OpenAM can serve as the identity provider when you use Salesforce CRM as a service provider, allowing users to have single sign-on with their Salesforce CRM account.
In order to use this service, you must have Salesforce CRM accounts for your organization.
- If you have not yet done so, set up OpenAM as described in Procedure 11.1, “To Create a Hosted Identity Provider”, using the signing certificate that Salesforce CRM requires. See the procedure To Change the Signing Key for Federation for details regarding the signing certificate.
- On the OpenAM console Common Tasks page, click Configure Salesforce CRM.
- On the first Salesforce CRM Single Sign-On Configuration page, configure attribute mapping to associate the appropriate attribute from Salesforce CRM with the user profile attribute on your IDP. For example, add a mapping for
- On the second Salesforce CRM Single Sign-On Configuration page, follow the instructions below before clicking Finish.
- In a new browser tab or window, log in to Salesforce CRM with your administrator credentials. Create an administrator account if none exists yet.
- If your users go directly to Salesforce to access services, then their single sign-on is SP-initiated from the Salesforce side. Salesforce provides a “My Domain” feature to facilitate SP-initiated single sign-on for desktop and device users. When you have completed configuring Salesforce as a service provider, users can then browse to your domain at Salesforce, such as https://openam.my.salesforce.com, and be redirected to OpenAM to authenticate before being redirected to Salesforce.
- Select Administration Setup > Company Profile > My Domain.
- Choose the domain name, and then register the domain.
- Wait until the domain is ready for testing to proceed.
- In Salesforce CRM, browse to Setup > Administration Setup > Single Sign-On Settings > Security Controls, and then click Edit for Single Sign-On Settings.
- Select SAML Enabled.
- Set the SAML Version to 2.0.
- Copy the issuer name from the OpenAM page to the Issuer field on the Salesforce CRM page.
- Save the OpenAM verification certificate to a text file, such as
- Upload the certificate file as Identity Provider Certificate on the Salesforce CRM page.
- For SAML User ID Type in Salesforce CRM, choose Assertion contains the Federation ID from the User object.
- For SAML User Location in Salesforce CRM, choose User ID is in an Attribute element.
- Copy the attribute name, such as IDPEmail, from the OpenAM page to the Attribute Name field on the Salesforce CRM page.
- Leave the NameID Format field empty.
- Select the Entity ID corresponding to the “My Domain” that you set up.
- Save your work in Salesforce CRM.
- Salesforce CRM displays a Salesforce Login URL. Copy the Salesforce Login URL to the field provided on the OpenAM page.
- Salesforce CRM displays a Salesforce.com Single Logout URL. If you want to perform Global Logout when a user logs out of Salesforce, edit this form to include the OpenAM Logout URL here.
If you do not want OpenAM to end the user’s session when they log out of Salesforce, edit this form to leave the field blank.
- Click Download Metadata to download the Salesforce CRM SP metadata. After you complete the configuration, you must import the SP metadata you downloaded in this step.
- In Salesforce CRM, browse to Administration Setup > Manage Users, and then click Users.
- Add users as necessary, making sure the attribute chosen as the Federation ID matches the local attribute you mapped to the remote attribute in the previous page in OpenAM.
- Click Finish to complete the process.
- After you finish, import the metadata for Salesforce CRM as SP.
- Browse in OpenAM console to the Federation tab.
- If the remote SP entity for Salesforce CRM is already in the Entity Providers list, delete the existing configuration.
- Click Import Entity…, and then use the Import Entity Provider page to import the Salesforce CRM metadata.
At this point, when a user browses to the Salesforce domain you set up, they should be redirected to OpenAM for authentication. Upon successful authentication, they should be logged in to Salesforce.
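Before testing the login, it helps to cross-check the values entered on both sides, since most SSO failures in this setup come from an Issuer, Audience, or attribute name that does not match. The script below is an added example and is not part of the OpenAM documentation or of ForgeRock's or Salesforce's own tooling. It parses a constructed stand-in for the SP metadata downloaded in the Download Metadata step and a constructed sample of the assertion OpenAM would send, then confirms that the assertion Issuer equals the Issuer entered in Salesforce, that the Audience carries the SP entity ID, and that the IDPEmail attribute holds exactly one value that matches a Federation ID configured on a Salesforce user. All hostnames, URLs, and the user value are placeholders.

```python
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
POST_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed stand-in for the SP metadata downloaded from Salesforce CRM.
# The entity ID and service locations are placeholders, not real Salesforce output.
SP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://example.my.salesforce.com">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:SingleLogoutService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://example.my.salesforce.com/PLACEHOLDER-slo"/>
    <md:AssertionConsumerService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://example.my.salesforce.com/PLACEHOLDER-acs" index="0"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
"""

# Constructed sample of the assertion OpenAM would send, carrying the
# Federation ID in the IDPEmail attribute (placeholder issuer and user).
ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_placeholder" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
  <saml:Issuer>https://openam.example.com:8443/openam</saml:Issuer>
  <saml:Subject>
    <saml:NameID>alice@example.com</saml:NameID>
  </saml:Subject>
  <saml:Conditions>
    <saml:AudienceRestriction>
      <saml:Audience>https://example.my.salesforce.com</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AttributeStatement>
    <saml:Attribute Name="IDPEmail">
      <saml:AttributeValue>alice@example.com</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>
"""


def parse_sp_metadata(xml_text):
    """Return the SP entity ID plus the HTTP-POST ACS and the SLO locations."""
    root = ET.fromstring(xml_text)
    sp = root.find("md:SPSSODescriptor", NS)
    acs = None
    slo = None
    if sp is not None:
        for svc in sp.findall("md:AssertionConsumerService", NS):
            if svc.get("Binding") == POST_BINDING:
                acs = svc.get("Location")
                break
        slo_el = sp.find("md:SingleLogoutService", NS)
        slo = slo_el.get("Location") if slo_el is not None else None
    return {"entity_id": root.get("entityID"), "acs_location": acs, "slo_location": slo}


def extract_attribute_values(assertion_xml, attr_name):
    """Return every AttributeValue carried under the named SAML attribute."""
    root = ET.fromstring(assertion_xml)
    values = []
    for attr in root.iterfind(".//saml:Attribute", NS):
        if attr.get("Name") == attr_name:
            values.extend((v.text or "").strip()
                          for v in attr.findall("saml:AttributeValue", NS))
    return values


def check_sso_config(sp_metadata_xml, assertion_xml, expected_issuer,
                     attr_name, federation_ids):
    """Cross-check IdP and SP settings; return a list of problems (empty = consistent)."""
    problems = []
    meta = parse_sp_metadata(sp_metadata_xml)
    if not meta["entity_id"]:
        problems.append("SP metadata has no entityID")
    if not meta["acs_location"]:
        problems.append("SP metadata has no HTTP-POST AssertionConsumerService")

    root = ET.fromstring(assertion_xml)
    # The Issuer must be exactly what was typed into the Salesforce Issuer field.
    issuer = root.findtext("saml:Issuer", default="", namespaces=NS).strip()
    if issuer != expected_issuer:
        problems.append(f"assertion Issuer {issuer!r} != Salesforce Issuer {expected_issuer!r}")

    # Salesforce rejects assertions whose Audience is not its own entity ID.
    audiences = [a.text.strip() for a in root.iterfind(".//saml:Audience", NS) if a.text]
    if meta["entity_id"] and meta["entity_id"] not in audiences:
        problems.append(f"Audience {audiences} lacks SP entityID {meta['entity_id']!r}")

    # With "User ID is in an Attribute element", the named attribute must carry
    # exactly one value, and that value must equal a user's Federation ID.
    values = extract_attribute_values(assertion_xml, attr_name)
    if len(values) != 1:
        problems.append(f"expected one {attr_name} value, got {values}")
    elif values[0] not in federation_ids:
        problems.append(f"{attr_name} value {values[0]!r} matches no Federation ID")
    return problems


if __name__ == "__main__":
    issues = check_sso_config(SP_METADATA, ASSERTION,
                              "https://openam.example.com:8443/openam",
                              "IDPEmail", {"alice@example.com"})
    print("consistent" if not issues else "\n".join(issues))
```

Each mismatch is reported as a separate message rather than raising on the first one, so the same function can be pointed at the real downloaded metadata and a captured assertion and will list every setting that needs correcting in one pass.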