Fairsail. Implementer. Single Sign-On with Fairsail and Microsoft Active Directory Federation Services 2.0. Version 1.92 FS-SSO-XXX-IG R001.

Transcription

1 Fairsail Implementer Microsoft Active Directory Federation Services 2.0 Version 1.92 FS-SSO-XXX-IG R001.92

2 Fairsail All rights reserved. This document contains information proprietary to Fairsail and may not be reproduced, disclosed, or used in whole or in part without the written permission of Fairsail. Software, including but not limited to the code, user interface, structure, sequence, and organization, and documentation are protected by national copyright laws and international treaty provisions. This document is subject to U.S. and other national export regulations. Fairsail takes care to ensure that the information in this document is accurate, but Fairsail does not guarantee the accuracy of the information or that use of the information will ensure correct and faultless operation of the service to which it relates. Fairsail, its agents and employees, shall not be held liable to or through any user for any loss or damage whatsoever resulting from reliance on the information contained in this document. Nothing in this document alters the legal obligations, responsibilities or relationship between you and Fairsail as set out in the contract existing between us. This document may contain screenshots captured from a standard Fairsail system populated with fictional characters and using licensed personal images. Any resemblance to real people is coincidental and unintended. All trademarks and service marks mentioned in this document belong to their corresponding owners. FS-SSO-XXX-IG R Microsoft Active Directory Federation Services 2.0 Fairsail

3 Contents Contents Background 4 Prerequisites 5 Overview 6 Procedure 7 Installation 8 Configuration 9 Fairsail Configuration 9 AD FS 2.0 Configuration 15 SP-Initiated Login 17 Testing 18 Logging in to Fairsail Using Single Sign-On 19 Setting Up Chrome for Single Sign-On 20 Setting Up Firefox for Single Sign-On 25 Setting Up Internet Explorer for Single Sign-On 27 References and more information 31 Troubleshooting 32 Internet Information Services 33 Active Directory Federation Services 34 Service Provider Initiated Login 36 Appendix: Browser handling of SAML requests 37 Step 1 38 Step 2 40 Step 3 43 Microsoft Active Directory Federation Services 2.0 Fairsail

4 Background Authentication for multiple cloud based services is greatly simplified by using single sign-on (SSO) technologies. SSO enables users to log in at a single location and access a range of services without re-authenticating. Since its release in 2005, the Security Assertion Markup Language (SAML) version 2.0 has established itself as the dominant standard for cross-domain web single sign-on in the enterprise space, with salesforce.com introducing support in the Winter '09 release (October 2008) and Microsoft in Active Directory Federation Services (AD FS) version 2.0 in May You can now configure a seamless single sign-on from a Microsoft environment to Fairsail without a third-party federation product. Microsoft Active Directory Federation Services 2.0 Fairsail

5 Prerequisites You will need: Microsoft Windows Server 2008 R2 Enterprise or Datacenter edition, NOT Standard edition. If you are configuring this environment for an evaluation, you can download a 180 day trial version here: Microsoft Active Directory Federation Services (AD FS) 2.0. Windows Server 2008 R2 includes AD FS 1.0, which does not support SAML 2.0. If you have AD FS 1.0, download and install the AD FS 2.0 RTW (release to web) package. AD FS is a Microsoft Management Console (MMC) snap-in. Microsoft Update Rollup 3 for AD FS 2.0, available to download from Microsoft here: Update Rollup 3 includes fixes for known issues and enables multiple SSO instances to use the same token signing certificate. After installing the rollup make sure you download and execute the RelaxedRequestSigningCertsv2.sql script as documented in the Knowledge Base article. A Fairsail environment, commonly known as an org. For the purposes of evaluation you can sign up for a free Fairsail HCM or Fairsail Recruit trial here: The procedures described in this guide are effective but take time to complete, test and validate. You must allow enough time before attempting to use Fairsail with single sign-on in a full production environment. We strongly recommend scheduling the project to complete the process as far as successful login at least four weeks before go-live. This allows enough time: To resolve support issues. For adequate testing. To synchronize data with Fairsail. Microsoft Active Directory Federation Services 2.0 Fairsail

6 Overview SAML 2.0 defines several roles for parties involved in single sign-on: The user authenticates (logs in) to the identity provider (IdP) - in our case, this is AD FS 2.0. The user can then access a resource at one or more service providers (SP, and also known as relying parties) without needing to log in at each service provider. The process for an IdP-initiated login into Fairsail is simplified as: 1. The user authenticates to the AD FS server using Integrated Windows Authentication (Kerberos tokens over HTTP) and requests login to Fairsail 2. AD FS returns a SAML assertion to the user s browser 3. The browser automatically submits the assertion to Fairsail, which logs the user in. For SP-initiated login, go to SP-Initiated Login (see page 17). Microsoft Active Directory Federation Services 2.0 Fairsail

7 Procedure This icon is used to indicate points in the procedure where additional information is available in Troubleshooting (see page 32), starting on page. Each icon is hyperlinked; use it to jump to the relevant point in Troubleshooting (see page 32). Microsoft Active Directory Federation Services 2.0 Fairsail

8 Procedure Installation Installation 1. Install Windows Server 2008 R2 Enterprise or Datacenter edition, NOT Standard edition. If you are re-installing Windows Server R2, make sure that the environment is clean. Traces of previous AD FS installations, such as an existing adfs directory or configuration database will stop successful re-installation. If you are running an Active Directory forest with domain controllers running on earlier functional levels, to ensure compatibility leave the Windows Server 2008-based domain controller at its default level. The 2008 domain controller then runs at the lowest functional level that is possible in your environment. After the domain functional level is raised, domain controllers running earlier operating systems cannot operate in the domain. 2. Create a friendly DNS name for AD FS and point it to your adfs server. In this article, we'll use adfs.fairsaildev.com. Typically, this is the CNAME for your adfs server. If you want to use a different name, attach another IP address to the server and create a DNS A record to map the hostname to this IP address to avoid server authentication errors. 3. Download and install the AD FS 2.0 server role. This automatically installs other pre-requisite Windows components including IIS. 4. In the IIS manager create an SSL certificate for your friendly DNS name. Give the certificate a bit length of Do not create the certificate as self-signed. 5. On the client machine, install: o The SSL certificate o The Certificate Authority s root certificate 6. Run through the AD FS Server configuration wizard: a. Create a new Federation Service b. Select Stand-alone Federation Server c. Select the certificate that you created for your friendly DNS name 7. Add the friendly DNS name for the AD FS server to the client machine as a local intranet website through Control Panel > Internet Options > Security. Use the form Microsoft Active Directory Federation Services 2.0 Fairsail

9 Procedure Configuration Configuration To build a federation between two parties you must establish a trust relationship by exchanging metadata. Manually enter the metadata for the AD FS 2.0 instance into the Fairsail configuration. Fairsail metadata is downloaded as an XML file which AD FS 2.0 can consume. Fairsail Configuration You must configure: The domain (see page 9). SAML 2.0 setup (see page 10). You can also configure your login page to select an authentication service as an identity provider (see page 14). Configure My Domain The Fairsail My Domain ( feature enables you to select a custom domain name for your application. A My Domain URL looks like for a production org, or for a Developer Edition. You cannot configure My Domain for a Fairsail trial org; to test, you must use a live production org or a Force.com development org. A benefit of configuring My Domain is that it enables support for SP-initiated single sign-on, improving the user experience, and allowing users to access 'deep links' into their environment via SSO. Configure My Domain in Setup > Company Profile > My Domain. You will need to complete the process of configuring, testing and deploying My Domain ( for SP-initiated SSO to work correctly. Microsoft Active Directory Federation Services 2.0 Fairsail

10 Procedure Configuration Configure SAML In the AD FS 2.0 MMC snap-in, select the certificates node and double click the token-signing certificate to view it: 2. Click the Details tab 3. Click Copy to File 4. Save the certificate in DER format. 5. On the AD FS server find and record your Federation Metadata URL: a. Open the AD FS MMC b. Select Service > Endpoints > Metadata > Type:Federation Metadata: 6. Open the Federation Metadata file: In a browser address bar enter <Server URL><Federation Metadata URL> Microsoft Active Directory Federation Services 2.0 Fairsail

11 Procedure Configuration 7. In the Federation Metadata file find the EntityDescriptor ID line and record the attribute labeled entityid: 8. In Fairsail, go to Setup > Administration Setup > Security Controls > Single Sign-On Settings 9. Click Edit Fairsail displays the Single Sign-On Settings page. 10. Check SAML Enabled:. 11. Click Save. Fairsail displays the Single Sign-On Settings page with the SAML Single Sign-On Settings related list. 12. Click New: Microsoft Active Directory Federation Services 2.0 Fairsail

12 Procedure Configuration Fairsail displays the SAML Single Sign-On Setting Edit page: 13. Complete the fields as follows: Name API Name SAML Version A name for this service. For example Fairsail SSO Automatically created by Fairsail based on Name Not editable. User Provisioning Enabled Not checked. Issuer Entity ID Enter the attribute labeled entityid displayed in your Federation Metadata. Issuer is case sensitive. EntityID forms the first part of the URL of your Fairsail org, up to and including the cloudforce.com. After configuring MyDomain, login to Fairsail and capture your EntityID from the address bar. Confusingly, this is not the attribute labeled entityid displayed in your Federation Metadata. Microsoft Active Directory Federation Services 2.0 Fairsail

13 Procedure Configuration Identity Provider Certificate Signing Certificate Assertion Decryption Certificate SAML Identity Type SAML Identity Location Identity Provider Login URL Identity Provider Logout URL Custom Error URL Browse and select the token-signing certificate you exported earlier Default Certificate. Assertion not encrypted. Assertion contains the Federation ID from the User object. Identity is in the NameIdentifier element of the Subject statement The URL of your AD FS SAML endpoint, to which Fairsail sends SAML requests for SP-initiated login. You can find the URL in the AD FS MMC at Endpoints > Token Issuance > Type:SAML 2.0/WS-Federation. In the example: Note that the Identity Provider Login URL field is case sensitive. Enter a URL to which the user will be sent after they log out. For example: Leave blank. 14. Click Save to save the settings and download the metadata xml file. Microsoft Active Directory Federation Services 2.0 Fairsail

14 Procedure Configuration Configure Login Page When you have configured My Domain and SAML 2.0 you can configure your login page to select an authentication service as an identity provider. 1. Go to Setup > Domain Management > My Domain. 2. Under Login Page Branding, click Edit Fairsail displays the Login Page Branding page. This page lists the authentication services available to you for selection: 3. Under Authentication Service select the name of the service you have just configured. 4. Make any other changes you want to the branding. 5. Click Save. Microsoft Active Directory Federation Services 2.0 Fairsail

15 Procedure Configuration AD FS 2.0 Configuration 1. Open the AD FS 2.0 MMC snap in and Add a Trusted Relying Party: a. Select Data Source: Import data about a relying party from a file. Browse to the XML you downloaded from Fairsail b. Display Name: Give the trust a display name, for example Fairsail Test c. Select Issuance Authorization Rules: Permit all users to access this relying party d. Click Next to accept the defaults e. Open Edit Claim Rules Dialog: Checked 2. In the claim rules editor click the Issuance Transform Rules tab 3. Add a new rule: Claim Rule Template Send LDAP Attributes as Claims. Microsoft Active Directory Federation Services 2.0 Fairsail

16 Procedure Configuration Claim Rule Name LDAP Attribute Outgoing Claim Type For testing use the User Principal Name (UPN) as NameID. Enter: Send UPN as NameID. In production, use an attribute with a value that is unlikely to change over time such as the user s address or employee ID. Any change in the value will break SSO for that user. For testing use the User Principal Name (UPN) as NameID. Enter: Send UPN as NameID. In production, use an attribute with a value that is unlikely to change over time such as the user s address or employee ID. Any change in the value will break SSO for that user. If you change Claim Rule Name here you must pass through the new value by specifying it in the AD FS MMC at: Trust Relationships > Claims Provider Trusts > Acceptance Transform Rules User Principal Name Name ID 4. Click Finish. Microsoft Active Directory Federation Services 2.0 Fairsail

17 SP-Initiated Login IdP-initiated login typically works by setting up a link on the company intranet that users click to get access to Fairsail. SP-initiated login happens when a user clicks a direct link to Fairsail. If you configured a My Domain entity ID in the Force.com SAML settings, for example, users can go to URLs in that domain and be automatically redirected to AD FS for authentication. For SP-initiated login to work, you must set AD FS Secure Hash Algorithm parameter to SHA-1, because Fairsail uses the SHA-1 algorithm when signing SAML requests, and AD FS defaults to SHA-256: Go to AD FS trust properties for the Fairsail relying party under Advanced: Microsoft Active Directory Federation Services 2.0 Fairsail

18 Testing To test your configuration, set the Federation ID of a Fairsail user to the UPN of your own AD account and attempt to login: For SP-initiated login, assuming you configured a 'My Domain' entity ID (see page 9), you can just go straight to it, for example For IdP-initiated login, you must use the AD FS login URL and specify the logintorp parameter as the Fairsail SAML entity ID, for example: In either case, the browser should follow a chain of redirects, ultimately logging you in to Fairsail. If you get a Fairsail login error use the SAML assertion validator tool on the Fairsail single sign-on configuration page. It displays the results of the last failed SAML login. If you get an error from AD FS, check the AD FS logs in Server Manager\Diagnostics\Applications and Services Logs\AD FS 2.0\Admin. If you configured a My Domain entity ID, SP-initiated login will work for deep-links. Bookmark a link from deep inside Fairsail then log out. Reload your browser and select the bookmark. You should be seamlessly redirected to your IdP, authenticated, and then redirected back to the bookmarked link. Microsoft Active Directory Federation Services 2.0 Fairsail

19 Logging in to Fairsail Using Single Sign-On When Fairsail has been implemented using single sign-on technology, use the web address for your Fairsail site and your company provided single sign-on credentials to get access to the Fairsail system. Add the Fairsail start page to your browser Favorites or Bookmarks to get there quickly and easily. To avoid having to log in separately to Fairsail every time, you can set up your browser to take full advantage of single sign-on. Instructions differ depending on the browser you are using. Microsoft Active Directory Federation Services 2.0 Fairsail

20 Logging in to Fairsail Using Single Sign-On Setting Up Chrome for Single Sign-On Setting Up Chrome for Single Sign-On 1. Open Google Chrome. 2. Click Customize and select Settings from the drop down: Chrome displays the Settings tab. 3. At the bottom of the window, click Show advanced settings : 4. In the Network section, click Change proxy settings Chrome displays the Internet Properties dialog. Microsoft Active Directory Federation Services 2.0 Fairsail

21 Logging in to Fairsail Using Single Sign-On Setting Up Chrome for Single Sign-On 5. Click the Security tab and click Local intranet: 6. Click Sites: Chrome displays the Local intranet dialog: Microsoft Active Directory Federation Services 2.0 Fairsail

22 7. Click Advanced. Chrome displays the Local intranet Advanced dialog. Logging in to Fairsail Using Single Sign-On Setting Up Chrome for Single Sign-On 8. Enter the server url in the Add field using the form and click Add: Chrome adds the sites to the list of Websites in the dialog: 9. Click Close to close the Local intranet Advanced dialog. 10. Click OK to close the Local intranet dialog and return to the Internet Options dialog. 11. In the Internet Options dialog click Trusted sites and click Sites: Chrome displays the Trusted sites dialog. Microsoft Active Directory Federation Services 2.0 Fairsail

23 Logging in to Fairsail Using Single Sign-On Setting Up Chrome for Single Sign-On 12. Enter in the Add field and click Add: Chrome adds the site to the list of Websites in the dialog: 13. Click Close to close the Trusted sites dialog and return to the Internet Options dialog. Microsoft Active Directory Federation Services 2.0 Fairsail

24 14. In the Internet Options dialog with Trusted sites still selected, click Custom level : Logging in to Fairsail Using Single Sign-On Setting Up Chrome for Single Sign-On Chrome displays the Security Settings Trusted Sites Zone dialog. 15. Scroll through the list of Settings and click the radio button Automatic logon with current user name and password: 16. Click OK to close the Security Settings Trusted Sites Zone dialog. 17. Click OK to close the Internet Options dialog. You can now log in to SSO using the link: Microsoft Active Directory Federation Services 2.0 Fairsail

25 Logging in to Fairsail Using Single Sign-On Setting Up Firefox for Single Sign-On Setting Up Firefox for Single Sign-On 1. Open Firefox. 2. In the Address bar enter: about:config and press Enter. Firefox displays a warning message: 3. Click I ll be careful, I promise! Firefox displays the list of configuration preferences for your browser. 4. In the Search box enter: network.negotiate to focus the list of preference names. 5. Double click on the preference name: network.negotiate-auth.trusted-uris Firefox opens an Enter string value dialog. 6. In the Enter string value dialog enter: 7. Click OK Firefox adds the address as a value: Microsoft Active Directory Federation Services 2.0 Fairsail

26 8. Close the about:config browser window. Logging in to Fairsail Using Single Sign-On Setting Up Firefox for Single Sign-On You can now log in to SSO using the link: The first time you log in to SSO after setting up your browser Firefox may display a warning message: If this occurs: 1. Click I Understand the Risks. 2. Click Add Exception Firefox displays a confirmation dialog: 3. Check Permanently store this exception. 4. Click Confirm Security Exception. Microsoft Active Directory Federation Services 2.0 Fairsail

27 Logging in to Fairsail Using Single Sign-On Setting Up Internet Explorer for Single Sign-On Setting Up Internet Explorer for Single Sign-On 1. Open Internet Explorer. 2. Go to Tools and select Internet Options: Internet Explorer displays the Internet Options dialog. 3. Click the Security tab and click Local intranet: Microsoft Active Directory Federation Services 2.0 Fairsail

28 Logging in to Fairsail Using Single Sign-On Setting Up Internet Explorer for Single Sign-On 4. Click Sites: Internet Explorer displays the Local intranet dialog: 5. Click Advanced. Internet Explorer displays the Local intranet Advanced dialog. 6. Enter the server url in the Add field using the form and click Add: Microsoft Active Directory Federation Services 2.0 Fairsail

29 Internet Explorer adds the sites to the list of Websites in the dialog: Logging in to Fairsail Using Single Sign-On Setting Up Internet Explorer for Single Sign-On 7. Click Close to close the Local intranet Advanced dialog. 8. Click OK to close the Local intranet dialog and return to the Internet Options dialog. 9. In the Internet Options dialog click Trusted sites and click Sites: Internet Explorer displays the Trusted sites dialog. 10. Enter in the Add field and click Add: Internet Explorer adds the site to the list of Websites in the dialog: Microsoft Active Directory Federation Services 2.0 Fairsail

30 Logging in to Fairsail Using Single Sign-On Setting Up Internet Explorer for Single Sign-On 11. Click Close to close the Trusted sites dialog and return to the Internet Options dialog. 12. In the Internet Options dialog with Trusted sites still selected, click Custom level : Internet Explorer displays the Security Settings Trusted Sites Zone dialog. 13. Scroll through the list of Settings and click the radio button Automatic logon with current user name and password: 14. Click OK to close the Security Settings Trusted Sites Zone dialog. 15. Click OK to close the Internet Options dialog. You can now log in to SSO using the link: Microsoft Active Directory Federation Services 2.0 Fairsail

31 References and more information Setting Up Internet Explorer for Single Sign-On References and more information This document draws on the following source material: The developerforce wiki article: ration_services Rhys Goodwin s Weblog: For more information on: AD FS 2.0 diagnostics see the MSDN Claims-Based Identity Blog AD FS 2.0 RTW (release to web) download: Kerberos SPNs see Active Directory and Kerberos SPNs Made Easy Microsoft Windows Server 2008 R2: Microsoft Active Directory Federation Services 2.0 Fairsail

32 Troubleshooting This section provides solutions for issues that you may experience during the setup process described in this guide. This icon is used throughout this guide to indicate points where additional information is available in this section. Each icon is hyperlinked; use it to jump to the relevant point in this section. Click this icon at the end of each section to return to the main guide. Microsoft Active Directory Federation Services 2.0 Fairsail

33 Troubleshooting Internet Information Services Internet Information Services IIS001 What happens When trying to start a web site in the IIS MMC snap-in you get the error message: The process cannot access the file because it is being used by another process Why There may be a conflict with another process using port 80 or port 443, the ports IIS uses by default for TCP (port 80) and SSL (port 443). The ListenOnlyList registry subkey is not configured correctly on the computer running IIS. What to do This issue is covered in a Microsoft knowledge base article: 1. Use Netstat.exe to see if another process is using port 80 or port If there is no port conflict, examine the ListenOnlyList registry subkey and make any changes required as described here: Microsoft Active Directory Federation Services 2.0 Fairsail

34 Troubleshooting Active Directory Federation Services Active Directory Federation Services ADFS001 What happens When the installer tries to register a service principal name (SPN) you get an error message. Why Integrated Windows Authentication between the browser and the AD FS IIS instance is unable to work correctly with the automatically created SPN. What to do Manually create a Kerberos SPN for the DNS name. Use Command Prompt to enter: setspn -a HOST/adfs.fairsaildev.com testzone\ad FSSVR01 setspn -a HOST/adfs testzone\ad FSSVR01 ADFS002 What happens During AD FS configuration you get this message: Why An adfs directory already exists, probably from a previous installation. The adfs directory hosts the AD FS configuration database, which must also be deleted. What to do Exit the AD FS configuration wizard and delete the directory. This action detects the underlying database and restarts the Federation Server Configuration Wizard, which now offers you the option of deleting the configuration database: Microsoft Active Directory Federation Services 2.0 Fairsail

35 Troubleshooting Active Directory Federation Services Check Delete database and click Next to resume the Configuration Wizard. ADFS003 What happens The event log displays errors relating to Certificate Revocation List (CRL) checks failing when the AD FS server cannot connect to the internet. Why The AD FS server must connect to the internet in order to download the full signing certificate chain from the certificate provider. What to do Turn off CRL checking for AD FS by opening Powershell as Administrator and running the script: Add-PSSnapin Microsoft.Adfs.PowerShell Set-ADFSRelyingPartyTrust -TargetName "YourRelyingPartyDisplayName" -SigningCertificateRevocationCheck None Microsoft Active Directory Federation Services 2.0 Fairsail

36 Troubleshooting Service Provider Initiated Login Service Provider Initiated Login SPIL001 What happens The AD FS event log displays the message: Event ID: 378 SAML request is not signed with expected signature algorithm. SAML request is signed with signature algorithm Expected signature algorithm is ( Why The secure hash algorithm is not set to SHA-1 What to do Go to the SalesForce Sandbox Properties dialog and set the secure hash algorithm to SHA-1 Microsoft Active Directory Federation Services 2.0 Fairsail

37 Appendix: Browser handling of SAML requests SP-Initiated login has the most steps and demonstrates SAML and federation at its best. The HTTP protocol messages show you exactly what s happening at each step. You can use a tool such as iehttpheaders or Fiddler2 to capture these messages for yourself, but note that Fiddler2 interferes with Integrated Windows Authentication to IIS so you ll need to turn off extended protection on the /adfs/ls/ virtual directory if you want to try this, otherwise your browser won t authenticate with AD FS and you ll see event 4625 with error 0xc000035b in the Windows security log on the AD FS server. In the interests of clarity, some extraneous HTTP headers are omitted and long strings of base 64 encoded data and sensitive identifiers are replaced by ellipses. Microsoft Active Directory Federation Services 2.0 Fairsail

38 Appendix: Browser handling of SAML requests Step 1 Step 1 The user clicks a deep link to a Force.com page; in our example, it's The browser requests the page and Force.com renders a page containing JavaScript to redirect the browser to the Force.com SAML request generator. The SAML request generator creates a SAML request for the IdP by sending an HTML form with hidden fields back to the browser. Microsoft Active Directory Federation Services 2.0 Fairsail

39 Appendix: Browser handling of SAML requests Step 1 It then uses JavaScript to automatically submit the form to the IdP SAML endpoint. Note the text in the <noscript> element instructing the user to click the 'Continue' button to proceed. You can decode the SAMLRequest using a tool such as the SAML 2.0 Debugger: Microsoft Active Directory Federation Services 2.0 Fairsail

40 Appendix: Browser handling of SAML requests Step 2 Step 2 The browser submits the HTML form containing the SAML request to the AD FS SAML endpoint: Since we are using Integrated Windows Authentication, AD FS redirects the browser to the /auth/integrated/ directory: Finally, the user is authenticated using Integrated Windows Authentication, comprising several HTTP request/response exchanges, and AD FS serves up a SAML response. Microsoft Active Directory Federation Services 2.0 Fairsail

41 Appendix: Browser handling of SAML requests Step 2 Again, the SAML message is returned to the browser in an HTML form which is then submitted to the Force.com SAML endpoint using JavaScript. Microsoft Active Directory Federation Services 2.0 Fairsail

42 Decoding the SAML response (note the UPN in the NameID element): Appendix: Browser handling of SAML requests Step 2 Microsoft Active Directory Federation Services 2.0 Fairsail

43 Appendix: Browser handling of SAML requests Step 3 Step 3 The browser submits the HTML form which contains the SAML response to the Force.com SAML endpoint which verifies the SAML assertion, logs the user in and redirects the browser to the original requested URL. Microsoft Active Directory Federation Services 2.0 Fairsail

44 Appendix: Browser handling of SAML requests Step 3 Microsoft Active Directory Federation Services 2.0 Fairsail