward yourself for making good progress
AWS Server
Steps Overview
✓ Configure Windows 2008 Server on AWS
➡ Install Microsoft Active Directory
■ Install Microsoft ADFS 2.0
■ Create Self-Signed Certificate in IIS
■ Configure Microsoft ADFS 2.0
■ Export Self-Signed Certificate
■ Retrieve ADFS 2.0 Details for Salesforce Configuration
■ Configure My Domain in Salesforce
■ Enable SSO in Salesforce
■ Add Salesforce as Trusted Relying Party in ADFS
■ Configure AD User for Single Sign On in Salesforce
■ Test SSO (SP Initiated & IdP Initiated)
■ Use Just-In-Time (JIT) Provisioning
■ Debug SSO Issues
Installing Microsoft Active Directory
1. Ok, now let’s install Microsoft Active Directory on the server. Click on Start and type run
2. Click on ‘Run’ (under Programs) from the search results
AWS Server
Installing Microsoft Active Directory
1. Type dcpromo.exe in the run window and click OK
AWS Server
Installing Microsoft Active Directory
1. The system will initialise the installation. Wait till you see the installation wizard as shown on the next slide
AWS Server
Installing Microsoft Active Directory
1. Click Next
AWS Server
Installing Microsoft Active Directory
1. Click Next
AWS Server
Installing Microsoft Active Directory
1. Select ‘Create a new domain in a new forest’
2. Click Next
AWS Server
Installing Microsoft Active Directory
1. Enter the fully qualified domain name. If you are creating this for your own practice and testing, enter any domain name (e.g. yourname.com)
2. Click Next
AWS Server
Installing Microsoft Active Directory
1. Select the Forest functional level Windows Server 2008 R2 from the drop down list
2. Click Next
AWS Server
Installing Microsoft Active Directory
1. The system will examine the DNS configuration. This may take a while. Please wait for the screen as shown on the next slide
AWS Server
Installing Microsoft Active Directory
1. Check DNS Server under ‘Select additional options for this domain controller’
2. Click Next
AWS Server
Installing Microsoft Active Directory
1. Our AWS server has a dynamic IP assigned by the DHCP server. For testing this is fine, so select this option. However, if you are doing a real configuration, make sure that you have a static IP assigned to your server.
AWS Server
Installing Microsoft Active Directory
1. System will examine the DNS configuration. Wait for it to finish and navigate to next slide for further steps
AWS Server
Installing Microsoft Active Directory
1. Click ‘Yes’ to continue
AWS Server
Installing Microsoft Active Directory
1. Click Next (accept the default values for database, log files and SYSVOL)
AWS Server
Installing Microsoft Active Directory
1. Specify a password for the Directory Services Restore Mode Administrator. Do not forget to note the password, should you need it later
2. Click Next
AWS Server
Installing Microsoft Active Directory
1. Click Next
AWS Server
Installing Microsoft Active Directory
1. The installation wizard will start configuring Active Directory on this server. Wait for the installation to finish. Navigate to the next slide for further steps
AWS Server
Installing Microsoft Active Directory
1. Click Finish once the installation is over
AWS Server
Installing Microsoft Active Directory
1. Click on ‘Restart Now’ to restart the server (clicking on restart will terminate the Remote Desktop Connection to the AWS server. Wait for a couple of minutes and then connect again to the server through Remote Desktop Connection following the steps mentioned earlier)
AWS Server
Steps Overview
✓ Configure Windows 2008 Server on AWS
✓ Install Microsoft Active Directory
➡ Install Microsoft ADFS 2.0
■ Create Self-Signed Certificate in IIS
■ Configure Microsoft ADFS 2.0
■ Export Self-Signed Certificate
■ Retrieve ADFS 2.0 Details for Salesforce Configuration
■ Configure My Domain in Salesforce
■ Enable SSO in Salesforce
■ Add Salesforce as Trusted Relying Party in ADFS
■ Configure AD User for Single Sign On in Salesforce
■ Test SSO (SP Initiated & IdP Initiated)
■ Use Just-In-Time (JIT) Provisioning
■ Debug SSO Issues
Installing Microsoft ADFS 2.0
We are back after the server restart. Up to this point we have configured a Windows 2008 server on AWS and have installed Microsoft Active Directory on the server. Next, we will install Microsoft ADFS 2.0 (Active Directory Federation Services) on this server.
AWS Server
Turn Off IE ESC
1. Before we start the installation of ADFS 2.0, let’s turn off the Internet Explorer Enhanced Security Configuration (IE ESC) to enable browsing the internet on this server without restriction, as we will need to download the ADFS 2.0 software. Click on Start and type ‘Server’.
2. Click on Server Manager
AWS Server
Turn Off IE ESC
1. Click on the top node (Server Manager) in the left sidebar
2. Click on Configure IE ESC
AWS Server
Turn Off IE ESC
1. Select Off for Administrators and Users
2. Click OK
AWS Server
Turn Off IE ESC
1. Minimise the Server Manager
AWS Server
Installing Microsoft ADFS 2.0
1. Click on Start -> Internet Explorer
AWS Server
Installing Microsoft ADFS 2.0
1. Click OK if prompted for an Internet Explorer setting
AWS Server
Installing Microsoft ADFS 2.0
1. Navigate to URL http://www.microsoft.com/en-us/download/details.aspx?id=10909 to download Microsoft ADFS 2.0
2. Click Continue
AWS Server
Installing Microsoft ADFS 2.0
1. Select option No, I do not want to register. Take me to the download.
2. Click Next
AWS Server
Installing Microsoft ADFS 2.0
1. Select file “RTW\W2K8R2\amd64\AdfsSetup.exe”
2. Click Next
AWS Server
Installing Microsoft ADFS 2.0
1. Click Allow once
AWS Server
Installing Microsoft ADFS 2.0
1. Click Save
AWS Server
Installing Microsoft ADFS 2.0
1. Click Run to start the installation of Microsoft ADFS 2.0
AWS Server
Installing Microsoft ADFS 2.0
1. Click Next
AWS Server
Installing Microsoft ADFS 2.0
1. Accept the license terms
2. Click Next
AWS Server
Installing Microsoft ADFS 2.0
1. Select Federation Server
2. Click Next
AWS Server
Installing Microsoft ADFS 2.0
1. Click Next
AWS Server
Installing Microsoft ADFS 2.0
1. Wait for the installation to complete
AWS Server
Installing Microsoft ADFS 2.0
1. Ensure that the checkbox is checked to start the ADFS 2.0 Management snap-in
2. Click Next
AWS Server
Steps Overview
✓ Configure Windows 2008 Server on AWS
✓ Install Microsoft Active Directory
✓ Install Microsoft ADFS 2.0
➡ Create Self-Signed Certificate in IIS
■ Configure Microsoft ADFS 2.0
■ Export Self-Signed Certificate
■ Retrieve ADFS 2.0 Details for Salesforce Configuration
■ Configure My Domain in Salesforce
■ Enable SSO in Salesforce
■ Add Salesforce as Trusted Relying Party in ADFS
■ Configure AD User for Single Sign On in Salesforce
■ Test SSO (SP Initiated & IdP Initiated)
■ Use Just-In-Time (JIT) Provisioning
■ Debug SSO Issues
Creating Self-Signed Certificate
1. The ADFS 2.0 Management window will open. But before we continue with the setup of ADFS 2.0 we will need to create a self-signed SSL certificate. Click on Start
AWS Server
Creating Self-Signed Certificate
1. Type Internet
2. Click on option Internet Information Services (IIS) Manager
AWS Server
Creating Self-Signed Certificate
1. In the IIS Manager window, click on the computer name in the left sidebar
2. Double click on Server Certificates
AWS Server
Creating Self-Signed Certificate
1. Click on Create Self-Signed Certificate
AWS Server
Creating Self-Signed Certificate
1. Specify the certificate name
2. Click OK
AWS Server
Creating Self-Signed Certificate
1. The certificate will be created and will appear as shown. Let’s navigate back to the ADFS 2.0 Management window now
2. Click on the AD FS 2.0 icon on the task bar
AWS Server
Steps Overview
✓ Configure Windows 2008 Server on AWS
✓ Install Microsoft Active Directory
✓ Install Microsoft ADFS 2.0
✓ Create Self-Signed Certificate in IIS
➡ Configure Microsoft ADFS 2.0
■ Export Self-Signed Certificate
■ Retrieve ADFS 2.0 Details for Salesforce Configuration
■ Configure My Domain in Salesforce
■ Enable SSO in Salesforce
■ Add Salesforce as Trusted Relying Party in ADFS
■ Configure AD User for Single Sign On in Salesforce
■ Test SSO (SP Initiated & IdP Initiated)
■ Use Just-In-Time (JIT) Provisioning
■ Debug SSO Issues
Configuring Microsoft ADFS 2.0
1. Click on ‘ADFS 2.0 Federation Server Configuration Wizard’
AWS Server
Configuring Microsoft ADFS 2.0
1. Select ‘Create a new Federation Service’
2. Click Next
AWS Server
Configuring Microsoft ADFS 2.0
1. Select ‘Stand-alone federation server’
2. Click Next
AWS Server
Configuring Microsoft ADFS 2.0
1. The SSL certificate created earlier will automatically be selected. Click Next
AWS Server
Configuring Microsoft ADFS 2.0
1. Click Next
AWS Server
Configuring Microsoft ADFS 2.0
1. The wizard will configure the ADFS Server. Click Close once the configuration steps are completed
AWS Server
Configuring Microsoft ADFS 2.0
1. Next click on Start -> Command Prompt
AWS Server
Configuring Microsoft ADFS 2.0
1. In the command prompt window type ‘hostname’ and press enter to get your computer name
2. Once you have got the hostname, run the command
setspn -a HOST/WIN-GOAIA2HS9LA.asagarwal.com asagarwal\WIN-GOAIA2HS9LA
replacing WIN-GOAIA2HS9LA with your computer name and asagarwal.com with the domain name that you specified while installing Microsoft Active Directory.
This is required as you may encounter an error when the installer registers the service principal name (SPN). Executing this command manually creates the Kerberos SPN for the DNS name so that integrated Windows Authentication between the browser and the AD FS IIS instance works correctly
AWS Server
Steps Overview
✓ Configure Windows 2008 Server on AWS
✓ Install Microsoft Active Directory
✓ Install Microsoft ADFS 2.0
✓ Create Self-Signed Certificate in IIS
✓ Configure Microsoft ADFS 2.0
➡ Export Self-Signed Certificate
■ Retrieve ADFS 2.0 Details for Salesforce Configuration
■ Configure My Domain in Salesforce
■ Enable SSO in Salesforce
■ Add Salesforce as Trusted Relying Party in ADFS
■ Configure AD User for Single Sign On in Salesforce
■ Test SSO (SP Initiated & IdP Initiated)
■ Use Just-In-Time (JIT) Provisioning
■ Debug SSO Issues
Exporting Self-Signed Certificate
1. Switch to ADFS 2.0 Management window and click on Service -> Certificates
2. Under Token-signing, double click on the certificate
AWS Server
Exporting Self-Signed Certificate
1. Click on Details tab
2. Click on Copy to File…
AWS Server
Exporting Self-Signed Certificate
1. Click Next
AWS Server
Exporting Self-Signed Certificate
1. Ensure that the format DER encoded binary X.509 (.CER) is selected
2. Click Next
AWS Server
Exporting Self-Signed Certificate
1. Click Browse
AWS Server
Exporting Self-Signed Certificate
1. Select the location where you want to save the file
2. Specify the certificate file name
3. Click Save
AWS Server
Exporting Self-Signed Certificate
1. Click Next
AWS Server
Exporting Self-Signed Certificate
1. Click Finish
AWS Server
Exporting Self-Signed Certificate
1. Click OK
AWS Server
Exporting Self-Signed Certificate
1. Click OK again to close the window
AWS Server
Steps Overview
✓ Configure Windows 2008 Server on AWS
✓ Install Microsoft Active Directory
✓ Install Microsoft ADFS 2.0
✓ Create Self-Signed Certificate in IIS
✓ Configure Microsoft ADFS 2.0
✓ Export Self-Signed Certificate
➡ Retrieve ADFS 2.0 Details for Salesforce Configuration
■ Configure My Domain in Salesforce
■ Enable SSO in Salesforce
■ Add Salesforce as Trusted Relying Party in ADFS
■ Configure AD User for Single Sign On in Salesforce
■ Test SSO (SP Initiated & IdP Initiated)
■ Use Just-In-Time (JIT) Provisioning
■ Debug SSO Issues
Retrieving ADFS 2.0 EntityID
1. Click on Service -> Endpoints on the left sidebar in the ADFS 2.0 Management window
2. Under the Metadata section, look for the path to FederationMetadata.xml. Note down the path
AWS Server
Retrieving ADFS 2.0 EntityID
1. Switch to Internet Explorer and type the complete URL to FederationMetadata.xml, e.g. https://win-goaia2hs9la.asagarwal.com/FederationMetadata/2007-06/FederationMetadata.xml, i.e. https://hostname.domainname/FederationMetadata/2007-06/FederationMetadata.xml
AWS Server
Retrieving ADFS 2.0 EntityID
1. Right click on the web page and click ‘View Source’
AWS Server
Retrieving ADFS 2.0 EntityID
1. Note down the value of the entityID ( http://WIN-GOAIA2HS9LA.asagarwal.com/adfs/services/trust ). Close the view source window
AWS Server
Steps Overview
✓ Configure Windows 2008 Server on AWS
✓ Install Microsoft Active Directory
✓ Install Microsoft ADFS 2.0
✓ Create Self-Signed Certificate in IIS
✓ Configure Microsoft ADFS 2.0
✓ Export Self-Signed Certificate
✓ Retrieve ADFS 2.0 Details for Salesforce Configuration
➡ Configure My Domain in Salesforce
■ Enable SSO in Salesforce
■ Add Salesforce as Trusted Relying Party in ADFS
■ Configure AD User for Single Sign On in Salesforce
■ Test SSO (SP Initiated & IdP Initiated)
■ Use Just-In-Time (JIT) Provisioning
■ Debug SSO Issues
Configuring My Domain in Salesforce
1. Navigate to login.salesforce.com and log on to the Salesforce instance where you want to configure SSO with Microsoft Active Directory. Here I am logging in to a developer org
2. Specify username and password and click Log in to Salesforce
Google Chrome on Mac
Configuring My Domain in Salesforce
1. To set up SSO on Salesforce, let’s start with configuring My Domain in Salesforce. The benefit of using 'My Domain' is that it enables support for SP-initiated single sign-on and allows users to access 'deep links' into their environment via SSO. Click on Setup to configure My Domain
Google Chrome on Mac
Configuring My Domain in Salesforce
1. In the setup menu, click on Domain Management -> My Domain
Google Chrome on Mac
Configuring My Domain in Salesforce
1. Enter the domain name for My Domain. Note that Salesforce will suffix the domain with “-dev-ed.my.salesforce.com” as we are configuring this on a developer org. On a production org, the domain will be suffixed with “.my.salesforce.com”
2. Click on Check Availability to ensure that the domain is available. If it is not, then specify a different domain name
Google Chrome on Mac
Configuring My Domain in Salesforce
1. If the domain is available, check the ‘Terms and Conditions’ and click Register Domain
Google Chrome on Mac
Configuring My Domain in Salesforce
1. Salesforce will register the domain. This may take a while. Refresh the page every couple of minutes to check the status
Google Chrome on Mac
Configuring My Domain in Salesforce
1. Once registered, click on ‘Click here to login’ to login using your domain and deploy the domain to users.
Google Chrome on Mac
Configuring My Domain in Salesforce
1. As you log in using your domain, note that the URL changes to reflect your domain name
2. Click on Deploy to Users
Google Chrome on Mac
Configuring My Domain in Salesforce
1. Click OK in the confirmation window
Google Chrome on Mac
Configuring My Domain in Salesforce
1. The domain will be deployed to users. From this point onwards, users can navigate to mydomain.my.salesforce.com to log on to the Salesforce instance in addition to the normal login URL, which is login.salesforce.com
Google Chrome on Mac
Steps Overview
✓ Configure Windows 2008 Server on AWS
✓ Install Microsoft Active Directory
✓ Install Microsoft ADFS 2.0
✓ Create Self-Signed Certificate in IIS
✓ Configure Microsoft ADFS 2.0
✓ Export Self-Signed Certificate
✓ Retrieve ADFS 2.0 Details for Salesforce Configuration
✓ Configure My Domain in Salesforce
➡ Enable SSO in Salesforce
■ Add Salesforce as Trusted Relying Party in ADFS
■ Configure AD User for Single Sign On in Salesforce
■ Test SSO (SP Initiated & IdP Initiated)
■ Use Just-In-Time (JIT) Provisioning
■ Debug SSO Issues
Configuring SSO in Salesforce
1. To continue with the Single Sign-On configuration, click on Security Controls -> Single Sign-On Settings
Google Chrome on Mac
Configuring SSO in Salesforce
1. Click Edit
Google Chrome on Mac
Configuring SSO in Salesforce
1. Check ‘SAML Enabled’ and click Save
Google Chrome on Mac
Visit asagarwal.com for daily dose of useful tips & tricks on Salesforce
Configuring SSO in Salesforce
122
1. Click New to specify Microsoft ADFS as the Single Sign-On Server
Google Chrome on Mac
Visit asagarwal.com for daily dose of useful tips & tricks on Salesforce
Configuring SSO in Salesforce
123
1. Enter the SSO Name
2. Enter the Issuer. The Issuer is the entityID copied from FederationMetadata.xml in previous steps
3. Select SAML Identity Type as “Assertion contains the Federation ID from the User object”
4. Select ‘Identity is in the NameIdentifier element of the Subject statement’
5. Specify the Identity Provider Login URL as https://hostname.domainname/adfs/ls/, i.e. https://WIN-GOAIA2HS9LA.asagarwal.com/adfs/ls/ (be sure to specify “https” and the ‘/’ slash at the end of the URL)
6. Identity Provider Logout URL: you can configure a URL to which the user will be sent after they log out, for example http://intranet.mycompany.com/
7. Select HTTP Redirect
IMPORTANT: All parameters shown on this page must be configured exactly as instructed. Failure to do so may cause SSO to not work as intended
Google Chrome on Mac
Configuring SSO in Salesforce
124
1. Specify the Entity ID as your Salesforce “My Domain” name configured in previous steps (i.e. https://ssoasagarwal-dev-ed.my.salesforce.com/, with the slash ‘/’ at the end)
2. Click on Choose File
IMPORTANT: All parameters shown on this page must be configured exactly as instructed. Failure to do so may cause SSO to not work as intended
Google Chrome on Mac
Configuring SSO in Salesforce
125
1. Double click on the IdP Certificate.cer file exported from the MS Active Directory Server in previous steps. If you are performing these configuration steps from a different computer (and not from the AWS Server), then you will need to transfer the “IdP Certificate.cer” file from the AWS server to this computer. One way to transfer it is to email the file to yourself as an attachment and download it on this computer
Google Chrome on Mac
Configuring SSO in Salesforce
126
1. Click Save
Google Chrome on Mac
Configuring SSO in Salesforce
127
1. Click Download Metadata. This is required to create the trust relationship in ADFS
Google Chrome on Mac
Configuring SSO in Salesforce
128
1. Save the Metadata file on your PC
Google Chrome on Mac
Enabling SSO in Salesforce
129
1. Now let’s enable SSO in Salesforce: click on Domain Management -> My Domain
2. Scroll down the page
Google Chrome on Mac
Enabling SSO in Salesforce
130
2. Click Edit for Login Page Settings
Google Chrome on Mac
Enabling SSO in Salesforce
131
1. Check Microsoft ADFS
2. Click Save
Google Chrome on Mac
Configuring Federation ID in Salesforce for SSO
132
1. Click on Manage Users -> Users
2. Click Edit for your username
The username in Salesforce and in Microsoft AD may be different from each other. Use the Federation ID to link the user in Salesforce with the user in Microsoft AD
Google Chrome on Mac
Configuring Federation ID in Salesforce for SSO
133
1. On the edit user page, specify the Federation ID. We will configure this in Microsoft Active Directory in the subsequent steps. Here the Federation ID I have specified is “[email protected]”
2. Click Save
Google Chrome on Mac
Steps Overview
134
✓ Configure Windows 2008 Server on AWS ✓ Install Microsoft Active Directory ✓ Install Microsoft ADFS 2.0 ✓ Create Self-Signed Certificate in IIS ✓ Configure Microsoft ADFS 2.0 ✓ Export Self-Signed Certificate ✓ Retrieve ADFS 2.0 Details for Salesforce Configuration ✓ Configure My Domain in Salesforce ✓ Enable SSO in Salesforce ➡ Add Salesforce as Trusted Relying Party in ADFS ■ Configure AD User for Single Sign On in Salesforce ■ Test SSO (SP Initiated & IdP Initiated) ■ Use Just-In-Time (JIT) Provisioning ■ Debug SSO Issues
Configuring Salesforce as Trusted Party in ADFS
135
1. Switch back to the ADFS 2.0 Management Console window on the AWS Server
2. Click on Add a trusted Relying Party
AWS Server
Configuring Salesforce as Trusted Party in ADFS
136
1. In the Add Relying Party Trust Wizard window, click Start
AWS Server
Configuring Salesforce as Trusted Party in ADFS
137
1. Select the option ‘Import data about the relying party from a file’
2. Click Browse and locate the Metadata file downloaded from Salesforce in previous steps. If you downloaded the file on a different computer, transfer the file to the AWS Server
3. Click Next
AWS Server
Configuring Salesforce as Trusted Party in ADFS
138
1. Specify the name of the relying party
2. Click Next
AWS Server
Configuring Salesforce as Trusted Party in ADFS
139
1. Select the option ‘Permit all users to access this relying party’
2. Click Next
AWS Server
Configuring Salesforce as Trusted Party in ADFS
140
1. Click Next
AWS Server
Configuring Salesforce as Trusted Party in ADFS
141
1. Check the box to open the Edit Claim Rules dialog
2. Click Close
AWS Server
Configuring Rules in ADFS for SSO
142
1. Click Add Rule
AWS Server
Configuring Rules in ADFS for SSO
143
1. Select ‘Send LDAP Attributes as Claims’
2. Click Next
AWS Server
Configuring Rules in ADFS for SSO
144
1. Specify the claim rule name
2. Specify the Attribute store as ‘Active Directory’
3. Specify the LDAP Attribute and Outgoing Claim Type
4. Click Finish
AWS Server
Configuring Rules in ADFS for SSO
145
1. Click OK
AWS Server
Changing Salesforce Settings in ADFS
146
1. In the ADFS 2.0 Management window, click on Relying Party Trusts in the left sidebar
2. Double click on Salesforce SSO Test
AWS Server
Changing Salesforce Settings in ADFS
147
1. Click on the Advanced tab
2. Select the Secure hash algorithm as ‘SHA-1’
3. Click OK
AWS Server
Steps Overview
148
✓ Configure Windows 2008 Server on AWS ✓ Install Microsoft Active Directory ✓ Install Microsoft ADFS 2.0 ✓ Create Self-Signed Certificate in IIS ✓ Configure Microsoft ADFS 2.0 ✓ Export Self-Signed Certificate ✓ Retrieve ADFS 2.0 Details for Salesforce Configuration ✓ Configure My Domain in Salesforce ✓ Enable SSO in Salesforce ✓ Add Salesforce as Trusted Relying Party in ADFS ➡ Configure AD User for Single Sign On in Salesforce ■ Test SSO (SP Initiated & IdP Initiated) ■ Use Just-In-Time (JIT) Provisioning ■ Debug SSO Issues
Configuring Username in AD for SSO
149
1. Click on Start and type ‘Active’ in the search box
2. Click Active Directory Users and Computers
AWS Server
Configuring Username in AD for SSO
150
1. In the Active Directory Users and Computers window, click on domain name -> Users on the left sidebar
2. Double click on the Administrator user
AWS Server
Configuring Username in AD for SSO
151
1. Click on the Account tab
2. Specify the user logon name as ‘administrator’ and the domain as the domain name that you specified while configuring Microsoft AD. This is where we map the Microsoft Active Directory user to the Salesforce user: the User logon name that we specify here has been defined as the Federation ID in Salesforce
3. Click OK
AWS Server
Steps Overview
152
✓ Configure Windows 2008 Server on AWS ✓ Install Microsoft Active Directory ✓ Install Microsoft ADFS 2.0 ✓ Create Self-Signed Certificate in IIS ✓ Configure Microsoft ADFS 2.0 ✓ Export Self-Signed Certificate ✓ Retrieve ADFS 2.0 Details for Salesforce Configuration ✓ Configure My Domain in Salesforce ✓ Enable SSO in Salesforce ✓ Add Salesforce as Trusted Relying Party in ADFS ✓ Configure AD User for Single Sign On in Salesforce ➡ Test SSO (SP Initiated & IdP Initiated) ■ Use Just-In-Time (JIT) Provisioning ■ Debug SSO Issues
Testing SSO - SP Initiated Login
153
1. In the browser window on your AWS Server, navigate to the Salesforce ‘My Domain’ URL configured in Salesforce (here it is https://ssoasagarwal-dev-ed.my.salesforce.com/)
2. To test single sign-on through Microsoft Active Directory, click on Microsoft ADFS
To test SSO, log on to Salesforce from the browser on your AWS Server, as the Microsoft ADFS URL configured on the AWS server (https://win-goaia2hs9la.asagarwal.com/ in my case) is not available on the Internet. (To make it available on the Internet, you need to change the DNS settings with your domain registrar to point to the AWS Server)
AWS Server
Testing SSO - SP Initiated Login
154
1. Notice that clicking on Microsoft ADFS in the Salesforce login window redirects the user to the Microsoft AD login window. Here you need to log in using your Microsoft AD credentials, which in this case are your AWS Server username and password. Click OK
AWS Server
Testing SSO - SP Initiated Login
155
And now you should be logged on to Salesforce through Microsoft Active Directory
AWS Server
Creating a New User
156
1. To create a new user in Salesforce, first create the user in Microsoft Active Directory. On the AWS Server, switch to the Active Directory Users and Computers window
2. On the left sidebar, click on Users -> New -> User
AWS Server
Creating a New User
157
1. Enter the new user details and click Next. Note that the username specified in the field ‘User logon name’ will need to be used as the Federation ID in Salesforce to map this Active Directory user to the Salesforce user. In this case, the User logon name is [email protected]
AWS Server
Creating a New User
158
1. Specify the password. Uncheck the box ‘User must change password at next logon’. Click Next
AWS Server
Creating a New User
159
1. Click Finish
AWS Server
Creating a New User
160
1. The user has been created in Microsoft Active Directory
AWS Server
Creating a New User
161
1. Create the user in Salesforce also. Log on to your Salesforce instance and navigate to Setup -> Manage Users -> Users
2. Click on New User
AWS Server
Creating a New User
162
1. Enter the user details
2. Specify the Salesforce license and profile
3. Scroll down the page
AWS Server
Creating a New User
163
1. Specify the Federation ID. The Federation ID should exactly match the User logon name specified in Microsoft Active Directory in previous steps.
2. Uncheck all options and click Save
AWS Server
Creating a New User
164
The user has been created in Salesforce also
AWS Server
Creating a New User
165
AWS Server
1. To test the new user, navigate to the Salesforce My Domain URL in the browser on your AWS Server
2. Click on the link for Microsoft ADFS
Creating a New User
166
AWS Server
1. Specify the new user name and password. Click OK
Creating a New User
167
AWS Server
1. You are now logged on to Salesforce as the new user
Testing SSO - IdP Initiated Login
168
AWS Server
1. For IdP Initiated Login, on your AWS Server, navigate to the URL https://<microsoft_adfs_URL>/adfs/ls/idpinitiatedsignon.aspx, i.e. (in my case) https://win-goaia2hs9la.asagarwal.com/adfs/ls/IdpInitiatedSignon.aspx
2. Select ‘Sign in to one of the following sites’ and select the relying party name
3. Click Continue to Sign in
You can also use the following URL format in IdP initiated login to log in directly to Salesforce:
https://<microsoft_adfs_URL>/adfs/ls/IdpInitiatedSignon.aspx?loginToRp=https://<salesforce_my_domain_URL>
e.g. https://win-goaia2hs9la.asagarwal.com/adfs/ls/IdpInitiatedSignon.aspx?loginToRp=https://ssoasagarwal-dev-ed.my.salesforce.com
Testing SSO - IdP Initiated Login
169
AWS Server
1. Enter the Microsoft Active Directory username and password and click OK
Testing SSO - IdP Initiated Login
170
And now you should be logged on to Salesforce through IdP initiated login
AWS Server
Steps Overview
171
✓ Configure Windows 2008 Server on AWS ✓ Install Microsoft Active Directory ✓ Install Microsoft ADFS 2.0 ✓ Create Self-Signed Certificate in IIS ✓ Configure Microsoft ADFS 2.0 ✓ Export Self-Signed Certificate ✓ Retrieve ADFS 2.0 Details for Salesforce Configuration ✓ Configure My Domain in Salesforce ✓ Enable SSO in Salesforce ✓ Add Salesforce as Trusted Relying Party in ADFS ✓ Configure AD User for Single Sign On in Salesforce ✓ Test SSO (SP Initiated & IdP Initiated) ➡ Use Just-In-Time (JIT) Provisioning ■ Debug SSO Issues
Just-In-Time Provisioning
172
■ Rather than creating users in both Microsoft Active Directory and Salesforce, you can enable Just-In-Time (JIT) provisioning
■ With JIT, you only need to create the user in Microsoft Active Directory; when the user logs on to Salesforce, the user is automatically created in Salesforce if it does not already exist
■ To enable JIT, you need to send the following additional parameters, as a minimum, to Salesforce: ■ Last Name ■ Username ■ Email Address ■ Profile
Enabling Just-In-Time Provisioning
173
AWS Server
1. To enable Just-In-Time provisioning, log on to Salesforce and navigate to Setup -> Security Controls -> Single Sign-On Settings
2. Click Edit
Enabling Just-In-Time Provisioning
174
AWS Server
1. Check ‘User Provisioning Enabled’ and click Save
Enabling Just-In-Time Provisioning
175
AWS Server
1. Switch to the ADFS 2.0 Management window on the AWS Server
2. Click on Relying Party Trusts on the left sidebar
3. Select ‘Salesforce SSO Test’
4. Click Edit Claim Rules
Enabling Just-In-Time Provisioning
176
AWS Server
1. Click on Add Rule
Enabling Just-In-Time Provisioning
177
AWS Server
1. Select ‘Send Claims Using a Custom Rule’
2. Click Next
Enabling Just-In-Time Provisioning
178
AWS Server
1. Enter the rule name
2. Create a rule to send the user name:
   c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
   => issue(store = "Active Directory", types = ("User.UserName"), query = ";userPrincipalName;{0}", param = c.Value);
3. Click Finish
Enabling Just-In-Time Provisioning
179
AWS Server
■ Follow the previous three steps to add the following rules, which are required for Just-In-Time Provisioning
■ Send LastName
   c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
   => issue(store = "Active Directory", types = ("User.LastName"), query = ";sn;{0}", param = c.Value);
■ Send Email
   c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
   => issue(store = "Active Directory", types = ("User.Email"), query = ";userPrincipalName;{0}", param = c.Value);
■ Send Profile
   c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
   => issue(type = "User.ProfileId", value = "Chatter Free User");
1. In Salesforce, the new users will be created with the “Chatter Free User” profile. We are using this for JIT as Salesforce provides 5000 Chatter Free User licenses in a Developer Org
Enabling Just-In-Time Provisioning
180
AWS Server
1. Once set up, you should have these rules in the Issuance Transform Rules tab
Testing Just-In-Time Provisioning
181
AWS Server
1. To test JIT, switch to the ‘Active Directory Users and Computers’ window. We will create a user in AD without creating the user in Salesforce. When we log on to Salesforce with this user, the user will automatically be created in Salesforce, as we have enabled and configured JIT
2. On the left sidebar, click on Users -> New -> User
Creating a New User
182
1. Enter the new user details and click Next.
AWS Server
Creating a New User
183
1. Specify the password. Uncheck the box ‘User must change password at next logon’. Click Next
AWS Server
Creating a New User
184
1. Click Finish
AWS Server
Creating a New User
185
1. The user has been created in Microsoft Active Directory
AWS Server
Testing JIT
186
1. Log on to your Salesforce instance, navigate to Setup -> Manage Users -> Users and verify that there is currently no user with the user name that you specified in Microsoft AD
Google Chrome on Mac
Testing JIT
187
1. On your AWS Server, start the browser and navigate to the Salesforce My Domain URL
2. Click on Microsoft ADFS
AWS Server
Testing JIT
188
1. In the Microsoft AD login window, enter the username and password that you created in Microsoft Active Directory. Remember that the user does not yet exist in Salesforce. Click OK
AWS Server
Testing JIT
189
1. And Bingo, Salesforce will create the user on the fly with the ‘Chatter Free User’ profile and log the user in.
AWS Server
Testing JIT
190
1. Switch to the browser window where you are logged on as admin and refresh the users page. You can now see that Salesforce has created a user with the name ‘[email protected]’ and profile ‘Chatter Free User’
AWS Server, Google Chrome on Mac
Steps Overview
191
✓ Configure Windows 2008 Server on AWS ✓ Install Microsoft Active Directory ✓ Install Microsoft ADFS 2.0 ✓ Create Self-Signed Certificate in IIS ✓ Configure Microsoft ADFS 2.0 ✓ Export Self-Signed Certificate ✓ Retrieve ADFS 2.0 Details for Salesforce Configuration ✓ Configure My Domain in Salesforce ✓ Enable SSO in Salesforce ✓ Add Salesforce as Trusted Relying Party in ADFS ✓ Configure AD User for Single Sign On in Salesforce ✓ Test SSO (SP Initiated & IdP Initiated) ✓ Use Just-In-Time (JIT) Provisioning ➡ Debug SSO Issues
Debugging SSO Issues
192
1. If you face any error/issue in signing on through SSO, log on to the Salesforce instance using your Salesforce username and password (i.e. without going through Microsoft ADFS)
Google Chrome on Mac
Debugging SSO Issues - SAML Assertion Validator
193
1. Click on Setup -> Security Controls -> Single Sign-On Settings
2. Click on SAML Assertion Validator
Google Chrome on Mac
Debugging SSO Issues - SAML Assertion Validator
194
1. Review the results and troubleshoot
Google Chrome on Mac
Debugging SSO Issues - Login History
195
Google Chrome on Mac
1. You can also navigate to Setup -> Manage Users -> Login History and look into the login history log
Debugging SSO Issues - SAML Tracer in FireFox
196
1. The FireFox browser has an add-on called SAML Tracer which is great for troubleshooting SAML issues. To use SAML Tracer, start the FireFox browser and navigate to the URL https://addons.mozilla.org/en-US/firefox/addon/saml-tracer/
2. Click on Add to Firefox
FireFox on Mac
Debugging SSO Issues - SAML Tracer in FireFox
197
1. Click on Install Now
FireFox on Mac
Debugging SSO Issues - SAML Tracer in FireFox
198
1. Click on Restart Now
FireFox on Mac
Debugging SSO Issues - SAML Tracer in FireFox
199
1. After restarting FireFox, click on Tools -> SAML Tracer
FireFox on Mac
Debugging SSO Issues - SAML Tracer in FireFox
200
1. Navigate to the My Domain Salesforce URL
2. Notice that SAML Tracer will start logging the activities
3. Click on MS ADFS to log in
FireFox on Mac
Debugging SSO Issues - SAML Tracer in FireFox
201
1. In the SAML Tracer window, any SAML request or response will be highlighted as SAML
2. Specify the Microsoft Active Directory username and password. Click OK
FireFox on Mac
Debugging SSO Issues - SAML Tracer in FireFox
202
FireFox on Mac
1. To view the SAML request/response details, select the related SAML activity in the SAML Tracer window
2. Click on the SAML tab
3. Review the SAML response and troubleshoot as needed
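As an added example (not part of this guide), the Python script below replays offline the kind of checks the SAML Assertion Validator applies to a response you have copied out of SAML Tracer: the Issuer against the ADFS entityID, the Audience against the My Domain Entity ID with its trailing slash (slides 123/124), the NameID against a Federation ID, the validity window, and the four JIT attributes emitted by the claim rules on slides 178/179. The ADFS entityID value, the user names and the response itself are constructed for the example, not captured from the lab, and signature verification is left to Salesforce.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
TS = "%Y-%m-%dT%H:%M:%SZ"

# Lab values from the guide. The Issuer is assumed to have the ADFS 2.0 default entityID shape;
# the guide has you copy the real value from FederationMetadata.xml.
EXPECTED_ISSUER = "http://win-goaia2hs9la.asagarwal.com/adfs/services/trust"
EXPECTED_AUDIENCE = "https://ssoasagarwal-dev-ed.my.salesforce.com/"  # trailing slash is part of the Entity ID
JIT_REQUIRED = ("User.UserName", "User.LastName", "User.Email", "User.ProfileId")  # names from the claim rules


def build_response(issuer, audience, name_id, attrs, not_before, not_on_or_after):
    """Constructed, unsigned SAML response shaped like the one ADFS posts to Salesforce (sample data only)."""
    attr_xml = "".join(
        f'<saml:Attribute Name="{k}"><saml:AttributeValue>{v}</saml:AttributeValue></saml:Attribute>'
        for k, v in attrs.items())
    return f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}" ID="_r1" Version="2.0">
  <saml:Issuer>{issuer}</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:Issuer>{issuer}</saml:Issuer>
    <saml:Subject><saml:NameID>{name_id}</saml:NameID></saml:Subject>
    <saml:Conditions NotBefore="{not_before.strftime(TS)}" NotOnOrAfter="{not_on_or_after.strftime(TS)}">
      <saml:AudienceRestriction><saml:Audience>{audience}</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AttributeStatement>{attr_xml}</saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""


def check_response(xml_text, federation_ids, now=None, jit=True):
    """Return the list of problems found; an empty list means the response fits the lab settings.
    Signature verification (done by Salesforce with the uploaded IdP certificate) is out of scope here."""
    now = now or datetime.now(timezone.utc)
    problems = []
    root = ET.fromstring(xml_text)
    status = root.find("samlp:Status/samlp:StatusCode", NS)
    if status is None or not status.get("Value", "").endswith(":Success"):
        problems.append("status is not Success")
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return problems + ["no Assertion element"]
    issuer = assertion.findtext("saml:Issuer", default="", namespaces=NS)
    if issuer != EXPECTED_ISSUER:
        problems.append(f"issuer mismatch: {issuer!r}")
    audience = assertion.findtext("saml:Conditions/saml:AudienceRestriction/saml:Audience",
                                  default="", namespaces=NS)
    if audience != EXPECTED_AUDIENCE:
        problems.append(f"audience mismatch (check Entity ID and its trailing slash): {audience!r}")
    cond = assertion.find("saml:Conditions", NS)
    if cond is not None and cond.get("NotBefore") and cond.get("NotOnOrAfter"):
        nb = datetime.strptime(cond.get("NotBefore"), TS).replace(tzinfo=timezone.utc)
        na = datetime.strptime(cond.get("NotOnOrAfter"), TS).replace(tzinfo=timezone.utc)
        if not nb <= now < na:
            problems.append("assertion outside its validity window (check clock skew between ADFS and Salesforce)")
    name_id = assertion.findtext("saml:Subject/saml:NameID", default="", namespaces=NS)
    attrs = {a.get("Name"): a.findtext("saml:AttributeValue", default="", namespaces=NS)
             for a in assertion.iterfind("saml:AttributeStatement/saml:Attribute", NS)}
    if not name_id:
        problems.append("NameID missing from Subject (identity must be in the NameIdentifier element)")
    elif jit:  # JIT: Salesforce creates the user from these attributes, so all four must be present
        missing = [k for k in JIT_REQUIRED if not attrs.get(k)]
        if missing:
            problems.append("JIT attributes missing: " + ", ".join(missing))
    elif name_id not in federation_ids:  # no JIT: NameID must match an existing user's Federation ID
        problems.append(f"NameID {name_id!r} matches no Federation ID")
    return problems


def demo():
    """Check one good response and three broken ones with a fixed clock; return the findings per case."""
    now = datetime(2014, 11, 21, 12, 0, tzinfo=timezone.utc)
    window = (now - timedelta(minutes=5), now + timedelta(minutes=5))
    attrs = {"User.UserName": "jdoe@lab.example", "User.LastName": "Doe",
             "User.Email": "jdoe@lab.example", "User.ProfileId": "Chatter Free User"}
    good = build_response(EXPECTED_ISSUER, EXPECTED_AUDIENCE, "jdoe@lab.example", attrs, *window)
    no_slash = build_response(EXPECTED_ISSUER, EXPECTED_AUDIENCE.rstrip("/"), "jdoe@lab.example", attrs, *window)
    thin = build_response(EXPECTED_ISSUER, EXPECTED_AUDIENCE, "jdoe@lab.example",
                          {"User.UserName": "jdoe@lab.example"}, *window)
    return {
        "good": check_response(good, {"jdoe@lab.example"}, now=now),
        "missing_slash": check_response(no_slash, {"jdoe@lab.example"}, now=now),
        "jit_attrs_missing": check_response(thin, set(), now=now),
        "unknown_federation_id": check_response(good, {"other@lab.example"}, now=now, jit=False),
    }
```

Run `demo()` to see each case's findings; the missing-slash case reproduces the most common misconfiguration the guide warns about on slide 124.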
Steps Overview
203
✓ Configure Windows 2008 Server on AWS ✓ Install Microsoft Active Directory ✓ Install Microsoft ADFS 2.0 ✓ Create Self-Signed Certificate in IIS ✓ Configure Microsoft ADFS 2.0 ✓ Export Self-Signed Certificate ✓ Retrieve ADFS 2.0 Details for Salesforce Configuration ✓ Configure My Domain in Salesforce ✓ Enable SSO in Salesforce ✓ Add Salesforce as Trusted Relying Party in ADFS ✓ Configure AD User for Single Sign On in Salesforce ✓ Test SSO (SP Initiated & IdP Initiated) ✓ Use Just-In-Time (JIT) Provisioning ✓ Debug SSO Issues
Leave Your Feedback
204
Hope you were able to build your test lab successfully by following this guide.
Please do not forget to leave your feedback on my blog at URL http://www.asagarwal.com/2376/step-by-step-guide-to-build-your-own-salesforce-single-sign-on-sso-test-lab. Let me know if you were able to get SSO to work following this guide, with your comments, feedback and suggestions.
If you got stuck anywhere and were able to resolve the issue, mention that as a comment so that others can benefit from your experience
For Daily Dose of Useful Tips & Tricks on Salesforce.com visit asagarwal.com
205
Document Change Log
206
Version   Changes
1.0       Original Document
2.0       Added Just-In-Time Provisioning, SAML Tracer
2.1       Added IdP Initiated Login