Note

This documentation supports the 20.19.01 version of Remedyforce.

Federated Single Sign-On Using ADFS 2.0

Federated SSO configuration using ADFS 2.0 requires performing the following:

  1. Export the Identity Provider Token Certificate
  2. Configure the Service Provider (Salesforce)
  3. Configure the Identity Provider (ADFS 2.0)
  4. Verify the Single Sign-On Configuration using ADFS 2.0 

Exporting the Identity Provider Token Certificate

To export the Identity Provider Token Certificate:

  1. Navigate to the ADFS server and open the Active Directory Federation Services (ADFS) 2.0 Management console. The ADFS 2.0 window appears.
    The ADFS 2.0 window

  2. In the left pane, expand Service and click Certificates. The right pane displaying the Certificates appears.
    The ADFS window displaying the Certificates

  3. In the right pane, right-click the Token-signing certificate and click View Certificate. A window displaying the certificate properties appears. If more than one token-signing certificate is listed (for example, during certificate rollover), export the one marked Primary, because that is the certificate ADFS currently uses to sign assertions.
    The Certificate Properties window

  4. In the Certificate window, click the Details tab. The window displaying the certificate details appears.
    The Certificate Details tab

  5. Click Copy to File. The Certificate Export Wizard appears.
    The Certificate Export Wizard

  6. Click Next. The Export File Format window appears.
    The Export File Format window

  7. Select the DER encoded binary X.509 (.CER) format and click Next. The File to Export window appears.
    The File to Export window

  8. Click Browse to specify the name and location of the file that you want to export. For example: C:\Users\test_user\Desktop\Token Signing Cert.cer

  9. Click Finish.

Note

Provide the exported token-signing certificate to the Service Provider (Salesforce) administrator; it is required for the SSO configuration on the Salesforce side. The .CER file contains only the public certificate, so it can be shared freely; the private key stays on the ADFS server.
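The same export performed from the ADFS 2.0 PowerShell snap-in, as an added example that is not part of the original page. It assumes an elevated PowerShell session on the ADFS server and uses the output path from the example above (an assumption; adjust it for your environment). It also prints the thumbprint and expiry date so the Salesforce administrator can confirm which certificate they received.

```powershell
# Added example, not from the Remedyforce documentation: export the primary ADFS 2.0
# token-signing certificate as DER (.CER) with the ADFS PowerShell snap-in.
# Assumptions: elevated session on the ADFS server; output path is an assumption.
Add-PSSnapin Microsoft.Adfs.PowerShell -ErrorAction SilentlyContinue

$OutFile = 'C:\Users\test_user\Desktop\Token Signing Cert.cer'   # assumed path

# ADFS can hold two token-signing certificates during rollover; only the primary
# one signs the assertions Salesforce will receive, so that is the one to export.
$tokenSigning = Get-ADFSCertificate -CertificateType Token-Signing |
    Where-Object { $_.IsPrimary }
if (-not $tokenSigning) { throw 'No primary token-signing certificate found on this ADFS server.' }

$cert = $tokenSigning.Certificate   # System.Security.Cryptography.X509Certificates.X509Certificate2

# Warn early: when ADFS rolls to a new certificate, the Salesforce SSO setting
# must be updated with it or every SSO login fails with a signature error.
$daysLeft = ($cert.NotAfter - (Get-Date)).Days
if ($daysLeft -lt 30) {
    Write-Warning ("Token-signing certificate expires in {0} days ({1})." -f $daysLeft, $cert.NotAfter)
}

# X509ContentType::Cert is the DER-encoded public certificate, the same format the
# wizard calls "DER encoded binary X.509 (.CER)". No private key is included.
$der = $cert.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Cert)
[System.IO.File]::WriteAllBytes($OutFile, $der)

# Print identifying details so the receiving side can verify the file out of band.
"Exported  : {0} ({1} bytes)" -f $OutFile, $der.Length
"Subject   : {0}" -f $cert.Subject
"Thumbprint: {0}" -f $cert.Thumbprint
"Valid to  : {0}" -f $cert.NotAfter
```

Send the thumbprint to the Salesforce administrator separately from the file; after uploading the certificate in the SSO setting they can compare it with the expiration date Salesforce displays on save.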

Configuring the Service Provider (Salesforce)

To configure the Service Provider (Salesforce):

  1. Login to Salesforce.
  2. Click Setup. A left pane displaying various sections appears.
  3. In the Administration Setup section, expand Security Controls and click Single Sign-On Settings. The Single Sign-On Settings page appears.
    The Single Sign-On Settings page

  4. Select the SAML Enabled option and click New. The SAML Single Sign-On Setting page appears.
    The SAML Single Sign-On Setting page

  5. Enter appropriate information in the fields given in the table below:

    Field: Description

    Name: Enter an appropriate name for the SSO Setting.

    API Name: The API name is generated automatically based on the name specified for the SSO Setting.

    Issuer: Enter the entity ID of the Identity Provider. For ADFS this is the Federation Service identifier, and it must match the Issuer value in the assertions ADFS sends. For example: http://testdomain.co.in/adfs/services/trust

    Entity Id: Enter https://saml.salesforce.com if you do not have a My Domain deployed. If a domain is deployed, use the My Domain URL. For example: https://test-sso-dev-ed.my.salesforce.com

    Identity Provider Certificate: Browse and select the exported token-signing certificate. Salesforce uses it to verify the signature on every assertion, so assertions signed with any other certificate (for example, after an ADFS certificate rollover) are rejected until this field is updated.

    Request Signing Certificate: From the drop-down list, select Default Certificate.

    Request Signature Method: From the drop-down list, select RSA-SHA1. This is the algorithm Salesforce uses to sign the SAML requests it sends for SP-initiated login; Salesforce also offers RSA-SHA256, which is the stronger choice if your ADFS deployment accepts it.

    Assertion Decryption Certificate: From the drop-down list, select Assertion not encrypted.

    SAML Identity Type: Select Assertion contains the Federation ID from the User object.

    SAML Identity Location: Select Identity is in the NameIdentifier element of the Subject statement.

    Identity Provider Login URL: Enter the URL of your ADFS SAML endpoint (the /adfs/ls/ endpoint of your federation service), to which Force.com sends SAML requests for SP-initiated login.

    Identity Provider Logout URL: Enter the URL to which a logged-out user is sent.

    Custom Error URL: Enter the URL of a custom page to which the user is redirected if a login error occurs. For example: www.testdomain.com/ErrorPage

    Service Provider Initiated Request Binding: Select HTTP POST.

    Note

    • Fields marked with the required-field indicator are mandatory.
    • You can edit the auto-generated API name.
    • If you cannot see Service Provider Initiated Request Binding, check whether the My Domain feature is enabled for your organization. If My Domain is not enabled, raise a case with Salesforce to enable it.
  6. Click Save. The configuration is saved, and the page displays the expiration date of the uploaded certificate.
    The SAML SSO Setting page displaying the expiration date

  7. Click Download Metadata. The metadata xml file is downloaded, which is used in the ADFS 2.0 Configuration.

  8. In Salesforce, click Setup > Manage Users > Users. A page displaying the available users appears.
    The page displaying available users

  9. Click your Username. The User Detail page appears.
    The User Detail page

  10. Click Edit. The User Edit page appears.
    The User Edit page

  11. In the Single Sign-On Information section, enter the user's Federation ID. Salesforce matches the NameID in the assertion against this field, so the value must be exactly what ADFS sends as the Name ID claim; with the claim rule configured later in this procedure, that is the user's E-Mail Addresses attribute from Active Directory. Every user who will sign in through SSO needs a Federation ID set in the same way.

  12. Click Save.

Configuring the Service Provider for Custom Domain and SP Initiated Login

To create a custom domain and use it for Service Provider Initiated Login, follow these steps:

  1. Create and deploy domain for users
  2. Configure custom domain for Login Restrictions
  3. Configure a domain for Service Provider Initiated login 

Creating and Deploying Domains for Users

To create and deploy a domain for users:

  1. Login to Salesforce.
  2. Click Setup. A left pane displaying various sections appears.
  3. In the Administration Setup section, expand Domain Management and click My Domain. The My Domain page appears.
    The My Domain page

  4. In the My Domain section, enter an appropriate domain name and click Check Availability. If the domain name is available, the page displays the status as Available.

  5. Select "I agree to the Terms and Conditions" and click Register Domain. The page reloads displaying the My Domain and Authentication Configuration sections.
    The My Domain page reloaded

  6. In the My Domain section, click Click here to login. The page reloads enabling Deploy to Users.

  7. In the My Domain section, click Deploy to Users. The page reloads displaying the My Domain, My Domain Settings, and Authentication Configuration sections.
    The My Domain page reloaded with the deployed domain

Configuring a Custom Domain for Login Restrictions

You can use My Domain Settings to prevent users from logging in through https://login.salesforce.com, so that they can log in only through your domain URL. Without this restriction, a user who still has a Salesforce password can bypass SSO through the generic login page.
To configure your domain for Login Restrictions:

  1. Login to Salesforce.
  2. Click Setup. A left pane displaying various sections appears.
  3. In the Administration Setup section, expand Domain Management and click My Domain. The My Domain page appears.
    The My Domain page

  4. In the My Domain Settings section, click Edit. The My Domain Settings section expands.
    The My Domain Settings section expanded

  5. (Optional) In the expanded My Domain Settings section, for Login Policy, select Prevent login from https://login.salesforce.com.
  6. Click Save.

Configuring a Domain for Service Provider Initiated Login

You can change the Authentication Configuration of your domain to use an alternative authentication service. By default the Salesforce login page is used for authentication, but you can select any of your Single Sign-On settings as the authentication service instead, which turns every visit to the domain URL into an SP-initiated login.

To configure your domain for SP-Initiated login:

  1. Login to Salesforce.
  2. Click Setup. A left pane displaying various sections appears.
  3. In the Administration Setup section, expand Domain Management and click My Domain. The My Domain page appears.
    The My Domain page

  4. In the Authentication Configuration section, click Edit. The Authentication Configuration page appears.
    The Authentication Configuration Edit page

  5. For Authentication Service, select the SAML SSO setting you created (RF_SSO_SAML in this example).

Configuring the Identity Provider (ADFS 2.0)

Salesforce (the Service Provider) consumes the token-signing certificate that the IDP provides and generates a metadata XML file. The SP administrator provides this generated file to the IDP.
To configure the Identity Provider (ADFS 2.0):

  1. Navigate to the ADFS server and open the Active Directory Federation Services (ADFS) 2.0 Management console. The ADFS 2.0 window appears.
    The AD FS 2.0 window

  2. In the left pane, expand Trust Relationships and right-click Relying Party Trusts. A pop-up displaying the Relying Party Trusts options appears.
    The pop-up displaying the Relying Party Trusts options

  3. Click Add Relying Party Trust. The Add Relying Party Trust Wizard appears.
    The Add Relying Party Trust Wizard

  4. Click Start. The Select Data Source window appears.
    The Select Data Source window

  5. In the right pane, select Import data about the relying party from a file and click Browse to specify the location of the metadata XML file. For example: C:\Tools\Salesforce_Test\Salesforce_metadata.xml
    Click Next. The Specify Display Name window appears.
    The Specify Display Name window

  6. Enter an appropriate display name. For example: Salesforce_SP. Click Next. The Choose Issuance Authorization Rules window appears.
    The Choose Issuance Authorization Rules window

  7. Select Permit all users to access this relying party and click Next. The Ready to Add Trust window displaying the settings for monitoring, identifiers, encryption, and so on appears. With this rule, any user who can authenticate to ADFS can obtain a token for Salesforce; a user can still log in only if a Salesforce user with a matching Federation ID exists. To limit who can obtain a token, tighten the rule later under Edit Claim Rules > Issuance Authorization Rules.
    The Ready to Add Trust window

  8. Click Next. The Finish window appears.
    The Finish window

  9. Select Open the Edit Claim Rules dialog for this relying party trust when the wizard closes. Click Close. The Edit Claim Rules for Salesforce_SP window appears.
    The Edit Claim Rules for Salesforce_SP window

  10. In the Issuance Transform Rules tab, click Add Rule. The Add Transform Claim Rule Wizard displaying the Select Rule Template window appears.
    The Add Transform Claim Rule Wizard

  11. In the right pane, from the Claim rule template drop-down list, select Send LDAP Attributes as Claims. Click Next. The Configure Rule window appears.
    The Configure Rule window

  12. Enter appropriate information in the fields given in the table below:

    Field: Description

    Claim rule name: Enter an appropriate name for the rule. For example: Email ID & Name ID.

    Attribute store: From the drop-down list, select Active Directory.

    LDAP Attribute: From the drop-down list, select E-Mail Addresses.

    Outgoing Claim Type: From the drop-down list, select Name ID. The value of this claim becomes the NameID in the Subject of the assertion, and it must equal the Federation ID entered on the Salesforce user record.

  13. Click Finish. The Relying Party Trust is added.

  14. Return to the ADFS 2.0 Management console (see step 1).

  15. In the left pane, expand Trust Relationships and click Relying Party Trusts. A right pane displaying the available Relying Party Trusts appears.
    The list of Relying Party Trusts

  16. Right-click the Salesforce_SP Relying Party Trust and click Properties. The Salesforce_SP Properties window appears.
    The Salesforce_SP Properties window

  17. In the Advanced tab, from the Secure hash algorithm drop-down list, select SHA-1. This is the hash algorithm ADFS uses to sign the tokens it issues to Salesforce. SHA-1 is deprecated for digital signatures; if SHA-256 is offered and Salesforce accepts the resulting assertions (confirm with a test login), prefer SHA-256.

  18. Click OK.
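The relying party trust and claim rules from steps 1 through 18, created from the ADFS 2.0 PowerShell snap-in instead of the console, as an added example that is not part of the original page. It assumes an elevated PowerShell session on the ADFS server; the metadata path and display name are the example values used above. The rule text is the claim rule language that the console generates for the Permit all users and Send LDAP Attributes as Claims templates.

```powershell
# Added example, not from the Remedyforce documentation: create the Salesforce
# relying party trust and its claim rules from the ADFS 2.0 PowerShell snap-in.
# Assumptions: elevated session on the ADFS server; the metadata path and the
# display name are the example values used on this page.
Add-PSSnapin Microsoft.Adfs.PowerShell -ErrorAction SilentlyContinue

$MetadataFile = 'C:\Tools\Salesforce_Test\Salesforce_metadata.xml'   # downloaded from Salesforce
$TrustName    = 'Salesforce_SP'

# Steps 5-6: import the relying party from the SP metadata Salesforce generated.
# The file carries Salesforce's Entity Id, Assertion Consumer Service URL and
# request-signing certificate, so none of them has to be typed in by hand.
if (-not (Test-Path $MetadataFile)) { throw "Metadata file not found: $MetadataFile" }
Add-ADFSRelyingPartyTrust -Name $TrustName -MetadataFile $MetadataFile

# Step 7: "Permit all users to access this relying party". Any authenticated AD
# user can then obtain a token for Salesforce; tighten this rule in production.
$authorizationRules = @'
@RuleTemplate = "AllowAllAuthzRule"
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
'@

# Steps 10-13: "Send LDAP Attributes as Claims", E-Mail Addresses -> Name ID.
# Salesforce compares the NameID with the user's Federation ID, so the AD mail
# attribute must hold exactly the value entered on the Salesforce user record.
$transformRules = @'
@RuleTemplate = "LdapClaims"
@RuleName = "Email ID & Name ID"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier"), query = ";mail;{0}", param = c.Value);
'@

# Step 17: hash algorithm ADFS uses to sign tokens for this trust. The page uses
# SHA-1; SHA-256 is the stronger choice where Salesforce accepts the assertions.
$rsaSha1   = 'http://www.w3.org/2000/09/xmldsig#rsa-sha1'
$rsaSha256 = 'http://www.w3.org/2001/04/xmldsig-more#rsa-sha256'
$signatureAlgorithm = $rsaSha1   # switch to $rsaSha256 once a test login succeeds with it

Set-ADFSRelyingPartyTrust -TargetName $TrustName `
    -IssuanceAuthorizationRules $authorizationRules `
    -IssuanceTransformRules     $transformRules `
    -SignatureAlgorithm         $signatureAlgorithm

# Read the trust back and confirm what ADFS will actually do before testing a login.
$trust = Get-ADFSRelyingPartyTrust -Name $TrustName
$trust | Select-Object Name, Identifier, SignatureAlgorithm, Enabled | Format-List
"Transform rules:`n" + $trust.IssuanceTransformRules
```

The Identifier printed at the end must equal the Entity Id entered in the Salesforce SSO setting; if it does not, the metadata file came from a different org or was downloaded before the Entity Id was changed.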

Verifying the Single Sign-On Configuration using ADFS 2.0

To verify that Single Sign-On has been configured correctly, perform the following procedure for each of IDP-initiated and SP-initiated login.

Identity Provider initiated login

To verify IDP-initiated login:
Use the ADFS IDP-initiated sign-on URL and specify the loginToRp parameter. Its value is the relying party identifier, that is, the Entity Id configured in the Salesforce SSO setting. For example:

https://websso.mydomain.co.in/adfs/ls/idpinitiatedsignon.aspx?loginToRp=https://test-sso-dev-ed.my.salesforce.com

If you are already logged in to the IDP, the browser follows a series of redirects and logs you into Salesforce. If you are not logged in to the IDP, enter your credentials on the IDP login page; you are then redirected to Salesforce.

Note

In case of a Force.com login error, navigate to SSO Setting in Salesforce and use the SAML Validation Tool. This displays the last failed SAML login.

Service Provider initiated login

To verify SP-initiated login:
Enter your My Domain URL in a browser, for example: https://test-sso-dev-ed.my.salesforce.com
Because the domain's Authentication Service is set to the SAML SSO setting, the page redirects to the IDP for authentication.

Note

If you already have a session at the IDP, you are redirected straight back to Salesforce. Otherwise, the IDP prompts you for your credentials first.
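When a test login fails, the SAML Validation Tool shows the last failed assertion, but it helps to check the response before it reaches Salesforce. The following PowerShell function, added here as an example and not part of the original page, decodes a SAMLResponse captured from the browser (the form field ADFS posts to Salesforce, visible in the browser's developer tools) and compares the fields Salesforce checks with the SSO setting values: Issuer, Audience (Entity Id), the NameID that must match a Federation ID, the signature algorithm, and the validity window. It is a structural pre-check only and does not verify the XML signature. The sample response embedded below is constructed for this example with a placeholder SignatureValue; it is not a real ADFS token.

```powershell
# Added example, not from the Remedyforce documentation: decode a SAMLResponse
# posted to Salesforce and compare the fields Salesforce checks with the SSO
# setting. Structural pre-check only: it does not verify the XML signature.

function Test-SamlResponse {
    param(
        [Parameter(Mandatory)][string]$Base64Response,    # value of the SAMLResponse form field
        [Parameter(Mandatory)][string]$ExpectedIssuer,    # SSO setting: Issuer
        [Parameter(Mandatory)][string]$ExpectedAudience,  # SSO setting: Entity Id
        [datetime]$Now = [datetime]::UtcNow               # injectable so the sample run is reproducible
    )
    $doc = New-Object System.Xml.XmlDocument
    $doc.LoadXml([Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($Base64Response)))

    $ns = New-Object System.Xml.XmlNamespaceManager($doc.NameTable)
    $ns.AddNamespace('samlp', 'urn:oasis:names:tc:SAML:2.0:protocol')
    $ns.AddNamespace('saml',  'urn:oasis:names:tc:SAML:2.0:assertion')
    $ns.AddNamespace('ds',    'http://www.w3.org/2000/09/xmldsig#')

    $problems = New-Object System.Collections.Generic.List[string]

    $status = $doc.SelectSingleNode('/samlp:Response/samlp:Status/samlp:StatusCode', $ns)
    if (-not $status -or $status.GetAttribute('Value') -ne 'urn:oasis:names:tc:SAML:2.0:status:Success') {
        $problems.Add('Response status is not Success: ' + $(if ($status) { $status.GetAttribute('Value') } else { 'missing' }))
    }

    $assertion = $doc.SelectSingleNode('/samlp:Response/saml:Assertion', $ns)
    if (-not $assertion) {
        $problems.Add('No plain Assertion element (an EncryptedAssertion needs an Assertion Decryption Certificate in the SSO setting)')
        return [pscustomobject]@{ Ok = $false; Problems = $problems.ToArray() }
    }

    $issuer     = $assertion.SelectSingleNode('saml:Issuer', $ns).InnerText
    $audience   = $assertion.SelectSingleNode('saml:Conditions/saml:AudienceRestriction/saml:Audience', $ns).InnerText
    $nameId     = $assertion.SelectSingleNode('saml:Subject/saml:NameID', $ns)
    $sigMethod  = $assertion.SelectSingleNode('ds:Signature/ds:SignedInfo/ds:SignatureMethod', $ns)
    $conditions = $assertion.SelectSingleNode('saml:Conditions', $ns)

    if ($issuer -ne $ExpectedIssuer)     { $problems.Add("Issuer '$issuer' does not match SSO setting Issuer '$ExpectedIssuer'") }
    if ($audience -ne $ExpectedAudience) { $problems.Add("Audience '$audience' does not match SSO setting Entity Id '$ExpectedAudience'") }
    if (-not $nameId -or -not $nameId.InnerText) {
        $problems.Add('Subject has no NameID; the ADFS claim rule must issue Name ID (it must equal the user''s Federation ID)')
    }
    if (-not $sigMethod) {
        $problems.Add('Assertion carries no Signature; Salesforce rejects unsigned assertions')
    } elseif ($sigMethod.GetAttribute('Algorithm') -like '*rsa-sha1') {
        $problems.Add('Assertion is signed with RSA-SHA1 (deprecated); prefer SHA-256 on the relying party trust')
    }
    $notBefore    = [datetime]::Parse($conditions.GetAttribute('NotBefore'),    $null, 'AdjustToUniversal')
    $notOnOrAfter = [datetime]::Parse($conditions.GetAttribute('NotOnOrAfter'), $null, 'AdjustToUniversal')
    if ($Now -lt $notBefore -or $Now -ge $notOnOrAfter) {
        $problems.Add("Assertion not valid at $($Now.ToString('u')); window is $notBefore to $notOnOrAfter (check ADFS clock skew)")
    }

    $nameIdValue = $null; if ($nameId)    { $nameIdValue = $nameId.InnerText }
    $algorithm   = $null; if ($sigMethod) { $algorithm   = $sigMethod.GetAttribute('Algorithm') }
    [pscustomobject]@{
        Ok              = ($problems.Count -eq 0)
        Issuer          = $issuer
        Audience        = $audience
        NameID          = $nameIdValue
        SignatureMethod = $algorithm
        Problems        = $problems.ToArray()
    }
}

# Constructed sample (not a real ADFS token): the XML a browser would post,
# base64-encoded as it appears in the SAMLResponse field. SignatureValue is a placeholder.
$sampleXml = @'
<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0" IssueInstant="2019-06-01T10:00:00Z">
  <saml:Issuer>http://testdomain.co.in/adfs/services/trust</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2019-06-01T10:00:00Z">
    <saml:Issuer>http://testdomain.co.in/adfs/services/trust</saml:Issuer>
    <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:SignedInfo><ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/></ds:SignedInfo><ds:SignatureValue>cGxhY2Vob2xkZXI=</ds:SignatureValue></ds:Signature>
    <saml:Subject><saml:NameID>test.user@testdomain.co.in</saml:NameID></saml:Subject>
    <saml:Conditions NotBefore="2019-06-01T10:00:00Z" NotOnOrAfter="2019-06-01T11:00:00Z">
      <saml:AudienceRestriction><saml:Audience>https://test-sso-dev-ed.my.salesforce.com</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>
'@
$sampleResponse = [Convert]::ToBase64String([Text.Encoding]::UTF8.GetBytes($sampleXml))

$result = Test-SamlResponse -Base64Response $sampleResponse `
    -ExpectedIssuer   'http://testdomain.co.in/adfs/services/trust' `
    -ExpectedAudience 'https://test-sso-dev-ed.my.salesforce.com' `
    -Now ([datetime]::Parse('2019-06-01T10:30:00Z', $null, 'AdjustToUniversal'))
$result | Format-List   # Ok is False for the sample only because it is signed with RSA-SHA1
```

For a real capture, paste the SAMLResponse value into -Base64Response and omit -Now. A NameID that looks right but still fails in Salesforce usually differs from the Federation ID by case or by a trailing space, so compare the printed value character by character with the user record.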
