How to Configure Single Sign-On (SSO) to Salesforce With Gluu+WWPass Identity Provider

This tutorial guides you through the steps you need to take to integrate Gluu+WWPass Single Sign-On (SSO) with Salesforce. WWPass provides secure and convenient authentication technology and Gluu makes it easy to perform tasks related to user management.

Step 1: Implement Gluu+WWPass Server

You can find the software modules and instructions for Gluu+WWPass server implementation in our GitHub project.

Step 2: Set Up Salesforce.com

First, you need to prepare Salesforce.com:

  1. Log in to Salesforce.com;
  2. Click Setup;
  3. Click Company Settings, then My Domain;
  4. Add your domain or use Salesforce test domain;
  5. Wait for the domain registration to finish; it can take a while. Note: the SAML SSO configuration is attached to a My Domain, so you need either a custom domain on your Salesforce.com account or a test domain name provided by Salesforce;
  6. Enter your Gluu Server information into Salesforce.com:
  7. Go to Identity > Single Sign-On Settings;
  8. Click New;
  9. Fill in the following information about your Gluu Server:
    • Name: anything that lets you recognize this setup later, e.g. My SSO Server;
    • API Name: My_SSO_Server;
    • Issuer: the EntityID of your Gluu Server, e.g. https://iam.example.com/idp/shibboleth; it must match, character for character, the Issuer element the Gluu Server puts in its SAML responses;
    • EntityID: Your Salesforce.com custom domain name;
    • Identity Provider Certificate: your Gluu Server "idp-signing" certificate. Salesforce uses it to verify the signature on the SAML responses the Gluu Server sends, so take it from your Gluu Server metadata (or from the /etc/certs directory on the server), save it as an X.509 certificate file and upload it; make sure it is the signing certificate and not the encryption one;
    • Request Signing Certificate: Default certificate;
    • Request Signature Method: RSA-SHA256;
    • Assertion Decryption Certificate: not encrypted;
    • SAML Identity Type: Assertion contains your Salesforce.com username;
    • SAML Identity Location: Identity is in an Attribute element;
    • Attribute Name: the SAML2 URI of the attribute that carries the Salesforce username. For our test case we use the URN value of the Gluu Server Email attribute; you can look up the URN in your Gluu Server attribute configuration;
    • NameID Format: Leave it empty;
    • Identity Provider Login URL: https://iam.example.com/idp/profile/SAML2/Redirect/SSO;
    • Service Provider Initiated Request Binding: HTTP-Redirect;

    Your setup should look similar to:

  10. Confirm. If everything is correct, you will see a page like the following:
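The three values Salesforce asks for in item 9 that are hardest to get right (Issuer, Identity Provider Login URL and Identity Provider Certificate) all come from the Gluu Server's SAML metadata, and the usual mistake is uploading the encryption certificate instead of the signing one. The script below is an added example, not code from the original tutorial or from the Gluu/WWPass project: it parses a metadata document laid out like the one a Shibboleth-based IdP such as Gluu publishes, picks only the KeyDescriptors usable for signing, writes each as a PEM file Salesforce can upload, and prints a SHA-256 fingerprint of the DER bytes that you can compare with `openssl x509 -noout -fingerprint -sha256` run against the idp-signing certificate file under /etc/certs on the Gluu Server. The metadata document, hostnames and certificate bytes are constructed placeholders.

```python
"""Extract the Salesforce SSO settings (Issuer, Login URL, signing certificate)
from Gluu Server IdP metadata. Added example, not part of the original tutorial
or the Gluu/WWPass project. Assumes the standard SAML 2.0 metadata layout a
Shibboleth-based IdP serves at /idp/shibboleth; the document below is constructed.
"""
import base64
import hashlib
import textwrap
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
HTTP_REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"

# Constructed stand-ins for the DER certificates a real IdP would publish.
SIGNING_DER = b"constructed idp-signing certificate bytes"
ENCRYPTION_DER = b"constructed idp-encryption certificate bytes"

SAMPLE_METADATA = """<?xml version="1.0" encoding="UTF-8"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://iam.example.com/idp/shibboleth">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>
        {signing}
      </ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:KeyDescriptor use="encryption">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>
        {encryption}
      </ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://iam.example.com/idp/profile/SAML2/POST/SSO"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://iam.example.com/idp/profile/SAML2/Redirect/SSO"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
""".format(
    signing=base64.b64encode(SIGNING_DER).decode(),
    encryption=base64.b64encode(ENCRYPTION_DER).decode(),
)


def to_pem(b64: str) -> str:
    """Wrap one base64 certificate blob as the PEM file Salesforce's upload expects."""
    body = "\n".join(textwrap.wrap(b64, 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"


def parse_idp_metadata(xml_text: str) -> dict:
    """Return Issuer, HTTP-Redirect login URL and the signing certificate(s)."""
    root = ET.fromstring(xml_text)
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("no IDPSSODescriptor: this is not IdP metadata")

    login_url = None
    for sso in idp.findall("md:SingleSignOnService", NS):
        if sso.get("Binding") == HTTP_REDIRECT:
            login_url = sso.get("Location")

    signing_certs = []
    for kd in idp.findall("md:KeyDescriptor", NS):
        # Per the SAML metadata spec a KeyDescriptor without a 'use' attribute
        # is valid for both signing and encryption, so it is kept as well.
        if kd.get("use", "signing") != "signing":
            continue
        for cert in kd.findall(".//ds:X509Certificate", NS):
            b64 = "".join((cert.text or "").split())   # strip the XML whitespace
            der = base64.b64decode(b64)
            signing_certs.append({
                "der": der,
                "pem": to_pem(b64),
                "sha256": hashlib.sha256(der).hexdigest(),
            })

    return {
        "issuer": root.get("entityID"),     # Salesforce "Issuer"
        "login_url": login_url,             # Salesforce "Identity Provider Login URL"
        "signing_certs": signing_certs,     # Salesforce "Identity Provider Certificate"
    }


if __name__ == "__main__":
    info = parse_idp_metadata(SAMPLE_METADATA)
    print("Issuer:   ", info["issuer"])
    print("Login URL:", info["login_url"])
    for cert in info["signing_certs"]:
        print("Signing certificate SHA-256:", cert["sha256"])
        print(cert["pem"])
```

To use it against a live server, replace SAMPLE_METADATA with the document fetched from the Gluu Server metadata URL and write the "pem" string to a file for the Salesforce upload dialog.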

Step 3. The Gluu Server

Now you are ready to prepare the Gluu Server:

Note: More about Creating SAML Trust Relationship

  1. Use the Download Metadata option on the Salesforce.com website;
  2. Create Trust Relationship:
    • Display Name: insert anything for yourself to recognize this trust relationship later;
    • Description: insert anything for yourself to recognize this trust relationship later;
    • Metadata Type: ’File’;
    • Upload the Salesforce metadata;
    • Released attributes: TransientID and Email (Email is the attribute Salesforce was told to read the username from in Step 2);
    • Add the trust relationship;
  3. Configure the Relying Party (you can use the Gluu Server GUI, oxTrust):
    • Select SAML2SSO:
      • includeAttributeStatement: Enabled;
      • assertionLifetime: default;
      • assertionProxyCount: default;
      • signResponses: conditional;
      • signAssertions: never;
      • signRequests: conditional;
      • encryptAssertions: never;
      • encryptNameIds: never;
    • Save it;
  4. Update your relationship;

Note: with signResponses: conditional the Gluu Server signs the SAML Response whenever the binding does not provide its own integrity protection, which is the case for the HTTP-POST binding Salesforce receives responses over. That Response signature is what Salesforce verifies with the "idp-signing" certificate uploaded in Step 2, so do not set it to never. encryptAssertions: never matches the "Assertion not encrypted" setting on the Salesforce side; if you later turn encryption on, change the Salesforce Assertion Decryption Certificate setting at the same time.

It should look like the picture below:

* Relying party configuration:

Step 4. Testing Your SSO

Final step. It is time to check whether your SSO was configured properly.

  1. Log in to Salesforce.com;
  2. Click Setup;
  3. Create your test user. A matching user must also exist on the Gluu Server, and its Email attribute must equal the Salesforce username, because that is the attribute value Salesforce matches on (see Step 2);
  4. Click Identity > Single Sign-On Settings;
  5. Enable Federated Single Sign-On Using SAML:
  6. Click Company Settings > My Domain;
  7. Set the Authentication Configuration;
  8. Click Edit;
    • Select the Gluu Server SSO configuration you created in Step 2 (My SSO Server in this example);
    • Save the configuration. Keep an administrator session open in another browser while you test, so that a misconfiguration cannot lock you out of Setup;

    If all steps were done properly, your Authentication Configuration should look similar to:

Summary

You have successfully configured SSO to Salesforce with Gluu+WWPass Identity Provider. If you have any questions, please contact us at support@wwpass.com