SAML2 scenario with eXo Platform and Salesforce

In this section, you will set up two SAML2 scenarios with eXo Platform and Salesforce:

  • eXo Platform as IDP and Salesforce as SP

  • eXo Platform as SP and Salesforce as IDP

The configuration and UI on the Salesforce side can be changed by Salesforce and may depend on your Salesforce edition and license. If you have problems when following the instructions here, please consult Salesforce support and documentation, and leave feedback to help us keep eXo documentation up-to-date.

In this guide, assume that you start from scratch and register a free Salesforce developer account for testing, as follows:

  1. Sign up at http://developer.force.com/.

  2. Set up your domain by selecting Setup > Domain Management > My Domain.

eXo Platform as IDP and Salesforce as SP

Configuring Salesforce as SAML2 SP

  1. Set up SSO by clicking Setup > Security Controls > Single Sign-On Settings, then check SAML Enabled.

  2. Create a new SAML Single Sign-On Setting and complete the screen as below:

    • Issuer: The eXo Platform IDP URL, like http://www.idp.com/portal/dologin.

    • SAML Identity Type: Select Assertion contains the Federation ID from the User object.

    • SAML Identity Location: Select Identity is in the NameIdentifier element of the Subject statement.

    • Identity Provider Login(/Logout) URL: http://www.idp.com/portal/dologin.

    • Entity ID: Now, it should be https://saml.salesforce.com.

    • Certificate: Export a .crt file from your keystore to be uploaded here. The command to export:

      keytool -export -keystore secure-keystore.jks -alias secure-key -file test-certificate.crt


      If you are using the default jbid_test_keystore.jks (for testing only), the keystore password is store123.

  3. Go back to the My Domain screen and edit the Login Page Branding section. Check your SSO Setting item(s) in the Authentication Service.

    The default "Login Page" allows you to log in to Salesforce in case the IDP is not available, so it is safe in testing. Depending on Salesforce, you may have the ability to enable/disable SSO for individual users (via User Profile and Permission Set). For now, do not uncheck Login Page.

Configurations at eXo Platform

  1. Configure eXo Platform IDP as described in eXo Platform as SAML2 IDP. Note that you need to add salesforce.com as a trusted domain and saml.salesforce.com (the Entity ID that you configured on the Salesforce side) as an SP host. Instead of adding them via configuration.properties, you should directly modify the picketlink-idp.xml file:

    For SP domains:


    For SP hosts:

    <KeyProvider ...>
        <ValidatingAlias Key="${gatein.sso.sp.host}" Value="secure-key"/>
        <ValidatingAlias Key="saml.salesforce.com" Value="salesforce-cert"/>
    </KeyProvider>

    • "salesforce-cert" is the alias that you will import into your keystore in a later step.

  2. Download the SP Metadata file from your Salesforce SSO Setting page by clicking Download Metadata.

    Save the file as WEB-INF/conf/sso/saml/sp-metadata.xml inside standalone/deployments/platform.ear/exo.portal.web.portal.war.

  3. Modify the WEB-INF/conf/sso/saml/picketlink-idp.xml file inside standalone/deployments/platform.ear/exo.portal.web.portal.war to add the MetaDataProvider element as follows:

    <PicketLinkIDP ...>
        <MetaDataProvider ClassName="org.picketlink.identity.federation.core.saml.md.providers.FileBasedEntitiesMetadataProvider">
            <Option Key="FileName" Value="/WEB-INF/conf/sso/saml/sp-metadata.xml"/>
        </MetaDataProvider>
        ...
    </PicketLinkIDP>

  4. Download and import Salesforce client certificate.
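Before restarting the IDP, it helps to confirm that the downloaded sp-metadata.xml agrees with the trusted domain and SP host values from step 1. The following Python check is an added example, not part of eXo Platform or PicketLink; the sample metadata is constructed, and the function names and the dot-boundary domain match are assumptions of this example.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

MD = "{urn:oasis:names:tc:SAML:2.0:metadata}"  # SAML 2.0 metadata namespace

# Constructed stand-in for the downloaded sp-metadata.xml (not real Salesforce output).
SAMPLE_SP_METADATA = """\
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://saml.salesforce.com">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AssertionConsumerService index="0"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://exodoc-dev-ed.my.salesforce.com/"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""


def in_domain(host, domain):
    """True if host equals domain or is a subdomain of it (match on a dot boundary)."""
    host, domain = host.lower().rstrip("."), domain.lower()
    return host == domain or host.endswith("." + domain)


def check_sp_metadata(xml_text, trusted_domains, validating_alias_keys):
    """Compare SP metadata with the picketlink-idp.xml values; return a list of problems."""
    problems = []
    root = ET.fromstring(xml_text)
    for entity in root.iter(MD + "EntityDescriptor"):  # iter() includes the root itself
        entity_id = entity.get("entityID", "")
        sp_host = urlparse(entity_id).hostname or entity_id
        # Assumption taken from the page: the ValidatingAlias Key is the Entity ID host.
        if sp_host not in validating_alias_keys:
            problems.append(f"no ValidatingAlias Key for SP host {sp_host!r}")
        for acs in entity.iter(MD + "AssertionConsumerService"):
            url = urlparse(acs.get("Location", ""))
            host = url.hostname or ""
            if url.scheme != "https":
                problems.append(f"ACS URL is not https: {url.geturl()}")
            if not any(in_domain(host, d) for d in trusted_domains):
                problems.append(f"ACS host {host!r} is outside the trusted domains")
    return problems


if __name__ == "__main__":
    issues = check_sp_metadata(SAMPLE_SP_METADATA, ["salesforce.com"],
                               ["saml.salesforce.com"])
    print("\n".join(issues) or "sp-metadata.xml matches the picketlink-idp.xml settings")
```

An empty result means every ACS endpoint in the metadata is an https URL inside a trusted domain and the Entity ID host has a ValidatingAlias entry.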

Testing the scenario

  1. Create some users in Salesforce and eXo Platform IDP for testing. User mapping uses the Federation ID, which means the username "john" in eXo Platform must be the same as the Federation ID "john" in Salesforce.

  2. Log out of Salesforce, then log in again using your domain (https://exodoc-dev-ed.my.salesforce.com/ for example).

    Now, you will see a link to the IDP Login page in the login screen, like "eXo Doc SSO" (the Name of your Salesforce SSO Setting above).

  3. Click the link. You will be redirected to the eXo Platform login screen.

  4. Log in as one of the testing users. You will get access to your Salesforce domain.

eXo Platform as SP and Salesforce as IDP


Remember to disable SSO if you enabled it as described in Configuring Salesforce as SAML2 SP.

Configuring Salesforce as SAML2 IDP

  1. Enable Identity Provider by clicking Setup > Security Controls > Identity Provider, then click Enable Identity Provider.

    Accept the default certificate by clicking Save. You can change it later if you need to.

  2. Create Connected Apps, as follows:

    • i. Click the link in the Service Providers section.

    • ii. Fill in all required information. In the Web App Settings section, check Enable SAML and complete the following information:

      • Entity ID: The SP login URL, like http://www.sp.com:8080/portal/dologin.

      • ACS URL: The URL of the Assertion Consumer Service. In this scenario, it is http://www.sp.com:8080/portal/dologin too.

      • Subject Type: Select Federation ID.

      • Name ID Format: Select urn:oasis:names:tc:SAML:2.0:nameid-format:transient.

      • Issuer: Use your domain like https://exodoc-dev-ed.my.salesforce.com.


    You can also create Connected Apps by selecting Build > Create > Apps.

  3. Make sure your connected application can be accessed by users who have the "Standard Platform User" profile, as follows:

    • i. Click Manage Apps > Connected Apps.

    • ii. Find your app and click to view it. In the Profiles section, you can manage Profiles that have access to your app. At this time, make sure you see the "Standard Platform User" because this is needed for testing later.

Configurations at eXo Platform

  1. Configure eXo Platform as described in eXo Platform as SAML2 SP. Notice some values below:


    The ValidatingAlias is "salesforce-idp", which you will import in the next step:

    <ValidatingAlias Key="${gatein.sso.idp.host}" Value="salesforce-idp"/>

  2. Download and import the Salesforce IDP certificate into your keystore. The Salesforce IDP certificate is downloaded from the Identity Provider page.

    The command to import looks like this:

    keytool -import -keystore secure-keystore.jks -file SelfSignedCert_27Nov2013_105525.cer -alias salesforce-idp

    Note that if you are using the default jbid_test_keystore.jks (for testing only), the store password is store123.
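The imported alias becomes the trust anchor for every assertion the SP accepts, so the downloaded file should be compared with a fingerprint obtained from the Salesforce Identity Provider page before `keytool -import` is confirmed; the same applies to the Salesforce certificate imported in the first scenario. The Python check below is an added example, not eXo or Salesforce code; the certificate bytes are constructed placeholders and the function names are assumptions.

```python
import base64
import hashlib
import re

PEM_RE = re.compile(rb"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)

# Constructed placeholder bytes standing in for a DER certificate (not a real cert).
SAMPLE_DER = bytes(range(48))
SAMPLE_PEM = (b"-----BEGIN CERTIFICATE-----\n"
              + base64.encodebytes(SAMPLE_DER)
              + b"-----END CERTIFICATE-----\n")


def cert_der(data):
    """Return the DER bytes of a certificate file that is either PEM or raw DER."""
    match = PEM_RE.search(data)
    if match:
        return base64.b64decode(b"".join(match.group(1).split()))
    return data


def sha256_fingerprint(data):
    """SHA-256 over the DER encoding, as colon-separated upper-case hex."""
    digest = hashlib.sha256(cert_der(data)).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def normalise(fingerprint):
    """Drop separators and case so 'ab:cd', 'AB CD' and 'abcd' compare equal."""
    return re.sub(r"[^0-9a-fA-F]", "", fingerprint).upper()


def safe_to_import(cert_bytes, expected_fingerprint):
    """True only if the file hashes to the fingerprint obtained out of band."""
    expected = normalise(expected_fingerprint)
    if len(expected) != 64:
        raise ValueError("expected a SHA-256 fingerprint (64 hex digits)")
    return normalise(sha256_fingerprint(cert_bytes)) == expected


if __name__ == "__main__":
    print(sha256_fingerprint(SAMPLE_PEM))
```

`keytool -printcert -file <certificate>` prints the same SHA-256 fingerprint, so either tool can be used for the comparison.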

Testing the scenario

Create some users in Salesforce and eXo Platform SP for testing. User mapping uses the Federation ID, which means the username "john" in eXo Platform must be the same as the Federation ID "john" in Salesforce. Also, make sure the Salesforce user has the "Standard Platform User" profile (to have access to the Connected App, as explained before).

Now, access eXo Platform. You will be redirected to the Salesforce login page. After getting authenticated with your Salesforce username (like john@example.com), you get access to eXo Platform.
