SSO: Salesforce.com as Identity Provider and Service Provider

Sample Use Case
A customer has multiple Salesforce instances with a common set of administrators. The administrators are currently required to remember the username/password for each instance.
It would be ideal to have each admin login to one instance and have the ability to launch other instances without having to login again. Furthermore, it should be possible to navigate back to the ‘home’ org or toggle from one instance to another.
Preparation
1. Determine which application will play the role of the Identity Provider (“IdP”). This is the application that authenticates the user and logs him/her into the Service Providers (“SP”).
2. Provide each user with a Federation ID (a unique identifier for the user across all applications).
Hub-and-spoke model
The IdP and the participating SPs are represented in the hub-and-spoke diagram below.
[Diagram: the Identity Provider is the hub; Service Provider 1, Service Provider 2 and Service Provider 3 are the spokes. The same Federation ID, [email protected], is shown at the hub and at each spoke.]
In this example, the Federation ID ‘[email protected]’ is used to log the user into all the participating SPs.
The rest of the document provides step-by-step instructions to set up one Salesforce org as the IdP and another as an SP.
Page 1 of 6
IdP and SP Configuration
1. Get both orgs configured for 'My Domain'.
2. Set up your Identity Provider in the IdP org.
3. Get your IdP's certificate, 'issuer', and SP-initiated POST endpoint.
4. Go to your SP org and set up Single Sign-On. Enable SAML 2.0, import your certificate, and paste in the issuer from your IdP org. Use the Federation ID located in the SAML subject. Choose your My Domain as your entity ID.
5. Once that's configured, get your ACS URL and go back to your IdP org. Create a service provider with your ACS URL and entity ID.
6. Assign profile(s) to the SP.
7. Create a user in both orgs with the same Federation ID and make sure that user is in the proper profile in the IdP. For example: [email protected].
8. Launch the URL to the SP. You should be automatically taken to the login URL for the IdP. After authenticating in the IdP, you will land in the SP org.
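As an added illustration (not part of the original guide and not Salesforce's own code), the Python script below shows which fields of the SAML response that arrives at the SP's ACS URL are compared against the values configured in steps 3 to 5 and 7: the IdP issuer, the SP entity ID (the My Domain), the ACS URL, the assertion's validity window, and the Federation ID carried in the SAML subject. Salesforce performs these checks itself; the script only makes visible what is being compared. All org URLs, the Federation ID, the user list and the sample response are constructed placeholders, and the signature is only checked for presence because real XML-DSig verification needs a library such as xmlsec.

```python
"""SP-side comparison of a SAML response against the SP's configured values.
Added example for this guide; not Salesforce code. Every URL, ID and user
below is a constructed placeholder."""
from datetime import datetime, timezone
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# What the SP org was configured with (hypothetical values).
SP_CONFIG = {
    "idp_issuer": "https://idp-org.example.my.salesforce.com",  # step 3: issuer copied from the IdP org
    "entity_id": "https://sp1-org.example.my.salesforce.com",   # step 4: the SP's My Domain as entity ID
    "acs_url": "https://sp1-org.example.my.salesforce.com/?so=PLACEHOLDER_ORG_ID",  # step 5: ACS URL
}

# Step 7: users that exist in the SP org, keyed by Federation ID (constructed).
SP_USERS = {"admin@example.com": "Admin User"}

# Constructed sample of what the IdP org would POST to the ACS URL.
# The SignatureValue is a placeholder, not a real signature.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_resp1" Version="2.0" IssueInstant="2024-01-01T12:00:00Z"
    Destination="https://sp1-org.example.my.salesforce.com/?so=PLACEHOLDER_ORG_ID">
  <saml:Issuer>https://idp-org.example.my.salesforce.com</saml:Issuer>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-01-01T12:00:00Z">
    <saml:Issuer>https://idp-org.example.my.salesforce.com</saml:Issuer>
    <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
      <ds:SignatureValue>PLACEHOLDER</ds:SignatureValue>
    </ds:Signature>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">admin@example.com</saml:NameID>
    </saml:Subject>
    <saml:Conditions NotBefore="2024-01-01T11:59:00Z" NotOnOrAfter="2024-01-01T12:05:00Z">
      <saml:AudienceRestriction>
        <saml:Audience>https://sp1-org.example.my.salesforce.com</saml:Audience>
      </saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""


def _utc(stamp):
    """Parse a SAML UTC timestamp such as 2024-01-01T12:00:00Z."""
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def parse_response(xml_text):
    """Extract the fields the SP compares against its configuration."""
    root = ET.fromstring(xml_text)
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        raise ValueError("no Assertion in response")
    conditions = assertion.find("saml:Conditions", NS)
    return {
        "destination": root.get("Destination"),
        "issuer": assertion.findtext("saml:Issuer", namespaces=NS),
        "name_id": assertion.findtext("saml:Subject/saml:NameID", namespaces=NS),
        "audience": assertion.findtext(
            "saml:Conditions/saml:AudienceRestriction/saml:Audience", namespaces=NS),
        "not_before": conditions.get("NotBefore") if conditions is not None else None,
        "not_on_or_after": conditions.get("NotOnOrAfter") if conditions is not None else None,
        "signed": assertion.find("ds:Signature", NS) is not None,
    }


def check_response(fields, now_iso, config=SP_CONFIG, users=SP_USERS):
    """Return a list of problems; an empty list means every configured value matched."""
    problems = []
    if not fields["signed"]:
        problems.append("assertion is not signed (verify against the IdP certificate from step 3)")
    if fields["issuer"] != config["idp_issuer"]:
        problems.append(f"issuer mismatch: {fields['issuer']!r}")
    if fields["audience"] != config["entity_id"]:
        problems.append(f"audience mismatch: {fields['audience']!r}")
    if fields["destination"] != config["acs_url"]:
        problems.append(f"destination mismatch: {fields['destination']!r}")
    now = _utc(now_iso)
    if fields["not_before"] and now < _utc(fields["not_before"]):
        problems.append("assertion not yet valid")
    if fields["not_on_or_after"] and now >= _utc(fields["not_on_or_after"]):
        problems.append("assertion expired")
    if fields["name_id"] not in users:
        problems.append(f"no SP user with Federation ID {fields['name_id']!r}")
    return problems


def evaluate_response(xml_text, now_iso, config=SP_CONFIG, users=SP_USERS):
    """Parse and check in one call; used by the demo below."""
    return check_response(parse_response(xml_text), now_iso, config, users)


if __name__ == "__main__":
    print(evaluate_response(SAMPLE_RESPONSE, "2024-01-01T12:01:00Z"))  # []
```

Run the script as-is and the sample passes every check. Changing the Audience to another org's My Domain, or evaluating outside the NotBefore/NotOnOrAfter window, produces a non-empty problem list, which is why step 4 ties the entity ID to the SP's own My Domain and why a user who is missing from the SP org (step 7) cannot be logged in even with a valid assertion.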
Home Page Layout of IdP instance
This section provides the configurations required on the home page layout to provide the admin with the ability to navigate to other SP instances.
Upon clicking a link in the ‘Spokes’ section, the corresponding instance is launched in a new window.
Toggling between instances
The Home Page Layout configuration approach can be expanded to provide the ability to toggle between instances, as shown below. The main difference is that the instances will have to be opened in the same window.
References
1. Online help page: https://na1.salesforce.com/help/doc/user_ed.jsp?section=help&target=identity_provider_examples.htm&loc=help&hash=heading_2_1