Configuring SAML SSO for Salesforce

These steps will guide you through setting up the single sign-on (SSO) functionality between ADSelfService Plus and Salesforce.

Prerequisite

1. Make sure that HTTPS has been enabled on the ADSelfService Plus server.
2. Log in to ADSelfService Plus as an administrator.
3. Navigate to Configuration > Self-Service > Password Sync/Single Sign On > Add Application, and select Salesforce from the applications displayed.
Note: You can also find the application that you need from the search bar located in the left pane or the alphabet-wise navigation option in the right pane.
4. Click IdP details in the top-right corner of the screen.
5. In the pop-up that appears, copy the Entity ID, Login URL and Logout URL, and download the metadata file by clicking on Download IdP Metadata.

SalesForce (Service Provider) configuration steps

1. Log in to Salesforce with administrator credentials.
Note: The steps below pertain to the Salesforce Lightning platform.
2. Click the Gear icon from the top-right corner.



3. Navigate to Settings (from the left panel menu) > Identity > Single Sign-On Settings.



4. Click Edit.
5. Select SAML Enabled, then click Save.



6. Now click New from Metadata File from the SAML Single Sign-On Settings.



7. Upload the metadata file downloaded in the Step 5 of the prerequisite, then click Create.
8. Modify the Name and API Name with easily recognizable names (for instance, SelfService) for reference.



9. Click Save.
10. Once done, copy the Login URL under Endpoints and click on Download Metadata to copy the Salesforce SP metadata.



11. Open the metadata file in a text editor. Locate the AssertionConsumerService parameter and copy it.



12. To map the SSO Login URL to a specific domain login page:
    • Navigate to Settings (from the left panel menu) > Company Settings > My Domain.
    • Click Edit in the Edit Authentication Configuration of the desired domain.

    

    • Enable the SSO Configuration as an Authentication Service.

    

    • Click Save.

ADSelfService Plus (Identity Provider) configuration steps

1. Now, switch to ADSelfService Plus’ Salesforce configuration page.



2. Enter the Application Name and Description.
3. Enter the Domain Name of your Salesforce account. For example, if you use johndoe@thinktodaytech.com to log in to Salesforce, then thinktodaytech.com is the domain name.
4. In the Assign Policies field, select the policies for which SSO need to be enabled.
Note: ADSelfService Plus allows you to create OU and group-based policies for your AD domains. To create a policy, go to Configuration > Self-Service > Policy Configuration > Add New Policy.
5. Under the SSO tab, select Enable Single Sign-On.
6. Choose SAML from the Select Sign-on Method drop-down.
7. Fill the SP Login Initiate URL field with the Login URL copied in step 10 of the SP configuration.
8. Enter the Assertion Consumer Service URL copied in step 11 of the SP configuration in the Assertion Consumer Service URL field.
Note: If your Salesforce metadata contains multiple Assertion Consumer URLs, click the + button next to the text field to add all of them.
9. In the Name ID Format field, choose the format for the user login attribute value specific to the application.
Note: Use Unspecified as the default option if you are unsure about the format of the login attribute value used by the application.
10. Click Add Application.
11. Your users should now be able to sign in to Salesforce through ADSelfService Plus.