In this section, you will set up two SAML2 scenarios with eXo Platform and Salesforce: Salesforce as SAML2 SP (with eXo Platform as IDP), and Salesforce as SAML2 IDP (with eXo Platform as SP).
Configurations and the UI at the Salesforce side can be changed by Salesforce and may depend on your Salesforce edition and license. If you have problems when following the instructions here, please consult Salesforce support and documentation, and leave feedback to help us keep the eXo documentation up-to-date.
In this guideline, let's assume that you start from the beginning and register a free Salesforce developer account to test, as follows:
Sign up at http://developer.force.com/.
Set up your domain by selecting → → .
Configuring Salesforce as SAML2 SP
Set up SSO by clicking → → , then check SAML Enabled. Create a new SAML Single Sign-On Setting and complete the screen as below:
Issuer: The eXo Platform IDP URL, like http://www.idp.com/portal/dologin.
SAML Identity Type: Select Assertion contains the Federation ID from the User object.
SAML Identity Location: Select Identity is in the NameIdentifier element of the Subject statement.
Identity Provider Login(/Logout) URL: http://www.idp.com/portal/dologin.
Entity ID: Now, it should be https://saml.salesforce.com.
Certificate: Export a .crt file from your keystore to be uploaded here.
The command to export:
keytool -export -keystore secure-keystore.jks -alias secure-key -file test-certificate.crt
If you are using the default jbid_test_keystore.jks (for testing only), the keystore password is store123.
Back to the My Domain screen and edit the Login Page Branding section. Check your SSO Setting item(s) in the Authentication Service.
The default "Login Page" allows you to log in to Salesforce in case the IDP is not available, so it is safe in testing. Depending on Salesforce, you may have the ability to enable/disable SSO for individual users (via User Profile and Permission Set). For now, do not uncheck Login Page.
Configurations at eXo Platform
Configure eXo Platform IDP as described in eXo Platform as SAML2 IDP.
Note that you need to add salesforce.com as a trusted domain and saml.salesforce.com (the Entity ID that you configured at the Salesforce side) as an SP host. Instead of adding them via configuration.properties, you should directly modify the picketlink-idp.xml file:
For SP domains:
<Trust>
<Domains>${gatein.sso.sp.domains},saml.salesforce.com</Domains>
</Trust>
For SP hosts:
<KeyProvider ...>
<ValidatingAlias Key="${gatein.sso.sp.host}" Value="secure-key"/>
<ValidatingAlias Key="saml.salesforce.com" Value="salesforce-cert"/>
</KeyProvider>
"salesforce-cert" is the alias that you will import into your keystore in a later step.
Download SP Metadata file from your Salesforce SSO Setting page, by clicking Download Metadata. See the screenshot below:
Save the file as WEB-INF/conf/sso/saml/sp-metadata.xml inside standalone/deployments/platform.ear/exo.portal.web.portal.war.
Modify the WEB-INF/conf/sso/saml/picketlink-idp.xml file inside standalone/deployments/platform.ear/exo.portal.web.portal.war to add the MetaDataProvider element as follows:
<PicketLinkIDP ...>
...
<MetaDataProvider ClassName="org.picketlink.identity.federation.core.saml.md.providers.FileBasedEntitiesMetadataProvider">
<Option Key="FileName" Value="/WEB-INF/conf/sso/saml/sp-metadata.xml"/>
</MetaDataProvider>
</PicketLinkIDP>
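The picketlink-idp.xml edits and the downloaded sp-metadata.xml only work together if they agree: the host of the Entity ID from the SSO Setting must appear in Trust/Domains, must have a ValidatingAlias, and the MetaDataProvider must point at the saved metadata file, whose entityID must match the SSO Setting. The script below is an added example for this guide, not code from eXo Platform, PicketLink or Salesforce. It runs these checks against two constructed samples: a picketlink-idp.xml with the ${...} placeholders already resolved (element names follow the snippets above), and an sp-metadata.xml in the SAML 2.0 metadata layout, in which the certificate body and the ?so= organisation id are placeholders. It also extracts the SP signing certificate from the metadata as PEM, the format keytool -import accepts for the salesforce-cert alias.

```python
"""Consistency checks between picketlink-idp.xml and the Salesforce SP metadata.
Added example for this guide; both XML documents below are constructed samples."""
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Entity ID entered in the Salesforce SSO Setting; its host is the SP host.
SALESFORCE_ENTITY_ID = "https://saml.salesforce.com"

# Constructed picketlink-idp.xml with the ${...} placeholders already resolved.
PICKETLINK_IDP_XML = """<PicketLinkIDP>
  <IdentityURL>http://www.idp.com/portal/dologin</IdentityURL>
  <Trust>
    <Domains>www.sp.com,saml.salesforce.com</Domains>
  </Trust>
  <KeyProvider>
    <ValidatingAlias Key="www.sp.com" Value="secure-key"/>
    <ValidatingAlias Key="saml.salesforce.com" Value="salesforce-cert"/>
  </KeyProvider>
  <MetaDataProvider ClassName="org.picketlink.identity.federation.core.saml.md.providers.FileBasedEntitiesMetadataProvider">
    <Option Key="FileName" Value="/WEB-INF/conf/sso/saml/sp-metadata.xml"/>
  </MetaDataProvider>
</PicketLinkIDP>"""

# Constructed sp-metadata.xml; certificate body and the ?so= org id are placeholders.
SP_METADATA_XML = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://saml.salesforce.com">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data>
        <ds:X509Certificate>MIICPLACEHOLDERCERTIFICATEBODYNOTAREALCERTIFICATE0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ</ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://exodoc-dev-ed.my.salesforce.com/?so=ORGID_PLACEHOLDER" index="0"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""


def _local(tag):
    """Strip the {namespace} prefix so namespaced real files and the plain sample parse alike."""
    return tag.rsplit("}", 1)[-1]


def _iter(root, name):
    """Yield every element under root (root included) whose local name is `name`."""
    for el in root.iter():
        if _local(el.tag) == name:
            yield el


def check_idp_config(idp_xml, sp_entity_id):
    """Return finding codes for picketlink-idp.xml; [] means the SP is fully wired in."""
    root = ET.fromstring(idp_xml)
    host = urlparse(sp_entity_id).hostname
    findings = []
    domains = set()
    for d in _iter(root, "Domains"):
        domains.update(x.strip() for x in (d.text or "").split(","))
    if host not in domains:
        findings.append("trust-domain-missing")      # SP host not in <Trust><Domains>
    aliases = {a.get("Key"): a.get("Value") for a in _iter(root, "ValidatingAlias")}
    if not aliases.get(host):
        findings.append("validating-alias-missing")  # no keystore alias keyed by the SP host
    has_file = any(o.get("Key") == "FileName" and o.get("Value")
                   for p in _iter(root, "MetaDataProvider") for o in _iter(p, "Option"))
    if not has_file:
        findings.append("metadata-provider-missing") # MetaDataProvider without a FileName option
    return findings


def signing_cert_pem(md_xml):
    """Return the SP signing certificate from the metadata as PEM text, or None if absent."""
    root = ET.fromstring(md_xml)
    for kd in _iter(root, "KeyDescriptor"):
        if kd.get("use", "signing") != "signing":    # no `use` attribute means signing and encryption
            continue
        cert = next(_iter(kd, "X509Certificate"), None)
        if cert is not None and cert.text and cert.text.strip():
            b64 = "".join(cert.text.split())
            lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
            return "-----BEGIN CERTIFICATE-----\n" + "\n".join(lines) + "\n-----END CERTIFICATE-----\n"
    return None


def check_sp_metadata(md_xml, expected_entity_id):
    """Return finding codes for sp-metadata.xml; [] means it matches the SSO Setting."""
    root = ET.fromstring(md_xml)
    findings = []
    if root.get("entityID") != expected_entity_id:
        findings.append("entity-id-mismatch")        # metadata is for another SP or another setting
    sp = next(_iter(root, "SPSSODescriptor"), None)
    if sp is None:
        return findings + ["no-sp-descriptor"]
    acs = [a.get("Location", "") for a in _iter(sp, "AssertionConsumerService")]
    if not any(urlparse(u).scheme == "https" for u in acs):
        findings.append("no-https-acs")              # assertions would be posted over plain HTTP
    if signing_cert_pem(md_xml) is None:
        findings.append("no-signing-cert")           # nothing to import under the ValidatingAlias
    return findings


if __name__ == "__main__":
    print("picketlink-idp.xml:", check_idp_config(PICKETLINK_IDP_XML, SALESFORCE_ENTITY_ID) or "ok")
    print("sp-metadata.xml   :", check_sp_metadata(SP_METADATA_XML, SALESFORCE_ENTITY_ID) or "ok")
    print(signing_cert_pem(SP_METADATA_XML))
```

To use it on a real deployment, read the two files from the exo.portal.web.portal.war paths given above and pass their contents in place of the constructed strings; resolve the ${gatein.sso.sp.host} style placeholders first, since the check compares literal strings.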
Download and import Salesforce client certificate.
The link to download the new certificate should be found at this page. At the moment, you can use this link: http://s3.amazonaws.com/dfc-wiki/en/images/3/34/New_proxy.salesforce.com_certificate_chain.zip. Download and unzip it; you will see a file named proxy-salesforce-com.123.
Import the certificate into your keystore file with the command below:
keytool -import -keystore secure-keystore.jks -file proxy-salesforce-com.123 -alias salesforce-cert
Testing the scenario
Create some users in Salesforce and in the eXo Platform IDP for testing. User mapping uses the Federation ID, which means the username "john" in eXo Platform must be the same as the Federation ID "john" in Salesforce.
Log out of Salesforce, then log in again using your domain (https://exodoc-dev-ed.my.salesforce.com/ for example).
Now, you will see a link to IDP Login page in the login screen, like "eXo Doc SSO" (Name of your Salesforce SSO Setting above) in the screenshot:
Click the link. You will be redirected to the eXo Platform login screen.
Log in as one of testing users. You will get access to your Salesforce domain.
Remember to disable SSO if you have enabled it as described in Configuring Salesforce as SAML2 SP.
Configuring Salesforce as SAML2 IDP
Enable Identity Provider by selecting → → , then clicking Enable Identity Provider. Accept the default certificate by clicking Save. You can change it later if you need.
Create Connected Apps, as follows:
i. Click the link in the Service Providers section:
ii. Fill in all required information. In the Web App Settings section, check Enable SAML and complete the following information:
Entity ID: The SP login URL, like http://www.sp.com:8080/portal/dologin.
ACS URL: The URL of the Assertion Consumer Service. In this scenario, it is http://www.sp.com:8080/portal/dologin too.
Subject Type: Select Federation ID.
Name ID Format: Select urn:oasis:names:tc:SAML:2.0:nameid-format:transient.
Issuer: Use your domain like https://exodoc-dev-ed.my.salesforce.com.
You can also create Connected Apps by selecting → → .
Make sure your connected application can be accessed by users who have the "Standard Platform User" profile, as follows:
i. Click → .
ii. Find your app and click to view it. In the Profiles section, you can manage Profiles that have access to your app. At this time, make sure you see the "Standard Platform User" because this is needed for testing later.
Configurations at eXo Platform
Configure eXo Platform as described in eXo Platform as SAML2 SP. Notice some values below:
gatein.sso.idp.host=exodoc-dev-ed.my.salesforce.com
gatein.sso.idp.url=https://exodoc-dev-ed.my.salesforce.com/idp/endpoint/HttpPost
gatein.sso.sp.url=http://www.sp.com:8080/portal/dologin
The ValidatingAlias is "salesforce-idp", which you will import in the next step:
<ValidatingAlias Key="${gatein.sso.idp.host}" Value="salesforce-idp"/>
Download and import Salesforce IDP certificate to your keystore. The Salesforce IDP certificate is downloaded from the Identity Provider page:
The command to import looks like this:
keytool -import -keystore secure-keystore.jks -file SelfSignedCert_27Nov2013_105525.cer -alias salesforce-idp
Note that if you are using the default jbid_test_keystore.jks, the store password is store123.
Testing the scenario
Create some users in Salesforce and in the eXo Platform SP for testing. User mapping uses the Federation ID, which means the username "john" in eXo Platform must be the same as the Federation ID "john" in Salesforce. Also, make sure the Salesforce user has the "Standard Platform User" profile (to have access to the Connected App, as explained before).
Now, access eXo Platform. You will be redirected to the Salesforce login page. After getting authenticated with Salesforce username (like john@example.com), you get access to eXo Platform.