7/30/2019 SSO Salesforce.com Hub and Spoke
SSO: Salesforce.com as Identity Provider and Service Provider
Sample Use Case
A customer has multiple Salesforce instances with a common set of administrators. The administrators are currently required to remember the username/password for each instance.
It would be ideal to have each admin login to one instance and have the ability to launch
other instances without having to login again. Furthermore, it should be possible to
navigate back to the home org or toggle from one instance to another.
Preparation
1. Determine which application will play the role of the Identity Provider (IdP). This will be the application that authenticates the user and logs him/her into the Service Providers (SPs).
2. Provide each user with a Federation ID (a unique identifier for the user across all participating applications).
Hub-and-spoke model
The IdP and participating SPs are represented in the hub-and-spoke diagram below.
[Diagram: Hub = Identity Provider; Spokes = Service Provider 1, Service Provider 2, Service Provider 3]
In this example, the Federation ID [email protected] is used to log the user into all the
participating SPs.
The rest of the document provides step-by-step instructions to set up one Salesforce org as
the IdP and another as an SP.
IdP and SP Configuration
1. Get both orgs configured for 'My Domain'.
2. Set up your Identity Provider in the IdP org.
3. Get your IdP's certificate, 'issuer', and SP initiated POST endpoint.
4. Go to your SP org and set up Single Sign-On. Enable SAML 2.0, import your certificate, and paste in the issuer from your IdP org. Use the Federation ID located in the SAML subject. Choose your My Domain as your entity ID.
5. Once that is configured, get your ACS URL and go back to your IdP org. Create a service provider with your ACS URL and entity ID.
6. Assign profile(s) to the SP.
7. Create a user in both orgs with the same Federation ID and make sure that user is in the proper profile in the IdP. For example: [email protected].
8. Launch the URL to the SP. You should be automatically taken to the login URL for the IdP. After authenticating in the IdP, you will land in the SP org.
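Steps 3 to 5 above give the SP org three trust values (the IdP issuer, the SP entity ID, and the ACS URL) and tell it to read the Federation ID from the SAML subject. The following is an added example, not part of this document or of Salesforce's own code: it cross-checks a SAML 2.0 response against those values so a misconfiguration (wrong issuer, audience or recipient) or an unsigned assertion shows up as a named problem. All domains, the placeholder org id and the XML are constructed.

```python
# Example added here (not from the document): cross-check a SAML 2.0 Response against the
# values pasted into the SP org in steps 3-5. All domains and the XML are constructed.
import xml.etree.ElementTree as ET

NS = {
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Hypothetical SP-side settings: IdP issuer (step 3), entity ID = My Domain (step 4), ACS URL (step 5).
SP_CONFIG = {
    "issuer": "https://idp-org.my.salesforce.com",
    "entity_id": "https://sp-org.my.salesforce.com",
    "acs_url": "https://sp-org.my.salesforce.com/?so=00DPLACEHOLDER",
}

# Constructed sample response. The empty Signature element only marks where a real one would be.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"><saml:Assertion>
  <saml:Issuer>https://idp-org.my.salesforce.com</saml:Issuer>
  <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"/>
  <saml:Subject><saml:NameID>admin@example.com</saml:NameID>
    <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
      <saml:SubjectConfirmationData Recipient="https://sp-org.my.salesforce.com/?so=00DPLACEHOLDER"/>
    </saml:SubjectConfirmation></saml:Subject>
  <saml:Conditions><saml:AudienceRestriction>
    <saml:Audience>https://sp-org.my.salesforce.com</saml:Audience>
  </saml:AudienceRestriction></saml:Conditions>
</saml:Assertion></samlp:Response>"""


def check_response(xml_text, cfg):
    """Return (problems, name_id): fields disagreeing with the SP config, and the Subject NameID."""
    assertion = ET.fromstring(xml_text).find("saml:Assertion", NS)
    if assertion is None:
        return ["no Assertion in response"], None
    problems = []
    if assertion.find("ds:Signature", NS) is None:
        problems.append("assertion unsigned (a real check verifies it against the IdP cert)")
    if assertion.findtext("saml:Issuer", default="", namespaces=NS) != cfg["issuer"]:
        problems.append("issuer does not match the IdP org")
    audience = assertion.findtext("saml:Conditions/saml:AudienceRestriction/saml:Audience", default="", namespaces=NS)
    if audience != cfg["entity_id"]:
        problems.append("audience does not match the SP entity ID (My Domain)")
    scd = assertion.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd is None or scd.get("Recipient") != cfg["acs_url"]:
        problems.append("recipient does not match the ACS URL")
    return problems, assertion.findtext("saml:Subject/saml:NameID", default=None, namespaces=NS)
```

The returned NameID is the value the SP org maps to a user's Federation ID (step 7); an empty problem list means the response is consistent with the SP configuration, not that the signature has been verified.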
Home Page Layout of IdP instance
This section provides the configurations required on the home page layout to provide the
admin with the ability to navigate to other SP instances.
Upon clicking a link in the Spokes section, the corresponding instance is launched in a new
window.
Toggling between instances
The Home Page Layout configuration approach can be expanded to provide the ability to
toggle between instances as shown below. The main difference is that the instances will
have to be opened in the same window.