Single Sign-On (SSO) for Apps Using Salesforce as IDP


Configure Salesforce as an Identity Provider (IdP) so that users can Single Sign-On (SSO) into multiple applications (SPs) with their Salesforce login credentials. miniOrange acts as an Identity Broker that forms a trusted connection between the IdP and multiple SPs by enabling cross-protocol authentication. This gives users easy and secure login access with only one set of login credentials.


Get Free Installation Help


miniOrange offers free help through a consultation call with our System Engineers to configure SSO for different apps using Salesforce as IDP in your environment, with a 30-day free trial.

To book a slot, just send us an email at idpsupport@xecurify.com and we'll help you in no time.



Prerequisites


Follow the Step-by-Step Guide given below to Configure Salesforce as an Identity Provider (IDP)

The steps below configure Salesforce as IDP via SAML or OAuth. Follow the steps that match your requirement (SAML or OAuth).


1. Retrieve Configuration Details from miniOrange



For SAML:

  • Go to the miniOrange Admin console and navigate to Identity Providers in the left navigation menu. Then click on the Add Identity Provider button.
  • In Choose Identity Provider, select SAML from the dropdown.
  • Search for Salesforce in the list. If you don’t find it, search for SAML Provider and set up your application there.
  • Now click on the Click here link to get the miniOrange metadata.
  • In the For SP initiated SSO section, select Show Metadata Details.
  • Copy the Entity ID or Issuer and ACS URL (For SP-Initiated SSO) values and keep them handy. They will be required to configure the application on the Salesforce side.

For OAuth:

  • Go to the miniOrange Admin Console.
  • From the left navigation bar select Identity Providers >> click Add Identity Provider.
  • In Choose Identity Provider, select OAuth/OpenID from the dropdown.
  • Search for Salesforce in the list. If you don’t find it, search for OAuth Provider and set up your application there.
  • Keep the OAuth Callback URL, which we will use to configure Salesforce as the OAuth Server/Provider.


2. Configure Salesforce as an Identity Provider



For SAML:

  • Log in to the Salesforce Portal to access the dashboard.
  • Click the gear icon in the top-right corner and select Open Advanced Setup.
  • From the left panel, select the Settings tab and navigate to Identity >> Identity Provider.
  • Click on the Enable Identity Provider button. After enabling the Identity Provider, you should be able to see the Salesforce metadata endpoints and certificate details.
  • In the Service Provider section, click on the link to create the Service Provider using Connected Apps.
  • Enter Connected App Name, API Name and Contact Email.
  • Under Web App Settings, check the Enable SAML checkbox.
  • For Basic SAML configuration, paste the ACS URL and SP Entity ID copied from miniOrange in the previous step and click on Save.
  • Click on Manage.
  • After completing the connected app setup you will be redirected to your connected app.
  • Under the Profiles section, click on the Manage Profiles button and select the profiles you want to give access to log in through this app.
    Note: If you want to test the connection using an administrator account, you need to check System Administrator.
  • Under SAML Login Information, click on the Download Metadata button to download the IDP metadata.

For OAuth:

  • Log in to your Salesforce portal in a new tab to access the dashboard.
  • Click the gear icon in the top-right corner and select Open Advanced Setup.
  • Search for apps in the search bar at the top-left corner and navigate to App Manager >> New Connected App button at the top-right corner.
  • Select Create a Connected App and click on Continue.
  • You will be taken to the application settings page. Enter the required details such as Connected App Name, API Name and Contact Email.
  • Check Enable OAuth Settings under the API (Enable OAuth Settings) section and you will be shown more options to configure.
  • Paste the Callback URL copied in the previous step, select the Scopes as required, uncheck Required Proof Key for Code Exchange and save the settings.
  • Scroll down and click Save.
  • You will be taken to the Application Management page. Under the API section, click on Manage Consumer Details.
  • Here, you will find the Consumer Key (Client ID) and Consumer Secret (Client Secret). Copy both values.


3. Configure miniOrange as the Service Provider



Now we'll complete the miniOrange IDP configuration using the Salesforce metadata obtained from Step 2.

For SAML:

  • Return to the miniOrange Admin Console (you should have kept it open from Step 1).
  • Click on Import IDP metadata.
  • Choose an appropriate IDP name. Browse for the file downloaded in the previous step and click on Import.
  • Select the appropriate option from the SSO Binding dropdown according to the URL you are configuring. (The default value is HTTP-POST.)
  • Click on Save and you will be redirected back to the Identity Providers page.

For OAuth:

  • Return to the miniOrange Admin Console (you should have kept it open from Step 1).
  • Enter the following values:
    Display Name: Choose appropriate Name
    Client ID: Consumer key from step 2
    Client Secret: Consumer secret from step 2
    Scopes: email profile openid
  • Click on Save.
  • You will be redirected back to the Identity Providers page.

4. Test Salesforce IDP Connection

    Wait for 10 minutes before testing the connection. Changes can take up to 10 minutes to take effect.

  • Go to the Identity Providers tab.
  • Search for your app, click the three dots in the Actions menu, and select Test Connection against the Identity Provider (IDP) you configured.
  • On entering valid Salesforce credentials you will see a pop-up window confirming that the test connection was successful.
  • Your configuration of Salesforce as IDP in miniOrange is now complete.
