
Configuring Single Sign-On using ADFS 3.0


This section provides information about configuring Single Sign-On using ADFS 3.0. For more information, refer to the following sections:

Prerequisites

Before you start configuring ADFS and Salesforce for Single Sign-On, you must address the following prerequisites:

  • Install Microsoft Windows 2008 R2
  • Install Microsoft Active Directory
  • Install Microsoft Certificate Server and IIS
  • Install Microsoft Active Directory Federation Services 3.0 or a later version
  • Create and configure a Server Authentication Certificate in IIS

See Single Sign-On, Active Directory, and Salesforce for details about these prerequisites.

To install a certificate

Perform the following steps if the Token-signing certificate has expired on the ADFS server.

  1. In ADFS, expand Service and click Certificates.
  2. Double click the certificate listed under Token-signing.
    image_certificate_install_ADFS3.png
  3. If the CA root certificate is not trusted, it appears as follows.
    image_ADFS3_CA_root_certificate.png
  4. Click Install Certificate.
  5. Select Local Machine.
    image_ADFS3_certificate_import_wizard.png
  6. On Certificate Import Wizard, click Next.
  7. Select Place all certificates in the following store and click Browse.
  8. In the Select Certificate Store window, select Trusted Root Certification Authorities and click OK.
    image_ADFS_certificate_store.png
  9. Click Next.
  10. Click Finish.
  11. When the Security Warning dialog box is displayed to install the certificate, click Yes.
  12. Click OK on the message indicating that the import was successful.
  13. Click OK and close the Certificate dialog.
  14. Double click on the certificate listed under Token-signing. The certificate should now be trusted.
    image_ADFS_certifcation_information.png
  15. Click on the Details tab and then click Copy to File.
    image_ADFS_copy_to_file.png
  16. Specify a filename and a directory where the file should be created.
    image_ADFS_file_to_export.png
  17. Click Next.
  18. Click Finish.
  19. Click OK on the dialog box that is displayed to show that the export was successful.
  20. Click OK to close the Certificate dialog box.
  21. Double click on the certificate listed under Token-decrypting.
    image_token-decrypting.png
  22. To install the Token Decrypting certificate, perform Step 4 to Step 12.
  23. In the ADFS 3.0 tree, click Service > Endpoints.
  24. Under the Metadata section, locate the entry whose type is Federation Metadata.
  25. Make a note of the URL path, as shown in the following image.
    image_ADFS_federation_metadata.png
  26. Modify the URL as follows, where <VM/server name> is the machine on which ADFS is installed:

    https://<VM/server name>/<Federation metadata URL path>
    For example: https://vw-pun-rem-dvbx.punremforce.local/FederationMetadata/2007-06/FederationMetadata.xml

  27. Download this metadata file. You will import it later into the Salesforce Single Sign-On settings.
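The same certificate checks and exports, run from an elevated PowerShell session on the ADFS server. This is an added example, not part of the original procedure; the export directory C:\ADFS-Export is an assumption.

```powershell
# Added example: check the ADFS 3.0 token-signing and token-decrypting certificates for
# expiry and chain trust, export the primary token-signing certificate (Details > Copy to File),
# and download the Federation Metadata document that Salesforce imports.
# Run in an elevated PowerShell session on the ADFS server. C:\ADFS-Export is an assumed path.
Import-Module ADFS

$exportDir = 'C:\ADFS-Export'
New-Item -ItemType Directory -Path $exportDir -Force | Out-Null

foreach ($type in 'Token-Signing', 'Token-Decrypting') {
    foreach ($entry in Get-AdfsCertificate -CertificateType $type) {
        $cert     = $entry.Certificate   # X509Certificate2 held by ADFS
        $role     = if ($entry.IsPrimary) { 'primary' } else { 'secondary' }
        $daysLeft = [int]($cert.NotAfter - (Get-Date)).TotalDays

        # Verify() builds the chain against the local machine's trusted roots; a false result is
        # the condition the wizard steps above fix by importing the CA root into
        # Trusted Root Certification Authorities.
        $chainOk = $cert.Verify()

        Write-Host ("{0} [{1}] thumbprint={2} expires={3:yyyy-MM-dd} daysLeft={4} chainTrusted={5}" -f
            $type, $role, $cert.Thumbprint, $cert.NotAfter, $daysLeft, $chainOk)

        if ($daysLeft -le 0) { Write-Warning "$type certificate $($cert.Thumbprint) has expired." }
        if (-not $chainOk)   { Write-Warning "$type certificate chain is not trusted on this machine." }

        # DER export of the primary token-signing certificate (equivalent to Copy to File).
        if ($type -eq 'Token-Signing' -and $entry.IsPrimary) {
            Export-Certificate -Cert $cert -FilePath (Join-Path $exportDir 'adfs-token-signing.cer') | Out-Null
        }
    }
}

# Federation Metadata endpoint (Service > Endpoints > Metadata in the ADFS console).
$metadata = Get-AdfsEndpoint | Where-Object { $_.Protocol -eq 'Federation Metadata' }
Write-Host "Federation metadata URL: $($metadata.FullUrl)"

# Download the metadata file to import into Salesforce (New from Metadata File).
Invoke-WebRequest -Uri $metadata.FullUrl -UseBasicParsing `
    -OutFile (Join-Path $exportDir 'FederationMetadata.xml')
```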

To configure Single Sign-On in a Salesforce organization

Perform the following steps if you are using a new organization or if you want to create new Single Sign-On settings for an existing organization.

  1. To create a domain name, navigate to the required path:

    • For Salesforce Classic, go to Setup > Administer > Domain Management > My Domain.
    • For Salesforce Lightning, go to Setup > Settings > Company Settings > My Domain.

    image_ADFS_my_domain.png

  2. Enter Domain Name and click Check Availability.
  3. Click Register Domain.
  4. Navigate to the required path:

    • For Salesforce Classic, go to Setup > Administer > Security Controls > Single Sign-On Settings.
    • For Salesforce Lightning, go to Setup > Settings > Identity > Single Sign-On Settings.

    image_ADF_SSO_settings.png

  5. Click Edit and select SAML Enabled.
  6. Click New from Metadata File.
  7. Import the metadata file that you downloaded while configuring ADFS.
    image_ADFS_SAML_SSO_settings.png
  8. Click Create. The following screen is displayed with the pre-populated fields.
  9. Select SAML Identity Type: Assertion contains the Federation ID from the User object.
    image_ADFS_SAML_identity_type.png
  10. Click Save.
  11. Click Download Metadata.
    image_ADFS_download_metadata.png
  12. Save the XML file to a directory. You will select this file as the data source when configuring the relying party trust in ADFS.

To enable a direct login button for Single Sign-On

  1. Navigate to the required path:
    • For Salesforce Classic, go to Setup > Administer > Domain Management > My Domain.
    • For Salesforce Lightning, go to Setup > Settings > Company Settings > My Domain.
  2. Under Authentication Configuration, click Edit.
    image_ADFS_authentication_configuration.png
  3. Select the check box for the SAML configuration that you created earlier.
    image_ADFS_SAML_authentication_configuration.png
  4. Click Save.

    The login page displays an additional button as shown in the following image.
    image_ADFS_additional_button.png

To configure Salesforce user settings

  1. Log into Salesforce as a system administrator.
  2. Navigate to the required path:
    • For Salesforce Classic, go to Setup > Administer > Manage Users > Users.
    • For Salesforce Lightning, go to Setup > Administration > Users > Users.
  3. Locate the user whose credentials will be used for testing and click the user.
  4. Click Edit.
  5. In the Federation ID field, enter the fully qualified name of the user. In this example, it is: asdd2as@bmc.com
  6. Click Save.

To configure ADFS 3.0

Build a trust relationship between Salesforce and ADFS 3.0 using the following steps:

  1. In ADFS 3.0, click the root ADFS.
  2. Under Actions > ADFS, click Add Relying Party Trust.
    image_ADFS_add_relying_party_trust.png
  3. On the Welcome page, click Start.
  4. On the Select Data Source page, click Import data about the relying party from a file.
  5. In the Federation metadata file location field, select the metadata XML that you exported from Salesforce.
    image_ADFS_import_data_relying_party.png
  6. Click Next.
  7. Enter a value in the Display name field. For example, RemedyforceSSO
    image_ADFS_specify_display_name.png
  8. In the Note field, add any additional notes as required and then click Next.
  9. Select I do not want to configure multi-factor authentication settings for this relying party trust at this time.
    image_ADFS_configure_multifactor_auth.png
  10. On the Choose Issuance Authorization Rules page, select Permit all users to access this relying party.
    image_ADFS_issuance_auth_rules.png
  11. Click Next.
  12. On the Ready to Add Trust page, click Next.
  13. Ensure that the Open the Edit Claim Rules dialog for this relying party trust when the wizard closes check box is selected.
    image_ADFS_open_edit_claim_rules.png
  14. Click Close.
  15. In the Issuance Transform Rules tab, click Add Rule.
    image_ADFS_edit_claim_rules.png
  16. For the Claim rule template, select Send LDAP Attributes as Claims and click Next.
    image_ADFS_select_rule_template.png
  17. Enter a value in the Claim rule name field. In this example, Remedyforce Claim rule.
  18. In the Attribute store field, select Active Directory.
  19. Under LDAP Attribute, select E-Mail-Addresses.
  20. Under Outgoing Claim Type, select Name ID.
    image_ADFS_configure_claim_rule.png
  21. Click Finish and then click OK.
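The relying party trust and both rules that the wizard steps above create, expressed in PowerShell so the result can be reviewed and kept under change control. This is an added example, not part of the original procedure; the metadata path C:\ADFS-Export\SalesforceSP.xml and the display name RemedyforceSSO are assumptions, and the Get-ADUser check at the end assumes the ActiveDirectory module is available.

```powershell
# Added example: create the Salesforce relying party trust from the metadata XML exported from
# Salesforce, with the "Permit all users" authorization rule and the
# "Send LDAP Attributes as Claims" rule (E-Mail-Addresses -> Name ID) from the wizard steps.
# Assumed values: C:\ADFS-Export\SalesforceSP.xml and display name RemedyforceSSO.
Import-Module ADFS

$metadataFile = 'C:\ADFS-Export\SalesforceSP.xml'
$displayName  = 'RemedyforceSSO'

# Equivalent of "Permit all users to access this relying party".
$authzRules = @'
@RuleTemplate = "AllowAllAuthzRule"
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
'@

# The AD "mail" attribute (E-Mail-Addresses) is issued as the SAML Name ID; Salesforce matches
# it against the user's Federation ID (SAML Identity Type selected in the Salesforce steps).
$transformRules = @'
@RuleTemplate = "LdapClaims"
@RuleName = "Remedyforce Claim rule"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier"), query = ";mail;{0}", param = c.Value);
'@

if (Get-AdfsRelyingPartyTrust -Name $displayName) {
    throw "A relying party trust named '$displayName' already exists."
}

Add-AdfsRelyingPartyTrust -Name $displayName `
    -MetadataFile $metadataFile `
    -Notes 'Salesforce / Remedyforce SSO, imported from Salesforce SP metadata' `
    -IssuanceAuthorizationRules $authzRules `
    -IssuanceTransformRules $transformRules

# Review what the import produced: the identifier and assertion consumer endpoints must match
# the Entity ID and Login URL shown in the Salesforce Single Sign-On Settings.
$rp = Get-AdfsRelyingPartyTrust -Name $displayName
$rp | Select-Object Name, Identifier, Enabled, SignatureAlgorithm, SamlResponseSignature | Format-List
$rp.SamlEndpoints | Select-Object Protocol, Binding, Index, IsDefault, Location | Format-Table -AutoSize

# A user whose AD mail attribute is empty or differs from the Salesforce Federation ID gets no
# usable Name ID and the login fails. Confirm the test user (asdd2as@bmc.com in the example).
Import-Module ActiveDirectory
Get-ADUser -Filter 'mail -eq "asdd2as@bmc.com"' -Properties mail | Select-Object SamAccountName, mail
```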

To verify ADFS 3.0 Single Sign-On setup

  1. Log in to the domain as your test account. (Log in to the machine or VM on which the ADFS server is set up.)
  2. Launch your browser and go to the ADFS IdP-initiated login URL which for this example is as follows:
    https://vw-pun-rem-dvbx.punremforce.local/adfs/ls/IdpInitiatedSignOn.aspx?loginToRp=saml.salesforce.com

    image_ADFS_verify_setup.png
  3. To validate SAML Assertion, navigate to the required path:
    • For Salesforce Classic, go to Setup > Administer > Security Controls > Single Sign-On Settings.
    • For Salesforce Lightning, go to Setup > Settings > Identity > Single Sign-On Settings.
  4. Click the required single sign on setting name and then click SAML Assertion Validator.
    image_ADFS_SAML_assertion_validator.png
  5. Click Validate. The following screen is displayed.
    image_ADFS_validation_screen.png

Related topic

Troubleshooting issues related to Single Sign-On configuration using ADFS 3.0
