Federated Single Sign-On using OneLogin


Federated SSO configuration using OneLogin requires performing the following:

  1. Getting the Salesforce Organization ID
  2. Configuring the Identity Provider (OneLogin)
  3. Configuring the Service Provider (Salesforce)
  4. Verifying the Single Sign-On Configuration with Federated SSO using OneLogin

Getting the Salesforce Organization ID

To get the Salesforce Organization ID:

  1. Click Setup. A left pane displaying various sections appears.
  2. In the Administration Setup section, expand Company Profile and click Company Information. The Company Information page displaying the Salesforce Organization ID appears.
    [Figure: The Company Information page displaying the Salesforce Organization ID]

 

Note

The Salesforce Organization ID is required while configuring the Identity Provider (OneLogin).

Configuring the Identity Provider (OneLogin)

To configure the Identity Provider (OneLogin):

  1. Log in to OneLogin at the following URL: https://app.onelogin.com/login

    Note

    • To obtain OneLogin credentials, register on the OneLogin website.
    • You can go to www.onelogin.com and opt for a free trial.
    • You can also contact your IT team to check whether your company is already a OneLogin customer or partner.
  2. Enter your login credentials and click LOG IN. The OneLogin home page appears.
    [Figure: The OneLogin home page]
  3. On the navigation bar, hover over Apps. A drop-down list appears.
    [Figure: The Apps drop-down list]
  4. Click Add Apps. The Find Applications page appears.
    [Figure: The Find Applications page]
  5. In the search box, enter Remedyforce. A list of applications based on the search appears.
    [Figure: The list of the searched applications]
  6. Click Remedyforce [Sandbox]. The Add Remedyforce [Sandbox] page displaying the Configuration tab appears.
    [Figure: The Add Remedyforce [Sandbox] page displaying the Configuration tab]
  7. In the Portal section, enter an appropriate Display Name for the application.
  8. Click Save. The Info tab appears.
    [Figure: The Remedyforce [Sandbox] Info tab]
  9. Click the Configuration tab. The Configuration tab appears.
    [Figure: The Remedyforce Configuration tab]
  10. In the Application Details section, enter your Salesforce Organization ID. In the API Connection section, enter your Salesforce credentials.
    The API Status displays the status as Connected.

    Note

    The Connected status indicates that OneLogin has successfully established a connection with your Salesforce org using your Salesforce credentials.

  11. Click the Parameters tab. The Parameters tab appears.
    [Figure: The Remedyforce [Sandbox] Parameters tab]
  12. Select Configured by admin.
  13. Select the specified values for the following Remedyforce [Sandbox] fields:
    • Phone: From the drop-down list, select the value Phone.
    • User ID: From the drop-down list, select the value Email.
  14. Click the SSO tab. The SSO tab displaying the X.509 Certificate, Issuer URL, SAML 2.0 Endpoint, and SLO Endpoint (HTTP) appears.
    [Figure: The Remedyforce [Sandbox] SSO tab]
    The Issuer URL and SAML 2.0 Endpoint (HTTP) are auto-generated.
  15. Click Save. The configuration is saved.

    Note

    • X.509 Certificate, Issuer URL, SAML 2.0 Endpoint, and SLO Endpoint are auto-generated.
    • Copy the auto-generated Issuer URL and SAML 2.0 Endpoint (HTTP), which are required in the Salesforce Single Sign-On Settings.
  16. In the Enable SAML 2.0 section, click View Details. The Standard Strength Certificate (2048-bit) page appears.
    [Figure: The Standard Strength Certificate (2048-bit) page]
  17. Click Download and save the certificate to your local machine.

    Note

    The downloaded Standard Strength Certificate is imported while configuring the Single Sign-On Settings on Salesforce. 

Configuring the Service Provider (Salesforce)

To configure the Service Provider (Salesforce):

  1. Log in to Salesforce and see Step 1 to Step 4.
  2. Enter appropriate information in the fields given in the table below:

    Field | Description
    ----- | -----------
    Name | Enter an appropriate name for the SSO Setting.
    API Name | The API name is generated automatically based upon the name specified for the SSO Setting.
    Issuer | Enter the Issuer URL generated in OneLogin. For example: https://app.onelogin.com/saml/metadata/453901
    Entity Id | Enter https://saml.salesforce.com if you do not have any domain deployed. If a domain is deployed, use the MyDomain URL. For example: https://test-sso--x1.cs22.my.salesforce.com
    Identity Provider Certificate | Browse and select the certificate downloaded from OneLogin. For example: X.509 PEM Certificate
    Request Signing Certificate | From the drop-down list, select Default Certificate.
    Request Signature Method | From the drop-down list, select RSA-SHA1.
    Assertion Decryption Certificate | From the drop-down list, select Assertion not encrypted.
    SAML Identity Type | Select the Assertion contains the Federation ID from the User object option.
    SAML Identity Location | Select the Identity is in the NameIdentifier element of the Subject statement option.
    Identity Provider Login URL | Enter the URL of your OneLogin SAML endpoint, to which Force.com sends SAML requests for SP-initiated login.
    Identity Provider Logout URL | Enter the URL that you want the logged out user to receive.
    Custom Error URL | Enter the URL of a custom page, to which the user is redirected in case of any error in login. For example: www.testdomain.com/ErrorPage
    Service Provider Initiated Request Binding | Select the HTTP POST option.

      

    • Fields marked with a red side bar are mandatory.
    • You can edit the auto-generated API name.
    • If you cannot see Service Provider Initiated Request Binding, check whether the My Domain feature is enabled for your organization. If My Domain is not enabled, raise a case with Salesforce to have it enabled.
  3. Click Save. The configuration is saved. It updates and displays the certificate expiration date.
    [Figure: The SAML SSO Setting page displaying the expiration date]

Verifying the Single Sign-On Configuration with Federated SSO using OneLogin

To verify that Single Sign-On has been configured correctly, perform the following procedures for both IDP initiated and SP initiated login.

Identity Provider initiated login

To verify IDP initiated login:

Enter the OneLogin login URL in a browser.

For example: https://psl.onelogin.com/trust/saml2/http-post/sso/453901

If you are already logged in to the IDP, the browser follows a set of redirection instructions and logs you into Salesforce. If you are not logged into the IDP, enter your login credentials on the IDP login page. This will redirect you to Salesforce. 

Note

In case of a Force.com login error, navigate to SSO Setting in Salesforce and use the SAML Validation Tool. This displays the last failed SAML login.
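
When a login fails, the fields of the SAML response can be compared with the values entered in the SSO setting (Issuer, Entity Id, and the Federation ID carried in the NameID). The following Python script is an added example, not part of the original documentation or of any Salesforce or OneLogin tooling; the sample response, the jdoe@example.com Federation ID, and the check_response helper are constructed for illustration, and the script compares fields only, without verifying the signature.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "samlp": "urn:oasis:names:tc:SAML:2.0:protocol"}

# SSO setting values, taken from the examples on this page.
SETTING = {"issuer": "https://app.onelogin.com/saml/metadata/453901",
           "entity_id": "https://test-sso--x1.cs22.my.salesforce.com"}

# Constructed, unsigned sample response (not captured from a real org).
# Its Audience is the no-domain default, which does not match SETTING.
SAMPLE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Assertion>
    <saml:Issuer>https://app.onelogin.com/saml/metadata/453901</saml:Issuer>
    <saml:Subject><saml:NameID>jdoe@example.com</saml:NameID></saml:Subject>
    <saml:Conditions><saml:AudienceRestriction>
      <saml:Audience>https://saml.salesforce.com</saml:Audience>
    </saml:AudienceRestriction></saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""


def check_response(xml_text, setting, federation_ids):
    """Return mismatches between a SAML response and the SSO setting.

    Field comparison only: the XML signature is NOT verified here.
    Run it only on responses from your own IdP; ElementTree is not
    hardened against hostile XML.
    """
    root = ET.fromstring(xml_text)
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return ["no plaintext Assertion (setting expects 'Assertion not encrypted')"]
    problems = []
    issuer = assertion.findtext("saml:Issuer", "", NS).strip()
    if issuer != setting["issuer"]:
        problems.append(f"Issuer {issuer!r} != setting {setting['issuer']!r}")
    audiences = [a.text.strip() for a in assertion.iterfind(".//saml:Audience", NS) if a.text]
    if setting["entity_id"] not in audiences:
        problems.append(f"Entity Id {setting['entity_id']!r} not in Audience {audiences}")
    name_id = assertion.findtext("saml:Subject/saml:NameID", "", NS).strip()
    if name_id not in federation_ids:
        problems.append(f"NameID {name_id!r} is not a known Federation ID")
    return problems


if __name__ == "__main__":
    for problem in check_response(SAMPLE, SETTING, {"jdoe@example.com"}):
        print("MISMATCH:", problem)
```

The constructed sample fails on the Audience check because it carries https://saml.salesforce.com while the setting uses the MyDomain URL, which is the mismatch the Entity Id field description addresses.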

Service Provider initiated login

To verify SP initiated login:

Enter the following domain specific URL in a browser: https://test-sso--x1.cs22.my.salesforce.com.

The page redirects to IDP for authentication. 

Note

If your user credentials are already validated, you will be redirected to Salesforce. If the user credentials are not validated, the IDP will prompt you to enter your credentials.

 
