Set up SAML SSO with Salesforce

Last updated
Save as PDF
Share
1. Share
2. Share
3. Tweet
4. Share

This page applies to:MindTouch (current)

This article reviews how MindTouch supports SAML SSO with Salesforce as an identity provider (IdP).

The following information is based on the Salesforce 14 release and is intended to supplement a Salesforce administrator's expertise. It is assumed that future Salesforce updates may change the accuracy of this documentation.

Prerequisites

Admin access to MindTouch
Admin access to Salesforce
Working knowledge of SAML SSO and SLO scenarios
Understand how enabling SAML SSO may affect your implementation or workflows
Determine if you can use Salesforce as an IdP
Understand SAML SSO features supported for Salesforce

To ensure you are meeting Salesforce requirements, contact Salesforce to confirm your domain setup.

Limitation

At this time, Salesforce does NOT send public group membership information over SAML to the service provider (SP). Therefore, syncing Salesforce public groups with MindTouch groups is NOT possible.

How to configure Salesforce as a SAML SSO IdP

Step 1: Set Salesforce up as an identity provider

In Salesforce, navigate to Administration Setup > Security Controls > Identity Provider.

Screenshot of identity provider option in the Salesforce admin setup menu

Under Identity Provider Setup, configure your example.salesforce.com domain as a SAML SSO identity provider (IdP) and create a new public X.509 certificate for establishing trust with the MindTouch service provider (SP).

Click Download Metadata. (You will need the metadata later to configure MindTouch).

Screenshot of the download metadata in the the salesforce identity provider setup dialog

Step 2: Configure Salesforce as a MindTouch identity provider

In MindTouch, navigate to Site tools > Control panel > Authentication > Single Sign-On > SAML.
Check the Enable Single Sign-On with SAML checkbox.
In the Upload Identity Provider Metadata section, upload the metadata file you previously downloaded in Salesforce.
Click Save.

Step 3: Retrieve the MindTouch SP metadata

Once SAML SSO is enabled in MindTouch, download your MindTouch SP metadata at http://example.com/@app/saml/metadata (whereby example.com is the hostname of your MindTouch site). You will need the metadata later to add MindTouch to Salesforce as a Connected App.

Step 4: Generate your private key and x.509 public certificate

For the Salesforce IdP to verify requests from the MindTouch SP, and for the MindTouch SP to decrypt responses from the IdP, generate an SP private key and x.509 public certificate. You will need the certificate information later to configure MindTouch and Salesforce.

Step 5: Add MindTouch SAML SSO as a Salesforce app

In Salesforce, under Service Providers, click the link to create MindTouch as a Connected App in Salesforce:

Screenshot of the connected apps link in the the salesforce identity provider setup dialog

Configure the following fields:

Start URL. The homepage URL of your MindTouch site.
Enable SAML. Check to enable SAML.
Entity Id. Find this unique identifier EntityDescriptor/@entityID for your MindTouch SP in the SP metadata.
ACS URL. Find the endpoint EntityDescriptor/SPSSODescriptor/AssertionConsumerService/@Location to which SAML assertions are sent as HTTP POST in the SP metadata.
Subject Type. Select Persistent ID from the drop-down list to create a unique user ID by which to identify the user on the IdP and SP.
Name ID Format. Select urn:oasis:names:tc:SAML:2.0:nameid-format:persistent from the drop-down list.
Issuer. If the value is not already set, find the issuer ID EntityDescriptor/@entityID in the IdP metadata.
Verify Request Signatures. Check this box and upload your SP x.509 public certificate (recorded in Step 4).
Encrypt SAML Response. Check this box and upload your SP x.509 public certificate (recorded in Step 4).

Screenshot of web app settings dialog in Salesforce

Important: Make sure the EntityID is "http://example.com/", including the trailing slash. Otherwise, you may get an error like "Unable to recognize Service Provider" or similar when logging in.

Step 6: Allow access to the MindTouch SP

After saving your changes, perform the following steps to allow users to access MindTouch:

Navigate to Administration Setup > Manage Users > Permission Sets.

Screenshot of the permission sets option in the Salesforce admin setup menu

Assign your MindTouch app as a Connected App:

Screenshot of assigned connected apps in Salesforce

Additional help

For detailed articles describing how to assign user permissions to Connected Apps, visit the Salesforce help center.
To update settings or retrieve configuration information refer to our article on managing MindTouch as a connected app in Salesforce.
If you need more information on setting up SAML SSO with Salesforce, contact MindTouch Support.

What's next?

Learn how to configure your custom display name.