Step-by-Step Guide To Build Your Own Single-Sign On Test Lab with Salesforce & Microsoft Active Directory
Ver 2.1, updated on 21-Nov-2014
Uploaded by ashish-agarwal


Visit asagarwal.com for daily dose of useful tips & tricks on Salesforce

Related Blog

Step-by-Step Guide to Build Your Own Salesforce Single-Sign On (SSO) Test Lab - http://www.asagarwal.com/2376/step-by-step-guide-to-build-your-own-salesforce-single-sign-on-sso-test-lab

Ingredients

You will need the following to set up your own Salesforce SSO test lab:

■ Amazon Web Services (AWS) account (the Windows server is billed by the hour, so stop or terminate the instance when you are not using the lab)
■ Salesforce Developer Org (free)
■ Internet connection

Using This Guide

A couple of standards/conventions have been followed in this guide. Here is what they mean:

Text with Red Background: Important information. Take a closer look and follow as advised. You may not be able to complete the guide successfully if you miss these instructions.

Text with Yellow Background: General explanation/information to support the actions mentioned on the slide. Will assist you in understanding what is being done and why.

Text with White background, red border and a number, in a callout format: Actions that you need to follow to configure. Carry out these steps in the order of their serial number.

Text with Green Background: Appears on the bottom bar of the page on the right hand side. Provides information on the hardware and software currently being used (for example "Google Chrome on Mac" for steps performed in a browser on your own computer, "Mac" for the Remote Desktop client, and "AWS Server" for steps performed inside the Remote Desktop session on the server).

Steps Overview

➡ Configure Windows 2008 Server on AWS
■ Install Microsoft Active Directory
■ Install Microsoft ADFS 2.0
■ Create Self-Signed Certificate in IIS
■ Configure Microsoft ADFS 2.0
■ Export Self-Signed Certificate
■ Retrieve ADFS 2.0 Details for Salesforce Configuration
■ Configure My Domain in Salesforce
■ Enable SSO in Salesforce
■ Add Salesforce as Trusted Relying Party in ADFS 2.0
■ Configure AD User for Single Sign On in Salesforce
■ Test SSO (SP Initiated & IdP Initiated)
■ Use Just-In-Time (JIT) Provisioning
■ Debug SSO Issues

Configuring Windows 2008 Server on AWS

(The steps in this section are carried out in a browser on your own computer; the screenshots were taken in Google Chrome on Mac.)

1. Navigate to URL aws.amazon.com and click on Sign in to the Console.

2. Enter your AWS username and password and click on "Sign in using our secure server". If you do not have an AWS account, select the option "I am a new user" and sign up for an account.

3. Once logged on to AWS, click on EC2.

4. Let's start by creating a key pair. This is required to connect to the Windows 2008 server that we will be configuring shortly: AWS encrypts the server's Administrator password with the public half of the key pair, and only the private key file you download can decrypt it. Click on Key Pairs.

5. Click on Create Key Pair.

6. Enter a key pair name and click Create.

7. Once the key pair is created, the browser will automatically prompt you to download the key pair file (a .pem file containing the private key). Select a location on your computer and save the file. AWS does not keep a copy of the private key: if you lose the file you cannot recover the Administrator password, and anyone who obtains the file can. Keep it out of shared or synchronised folders.

8. Let's start a Windows 2008 server now. Click on Instances in the left sidebar.

9. Click on Launch Instance.

10. Scroll down the page and locate the AMI "Microsoft Windows Server 2008 R2 SP1 Datacenter edition, 64-bit architecture". Click Select.

11. Select the instance type. Since we are creating just a test lab for our own practice and testing, I have selected the micro instance type. The amount that AWS will charge you depends on the instance type that you select here (to give you an idea, at the time of writing a micro instance left running cost about US$ 13 a month). Click on "Next: Configure Instance Details".

12. Click on "Next: Add Storage".

13. Click on "Next: Tag Instance".

14. Specify an instance name for easy identification in the AWS console. Here "msad", which I have specified, stands for "Microsoft Active Directory". Click on "Next: Configure Security Group".

15. Select the option "Create a new security group". A security group defines the firewall rules for the instance: who can connect to the server and on which port. Specify the security group name and description.

16. Leave the security group rule at its default value as shown here (RDP, TCP port 3389). Note that the default source is 0.0.0.0/0, which means the Remote Desktop port of a server that is about to become a domain controller is reachable from the whole internet with nothing but a password in front of it. For a lab that you terminate afterwards this is tolerable; the safer option, and a one-click change, is to set the Source to "My IP" so that only your own address can reach port 3389. Click "Review and Launch".

17. Click Launch.

18. Select the key pair created in the earlier steps, tick the checkbox to acknowledge that you have access to the private key file, and click on Launch Instances. This will launch a Windows 2008 server instance on AWS.

19. AWS will launch the instance. Click on the instance name to go to the list of instances.
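The console steps above, as an added example that is not part of the original guide: the same key pair, security group and instance created from a Windows workstation with the AWS Tools for PowerShell, with one deliberate difference from the console default, namely that RDP is opened only to the address the script runs from rather than to 0.0.0.0/0. Assumed (none of this is in the guide): the AWSPowerShell module is installed and credentials are configured with Set-AWSCredential or Initialize-AWSDefaultConfiguration; $ImageId is the AMI ID of "Windows Server 2008 R2 SP1 Datacenter 64-bit" in your region, which you read off the console's AMI list; the names msad-key and msad-sg are arbitrary.

```powershell
# Added example, not from the original guide. Launches the lab server the way the
# console wizard does, but with the RDP rule scoped to this machine's public IP.
# Assumptions: AWSPowerShell installed and credentials configured; $ImageId is the
# Windows Server 2008 R2 AMI in $Region; names 'msad-key'/'msad-sg' are arbitrary.
param(
    [Parameter(Mandatory = $true)][string]$ImageId,
    [string]$Region       = 'us-east-1',
    [string]$KeyName      = 'msad-key',
    [string]$GroupName    = 'msad-sg',
    [string]$InstanceType = 't1.micro',
    [string]$KeyDir       = "$env:USERPROFILE\.aws\keys"
)
Import-Module AWSPowerShell
Set-DefaultAWSRegion -Region $Region

# 1. Key pair. AWS hands out the private key exactly once; store it with an ACL
#    that grants only the current user access (the console just drops it in Downloads).
New-Item -ItemType Directory -Force -Path $KeyDir | Out-Null
$pemPath = Join-Path $KeyDir "$KeyName.pem"
$kp = New-EC2KeyPair -KeyName $KeyName
[IO.File]::WriteAllText($pemPath, $kp.KeyMaterial)
icacls $pemPath /inheritance:r /grant:r "$($env:USERNAME):F" | Out-Null

# 2. Security group: the console's default rule is TCP 3389 from 0.0.0.0/0.
#    Here the source is the caller's public IPv4 address, which
#    checkip.amazonaws.com returns as plain text.
$myIp = (New-Object Net.WebClient).DownloadString('https://checkip.amazonaws.com').Trim()
$sgId = New-EC2SecurityGroup -GroupName $GroupName -Description 'Lab AD/ADFS server; RDP from admin IP only'
$rdp  = @{ IpProtocol = 'tcp'; FromPort = 3389; ToPort = 3389; IpRanges = "$myIp/32" }
Grant-EC2SecurityGroupIngress -GroupId $sgId -IpPermission @($rdp)

# 3. Instance, tagged 'msad' as in the guide.
$res = New-EC2Instance -ImageId $ImageId -InstanceType $InstanceType -KeyName $KeyName `
                       -SecurityGroupId $sgId -MinCount 1 -MaxCount 1
$instanceId = $res.Instances[0].InstanceId
New-EC2Tag -Resource $instanceId -Tag @{ Key = 'Name'; Value = 'msad' }

# 4. The Administrator password is generated during the instance's first boot and
#    only becomes available after a few minutes; poll for it, then decrypt it
#    locally with the private key (this is what "Get Windows Password" does).
$pw = $null
for ($attempt = 0; -not $pw -and $attempt -lt 20; $attempt++) {
    Start-Sleep -Seconds 30
    $pw = Get-EC2PasswordData -InstanceId $instanceId -PemFile $pemPath -Decrypt -ErrorAction SilentlyContinue
}
if (-not $pw) { throw "Password for $instanceId not available after 10 minutes" }

$inst = (Get-EC2Instance -InstanceId $instanceId).Instances[0]
"RDP target : $($inst.PublicIpAddress)"
"User       : Administrator"
"Password   : $pw   (change it at first logon)"
```

Run it as `.\launch-msad.ps1 -ImageId ami-xxxxxxxx` (hypothetical file name and placeholder AMI ID). If your own address changes later, `Grant-EC2SecurityGroupIngress` with the new /32 and `Revoke-EC2SecurityGroupIngress` for the old one keep the rule tight without touching the instance.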

Connecting To Windows 2008 Server

(Steps 1 to 7 are carried out in the AWS console in your browser, steps 8 to 11 in the Remote Desktop client on your own computer; from step 12 onwards you are working inside the Remote Desktop session on the AWS server.)

1. Check the instance status. Wait for a couple of minutes for AWS to complete the launch; to refresh the status click on the refresh icon.

2. After waiting for a couple of minutes, click on Actions.

3. In the Actions drop-down menu, click on Get Windows Password. (If AWS reports that the password is not yet available, wait a few more minutes: a Windows instance generates it during its first boot.)

4. Click on Choose File to locate the key pair file created in the earlier steps.

5. Navigate to the directory where the key pair file was downloaded. Locate the file and double click on it to open it.

6. The contents of the key pair (the private key) will be displayed in the window. Click on Decrypt Password.

7. Note the IP address, user name (Administrator) and password to connect to the Windows 2008 server on AWS. Click Close after noting down the details. This password stays retrievable through the same dialog by anyone who has the key pair file and access to your AWS account, so if the lab is going to live for more than a few days, change it after your first logon.

8. We will now connect to the Windows 2008 server on AWS using a Remote Desktop application. If you are on Mac, click on Applications and then on Remote Desktop Connection. If you are on Windows, locate and start Remote Desktop Connection.

9. Enter the IP address of the server noted earlier and click Connect.

10. Enter the username and password noted earlier and click OK to connect to the server.

11. If you see a prompt saying that the server's certificate is incorrect or cannot be verified, click "Connect" anyway. A fresh instance presents a self-signed RDP certificate, so the client has nothing to verify it against; for a lab this is acceptable.

12. You should now be connected to the Windows 2008 server running on AWS. Good stuff. You can now take a coffee break to reward yourself for making good progress.


Installing Microsoft Active Directory

(All steps in this section are carried out inside the Remote Desktop session on the AWS server.)

1. OK, now let's install Microsoft Active Directory on the server. Click on Start and type run, then click on "Run" (under Programs) in the search results.

2. Type dcpromo.exe in the Run window and click OK.

3. The system will initialise the installation. Wait until you see the Active Directory Domain Services Installation Wizard.

4. Click Next on the welcome page, and Next again on the page that follows.

5. Select "Create a new domain in a new forest" and click Next.

6. Enter the fully qualified domain name of the new forest root domain. If you are creating this for your own practice and testing, enter any domain name (e.g. yourname.com). Prefer a name that you own or one that does not resolve on the public internet: this server is about to become the authoritative DNS server for that name, for itself and for anything that joins the domain. Click Next.

7. Select the forest functional level Windows Server 2008 R2 from the drop-down list and click Next.

8. The system will examine the DNS configuration. This may take a while; wait for the next wizard page to appear.

9. Under "Select additional options for this domain controller", check DNS Server and click Next.

10. The wizard warns that the server has a dynamically assigned IP address. Our AWS server gets its address from a DHCP server; for testing this is fine, so select the option to continue with the dynamically assigned address. However, if you are doing a real configuration, make sure that the server has a static IP address: domain members (and the AD FS service) locate the domain controller through DNS records that contain its address, and those break when the address changes.

11. The system will examine the DNS configuration again. Wait for it to finish.

12. The wizard reports that a DNS delegation for this server cannot be created because the authoritative parent zone cannot be found. That is expected for a stand-alone lab forest; click "Yes" to continue.

13. Click Next to accept the default locations for the database, log files and SYSVOL.

14. Specify a password for the Directory Services Restore Mode Administrator. Do not forget to note down the password, should you need it later. Treat it like a domain administrator password: whoever knows it can boot this domain controller into restore mode and read the directory database offline. Click Next.

15. Review the summary and click Next.

16. The installation wizard will start configuring Active Directory on this server. Wait for the installation to finish.

17. Click Finish once the installation is over.

18. Click on "Restart Now" to restart the server. Clicking on restart will terminate the Remote Desktop connection to the AWS server. Wait for a couple of minutes and then connect to the server again through Remote Desktop Connection, following the steps mentioned earlier. The local Administrator account has become the domain's Administrator account; log on as Administrator (or DOMAIN\Administrator) with the same password as before.
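The wizard pages above, as an added example that is not part of the original guide: the same choices expressed as a dcpromo unattended answer file and driven from PowerShell on the server. The point a practitioner should take from it is that the answer file carries the Directory Services Restore Mode password in clear text, so the script prompts for it instead of hard-coding it, overwrites and deletes the file afterwards, and only reboots when dcpromo reports success. Assumed: you run it as the local Administrator on the freshly launched server, and yourname.com is a placeholder for the domain name you chose in step 6.

```powershell
# Added example, not from the original guide. Promotes this server to the first
# domain controller of a new forest with the same options the wizard pages use.
# Assumptions: run as local Administrator on the new server; $DomainName is a
# placeholder; the DSRM password is prompted for, never stored in the script.
param([string]$DomainName = 'yourname.com')

# Read the DSRM password without echoing it; it has to be plain text in the file.
$secure = Read-Host 'Directory Services Restore Mode password' -AsSecureString
$bstr   = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($secure)
$dsrm   = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr)
[Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)

# Each key mirrors a wizard page: new forest, forest/domain functional level 4
# (Windows Server 2008 R2), DNS server installed, default database/log/SYSVOL
# paths, and no automatic reboot so the answer file can be cleaned up first.
$answer = @"
[DCINSTALL]
ReplicaOrNewDomain=Domain
NewDomain=Forest
NewDomainDNSName=$DomainName
ForestLevel=4
DomainLevel=4
InstallDNS=Yes
DatabasePath=%SystemRoot%\NTDS
LogPath=%SystemRoot%\NTDS
SYSVOLPath=%SystemRoot%\SYSVOL
SafeModeAdminPassword=$dsrm
RebootOnCompletion=No
"@
$answerPath = Join-Path $env:TEMP 'dcpromo-answer.txt'
[IO.File]::WriteAllText($answerPath, $answer)

try {
    & "$env:SystemRoot\System32\dcpromo.exe" "/unattend:$answerPath"
    $rc = $LASTEXITCODE
} finally {
    # Overwrite, then delete, so the DSRM password does not linger on disk.
    [IO.File]::WriteAllText($answerPath, ('X' * $answer.Length))
    Remove-Item $answerPath -Force
}

# dcpromo returns 1 to 4 on success (2 and 4 mean "reboot required"); anything
# else is a failure and the server must not be rebooted into a half-promoted state.
if ($rc -lt 1 -or $rc -gt 4) { throw "dcpromo failed with return code $rc" }
Restart-Computer -Force
```

After the server comes back, reconnect over Remote Desktop and confirm the promotion with `Import-Module ActiveDirectory; Get-ADDomain` (the module is installed together with the domain controller role); the DNSRoot and Forest properties should show the name you chose.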


Installing Microsoft ADFS 2.0

We are back after the server restart. Up to this point we have configured a Windows 2008 server on AWS and have installed Microsoft Active Directory on it. Next, we will install Microsoft ADFS 2.0 (Active Directory Federation Services) on this server. ADFS 2.0 is a separate download for Windows Server 2008 R2; do not add the "Active Directory Federation Services" role that Server Manager offers, as that is the older ADFS 1.x, which does not speak the SAML 2.0 protocol that Salesforce uses. (All steps in this section are carried out inside the Remote Desktop session on the AWS server.)

Turn Off IE ESC

1. Before we start the installation of ADFS 2.0, let's turn off Internet Explorer Enhanced Security Configuration (IE ESC) so that we can browse the internet on this server without restriction, as we will need to download the ADFS 2.0 software. Click on Start and type "Server", then click on Server Manager.

2. Click on the top node (Server Manager) in the left sidebar, then click on Configure IE ESC.

3. Select Off for both Administrators and Users and click OK. IE ESC exists precisely to keep a server, and in particular a domain controller, from being used for general web browsing; turn it back on (same dialog, On for both) once the download below is done.

4. Minimise Server Manager.

Installing Microsoft ADFS 2.0

5. Click on Start -> Internet Explorer. Click OK if prompted about Internet Explorer settings.

6. Navigate to URL http://www.microsoft.com/en-us/download/details.aspx?id=10909 to download Microsoft ADFS 2.0, and click Continue.

7. Select the option "No, I do not want to register. Take me to the download." and click Next.

8. Select the file "RTW\W2K8R2\amd64\AdfsSetup.exe" (the Windows Server 2008 R2, 64-bit build) and click Next.

9. Click Allow once when Internet Explorer asks, then click Save.

10. Click Run to start the installation of Microsoft ADFS 2.0.

11. Click Next on the welcome page.

12. Accept the license terms and click Next.

13. Select Federation Server and click Next.

14. Click Next on the page that follows.

15. Wait for the installation to complete.

16. Ensure that the checkbox to start the ADFS 2.0 Management snap-in is checked and click Next to leave the wizard.


Creating Self-Signed Certificate

(All steps in this section are carried out inside the Remote Desktop session on the AWS server.)

1. The ADFS 2.0 Management window will open. But before we continue with the setup of ADFS 2.0 we need to create a self-signed SSL certificate: the ADFS configuration wizard binds it to IIS on port 443 and derives the Federation Service name from its subject. Click on Start.

2. Type Internet and click on the option Internet Information Services (IIS) Manager.

3. In the IIS Manager window, click on the computer name in the left sidebar, then double click on Server Certificates.

4. Click on Create Self-Signed Certificate.

5. Specify a friendly name for the certificate and click OK.

6. The certificate will be created and will appear in the list. Its subject is the server's own name (its fully qualified name now that the server is a domain member), and since nobody but this server vouches for it, browsers will warn when they reach the ADFS sign-in page. That is fine for a lab, but a real deployment needs a certificate issued by a CA that the users' browsers trust. Let's navigate back to the ADFS 2.0 Management window now: click on the AD FS 2.0 icon on the task bar.


Page 83: Step-by-step guide to build salesforce single-sign on test lab with microsoft active directory

Visit asagarwal.com for daily dose of useful tips & tricks on Salesforce

Configuring Microsoft ADFS 2.0

83

1. Click on ‘ADFS 2.0 Federation Server Configuration Wizard’

AWS Server

Page 84: Step-by-step guide to build salesforce single-sign on test lab with microsoft active directory

Visit asagarwal.com for daily dose of useful tips & tricks on Salesforce

Configuring Microsoft ADFS 2.0

84

1. Select ‘Create a new Federation Service’

2. Click Next

AWS Server

Page 85: Step-by-step guide to build salesforce single-sign on test lab with microsoft active directory

Visit asagarwal.com for daily dose of useful tips & tricks on Salesforce

Configuring Microsoft ADFS 2.0

85

2. Click Next

1. Select ‘Stand-alone federation server’

AWS Server

Page 86: Step-by-step guide to build salesforce single-sign on test lab with microsoft active directory

Visit asagarwal.com for daily dose of useful tips & tricks on Salesforce

Configuring Microsoft ADFS 2.0

86

1. The SSL certificate created earlier will

automatically be selected. Click Next

AWS Server

Page 87: Step-by-step guide to build salesforce single-sign on test lab with microsoft active directory

Configuring Microsoft ADFS 2.0

1. Click Next

AWS Server

Page 88: Step-by-step guide to build salesforce single-sign on test lab with microsoft active directory

Configuring Microsoft ADFS 2.0

1. The wizard will configure the ADFS Server. Click Close once the configuration steps are completed

AWS Server

Page 89: Step-by-step guide to build salesforce single-sign on test lab with microsoft active directory

Configuring Microsoft ADFS 2.0

1. Next, click on Start -> Command Prompt

AWS Server

Page 90: Step-by-step guide to build salesforce single-sign on test lab with microsoft active directory

Configuring Microsoft ADFS 2.0

1. In the command prompt window, type ‘hostname’ and press Enter to get your computer name

2. Once you have the hostname, run the command

setspn -a HOST/WIN-GOAIA2HS9LA.asagarwal.com asagarwal\WIN-GOAIA2HS9LA

replacing WIN-GOAIA2HS9LA with your computer name and asagarwal.com with the domain name that you specified while installing Microsoft Active Directory.

This is required because the installer may fail when it registers the service principal name (SPN). Running this command manually creates the Kerberos SPN for the DNS name, so that Integrated Windows Authentication between the browser and the AD FS IIS instance works correctly

AWS Server

Page 91: Step-by-step guide to build salesforce single-sign on test lab with microsoft active directory

Steps Overview

✓ Configure Windows 2008 Server on AWS ✓ Install Microsoft Active Directory ✓ Install Microsoft ADFS 2.0 ✓ Create Self-Signed Certificate in IIS ✓ Configure Microsoft ADFS 2.0 ➡ Export Self-Signed Certificate ■ Retrieve ADFS 2.0 Details for Salesforce Configuration ■ Configure My Domain in Salesforce ■ Enable SSO in Salesforce ■ Add Salesforce as Trusted Relying Party in ADFS ■ Configure AD User for Single Sign On in Salesforce ■ Test SSO (SP Initiated & IdP Initiated) ■ Use Just-In-Time (JIT) Provisioning ■ Debug SSO Issues

Page 92: Step-by-step guide to build salesforce single-sign on test lab with microsoft active directory

Exporting Self-Signed Certificate

1. Switch to ADFS 2.0 Management window and click on Service -> Certificates

2. Under Token-signing, double click on the certificate

AWS Server

Page 93: Step-by-step guide to build salesforce single-sign on test lab with microsoft active directory

Exporting Self-Signed Certificate

1. Click on Details tab

2. Click on Copy to File…

AWS Server

Page 94: Step-by-step guide to build salesforce single-sign on test lab with microsoft active directory

Exporting Self-Signed Certificate

1. Click Next

AWS Server

Page 95: Step-by-step guide to build salesforce single-sign on test lab with microsoft active directory

Exporting Self-Signed Certificate

1. Ensure that the format DER encoded binary X.509 (.CER) is selected

2. Click Next

AWS Server

Page 96: Step-by-step guide to build salesforce single-sign on test lab with microsoft active directory

Exporting Self-Signed Certificate

1. Click Browse

AWS Server

Page 97: Step-by-step guide to build salesforce single-sign on test lab with microsoft active directory

Exporting Self-Signed Certificate

1. Select the location where you want to save the file

2. Specify the certificate file name

3. Click Save

AWS Server

Page 98: Step-by-step guide to build salesforce single-sign on test lab with microsoft active directory

Exporting Self-Signed Certificate

1. Click Next

AWS Server

Page 99: Step-by-step guide to build salesforce single-sign on test lab with microsoft active directory

Exporting Self-Signed Certificate

1. Click Finish

AWS Server

Page 100: Step-by-step guide to build salesforce single-sign on test lab with microsoft active directory

Exporting Self-Signed Certificate

1. Click OK

AWS Server

Page 101: Step-by-step guide to build salesforce single-sign on test lab with microsoft active directory

Exporting Self-Signed Certificate

1. Click OK again to close the window

AWS Server

Page 102: Step-by-step guide to build salesforce single-sign on test lab with microsoft active directory

Steps Overview

✓ Configure Windows 2008 Server on AWS ✓ Install Microsoft Active Directory ✓ Install Microsoft ADFS 2.0 ✓ Create Self-Signed Certificate in IIS ✓ Configure Microsoft ADFS 2.0 ✓ Export Self-Signed Certificate ➡ Retrieve ADFS 2.0 Details for Salesforce Configuration ■ Configure My Domain in Salesforce ■ Enable SSO in Salesforce ■ Add Salesforce as Trusted Relying Party in ADFS ■ Configure AD User for Single Sign On in Salesforce ■ Test SSO (SP Initiated & IdP Initiated) ■ Use Just-In-Time (JIT) Provisioning ■ Debug SSO Issues

Page 103: Step-by-step guide to build salesforce single-sign on test lab with microsoft active directory

Retrieving ADFS 2.0 EntityID

1. Click on Service -> Endpoints on the left sidebar in the ADFS 2.0 Management window

2. Under the Metadata section, look for the path to FederationMetadata.xml. Note down the path

AWS Server

Page 104: Step-by-step guide to build salesforce single-sign on test lab with microsoft active directory

Retrieving ADFS 2.0 EntityID

1. Switch to Internet Explorer and type the complete URL to FederationMetadata.xml. E.g.

https://win-goaia2hs9la.asagarwal.com/FederationMetadata/2007-06/FederationMetadata.xml

i.e.

https://hostname.domainname/FederationMetadata/2007-06/FederationMetadata.xml

AWS Server

Page 105: Step-by-step guide to build salesforce single-sign on test lab with microsoft active directory

Retrieving ADFS 2.0 EntityID

1. Right click on the web page and click ‘View Source’

AWS Server

Page 106: Step-by-step guide to build salesforce single-sign on test lab with microsoft active directory

Retrieving ADFS 2.0 EntityID

1. Note down the value for the entityID ( http://WIN-GOAIA2HS9LA.asagarwal.com/adfs/services/trust ). Close the view source window

AWS Server

Page 107: Step-by-step guide to build salesforce single-sign on test lab with microsoft active directory

Steps Overview

✓ Configure Windows 2008 Server on AWS ✓ Install Microsoft Active Directory ✓ Install Microsoft ADFS 2.0 ✓ Create Self-Signed Certificate in IIS ✓ Configure Microsoft ADFS 2.0 ✓ Export Self-Signed Certificate ✓ Retrieve ADFS 2.0 Details for Salesforce Configuration ➡ Configure My Domain in Salesforce ■ Enable SSO in Salesforce ■ Add Salesforce as Trusted Relying Party in ADFS ■ Configure AD User for Single Sign On in Salesforce ■ Test SSO (SP Initiated & IdP Initiated) ■ Use Just-In-Time (JIT) Provisioning ■ Debug SSO Issues

Page 108: Step-by-step guide to build salesforce single-sign on test lab with microsoft active directory

Configuring My Domain in Salesforce

1. Navigate to login.salesforce.com and log on to the Salesforce instance where you want to configure SSO with Microsoft Active Directory. Here I am logging in to a developer org

2. Specify username and password and click Log in to Salesforce

Google Chrome on Mac

Page 109: Step-by-step guide to build salesforce single-sign on test lab with microsoft active directory

Configuring My Domain in Salesforce

1. To set up SSO on Salesforce, let’s start with configuring My Domain in Salesforce. The benefit of using 'My Domain' is that it enables support for SP-initiated single sign-on and allows users to access 'deep links' into their environment via SSO. Click on Setup to configure My Domain

Google Chrome on Mac

Page 110: Step-by-step guide to build salesforce single-sign on test lab with microsoft active directory

Configuring My Domain in Salesforce

1. In the setup menu, click on Domain Management -> My Domain

Google Chrome on Mac

Page 111: Step-by-step guide to build salesforce single-sign on test lab with microsoft active directory

Configuring My Domain in Salesforce

1. Enter the domain name for My Domain. Note that Salesforce will suffix the domain with “-dev-ed.my.salesforce.com” as we are configuring this on a developer org. On a production org, the domain will be suffixed with “.my.salesforce.com”

2. Click on Check Availability to ensure that the domain is available. If it is not, then specify a different domain name

Google Chrome on Mac

Page 112: Step-by-step guide to build salesforce single-sign on test lab with microsoft active directory

Configuring My Domain in Salesforce

1. If the domain is available, check the ‘Terms and Conditions’ and click Register Domain

Google Chrome on Mac

Page 113: Step-by-step guide to build salesforce single-sign on test lab with microsoft active directory

Configuring My Domain in Salesforce

1. Salesforce will register the domain. This may take a while. Refresh the page every couple of minutes to check the status

Google Chrome on Mac

Page 114: Step-by-step guide to build salesforce single-sign on test lab with microsoft active directory

Configuring My Domain in Salesforce

1. Once registered, click on ‘Click here to login’ to login using your domain and deploy the domain to users.

Google Chrome on Mac

Page 115: Step-by-step guide to build salesforce single-sign on test lab with microsoft active directory

Configuring My Domain in Salesforce

1. As you log in using your domain, note that the URL changes to reflect your domain name

2. Click on Deploy to Users

Google Chrome on Mac

Page 116: Step-by-step guide to build salesforce single-sign on test lab with microsoft active directory

Configuring My Domain in Salesforce

1. Click OK in the confirmation window

Google Chrome on Mac

Page 117: Step-by-step guide to build salesforce single-sign on test lab with microsoft active directory

Configuring My Domain in Salesforce

1. The domain will be deployed to users. From this point onwards, users can navigate to mydomain.my.salesforce.com to log on to the Salesforce instance, in addition to the normal login URL, which is login.salesforce.com

Google Chrome on Mac

Page 118: Step-by-step guide to build salesforce single-sign on test lab with microsoft active directory

Steps Overview

✓ Configure Windows 2008 Server on AWS ✓ Install Microsoft Active Directory ✓ Install Microsoft ADFS 2.0 ✓ Create Self-Signed Certificate in IIS ✓ Configure Microsoft ADFS 2.0 ✓ Export Self-Signed Certificate ✓ Retrieve ADFS 2.0 Details for Salesforce Configuration ✓ Configure My Domain in Salesforce ➡ Enable SSO in Salesforce ■ Add Salesforce as Trusted Relying Party in ADFS ■ Configure AD User for Single Sign On in Salesforce ■ Test SSO (SP Initiated & IdP Initiated) ■ Use Just-In-Time (JIT) Provisioning ■ Debug SSO Issues

Page 119: Step-by-step guide to build salesforce single-sign on test lab with microsoft active directory

Configuring SSO in Salesforce

1. To continue with the Single Sign-On configuration, click on Security Controls -> Single Sign-On Settings

Google Chrome on Mac

Page 120: Step-by-step guide to build salesforce single-sign on test lab with microsoft active directory

Configuring SSO in Salesforce

1. Click Edit

Google Chrome on Mac

Page 121: Step-by-step guide to build salesforce single-sign on test lab with microsoft active directory

Configuring SSO in Salesforce

1. Check ‘SAML Enabled’ and click Save

Google Chrome on Mac

Page 122: Step-by-step guide to build salesforce single-sign on test lab with microsoft active directory

Configuring SSO in Salesforce

1. Click New to specify Microsoft ADFS as the Single Sign-On Server

Google Chrome on Mac

Page 123: Step-by-step guide to build salesforce single-sign on test lab with microsoft active directory

Configuring SSO in Salesforce

1. Enter the SSO Name

2. Enter the Issuer. The Issuer is the entityID copied from FederationMetadata.xml in previous steps

3. Select SAML Identity Type as “Assertion contains the Federation ID from the User object”

4. Select ‘Identity is in the NameIdentifier element of the Subject statement’

5. Specify Identity Provider Login URL as https://hostname.domainname/adfs/ls/ i.e. https://WIN-GOAIA2HS9LA.asagarwal.com/adfs/ls/ (Be sure to specify “https” and a ‘/‘ slash at the end of the URL)

6. Identity Provider Logout URL: You can configure a URL to which the user will be sent after they log out - for example, http://intranet.mycompany.com/

7. Select HTTP Redirect

IMPORTANT: All parameters shown on this page must be configured exactly as instructed. Failure to do so may cause SSO to not work as intended

Google Chrome on Mac
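As an added example (not code from the original deck), the following Python script does programmatically what the entityID retrieval and the Single Sign-On Settings pages describe by hand: it parses a constructed FederationMetadata.xml fragment for the entityID, token-signing certificate and SSO endpoint, then cross-checks the Issuer, Identity Provider Login URL, Entity ID and uploaded certificate against it. The metadata document and certificate bytes are constructed placeholders; the host and My Domain names are the guide's own examples.

```python
"""Cross-check the values typed into Salesforce Single Sign-On Settings
against what the ADFS server publishes in FederationMetadata.xml.

Added example, not code from the original deck. The metadata document and
certificate bytes are constructed placeholders; host, domain and My Domain
names are the deck's own examples.
"""
import base64
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed stand-in for the DER bytes of the exported "IdP Certificate.cer".
PLACEHOLDER_DER = b"constructed placeholder, not a real X.509 certificate"

# Constructed metadata, trimmed to the elements of an ADFS 2.0 document that matter here.
SAMPLE_METADATA = """<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="http://WIN-GOAIA2HS9LA.asagarwal.com/adfs/services/trust">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing">
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
        <X509Data><X509Certificate>{cert}</X509Certificate></X509Data>
      </KeyInfo>
    </KeyDescriptor>
    <SingleSignOnService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://WIN-GOAIA2HS9LA.asagarwal.com/adfs/ls/"/>
    <SingleSignOnService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://WIN-GOAIA2HS9LA.asagarwal.com/adfs/ls/"/>
  </IDPSSODescriptor>
</EntityDescriptor>
""".format(cert=base64.b64encode(PLACEHOLDER_DER).decode())

# The settings from the Single Sign-On Settings pages, as a practitioner would record them.
GUIDE_SETTINGS = {
    "issuer": "http://WIN-GOAIA2HS9LA.asagarwal.com/adfs/services/trust",
    "idp_login_url": "https://WIN-GOAIA2HS9LA.asagarwal.com/adfs/ls/",
    "entity_id": "https://ssoasagarwal-dev-ed.my.salesforce.com/",
    "binding": "HTTP Redirect",
    "idp_certificate_der": PLACEHOLDER_DER,  # bytes of the uploaded .cer file
}


def parse_federation_metadata(xml_text):
    """Pull entityID, token-signing certs and SSO endpoints out of the metadata."""
    root = ET.fromstring(xml_text)
    idp = root.find("md:IDPSSODescriptor", NS)
    signing_certs = []
    for kd in idp.findall("md:KeyDescriptor", NS):
        # ADFS marks the token-signing key use="signing"; an absent attribute means any use.
        if kd.get("use", "signing") != "signing":
            continue
        cert = kd.findtext("ds:KeyInfo/ds:X509Data/ds:X509Certificate", namespaces=NS)
        signing_certs.append("".join(cert.split()))  # drop base64 line wrapping
    endpoints = {}
    for svc in idp.findall("md:SingleSignOnService", NS):
        endpoints[svc.get("Binding").rsplit(":", 1)[-1]] = svc.get("Location")
    return {"entity_id": root.get("entityID"),
            "signing_certs": signing_certs, "sso": endpoints}


def check_salesforce_sso_settings(settings, idp):
    """Return a list of problem codes; an empty list means the settings line up."""
    problems = []
    # Issuer is compared as an opaque string: http vs https or a trailing slash breaks it.
    if settings["issuer"] != idp["entity_id"]:
        problems.append("issuer-mismatch")
    login = settings["idp_login_url"]
    if not login.startswith("https://"):
        problems.append("login-url-not-https")
    if not login.endswith("/"):
        problems.append("login-url-missing-trailing-slash")
    redirect = idp["sso"].get("HTTP-Redirect")
    if redirect and login.lower() != redirect.lower():
        problems.append("login-url-differs-from-metadata")
    if settings["binding"] != "HTTP Redirect":
        problems.append("binding-not-http-redirect")
    entity = settings["entity_id"]
    if not (entity.startswith("https://") and entity.endswith("/")):
        problems.append("entity-id-needs-https-and-trailing-slash")
    if ".my.salesforce.com" not in entity:
        problems.append("entity-id-not-my-domain")
    # The uploaded .cer must be the token-signing certificate the IdP publishes,
    # not the IIS service-communications certificate.
    uploaded = base64.b64encode(settings["idp_certificate_der"]).decode()
    if uploaded not in idp["signing_certs"]:
        problems.append("certificate-not-token-signing")
    return problems


if __name__ == "__main__":
    meta = parse_federation_metadata(SAMPLE_METADATA)
    print("entityID:", meta["entity_id"])
    print("problems:", check_salesforce_sso_settings(GUIDE_SETTINGS, meta) or "none")
```

Against a real server, replace SAMPLE_METADATA with the text of the FederationMetadata.xml URL noted down earlier and the placeholder bytes with the contents of the exported .cer file.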

Page 124: Step-by-step guide to build salesforce single-sign on test lab with microsoft active directory

Configuring SSO in Salesforce

1. Specify the Entity ID as your Salesforce “My Domain” name configured in previous steps (i.e. https://ssoasagarwal-dev-ed.my.salesforce.com/, with slash ‘/‘ at the end)

2. Click on Choose File

IMPORTANT: All parameters shown on this page must be

configured exactly as instructed. Failure to do so may cause SSO

to not work as intended

Google Chrome on Mac

Page 125: Step-by-step guide to build salesforce single-sign on test lab with microsoft active directory

Configuring SSO in Salesforce

1. Double click on the IdP Certificate.cer file exported from the MS Active Directory Server in previous steps. If you are performing these configuration steps from a different computer (and not from the AWS Server), then you will need to transfer the “IdP Certificate.cer” file from the AWS server to this computer. One way to transfer it is to email the file to yourself as an attachment and download it on this computer

Google Chrome on Mac

Page 126: Step-by-step guide to build salesforce single-sign on test lab with microsoft active directory

Configuring SSO in Salesforce

1. Click Save

Google Chrome on Mac

Page 127: Step-by-step guide to build salesforce single-sign on test lab with microsoft active directory

Configuring SSO in Salesforce

1. Click Download Metadata. This is required to create the trust relationship in ADFS

Google Chrome on Mac

Page 128: Step-by-step guide to build salesforce single-sign on test lab with microsoft active directory

Configuring SSO in Salesforce

1. Save the Metadata file on your PC

Google Chrome on Mac

Page 129: Step-by-step guide to build salesforce single-sign on test lab with microsoft active directory

Enabling SSO in Salesforce

1. Now let’s enable SSO in Salesforce. Click on Domain Management -> My Domain

2. Scroll down the page

Google Chrome on Mac

Page 130: Step-by-step guide to build salesforce single-sign on test lab with microsoft active directory

Enabling SSO in Salesforce

2. Click Edit for Login Page Settings

Google Chrome on Mac

Page 131: Step-by-step guide to build salesforce single-sign on test lab with microsoft active directory

Enabling SSO in Salesforce

1. Check Microsoft ADFS

2. Click Save

Google Chrome on Mac

Page 132: Step-by-step guide to build salesforce single-sign on test lab with microsoft active directory

Configuring Federation ID in Salesforce for SSO

1. Click on Manage Users -> Users

2. Click Edit for your username

The username in Salesforce and the username in Microsoft AD may differ from each other. Use the Federation ID to link the user in Salesforce with the user in Microsoft AD

Google Chrome on Mac

Page 133: Step-by-step guide to build salesforce single-sign on test lab with microsoft active directory

Configuring Federation ID in Salesforce for SSO

1. On the edit user page, specify the Federation ID. We will configure this in Microsoft Active Directory in the subsequent steps. Here the federation ID I have specified is “[email protected]”

2. Click Save

Google Chrome on Mac

Page 134: Step-by-step guide to build salesforce single-sign on test lab with microsoft active directory

Steps Overview

✓ Configure Windows 2008 Server on AWS ✓ Install Microsoft Active Directory ✓ Install Microsoft ADFS 2.0 ✓ Create Self-Signed Certificate in IIS ✓ Configure Microsoft ADFS 2.0 ✓ Export Self-Signed Certificate ✓ Retrieve ADFS 2.0 Details for Salesforce Configuration ✓ Configure My Domain in Salesforce ✓ Enable SSO in Salesforce ➡ Add Salesforce as Trusted Relying Party in ADFS ■ Configure AD User for Single Sign On in Salesforce ■ Test SSO (SP Initiated & IdP Initiated) ■ Use Just-In-Time (JIT) Provisioning ■ Debug SSO Issues

Page 135: Step-by-step guide to build salesforce single-sign on test lab with microsoft active directory

Configuring Salesforce as Trusted Party in ADFS

1. Switch back to ADFS 2.0 Management Console window in AWS Server

2. Click on Add a trusted Relying Party

AWS Server

Page 136: Step-by-step guide to build salesforce single-sign on test lab with microsoft active directory

Configuring Salesforce as Trusted Party in ADFS

1. In the Add Relying Party Trust Wizard window click Start

AWS Server

Page 137: Step-by-step guide to build salesforce single-sign on test lab with microsoft active directory

Configuring Salesforce as Trusted Party in ADFS

1. Select option ‘Import data about the relying party from a file’

2. Click Browse and locate the Metadata file downloaded from Salesforce in previous steps. If you downloaded the file on a different computer, transfer the file to the AWS Server

3. Click Next

AWS Server

Page 138: Step-by-step guide to build salesforce single-sign on test lab with microsoft active directory

Configuring Salesforce as Trusted Party in ADFS

1. Specify the name of the relying party

2. Click Next

AWS Server

Page 139: Step-by-step guide to build salesforce single-sign on test lab with microsoft active directory

Configuring Salesforce as Trusted Party in ADFS

1. Select option ‘Permit all users to access this relying party’

2. Click Next

AWS Server

Page 140: Step-by-step guide to build salesforce single-sign on test lab with microsoft active directory

Configuring Salesforce as Trusted Party in ADFS

1. Click Next

AWS Server

Page 141: Step-by-step guide to build salesforce single-sign on test lab with microsoft active directory

Configuring Salesforce as Trusted Party in ADFS

1. Check the box to open the Edit Claim Rules dialog

2. Click Close

AWS Server

Page 142: Step-by-step guide to build salesforce single-sign on test lab with microsoft active directory

Configuring Rules in ADFS for SSO

1. Click Add Rule

AWS Server

Page 143: Step-by-step guide to build salesforce single-sign on test lab with microsoft active directory

Configuring Rules in ADFS for SSO

1. Select ‘Send LDAP Attributes as Claims’

2. Click Next

AWS Server

Page 144: Step-by-step guide to build salesforce single-sign on test lab with microsoft active directory

Configuring Rules in ADFS for SSO

1. Specify the claim rule name

2. Specify the Attribute store as ‘Active Directory’

3. Specify LDAP Attribute and Outgoing Claim Type

4. Click Finish

AWS Server

Page 145: Step-by-step guide to build salesforce single-sign on test lab with microsoft active directory

Configuring Rules in ADFS for SSO

1. Click OK

AWS Server

Page 146: Step-by-step guide to build salesforce single-sign on test lab with microsoft active directory

Changing Salesforce Settings in ADFS

1. In the ADFS 2.0 Management window, click on Relying Party Trusts in the left sidebar

2. Double click on Salesforce SSO Test

AWS Server

Page 147: Step-by-step guide to build salesforce single-sign on test lab with microsoft active directory

Changing Salesforce Settings in ADFS

1. Click on the Advanced tab

2. Select Secure hash algorithm as ‘SHA-1’

3. Click OK

AWS Server

Page 148: Step-by-step guide to build salesforce single-sign on test lab with microsoft active directory

Steps Overview

✓ Configure Windows 2008 Server on AWS ✓ Install Microsoft Active Directory ✓ Install Microsoft ADFS 2.0 ✓ Create Self-Signed Certificate in IIS ✓ Configure Microsoft ADFS 2.0 ✓ Export Self-Signed Certificate ✓ Retrieve ADFS 2.0 Details for Salesforce Configuration ✓ Configure My Domain in Salesforce ✓ Enable SSO in Salesforce ✓ Add Salesforce as Trusted Relying Party in ADFS ➡ Configure AD User for Single Sign On in Salesforce ■ Test SSO (SP Initiated & IdP Initiated) ■ Use Just-In-Time (JIT) Provisioning ■ Debug SSO Issues

Page 149: Step-by-step guide to build salesforce single-sign on test lab with microsoft active directory

Configuring Username in AD for SSO

1. Click on Start and type ‘Active’ in the search box

2. Click Active Directory Users and Computers

AWS Server

Page 150: Step-by-step guide to build salesforce single-sign on test lab with microsoft active directory

Configuring Username in AD for SSO

1. In the Active Directory Users and Computers window, click on domain name -> Users on the left sidebar

2. Double click on the Administrator user

AWS Server

Page 151: Step-by-step guide to build salesforce single-sign on test lab with microsoft active directory

Configuring Username in AD for SSO

1. Click on the Account tab

2. Specify the user logon name as ‘administrator’ and the domain as the domain name that you specified while configuring Microsoft AD. This is where we map the Microsoft Active Directory user to the Salesforce user: the user logon name specified here has been defined as the Federation ID in Salesforce

3. Click OK

AWS Server

Page 152: Step-by-step guide to build salesforce single-sign on test lab with microsoft active directory

Steps Overview

✓ Configure Windows 2008 Server on AWS ✓ Install Microsoft Active Directory ✓ Install Microsoft ADFS 2.0 ✓ Create Self-Signed Certificate in IIS ✓ Configure Microsoft ADFS 2.0 ✓ Export Self-Signed Certificate ✓ Retrieve ADFS 2.0 Details for Salesforce Configuration ✓ Configure My Domain in Salesforce ✓ Enable SSO in Salesforce ✓ Add Salesforce as Trusted Relying Party in ADFS ✓ Configure AD User for Single Sign On in Salesforce ➡ Test SSO (SP Initiated & IdP Initiated) ■ Use Just-In-Time (JIT) Provisioning ■ Debug SSO Issues

Page 153: Step-by-step guide to build salesforce single-sign on test lab with microsoft active directory

Testing SSO - SP Initiated Login

1. In the browser window on your AWS Server, navigate to the Salesforce ‘My Domain’ URL configured in Salesforce (here it is https://ssoasagarwal-dev-ed.my.salesforce.com/)

2. To test single sign-on through Microsoft Active Directory, click on Microsoft ADFS

To test SSO, log on to Salesforce from the browser in your AWS Server, because the Microsoft ADFS URL (https://win-goaia2hs9la.asagarwal.com/ in my case) configured on the AWS server is not reachable from the Internet. (To make it available on the Internet, you need to change the DNS settings with your domain registrar to point to the AWS Server)

AWS Server

Page 154: Step-by-step guide to build salesforce single-sign on test lab with microsoft active directory

Testing SSO - SP Initiated Login

1. Notice that clicking on Microsoft ADFS in the Salesforce login window redirects you to the Microsoft AD login window. Here you need to log in using your Microsoft AD credentials, which in this case are your AWS Server username and password. Click OK

AWS Server

Page 155: Step-by-step guide to build salesforce single-sign on test lab with microsoft active directory

Testing SSO - SP Initiated Login

And now you should be logged on to Salesforce through Microsoft Active Directory

AWS Server

Page 156: Step-by-step guide to build salesforce single-sign on test lab with microsoft active directory

Creating a New User

1. To create a new user in Salesforce, first create the user in Microsoft Active Directory. On the AWS Server, switch to the Active Directory Users and Computers window

2. On the left sidebar, click on Users -> New -> User

AWS Server

Page 157: Step-by-step guide to build salesforce single-sign on test lab with microsoft active directory

Creating a New User

1. Enter the new user details and click Next. Note that the username specified in the field ‘User logon name’ will need to be used as the Federation ID in Salesforce to map this Active Directory user to the Salesforce user. In this case, the User logon name is [email protected]

AWS Server

Page 158: Step-by-step guide to build salesforce single-sign on test lab with microsoft active directory

Creating a New User

1. Specify the password. Uncheck the box ‘User must change password at next logon’. Click Next

AWS Server

Page 159: Step-by-step guide to build salesforce single-sign on test lab with microsoft active directory

Creating a New User

1. Click Finish

AWS Server

Page 160: Step-by-step guide to build salesforce single-sign on test lab with microsoft active directory

Creating a New User

1. The user has been created in Microsoft Active Directory

AWS Server

Page 161: Step-by-step guide to build salesforce single-sign on test lab with microsoft active directory

Creating a New User

1. Create the user in Salesforce also. Log on to your Salesforce instance and navigate to Setup -> Manage Users -> Users

2. Click on New User

AWS Server

Page 162: Step-by-step guide to build salesforce single-sign on test lab with microsoft active directory

Creating a New User

1. Enter the user details

2. Specify the Salesforce license and profile

3. Scroll down the page

AWS Server

Page 163: Step-by-step guide to build salesforce single-sign on test lab with microsoft active directory

Creating a New User

1. Specify the Federation ID. The Federation ID should exactly match the User logon name specified in Microsoft Active Directory in previous steps.

2. Uncheck all options and click Save

AWS Server

Page 164: Step-by-step guide to build salesforce single-sign on test lab with microsoft active directory

Creating a New User

The user has been created in Salesforce also

AWS Server

Page 165: Step-by-step guide to build salesforce single-sign on test lab with microsoft active directory

Creating a New User

1. To test the new user, navigate to the Salesforce My Domain URL in the browser on your AWS Server

2. Click on the link for Microsoft ADFS

AWS Server

Page 166: Step-by-step guide to build salesforce single-sign on test lab with microsoft active directory

Creating a New User

166AWS Server

1. Specify the new user name and password. Click OK

Page 167: Step-by-step guide to build salesforce single-sign on test lab with microsoft active directory

Visit asagarwal.com for daily dose of useful tips & tricks on Salesforce

Creating a New User

167AWS Server

1. You are now logged on to Salesforce as the new user

Page 168: Step-by-step guide to build salesforce single-sign on test lab with microsoft active directory

Testing SSO - IdP Initiated Login (page 168)

1. For IdP initiated login, on your AWS Server, navigate to the URL https://<microsoft_adfs_URL>/adfs/ls/idpinitiatedsignon.aspx, e.g. (in my case) https://win-goaia2hs9la.asagarwal.com/adfs/ls/IdpInitiatedSignon.aspx

2. Select ‘Sign in to one of the following sites’ and select the relying party name

3. Click Continue to Sign in

You can also use the following URL format in IdP initiated login to log in directly to Salesforce:

https://<microsoft_adfs_URL>/adfs/ls/IdpInitiatedSignon.aspx?loginToRp=https://<salesforce_my_domain_URL>

e.g.

https://win-goaia2hs9la.asagarwal.com/adfs/ls/IdpInitiatedSignon.aspx?loginToRp=https://ssoasagarwal-dev-ed.my.salesforce.com

Screenshot: AWS Server

Testing SSO - IdP Initiated Login (page 169)

1. Enter the Microsoft Active Directory username and password and click OK

Screenshot: AWS Server

Testing SSO - IdP Initiated Login (page 170)

And now you should be logged on to Salesforce through IdP initiated login

Screenshot: AWS Server

Steps Overview (page 171)

✓ Configure Windows 2008 Server on AWS
✓ Install Microsoft Active Directory
✓ Install Microsoft ADFS 2.0
✓ Create Self-Signed Certificate in IIS
✓ Configure Microsoft ADFS 2.0
✓ Export Self-Signed Certificate
✓ Retrieve ADFS 2.0 Details for Salesforce Configuration
✓ Configure My Domain in Salesforce
✓ Enable SSO in Salesforce
✓ Add Salesforce as Trusted Relying Party in ADFS
✓ Configure AD User for Single Sign On in Salesforce
✓ Test SSO (SP Initiated & IdP Initiated)
➡ Use Just-In-Time (JIT) Provisioning
■ Debug SSO Issues

Just-In-Time Provisioning (page 172)

■ Rather than creating users in both Microsoft Active Directory and Salesforce, you can enable Just-In-Time (JIT) provisioning

■ With JIT, you just need to create the user in Microsoft Active Directory; when the user logs on to Salesforce, the user will automatically be created in Salesforce if it does not exist

■ To enable JIT, you need to send the following additional parameters, as a minimum, to Salesforce:
  ■ Last Name
  ■ Username
  ■ Email Address
  ■ Profile

Enabling Just-In-Time Provisioning (page 173)

1. To enable Just-In-Time provisioning, log on to Salesforce and navigate to Setup -> Security Controls -> Single Sign-On Settings

2. Click Edit

Screenshot: AWS Server

Enabling Just-In-Time Provisioning (page 174)

1. Check ‘User Provisioning Enabled’ and click Save

Screenshot: AWS Server

Enabling Just-In-Time Provisioning (page 175)

1. Switch to the ADFS 2.0 Management window on the AWS Server

2. Click on Relying Party Trusts in the left sidebar

3. Select ‘Salesforce SSO Test’

4. Click Edit Claim Rules

Screenshot: AWS Server

Enabling Just-In-Time Provisioning (page 176)

1. Click on Add Rule

Screenshot: AWS Server

Enabling Just-In-Time Provisioning (page 177)

1. Select ‘Send Claims Using a Custom Rule’

2. Click Next

Screenshot: AWS Server

Enabling Just-In-Time Provisioning (page 178)

1. Enter the rule name

2. Create the rule to send the user name:

c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
=> issue(store = "Active Directory", types = ("User.UserName"), query = ";userPrincipalName;{0}", param = c.Value);

3. Click Finish

Screenshot: AWS Server

Enabling Just-In-Time Provisioning (page 179)

■ Follow the previous three steps to add the following rules, which are required for Just-In-Time Provisioning

■ Send LastName

c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
=> issue(store = "Active Directory", types = ("User.LastName"), query = ";sn;{0}", param = c.Value);

■ Send Email

c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
=> issue(store = "Active Directory", types = ("User.Email"), query = ";userPrincipalName;{0}", param = c.Value);

■ Send Profile

c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
=> issue(type = "User.ProfileId", value = "Chatter Free User");

1. In Salesforce, the new users will be created with the “Chatter Free User” profile. We are using this profile for JIT as Salesforce provides 5000 Chatter Free User licenses in a Developer Org

Screenshot: AWS Server

Enabling Just-In-Time Provisioning (page 180)

1. Once set up, you should have these rules in the Issuance Transform Rules tab

Screenshot: AWS Server

Testing Just-In-Time Provisioning (page 181)

1. To test JIT, switch to the ‘Active Directory Users and Computers’ window. We will create a user in AD without creating the user in Salesforce. When we log on to Salesforce with this user, the user will automatically be created in Salesforce, as we have enabled and configured JIT

2. In the left sidebar, click on Users -> New -> User

Screenshot: AWS Server

Creating a New User (page 182)

1. Enter the new user details and click Next.

Screenshot: AWS Server

Creating a New User (page 183)

1. Specify the password. Uncheck the box ‘User must change password at next logon’. Click Next

Screenshot: AWS Server

Creating a New User (page 184)

1. Click Finish

Screenshot: AWS Server

Creating a New User (page 185)

1. The user has been created in Microsoft Active Directory

Screenshot: AWS Server

Testing JIT (page 186)

1. Log on to your Salesforce instance, navigate to Setup -> Manage Users -> Users and verify that currently there is no user with the user name that you specified in Microsoft AD

Screenshot: Google Chrome on Mac

Testing JIT (page 187)

1. On your AWS Server, start the browser and navigate to the Salesforce My Domain URL

2. Click on Microsoft ADFS

Screenshot: AWS Server

Testing JIT (page 188)

1. In the Microsoft AD login window, enter the username & password that you have created in Microsoft Active Directory. Remember that the user does not yet exist in Salesforce. Click OK

Screenshot: AWS Server

Testing JIT (page 189)

1. And Bingo, Salesforce will create the user on the fly with the ‘Chatter Free User’ profile and log the user in.

Screenshot: AWS Server

Testing JIT (page 190)

1. Switch to the browser window where you are logged on as admin and refresh the Users page. You can now see that Salesforce has created a user with the name ‘[email protected]’ and profile ‘Chatter Free User’

Screenshots: AWS Server, Google Chrome on Mac

Steps Overview (page 191)

✓ Configure Windows 2008 Server on AWS
✓ Install Microsoft Active Directory
✓ Install Microsoft ADFS 2.0
✓ Create Self-Signed Certificate in IIS
✓ Configure Microsoft ADFS 2.0
✓ Export Self-Signed Certificate
✓ Retrieve ADFS 2.0 Details for Salesforce Configuration
✓ Configure My Domain in Salesforce
✓ Enable SSO in Salesforce
✓ Add Salesforce as Trusted Relying Party in ADFS
✓ Configure AD User for Single Sign On in Salesforce
✓ Test SSO (SP Initiated & IdP Initiated)
✓ Use Just-In-Time (JIT) Provisioning
➡ Debug SSO Issues

Debugging SSO Issues (page 192)

1. If you face any error/issue in signing on through SSO, log on to your Salesforce instance using the Salesforce username and password (i.e. without going through Microsoft ADFS)

Screenshot: Google Chrome on Mac

Debugging SSO Issues - SAML Assertion Validator (page 193)

1. Click on Setup -> Security Controls -> Single Sign-On Settings

2. Click on SAML Assertion Validator

Screenshot: Google Chrome on Mac

Debugging SSO Issues - SAML Assertion Validator (page 194)

1. Review the results and troubleshoot

Screenshot: Google Chrome on Mac

Debugging SSO Issues - Login History (page 195)

1. You can also navigate to Setup -> Manage Users -> Login History and look into the login history log

Screenshot: Google Chrome on Mac

Debugging SSO Issues - SAML Tracer in FireFox (page 196)

1. The FireFox browser has an add-on called SAML Tracer which is great for troubleshooting SAML issues. To use SAML Tracer, start the FireFox browser and navigate to the URL https://addons.mozilla.org/en-US/firefox/addon/saml-tracer/

2. Click on Add to Firefox

Screenshot: FireFox on Mac

Debugging SSO Issues - SAML Tracer in FireFox (page 197)

1. Click on Install Now

Screenshot: FireFox on Mac

Debugging SSO Issues - SAML Tracer in FireFox (page 198)

1. Click on Restart Now

Screenshot: FireFox on Mac

Debugging SSO Issues - SAML Tracer in FireFox (page 199)

1. After restarting FireFox, click on Tools -> SAML Tracer

Screenshot: FireFox on Mac

Debugging SSO Issues - SAML Tracer in FireFox (page 200)

1. Navigate to the Salesforce My Domain URL

2. Notice that SAML Tracer starts logging the activity

3. Click on MS ADFS to log in

Screenshot: FireFox on Mac

Debugging SSO Issues - SAML Tracer in FireFox (page 201)

1. In the SAML Tracer window, any SAML request or response is highlighted as SAML

2. Specify the Microsoft Active Directory username and password. Click OK

Screenshot: FireFox on Mac

Debugging SSO Issues - SAML Tracer in FireFox (page 202)

1. To view the SAML request/response details, select the related SAML activity in the SAML Tracer window

2. Click on the SAML tab

3. Review the SAML response and troubleshoot as needed

Screenshot: FireFox on Mac
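Added example, not part of the guide: a small Python checker for a decoded SAML response of the kind SAML Tracer shows on its SAML tab, reporting the same kinds of problems the SAML Assertion Validator flags (audience, recipient, validity window, NameID) and confirming that the four JIT attributes issued by the claim rules on pages 178 and 179 (User.UserName, User.LastName, User.Email, User.ProfileId) are present. The Entity ID https://saml.salesforce.com, the hostnames and the user values are constructed assumptions, not the lab's real data.

```python
from datetime import datetime, timezone
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
# Attribute names exactly as the guide's four claim rules issue them for JIT.
JIT_REQUIRED = ("User.UserName", "User.LastName", "User.Email", "User.ProfileId")
JIT_CLAIMS = {  # constructed sample values for one AD user, not the lab's data
    "User.UserName": "jane.doe@example.test", "User.LastName": "Doe",
    "User.Email": "jane.doe@example.test", "User.ProfileId": "Chatter Free User"}

def sample_response(attrs):
    """Constructed response shaped like the one ADFS sends (signature omitted)."""
    attr_xml = "".join(f'<saml:Attribute Name="{n}"><saml:AttributeValue>{v}'
                       '</saml:AttributeValue></saml:Attribute>' for n, v in attrs.items())
    return f"""<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Assertion>
    <saml:Subject><saml:NameID>{attrs.get('User.UserName', '')}</saml:NameID>
      <saml:SubjectConfirmation><saml:SubjectConfirmationData
        Recipient="https://example-dev-ed.my.salesforce.com"/></saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions NotBefore="2014-11-21T00:00:00Z" NotOnOrAfter="2099-01-01T00:00:00Z">
      <saml:AudienceRestriction><saml:Audience>https://saml.salesforce.com</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AttributeStatement>{attr_xml}</saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""

def _ts(value):  # parse a SAML UTC timestamp such as 2014-11-21T00:00:00Z
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def check_saml_response(xml_text, audience, recipient, now=None):
    """Return troubleshooting findings; an empty list means nothing obvious is wrong."""
    now = now or datetime.now(timezone.utc)
    findings = []
    assertion = ET.fromstring(xml_text).find("saml:Assertion", NS)
    if assertion is None:
        return ["response carries no saml:Assertion"]
    # Audience must equal the Entity ID configured in Salesforce SSO settings.
    if audience not in [a.text for a in assertion.findall(".//saml:Audience", NS)]:
        findings.append(f"audience does not include {audience}")
    # Recipient must be the Salesforce login URL (the My Domain URL in this lab).
    scd = assertion.find(".//saml:SubjectConfirmationData", NS)
    if scd is None or scd.get("Recipient") != recipient:
        findings.append("recipient does not match the Salesforce My Domain URL")
    # Validity window: clock skew between the AD server and Salesforce shows up here.
    cond = assertion.find("saml:Conditions", NS)
    if cond is not None and _ts(cond.get("NotBefore")) > now:
        findings.append("assertion not yet valid (NotBefore is in the future)")
    if cond is not None and _ts(cond.get("NotOnOrAfter")) <= now:
        findings.append("assertion expired (NotOnOrAfter has passed)")
    # NameID is what Salesforce matches against the user's Federation ID.
    if not assertion.findtext("saml:Subject/saml:NameID", default="", namespaces=NS):
        findings.append("empty NameID, so no Federation ID can be matched")
    # JIT needs every attribute from the claim rules, each with a non-empty value.
    attrs = {a.get("Name"): a.findtext("saml:AttributeValue", default="", namespaces=NS)
             for a in assertion.findall(".//saml:Attribute", NS)}
    for name in JIT_REQUIRED:
        if not attrs.get(name):
            findings.append(f"JIT attribute {name} is missing or empty")
    return findings
```

To use it on a real trace, paste the decoded response from the SAML tab into a file, read it into xml_text, and pass your own Entity ID and My Domain URL.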

Steps Overview (page 203)

✓ Configure Windows 2008 Server on AWS
✓ Install Microsoft Active Directory
✓ Install Microsoft ADFS 2.0
✓ Create Self-Signed Certificate in IIS
✓ Configure Microsoft ADFS 2.0
✓ Export Self-Signed Certificate
✓ Retrieve ADFS 2.0 Details for Salesforce Configuration
✓ Configure My Domain in Salesforce
✓ Enable SSO in Salesforce
✓ Add Salesforce as Trusted Relying Party in ADFS
✓ Configure AD User for Single Sign On in Salesforce
✓ Test SSO (SP Initiated & IdP Initiated)
✓ Use Just-In-Time (JIT) Provisioning
✓ Debug SSO Issues

Leave Your Feedback (page 204)

Hope you were able to build your test lab successfully following this guide.

Please do not forget to leave your feedback on my blog at the URL http://www.asagarwal.com/2376/step-by-step-guide-to-build-your-own-salesforce-single-sign-on-sso-test-lab. Let me know, with your comments, feedback and suggestions, whether you were able to get SSO to work following this guide.

If you got stuck anywhere and were able to resolve the issue, mention that as a comment so that others can benefit from your experience

For Daily Dose of Useful Tips & Tricks on Salesforce.com visit asagarwal.com (page 205)

Document Change Log (page 206)

Version  Changes
1.0      Original Document
2.0      Added Just-In-Time Provisioning, SAML Tracer
2.1      Added IdP Initiated Login