
Set up SAML SSO with Salesforce

This page applies to: MindTouch Responsive

This article reviews how MindTouch supports SAML SSO with Salesforce as an identity provider (IdP).

The following information is based on the Salesforce 14 release and is intended to supplement a Salesforce administrator's expertise. Future Salesforce releases may change the accuracy of this documentation.

Prerequisites


To ensure you are meeting Salesforce requirements, contact Salesforce to confirm your domain setup.


Limitation


At this time, Salesforce does NOT send public group membership information over SAML to the service provider (SP). Syncing Salesforce public groups with MindTouch groups is therefore NOT possible.

How to configure Salesforce as a SAML SSO IdP


Step 1: Set Salesforce up as an identity provider

  1. In Salesforce, navigate to Administration Setup > Security Controls > Identity Provider.

Screenshot of identity provider option in the Salesforce admin setup menu

  2. Under Identity Provider Setup, configure your example.salesforce.com domain as a SAML SSO identity provider (IdP) and create a new public X.509 certificate for establishing trust with the MindTouch service provider (SP).
  3. Click Download Metadata. (You will need the metadata later to configure MindTouch.)

Screenshot of the download metadata link in the Salesforce identity provider setup dialog

Step 2: Configure Salesforce as a MindTouch identity provider

  1. In MindTouch, navigate to Site tools > Control panel > Authentication > Single Sign-On > SAML.
  2. Check the Enable Single Sign-On with SAML checkbox.
  3. In the Upload Identity Provider Metadata section, upload the metadata file you previously downloaded from Salesforce.
  4. Click Save.

Step 3: Retrieve the MindTouch SP metadata

Once SAML SSO is enabled in MindTouch, download your MindTouch SP metadata from http://example.com/@app/saml/metadata (where example.com is the hostname of your MindTouch site). You will need this metadata later to add MindTouch to Salesforce as a Connected App.

Step 4: Generate your private key and X.509 public certificate

For the Salesforce IdP to verify signed requests from the MindTouch SP, and for the MindTouch SP to decrypt responses from the IdP, generate an SP private key and an X.509 public certificate. Keep the private key on the SP only; you will need the public certificate later to configure MindTouch and Salesforce.
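The following is an added example (not MindTouch or Salesforce code) showing one way to carry out Step 4: it shells out to the openssl command-line tool, which is assumed to be installed, produces an RSA-2048 private key and a self-signed X.509 certificate, and then checks that the certificate really carries the public key derived from that private key before you upload it anywhere. The file names, the common name and the 730-day validity are choices made for this example, not values MindTouch requires.

```python
"""Generate a SAML SP private key and self-signed X.509 certificate with openssl.

Added example, not MindTouch's own code. Assumes the `openssl` CLI is on PATH.
"""
import os
import subprocess
import tempfile


def _openssl(*args):
    """Run one openssl subcommand and return its stdout; raise if it fails."""
    return subprocess.run(
        ["openssl", *args], capture_output=True, check=True
    ).stdout


def cert_matches_key(cert_path, key_path):
    """True when the certificate's public key is the one derived from the private key."""
    from_cert = _openssl("x509", "-in", cert_path, "-pubkey", "-noout")
    from_key = _openssl("pkey", "-in", key_path, "-pubout")
    return from_cert.strip() == from_key.strip()


def cert_fingerprint(cert_path):
    """SHA-256 fingerprint of the certificate, e.g. 'AB:CD:...', to record in your notes."""
    out = _openssl("x509", "-in", cert_path, "-noout", "-fingerprint", "-sha256")
    # openssl prints "SHA256 Fingerprint=AB:CD:..." (case varies by version)
    return out.decode().strip().split("=", 1)[1]


def generate_sp_keypair(common_name, out_dir=None, days=730):
    """Create sp.key (private, stays on the SP) and sp.crt (public, uploaded to the IdP)."""
    out_dir = out_dir or tempfile.mkdtemp(prefix="saml-sp-")
    key_path = os.path.join(out_dir, "sp.key")
    cert_path = os.path.join(out_dir, "sp.crt")
    # RSA-2048 key and a SHA-256 self-signed certificate in one step;
    # -nodes leaves the key unencrypted so the SP software can load it unattended.
    _openssl(
        "req", "-x509", "-newkey", "rsa:2048", "-sha256", "-nodes",
        "-days", str(days), "-subj", f"/CN={common_name}",
        "-keyout", key_path, "-out", cert_path,
    )
    os.chmod(key_path, 0o600)  # private key is readable by its owner only
    return {
        "key_path": key_path,
        "cert_path": cert_path,
        "keys_match": cert_matches_key(cert_path, key_path),
        "fingerprint_sha256": cert_fingerprint(cert_path),
    }


if __name__ == "__main__":
    result = generate_sp_keypair("example.com")
    print(result)
```

Upload only `sp.crt` in Step 5; the fingerprint lets you confirm later that the certificate Salesforce shows is the one you generated.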

Step 5: Add MindTouch SAML SSO as a Salesforce app

  1. In Salesforce, under Service Providers, click the link to create MindTouch as a Connected App in Salesforce:

Screenshot of the connected apps link in the Salesforce identity provider setup dialog

  2. Configure the following fields:
  • Start URL. The homepage URL of your MindTouch site.
  • Enable SAML. Check to enable SAML.
  • Entity Id. The unique identifier of your MindTouch SP; copy it from the EntityDescriptor/@entityID attribute in the SP metadata.
  • ACS URL. The endpoint to which SAML assertions are sent by HTTP POST; copy it from EntityDescriptor/SPSSODescriptor/AssertionConsumerService/@Location in the SP metadata.
  • Subject Type. Select Persistent ID from the drop-down list to create a unique user ID by which the user is identified on both the IdP and the SP.
  • Name ID Format. Select urn:oasis:names:tc:SAML:2.0:nameid-format:persistent from the drop-down list.
  • Issuer. If the value is not already set, copy the issuer ID from EntityDescriptor/@entityID in the IdP metadata.
  • Verify Request Signatures. Check this box and upload your SP X.509 public certificate (generated in Step 4).
  • Encrypt SAML Response. Check this box and upload your SP X.509 public certificate (generated in Step 4).
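The following is an added example (not MindTouch or Salesforce code) that pulls the values Step 3 and Step 5 refer to out of SAML 2.0 metadata: the SP Entity Id and the HTTP-POST ACS URL from the SP metadata, and the Issuer from the IdP metadata. It also checks what the Connected App settings above assume, namely that the SP advertises the persistent NameID format and publishes signing and encryption keys, and that the ACS URL is HTTPS so assertions are not posted in the clear. Both metadata documents below are constructed for this example; the `/@app/saml/acs` path and the Salesforce endpoint are hypothetical, not values taken from either product.

```python
"""Extract Connected App settings from SAML 2.0 metadata (added example, not MindTouch code).

Assumes standard SAML 2.0 metadata. The two documents below are constructed
samples, not real MindTouch or Salesforce metadata.
"""
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
HTTP_REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"

# Constructed SP metadata in the shape an SP publishes at .../saml/metadata.
SP_METADATA = f"""<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="{NS['md']}" xmlns:ds="{NS['ds']}"
    entityID="https://example.com/@app/saml/metadata">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"
      AuthnRequestsSigned="true" WantAssertionsSigned="true">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>Q09OU1RSVUNURUQtQ0VSVC1QTEFDRUhPTERFUg==</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:KeyDescriptor use="encryption"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>Q09OU1RSVUNURUQtQ0VSVC1QTEFDRUhPTERFUg==</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:NameIDFormat>{PERSISTENT}</md:NameIDFormat>
    <md:AssertionConsumerService index="0" Binding="{HTTP_REDIRECT}"
        Location="https://example.com/@app/saml/redirect"/>
    <md:AssertionConsumerService index="1" isDefault="true" Binding="{HTTP_POST}"
        Location="https://example.com/@app/saml/acs"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""

# Constructed IdP metadata; the entityID is what Step 5 calls the Issuer.
IDP_METADATA = f"""<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="{NS['md']}" entityID="https://example.salesforce.com">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:SingleSignOnService Binding="{HTTP_POST}"
        Location="https://example.salesforce.com/idp/endpoint/HttpPost"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""


def sp_connected_app_fields(sp_metadata_xml):
    """Return the SP values Salesforce asks for, plus checks on the settings Step 5 assumes."""
    # Metadata comes from your own SP; for untrusted XML prefer defusedxml.
    root = ET.fromstring(sp_metadata_xml)
    if root.tag != f"{{{NS['md']}}}EntityDescriptor":
        raise ValueError("not a SAML EntityDescriptor")
    spsso = root.find("md:SPSSODescriptor", NS)
    if spsso is None:
        raise ValueError("metadata has no SPSSODescriptor")
    # Salesforce posts the SAML response, so pick the HTTP-POST ACS (the default one if marked).
    acs = [e for e in spsso.findall("md:AssertionConsumerService", NS)
           if e.get("Binding") == HTTP_POST]
    if not acs:
        raise ValueError("SP metadata has no HTTP-POST AssertionConsumerService")
    chosen = next((e for e in acs if e.get("isDefault") == "true"), acs[0])
    acs_url = chosen.get("Location")
    formats = [e.text.strip() for e in spsso.findall("md:NameIDFormat", NS) if e.text]
    # A KeyDescriptor with no 'use' attribute serves both signing and encryption.
    uses = {e.get("use", "both") for e in spsso.findall("md:KeyDescriptor", NS)}
    return {
        "entity_id": root.get("entityID"),
        "acs_url": acs_url,
        "acs_is_https": acs_url.lower().startswith("https://"),
        "persistent_name_id": PERSISTENT in formats,
        "has_signing_key": bool(uses & {"signing", "both"}),
        "has_encryption_key": bool(uses & {"encryption", "both"}),
    }


def idp_issuer(idp_metadata_xml):
    """Return the IdP entityID, which is the Issuer value for the Connected App."""
    root = ET.fromstring(idp_metadata_xml)
    if root.find("md:IDPSSODescriptor", NS) is None:
        raise ValueError("metadata has no IDPSSODescriptor")
    return root.get("entityID")


if __name__ == "__main__":
    print(sp_connected_app_fields(SP_METADATA))
    print("Issuer:", idp_issuer(IDP_METADATA))
```

If `has_encryption_key` comes back False, the Encrypt SAML Response setting cannot work because Salesforce has no SP certificate to encrypt to; if `acs_is_https` is False, fix the SP hostname before enabling SSO rather than accepting assertions over plain HTTP.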

Screenshot of web app settings dialog in Salesforce

Step 6: Allow access to the MindTouch SP

After saving your changes, perform the following steps to allow users to access MindTouch:

  1. Navigate to Administration Setup > Manage Users > Permission Sets.

Screenshot of the permission sets option in the Salesforce admin setup menu

  2. Assign your MindTouch app as a Connected App:

Screenshot of assigned connected apps in Salesforce

Additional help