Federated Single Sign-On using OneLogin
Federated SSO configuration using OneLogin requires performing the following:
Getting the Salesforce Organization ID
To get the Salesforce Organization ID, use one of the following methods:
- From the Getting Started tab:
  - Go to the Getting Started tab.
  - Under the Enhance BMC Helix Remedyforce Performance section, note the Salesforce Organization ID.
- From the Setup option:
  - Click Setup. A left pane displaying various sections appears.
  - In the Administer section, expand Company Profile and click Company Information. The Company Information page displaying the Salesforce Organization ID appears.
The following image shows the Company Information page displaying the Salesforce Organization ID.
Note
The Salesforce Organization ID is required while configuring the Identity Provider (OneLogin).
Configuring the Identity Provider (OneLogin)
Notes
For OneLogin credentials, you need to register on the OneLogin website.
- You can go to www.onelogin.com and opt for a free trial.
- You may also get in touch with the IT Team to check whether your company is already a OneLogin customer/partner.
To configure the Identity Provider (OneLogin), perform the following steps:
Log in to OneLogin by entering the following URL: https://app.onelogin.com/login.
Enter your login credentials and click LOG IN. The OneLogin home page appears.
The following image shows the OneLogin Home page.
On the navigation bar, hover over Apps. A drop-down list appears.
The following image shows the Apps drop-down list.
Click Add Apps. The Find Applications page appears.
The following image shows the Find Applications page.
In the search box, enter Remedyforce. A list of applications based on the search appears.
The following image shows the list of the searched applications.
Click Remedyforce Enterprise or Remedyforce [Sandbox] based on your requirement. The Add Remedyforce [Sandbox] page displaying the Configuration tab appears.
The following image shows the Add Remedyforce [Sandbox] page displaying the Configuration tab.
- In the Portal section, enter an appropriate Display Name for the application.
- Click Save. The Info tab appears.
The following image shows the Remedyforce [Sandbox] Info tab.
Click the Configuration tab.
The following image shows the Remedyforce [Sandbox] Configuration tab.
In the Application Details section, enter your Salesforce Organization ID and in the API Version field, click the latest version of the API.
In the API Connection section, enter your Salesforce credentials.
Click Enable. The API Status displays the status as Enabled.
Note
The Enabled status indicates that OneLogin has successfully established connection with your Salesforce org using your Salesforce credentials.
Click the Parameters tab.
The following image shows the Remedyforce [Sandbox] Parameters tab.
- Select Configured by admin.
- Select the specified values for the following Remedyforce [Sandbox] fields:
- Phone: From the drop-down list, select the value Phone.
- User ID: From the drop-down list, select the value Email.
- Click the SSO tab. The SSO tab displaying the X.509 Certificate, Issuer URL, SAML 2.0 Endpoint, and SLO Endpoint (HTTP) appears.
The following image shows the Remedyforce [Sandbox] SSO tab.
The Issuer URL and SAML 2.0 Endpoint (HTTP) are auto-generated.
Click Save. The configuration is saved.
Notes
- X.509 Certificate, Issuer URL, SAML 2.0 Endpoint, and SLO Endpoint are auto-generated.
- Copy the auto-generated Issuer URL and SAML 2.0 Endpoint (HTTP), which are required in the Salesforce Single Sign-On Settings.
In the Enable SAML 2.0 section, click View Details.
The Standard Strength Certificate (2048-bit) page appears.
The following image shows the Standard Strength Certificate (2048-bit) page.
Click Download and save the certificate to your local machine.
Note
The downloaded Standard Strength Certificate is imported while configuring the Single Sign-On Settings on Salesforce.
Configuring the Service Provider (Salesforce)
To configure the Service Provider (Salesforce):
Log in to Salesforce and see Step 1 to Step 4.
Enter appropriate information in the fields given in the table below:
| Field | Description |
|---|---|
| Name | Enter an appropriate name for the SSO Setting. |
| API Name | The API name is generated automatically based upon the name specified for the SSO Setting. |
| Issuer | Enter the Issuer URL generated in OneLogin. For example: https://app.onelogin.com/saml/metadata/453901 |
| Entity Id | Enter https://saml.salesforce.com if you do not have any domain deployed. If domain is deployed, use the MyDomain URL. For example: |
| Identity Provider Certificate | Browse and select the certificate downloaded from OneLogin. For example: X.509 PEM Certificate |
| Request Signing Certificate | From the drop-down list, select Default Certificate. |
| Request Signature Method | From the drop-down list, select RSA-SHA1. |
| Assertion Decryption Certificate | From the drop-down list, select Assertion not encrypted. |
| SAML Identity Type | Select the Assertion contains the Federation ID from the User object option. |
| SAML Identity Location | Select the Identity is in the NameIdentifier element of the Subject statement option. |
| Identity Provider Login URL | Enter the URL of your OneLogin SAML endpoint, to which Force.com sends SAML requests for SP-initiated login. |
| Identity Provider Logout URL | Enter the URL that you want the logged out user to receive. |
| Custom Error URL | Enter the URL of a custom page, to which the user is redirected in case of any error in login. For example: www.testdomain.com/ErrorPage |
| Service Provider Initiated Request Binding | Select the HTTP POST option. |
- Fields marked with are mandatory.
- You can edit the auto-generated API name.
- If you are not able to view Service Provider Initiated Request Binding, check whether the My Domain feature is enabled for your organization. If My Domain is not enabled, raise a case with Salesforce to enable it.
Click Save. The configuration is saved. It updates and displays the certificate expiration date.
The SAML SSO Setting page displaying the expiration date
Verifying the Single Sign-On Configuration with Federated SSO using OneLogin
To verify that Single Sign-On has been configured correctly, perform the following procedures, one for IDP initiated login and one for SP initiated login.
Identity Provider initiated login
To verify IDP initiated login:
Enter the OneLogin login URL in a browser.
For example: https://psl.onelogin.com/trust/saml2/http-post/sso/453901
If you are already logged in to the IDP, the browser follows a set of redirection instructions and logs you into Salesforce. If you are not logged into the IDP, enter your login credentials on the IDP login page. This will redirect you to Salesforce.
Note
In case of a Force.com login error, navigate to SSO Setting in Salesforce and use the SAML Validation Tool. This displays the last failed SAML login.
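When a login fails, one thing to check is whether the values in the assertion match the SSO Setting. The following added example (not BMC, Salesforce or OneLogin code) decodes a base64 SAMLResponse and compares its Issuer, Audience and NameID with the Issuer, Entity Id and Federation ID configured above. `build_sample`, `check_response`, `federation_ids` and the sample user are assumptions made for the illustration, and the signature is not verified here.

```python
import base64
import xml.etree.ElementTree as ET  # for XML you did not produce yourself, parse with defusedxml

NS = {"p": "urn:oasis:names:tc:SAML:2.0:protocol",
      "a": "urn:oasis:names:tc:SAML:2.0:assertion"}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"

# Issuer and Entity Id as entered in the SSO Setting table on this page.
EXPECTED = {"issuer": "https://app.onelogin.com/saml/metadata/453901",
            "audience": "https://saml.salesforce.com"}

def build_sample(issuer, audience, name_id):
    """Constructed, unsigned response for the demo; not captured from a real IdP."""
    xml = (f'<p:Response xmlns:p="{NS["p"]}" xmlns:a="{NS["a"]}">'
           f'<p:Status><p:StatusCode Value="{SUCCESS}"/></p:Status>'
           f'<a:Assertion><a:Issuer>{issuer}</a:Issuer>'
           f'<a:Subject><a:NameID>{name_id}</a:NameID></a:Subject>'
           f'<a:Conditions><a:AudienceRestriction><a:Audience>{audience}'
           f'</a:Audience></a:AudienceRestriction></a:Conditions>'
           f'</a:Assertion></p:Response>')
    return base64.b64encode(xml.encode()).decode()

def check_response(b64_response, federation_ids, expected=EXPECTED):
    """Return the list of mismatches; an empty list means the values line up."""
    root = ET.fromstring(base64.b64decode(b64_response))
    problems = []
    status = root.find("p:Status/p:StatusCode", NS)
    if status is None or status.get("Value") != SUCCESS:
        problems.append("status is not Success")
    if root.find("a:EncryptedAssertion", NS) is not None:
        # The SSO Setting on this page selects "Assertion not encrypted".
        return problems + ["assertion is encrypted but the SSO Setting expects plaintext"]
    issuer = root.findtext("a:Assertion/a:Issuer", default="", namespaces=NS).strip()
    if issuer != expected["issuer"]:
        problems.append(f"Issuer {issuer!r} does not match the SSO Setting")
    audiences = [a.text.strip() for a in root.iterfind(".//a:Audience", NS) if a.text]
    if expected["audience"] not in audiences:
        problems.append(f"Entity Id is not among the Audience values {audiences}")
    # SAML Identity Location: the identity is the NameID of the Subject.
    name_id = root.findtext("a:Assertion/a:Subject/a:NameID",
                            default="", namespaces=NS).strip()
    if name_id not in federation_ids:  # compared exactly, as an assumption
        problems.append(f"NameID {name_id!r} is not a known Federation ID")
    return problems
```

Pass the base64 `SAMLResponse` form value from a failed login and the set of Federation ID values from your user records; each returned string names one field to correct in OneLogin or in the SSO Setting.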
Service Provider initiated login
To verify SP initiated login:
Enter the following domain specific URL in a browser: https://test-sso--x1.cs22.my.salesforce.com.
The page redirects to IDP for authentication.
Note
If your user credentials are already validated, you will be redirected to Salesforce. If the user credentials are not validated, the IDP will prompt you to enter your credentials.