Set up SAML SSO with Salesforce
This article reviews how MindTouch supports SAML SSO with Salesforce as an identity provider (IdP).
The following information is based on the Salesforce 14 release and is intended to supplement a Salesforce administrator's expertise. It is assumed that future Salesforce updates may change the accuracy of this documentation.
Prerequisites
- Admin access to MindTouch
- Admin access to Salesforce
- Working knowledge of SAML SSO and SLO scenarios
- Understand how enabling SAML SSO may affect your implementation or workflows
- Determine if you can use Salesforce as an IdP
- Understand SAML SSO features supported for Salesforce
To ensure you are meeting Salesforce requirements, contact Salesforce to confirm your domain setup.
Limitation
At this time, Salesforce does NOT send public group membership information over SAML to the service provider (SP). Therefore, syncing Salesforce public groups with MindTouch groups is NOT possible.
How to configure Salesforce as a SAML SSO IdP
Step 1: Set Salesforce up as an identity provider
- In Salesforce, navigate to Administration Setup > Security Controls > Identity Provider.
- Under Identity Provider Setup, configure your example.salesforce.com domain as a SAML SSO identity provider (IdP) and create a new public X.509 certificate for establishing trust with the MindTouch service provider (SP).
- Click Download Metadata. (You will need the metadata later to configure MindTouch).
Step 2: Configure Salesforce as a MindTouch identity provider
- In MindTouch, navigate to Site tools > Control panel > Authentication > Single Sign-On > SAML.
- Check the Enable Single Sign-On with SAML checkbox.
- In the Upload Identity Provider Metadata section, upload the metadata file you previously downloaded in Salesforce.
- Click Save.
Step 3: Retrieve the MindTouch SP metadata
Once SAML SSO is enabled in MindTouch, download your MindTouch SP metadata at http://example.com/@app/saml/metadata (whereby example.com is the hostname of your MindTouch site). You will need the metadata later to add MindTouch to Salesforce as a Connected App.
Step 4: Generate your private key and x.509 public certificate
For the Salesforce IdP to verify requests from the MindTouch SP, and for the MindTouch SP to decrypt responses from the IdP, generate an SP private key and x.509 public certificate. You will need the certificate information later to configure MindTouch and Salesforce.
Step 5: Add MindTouch SAML SSO as a Salesforce app
- In Salesforce, under Service Providers, click the link to create MindTouch as a Connected App in Salesforce:
- Configure the following fields:
- Start URL. The homepage URL of your MindTouch site.
- Enable SAML. Check to enable SAML.
- Entity Id. Find this unique identifier
EntityDescriptor/@entityID
for your MindTouch SP in the SP metadata. - ACS URL. Find the endpoint
EntityDescriptor/SPSSODescriptor/AssertionConsumerService/@Location
to which SAML assertions are sent as HTTP POST in the SP metadata. - Subject Type. Select Persistent ID from the drop-down list to create a unique user ID by which to identify the user on the IdP and SP.
- Name ID Format. Select urn:oasis:names:tc:SAML:2.0:nameid-format:persistent from the drop-down list.
- Issuer. If the value is not already set, find the issuer ID
EntityDescriptor/@entityID
in the IdP metadata. - Verify Request Signatures. Check this box and upload your SP x.509 public certificate (recorded in Step 4).
- Encrypt SAML Response. Check this box and upload your SP x.509 public certificate (recorded in Step 4).
Important: Make sure the EntityID is "http://example.com/", including the trailing slash. Otherwise, you may get an error like "Unable to recognize Service Provider" or similar when logging in.
Step 6: Allow access to the MindTouch SP
After saving your changes, perform the following steps to allow users to access MindTouch:
- Navigate to Administration Setup > Manage Users > Permission Sets.
- Assign your MindTouch app as a Connected App:
Additional help
- For detailed articles describing how to assign user permissions to Connected Apps, visit the Salesforce help center.
- To update settings or retrieve configuration information refer to our article on managing MindTouch as a connected app in Salesforce.
- If you need more information on setting up SAML SSO with Salesforce, contact MindTouch Support.