Chapter 94 Configuring Salesforce

The following is an overview of how to configure the Salesforce.com application for single sign-on:

1 Prepare Salesforce for single sign-on. This involves the following:
  Verify that the Salesforce account edition supports SSO: Make sure that you have an account with Salesforce, such as an Enterprise, Unlimited, Professional, Performance, Developer, or Database.com account; not every edition can be enabled for SSO. For more information, see "Verifying the Salesforce account edition" on page 94-793.
  Create a domain (Optional): If you prefer to use a custom Salesforce domain, create it before configuring the application in Admin Portal. For details, see "Creating a custom domain in Salesforce" on page 94-802.
2 Configure the application settings in Admin Portal. You'll need to copy a few settings from here to paste into the Salesforce web site. For details, see "Configuring Salesforce in Admin Portal" on page 94-794.
3 Configure Salesforce for SSO. For details, see "Configuring Salesforce for SSO" on page 94-799.

Note For details about using automatic user provisioning with Salesforce, see Configuring user provisioning for Salesforce.

Verifying the Salesforce account edition

In order for Salesforce to be configured for SSO, your Salesforce account must be one of the following editions:
  Group (also supports provisioning)
  Enterprise (also supports provisioning)
  Unlimited (also supports provisioning)
  Developer
  Non-profit

Note For the Professional edition, your application must be certified for it to have provisioning API access. For details, see the Salesforce documentation, such as http://www.salesforce.com/us/developer/docs/packagingguide/content/dev_packages_api_access.htm and https://developer.salesforce.com/page/Certification_FAQ.
To verify your Salesforce account edition:
1 Log in to your Salesforce account.
2 Go to Setup, and then Company Profile. The Company Profile page displays your account edition.

Configuring Salesforce in Admin Portal

To add and configure the Salesforce application in Admin Portal:
1 In Admin Portal, click Apps.
2 Click Add Web Apps. The Add Web Apps screen appears.
3 On the Search tab, enter the partial or full application name in the Search field and click the search icon.
4 Next to the application, click Add.
5 In the Add Web App screen, click Yes to confirm. Admin Portal adds the application.
6 Click Close to exit the Application Catalog. The application that you just added opens to the Application Settings page.

Admin Portal user's guide 794
7 Specify the following:

  Assertion Consumer Service URL (Required): Set it to your Salesforce login URL. For production accounts, specify the URL that you use to log in to your Salesforce account. The URL begins with https://login.salesforce.com?so= and ends with your 15-character organization ID, for example https://login.salesforce.com?so=00d90000000uBQi. For sandbox (test) accounts, specify https://test.salesforce.com.

  Issuer (Required): The cloud service generates the contents of this field for you automatically. The contents of this field must exactly match the Issuer field in the Salesforce web site.

  Encrypt Assertion: Leave this disabled. Encrypted assertions are not currently supported by the cloud service.

  Identity Provider Login URL: The cloud service automatically generates the content of this field. If you want SP-initiated SSO, copy this URL into the Identity Provider Login URL field in Salesforce. If you want IdP-initiated SSO only, leave this field as is and do not copy it to Salesforce.

  Custom Error URL: The cloud service automatically generates the content of this field. If desired, copy this URL into the Custom Error URL field in Salesforce. This custom page in the user portal displays when users encounter an error in Salesforce.

  Identity Provider Logout URL: The cloud service automatically generates the content of this field. If you want a user who logs out of Salesforce to be logged out of the user portal as well, copy this URL into Salesforce. Otherwise, leave this field as is.

8 On the Application Settings page, expand the Additional Options section and specify the following settings:

  Application ID: Configure this field if you are deploying a mobile application that uses the Samsung mobile SDK, for example mobile applications that are deployed into a Samsung KNOX version 1 container. The cloud service uses the Application ID to provide single sign-on to mobile applications. Note the following:
    The Application ID must be the same as the text string that is specified as the target in the code of the mobile application written using the mobile SDK.
    If you change the name of the web application that corresponds to the mobile application, enter the original application name in the Application ID field.
    There can be only one SAML application deployed with the name used by the mobile application.
    The Application ID is case-sensitive and can be any combination of letters, numbers, spaces, and special characters up to 256 characters.

  Show in User app list: Select Show in User app list so that this web application displays in the user portal. (By default, this option is selected.) If this web application is only needed to provide SAML for a corresponding mobile application, deselect this option; the web application then won't display for users in the user portal.

  Security Certificate: These settings specify the signing certificate used for SSO between the cloud service and the web application. Be sure that the certificate selected here is the same one you upload in Salesforce; otherwise Salesforce cannot validate the assertion signature and logins fail. Select an option to change the signing certificate:
    Use existing certificate: When selected, the certificate currently in use is displayed. It's not necessary to select this option; it's present to display the current certificate in use.
    Use the default tenant signing certificate: Select this option to use the cloud service standard certificate. This is the default setting.
    Use a certificate with a private key (pfx file) from your local storage: Select this option to use your organization's own certificate. To use your own certificate, click Browse to upload an archive file (.p12 or .pfx extension) that contains the certificate along with its private key. If the file has a password, you must enter it when prompted.

9 (Optional) You can change the name, description, and logo for the application. For some applications, the name cannot be modified. The Category field specifies the default grouping for the application in the user portal. Users have the option to create a tag that overrides the default grouping in the user portal.

10 On the User Access page, select the role(s) that represent the users and groups that have access to the application. When assigning an application to a role, select either Automatic Install or Optional Install:
    Automatic Install: The application appears automatically for users.
    Optional Install: The application doesn't automatically appear in the user portal; users have the option to add it.

11 (Optional) On the Policy page, specify additional authentication control for this application. You can select one or both of the following settings:
    Restrict app to clients within the Corporate IP Range: Select this option to prevent users outside the company intranet from launching this application. To use this option, you must also specify which IP addresses are considered your intranet by setting the Corporate IP range in Settings > Corporate IP Range.
    Require Strong Authentication: Select this option to force users to authenticate using additional, stronger authentication mechanisms when launching the application. Specify these mechanisms in Policy > Add Policy Set > Account Security Policies > Authentication.
  You can also include JavaScript code to identify specific circumstances in which you want to block an application or require additional authentication methods. For details, see Specifying application access policies with JavaScript.

12 On the Account Mapping page, configure how the login information is mapped to the application's user accounts. The options are as follows:
    Use the following Directory Service field to supply the user name: Use this option if the user accounts are based on user attributes. For example, specify an Active Directory field such as mail or userprincipalname, or a similar field from the Samsung KNOX EMM user service.
    Everybody shares a single user name: Use this option if you want to share access to an account without giving each user the account's user name and password. For example, some people share an application developer account.
    Use Account Mapping Script: You can customize the user account mapping by supplying a custom JavaScript script. For example, you could use the following line as a script:

      LoginUser.Username = LoginUser.Get('mail') + '.ad';

    The above script instructs the cloud service to set the login user name to the user's mail attribute value in Active Directory with .ad appended. So, if the user's mail attribute value is Adele.Darwin@acme.com, the cloud service uses Adele.Darwin@acme.com.ad. For more information about writing a script to map user accounts, see the SAML application scripting guide.

13 (Optional) On the Advanced page, you can edit the script that generates the SAML assertion, if needed. In most cases, you don't need to edit this script. For more information, see the SAML application scripting guide.

  Note On the Changelog page, you can see recent changes that have been made to the application settings, by date, user, and the type of change that was made.

14 Click Workflow to set up a request and approval workflow for this application. The Workflow feature is a premium feature and is available only in the Samsung KNOX EMM User Suite App+ Edition. See Configuring Workflow for more information.

15 Click Save.
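The policy switches in step 11 and the mapping script in step 12 are evaluated by the cloud service when a user launches the application, so a wrong Corporate IP Range or a mapping rule that yields an empty name only shows up as failed logins. The Python script below is an added example, not part of this guide or of the product: it models those two settings so you can dry-run them against constructed sample users before assigning the application to a role. The IP ranges, client addresses and directory records are assumptions made up for the example, and the fallback from mail to userprincipalname goes beyond the page's one-line script.

```python
"""Dry-run model of the per-application access policy and account mapping.

Added example, not product code: the Admin Portal evaluates these settings
itself. Ranges, users and client addresses below are constructed values.
"""
import ipaddress

# What you would enter under Settings > Corporate IP Range (assumed values).
CORPORATE_RANGES = [ipaddress.ip_network(r) for r in ("10.0.0.0/8", "203.0.113.0/24")]


def in_corporate_range(client_ip, ranges=CORPORATE_RANGES):
    """True if the client address falls inside any configured corporate range."""
    addr = ipaddress.ip_address(client_ip)
    return any(addr in net for net in ranges)


def evaluate_policy(client_ip, strong_auth_done, restrict_to_corporate, require_strong):
    """Return 'allow', 'block' or 'step-up' for one launch attempt.

    restrict_to_corporate models 'Restrict app to clients within the Corporate
    IP Range'; require_strong models 'Require Strong Authentication'.
    The block decision is taken first: a user outside the intranet is refused
    rather than offered a stronger factor.
    """
    if restrict_to_corporate and not in_corporate_range(client_ip):
        return "block"
    if require_strong and not strong_auth_done:
        return "step-up"
    return "allow"


def map_username(attrs, suffix=".ad"):
    """Equivalent of LoginUser.Username = LoginUser.Get('mail') + '.ad'.

    Generalised with a fallback: the page's one-line script would send an
    empty name for a record without mail, so this version tries
    userprincipalname (the other attribute the page names) and only then
    fails loudly instead of mapping the user to a bare '.ad'.
    """
    for key in ("mail", "userprincipalname"):
        value = (attrs.get(key) or "").strip()
        if value:
            return value + suffix
    raise ValueError("user record has neither mail nor userprincipalname")


if __name__ == "__main__":
    # Constructed sample: one address inside the ranges, one outside.
    for ip in ("10.1.2.3", "198.51.100.7"):
        print(ip, evaluate_policy(ip, strong_auth_done=False,
                                  restrict_to_corporate=True, require_strong=True))
    print(map_username({"mail": "Adele.Darwin@acme.com"}))
    print(map_username({"mail": "", "userprincipalname": "adarwin@acme.com"}))
```

Run it with your own egress addresses in place of the sample ones: if in_corporate_range returns False for the address your users actually leave the network from, enabling the Corporate IP Range restriction locks them out rather than protecting them.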
After configuring the application settings (including the role assignment) and the application's web site, you're ready for users to launch the application from the user portal.

Configuring Salesforce for SSO

You need system administrator permission in Salesforce to perform these steps.

Tip It can be useful to open the web application and Admin Portal simultaneously, perhaps side by side. As part of the SSO configuration process, you'll need to copy and paste settings between the two browser windows.

Salesforce allows you to specify multiple identity providers for SSO.

To configure Salesforce for SSO:
1 In your web browser, log in to the Salesforce web site.
2 Navigate to Administration Setup, then Security Controls, then Single Sign-On Settings, and click Edit.
3 Under Federated Single Sign-On Using SAML, select SAML Enabled.
4 Click Save.
5 In the Single Sign-On Settings page, click New. The SAML Single Sign-On Setting Edit page displays. Use this page to configure the application for single sign-on from the user portal.
6 Specify the following:

  Name (Required): samsungemm. The name of your identity provider, such as Samsung.

  API Name (Required): samsungemm

  SAML version (Required): 2.0. The cloud service uses SAML 2.0.

  User Provisioning enabled: Deselected. For details about configuring Salesforce for user provisioning, see Configuring user provisioning for Salesforce.

  Issuer (Required): A name of your choosing; urn:cloud.samsungemm.com is recommended. The contents of this field must exactly match the Issuer field for this application in Admin Portal.

  Entity ID (Required): If using a customized subdomain in Salesforce, set it to that domain. Otherwise, use https://saml.salesforce.com.

  Identity provider certificate (Required): Either use the standard certificate that you downloaded from the Admin Portal, or upload your own certificate (the certificate only, without its private key). After you upload the certificate, the certificate information appears in the Current Certificate area.

  Signing Certificate: Default Certificate

  Assertion Decryption Certificate: Assertion not encrypted. Encrypted assertions are not currently supported by the cloud service.

  SAML Identity Type (Required): Assertion contains User's Salesforce.com user name

  SAML Identity Location (Required): User ID is in the NameIdentifier element of the Subject statement

  Identity Provider Login URL (Optional): Leave this field blank for IdP-initiated only SSO. For SP-initiated SSO, paste the Identity Provider Login URL from the application settings in Admin Portal. If specified, Salesforce uses SP-initiated SAML SSO. The URL must contain the appkey and customerid, for example https://cloud.samsungemm.com/run?appkey=salesforce&customerid=ab123. Note that appkey is case-sensitive.

  Identity Provider Logout URL (Optional): This item can be blank. If you want users to be logged out of the user portal when they log out of Salesforce, copy the URL from the Salesforce application settings in Admin Portal and paste it here. If you want to keep users logged in to the user portal after they log out of Salesforce, leave this field as is.

  Custom Error URL (Optional): This item can be blank. If specified, a custom error page displays when a user encounters an error in Salesforce. If desired, paste the Custom Error URL from the Salesforce application settings in Admin Portal.

  Service Provider Initiated Request Binding (Required for SP-initiated SSO): HTTP Post

7 Click Save.
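The Issuer, Entity ID, identity location and Assertion Consumer Service URL above have to agree on both sides, and the cloud service cannot send an encrypted assertion. The Python script below is an added example, not code from this guide, from Salesforce or from the cloud service: it checks a base64-decoded SAML response against those settings, which is what a practitioner runs on a response captured from the browser's SAML trace before opening a ticket. The two sample responses are constructed for this example using the illustrative issuer and URLs from this page; signature validation is out of scope here and must still be done separately.

```python
"""Check a decoded SAML response against the Salesforce SSO settings.

Added example, not product code. The sample responses are constructed for
this example; they are not captures from a real tenant.
"""
import re
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs, urlsplit

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Production ACS URL: login.salesforce.com?so= plus the 15-character org ID.
ACS_URL_RE = re.compile(r"^https://login\.salesforce\.com\?so=[A-Za-z0-9]{15}$")
SANDBOX_ACS = "https://test.salesforce.com"

SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_r1" Version="2.0" IssueInstant="2014-01-01T00:00:00Z"
    Destination="https://login.salesforce.com?so=00d90000000uBQi">
  <saml:Issuer>urn:cloud.samsungemm.com</saml:Issuer>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2014-01-01T00:00:00Z">
    <saml:Issuer>urn:cloud.samsungemm.com</saml:Issuer>
    <saml:Subject><saml:NameID>adele.darwin@acme.com</saml:NameID></saml:Subject>
    <saml:Conditions><saml:AudienceRestriction>
      <saml:Audience>https://saml.salesforce.com</saml:Audience>
    </saml:AudienceRestriction></saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""

# A response whose IdP wrongly encrypted the assertion (constructed).
ENCRYPTED_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r2" Version="2.0"
    IssueInstant="2014-01-01T00:00:00Z" Destination="https://login.salesforce.com?so=00d90000000uBQi">
  <saml:EncryptedAssertion/>
</samlp:Response>"""


def check_idp_login_url(url):
    """SP-initiated SSO needs the Admin Portal login URL with appkey and customerid."""
    parts = urlsplit(url)
    qs = parse_qs(parts.query)
    problems = []
    if parts.scheme != "https":
        problems.append("login URL must use https")
    if qs.get("appkey") != ["salesforce"]:  # appkey is case-sensitive
        problems.append("appkey missing or not exactly 'salesforce'")
    if not qs.get("customerid"):
        problems.append("customerid missing")
    return problems


def check_saml_response(xml_text, expected_issuer, expected_audience):
    """Return a list of findings; an empty list means the response matches the settings."""
    root = ET.fromstring(xml_text)
    findings = []

    # Salesforce is configured with 'Assertion not encrypted'.
    if root.find("saml:EncryptedAssertion", NS) is not None:
        findings.append("assertion is encrypted; encrypted assertions are not supported")
        return findings
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        findings.append("no Assertion element")
        return findings

    # Destination must be the ACS URL entered in Admin Portal.
    dest = root.get("Destination", "")
    if not (ACS_URL_RE.match(dest) or dest == SANDBOX_ACS):
        findings.append(f"Destination {dest!r} is not a Salesforce ACS URL")

    # Issuer must match byte-for-byte on both sides.
    issuer = assertion.findtext("saml:Issuer", default="", namespaces=NS)
    if issuer != expected_issuer:
        findings.append(f"Issuer {issuer!r} != configured {expected_issuer!r}")

    # Audience must be the Entity ID (saml.salesforce.com or the custom domain).
    audiences = [a.text for a in assertion.findall(
        "saml:Conditions/saml:AudienceRestriction/saml:Audience", NS)]
    if expected_audience not in audiences:
        findings.append(f"Audience {audiences} does not include {expected_audience!r}")

    # SAML Identity Location: user ID in the NameID of the Subject.
    if not assertion.findtext("saml:Subject/saml:NameID", default="", namespaces=NS):
        findings.append("Subject has no NameID; Salesforce expects the username there")
    return findings


if __name__ == "__main__":
    for label, resp in (("sample", SAMPLE_RESPONSE), ("encrypted", ENCRYPTED_RESPONSE)):
        print(label, check_saml_response(resp, "urn:cloud.samsungemm.com",
                                         "https://saml.salesforce.com") or "OK")
    print(check_idp_login_url("https://cloud.samsungemm.com/run?appkey=salesforce&customerid=ab123"))
```

If you use a custom My Domain, pass that domain as expected_audience; a response that passes here but is still rejected by Salesforce usually points at the certificate (step 6, identity provider certificate) or at the NameID not being the user's Salesforce user name.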
8 If you're going to use SP-initiated SSO, go to Setup, Domain Management, then My Domain, and then under Login Page Branding, click Edit.

  Note Make sure that you've deployed your custom domain to users. Otherwise, the authentication service settings are not available to you in Salesforce.

9 In the Login Page Branding screen, in the Authentication Service section, select both options: Login Page and Samsung. These authentication service options let your users log in either by way of the user portal or by entering their Salesforce user name and password. Selecting Login Page gives you and all your users the option to log in using a Salesforce user name and password. If you do not select Login Page, only users who are in Admin Portal and assigned to a role that you've assigned to Salesforce can access Salesforce. At this time, Salesforce does not provide a way to restrict the user name and password login to a subset of users. Note also that the access policies you set on the Policy page in Admin Portal apply only to launches that go through the user portal; a user who knows a Salesforce password can still sign in at the login page directly.

  Tip As a best practice, keep Login Page selected.

10 Click Save.

Creating a custom domain in Salesforce

You can use a custom domain in Salesforce, if desired. To use SP-initiated SSO with Salesforce, you must have a custom domain. For more information, see the following Salesforce information: https://cs1.salesforce.com/help/doc/user_ed.jsp?section=help&target=domain_name_testing_and_rollout.htm&loc=help&hash=topic-title

To register a domain in Salesforce:
1 Log in to your Salesforce account.
2 Go to Setup (under your name in the top, blue bar) > Domain Management > My Domain > Choose your company's domain name.
3 Enter a potential domain name and click Check Availability.
4 If the domain is available, select the Terms and Conditions check box, and click Register domain. Your subdomain is now ready for testing.
5 Click the Click here to login link to log in to your subdomain. To deploy the subdomain, you must be logged in. The login address now includes your newly created subdomain. For example: https://griffin--lg.cs1.my.salesforce.com/?login=1
6 In the login screen for your subdomain, enter your normal Salesforce user name and password.
7 Test the domain by clicking tabs and buttons to make sure the Salesforce functionality works as expected.
8 When you're finished testing the domain, deploy it to your users. While logged in to your subdomain, go to Setup, then Domain Management, then My Domain. Click Deploy to Users.
9 Salesforce displays a warning: once you create the domain, you can't reverse it, and all users will be pointed to the new domain after you deploy it. Click OK to continue. Salesforce deploys the domain for you and displays your current domain settings, such as the login policy, redirect policy, and domain name. For more information, consult the Salesforce documentation.

Configuring Salesforce mobile applications for SSO

Salesforce provides mobile applications for both iOS and Android devices.

To configure the Salesforce mobile app for SSO:
1 Complete SSO configuration as described in "Configuring Salesforce in Admin Portal" on page 94-794 and "Configuring Salesforce for SSO" on page 94-799.
2 Install the Salesforce1 app for your mobile device from iTunes or Google Play.
3 Open the app and tap the Settings icon.
4 Tap +.
5 Enter a host name.
6 (Optional) Enter a label, for example Samsung.
7 Tap Done.
8 Tap Samsung in the Choose Connection box.
9 Sign in with your Salesforce user name and password.
10 Tap Allow to give Salesforce permission to access your account information. If it is the first time you have signed in to this account, the app asks you to enter an activation code that is emailed to you.
For more information about Salesforce

For additional information, see the following:
https://na6.salesforce.com/help/doc/user_ed.jsp?loc=help&target=sso_saml.htm&
https://na14.salesforce.com/help/doc/user_ed.jsp?loc=help&target=sso_saml.htm&section=security
https://help.salesforce.com/apex/htviewhelpdoc?id=sso_tips.htm&language=en_us