Chapter 19. Using JBoss Portal SSO with Salesforce and Google Apps

19.1. JBoss Portal as the Identity Provider (IDP) and Salesforce as the Service Provider (SP)
19.1.1. IDP (JBoss Portal) and SP (Salesforce) Prerequisites
19.1.2. Obtain a Salesforce developerforce Account
19.1.3. Creating a Salesforce Domain
19.1.4. Configure SAML SSO SP Settings
19.1.5. Import Message Signing Certificate into Salesforce
19.1.6. Create Salesforce and Portal Users
19.1.7. Obtain the Salesforce Client Certificate
19.1.8. Configure JBoss Portal as the IDP
19.1.9. Test the IDP (JBoss Portal) and SP (Salesforce) Configuration
19.2. JBoss Portal as the Identity Provider (IDP) and Google Apps as the Service Provider (SP)
19.2.1. IDP (JBoss Portal) and SP (Google Apps) Prerequisites
19.2.2. Create A Google Apps for Business Account
19.2.3. Create Default Google Apps for Business Users
19.2.4. Configuring Google Apps as the SP
19.2.5. Configuring JBoss Portal as the IDP
19.2.6. Testing the IDP (JBoss Portal) and SP (Google Apps) Configuration
19.3. Salesforce as the Identity Provider (IDP) and JBoss Portal as the Service Provider (SP)
19.3.1. IDP (Salesforce) and SP (JBoss Portal) Prerequisites
19.3.2. Obtain a Salesforce developerforce Account
19.3.3. Creating a Salesforce Domain
19.3.4. Disable SP Single Sign-on in Salesforce
19.3.5. Create and Apply a Salesforce IDP Message Signing Certificate
19.3.6. Create Salesforce and Portal Users
19.3.7. Configuring Salesforce as the IDP
19.3.8. Configuring JBoss Portal as the SP
19.3.9. Testing the IDP (Salesforce) and SP (JBoss Portal) Configuration
The JBoss Portal SSO component supports SAML2-based SSO integration with Salesforce (http://www.salesforce.com) and Google Apps (http://www.google.com/enterprise/apps/business/).
Three scenarios are described in this chapter, with links to sections detailing the configuration changes required to implement the scenarios.
Scenario One
Using JBoss Portal as the SAML Identity Provider (IDP) and Salesforce as the SAML Service Provider (SP).
Scenario Two
Using JBoss Portal as the IDP and Google Apps as the SP.
Scenario Three
Using Salesforce as the IDP and JBoss Portal as the SP.
A video showing the integration between Salesforce and Google Apps is available at http://vimeo.com/45895919. It is based on a community release of the GateIn Portal, so the configuration shown in the video may differ slightly from the enterprise configuration described in this chapter.

19.1. JBoss Portal as the Identity Provider (IDP) and Salesforce as the Service Provider (SP)

19.1.1. IDP (JBoss Portal) and SP (Salesforce) Prerequisites

This configuration uses JBoss Portal as the Identity Provider (IDP) and Salesforce as the Service Provider (SP). Ensure all prerequisites are completed before proceeding further with subsequent configuration.
To use Salesforce as a Service Provider (SP), Security Assertion Markup Language (SAML) Single Sign-on (SSO) must be configured within a Salesforce domain. An overview of how Federated Authentication operates is available at http://wiki.developerforce.com/page/Single_Sign-On_with_SAML_on_Force.com. Reading it first makes the Salesforce configuration steps in the related tasks easier to follow.

Prerequisites

19.1.2. Obtain a Salesforce developerforce Account

Task: Create a new Salesforce developerforce Account

Create a developerforce account, which is required to provision a Salesforce domain for use as an SP or IDP.
  1. Click Join Now to open the Sign up form.
  2. Complete the fields, and choose a user name to access the Developer Edition Account with.
  3. Click Sign me up to submit the registration details.
  4. Complete registration by clicking the confirmation link in the email sent to your specified email account.

19.1.3. Creating a Salesforce Domain

Task: Create a Salesforce Domain

Create a Salesforce domain, which is required for the SP-initiated SAML login workflow: a user accesses the Salesforce domain, and Salesforce forwards a SAML request to JBoss Portal for authentication.
  1. Log onto http://developer.force.com.
  2. Click the user name in the top right corner of the page.
  3. Click Setup > Company Profile > My Domain.
  4. Specify the name of the Salesforce domain, following the suggested format in the My Domain screen.
  5. Save the details to complete domain registration.

19.1.4. Configure SAML SSO SP Settings

Task: Configure Salesforce SAML SSO Settings

Configure the required values for SAML SSO in the Single Sign-on Settings page.
  1. Log onto http://developer.force.com.
  2. Click the user name in the top right corner of the page.
  3. Click Setup > Security Controls > Single Sign-On Settings.
  4. Configure the following fields and settings:
    SAML Enabled
    Ensure the check box is marked.
    SAML Version
    Specify 2.0 as the value.
    Issuer
    Specify the issuer as http://www.idp.com:8080/portal/dologin, which is used as the Identity Provider for the Salesforce domain.
    Identity Provider Login URL
    Specify http://www.idp.com:8080/portal/dologin, which is the URL to which Salesforce sends SAML requests for authentication.
    Identity Provider Logout URL
    Set this value to http://www.idp.com:8080/portal/dologin. If you have a custom page that users are directed to when they log out, this field can contain the URL of the page.
    SAML User ID Type
    Set this value to User ID contains the Federation ID from the User object.
    SAML User ID Location
    Set this value to User ID is the NameIdentifier element of the Subject statement.
    Entity ID
    Set this value to https://saml.salesforce.com.
    Service Provider Initiated Request Binding
    Set this value to HTTP POST.

19.1.5. Import Message Signing Certificate into Salesforce

Task: Import the JBoss Portal Message Signing Certificate into Salesforce

Import the message signing certificate from the JBoss Portal IDP server to the Salesforce server, which enables Salesforce to verify SAML responses sent from the JBoss Portal IDP.
  1. Use the secure-keystore.jks SAML message signing keystore in the JPP_IDP_HOME/gatein/gatein.ear/portal.war/WEB-INF/classes/sso/saml directory to export a certificate.
    1. In that directory, run keytool -export -file portal-idp.crt -keystore secure-keystore.jks -alias secure-key.
    2. When prompted, provide the keystore password keystorepass.
      This password is the default suggested password created as part of the Section 18.4, “Implementing Keystores” process. If you chose a different password, provide that password at the prompt.
    The command generates a certificate file named portal-idp.crt.
  2. Import the portal-idp.crt file into Salesforce.
    On http://developer.force.com, click the user menu, and then click Setup > Security Controls > Single Sign-On Settings > Identity Provider Certificate.
    Import the portal-idp.crt certificate into Salesforce, and set the alias to secure-key.

19.1.6. Create Salesforce and Portal Users

Create identical Salesforce and Portal Users

In order to test the SAML SSO configuration, users must be provisioned in both JBoss Portal and Salesforce that meet requirements for Federated ID matching.
  1. Create the following users in JBoss Portal, following the instructions in the Register New Accounts chapter in the User Guide.
    • Mary Citizen
      User name of Mary.
    • John Citizen
      User name of John.
  2. Create the following users in Salesforce, following the instructions in the Salesforce Wiki Documentation located at http://login.salesforce.com/help/doc/en/adding_new_users.htm.

    Important

    The Federation ID of users in Salesforce must be identical to the user name in JBoss Portal.

19.1.7. Obtain the Salesforce Client Certificate

Task: Download the Salesforce Client Certificate

Download the Salesforce client certificate. Salesforce signs the SAML requests it sends as an SP with the private key belonging to this certificate (proxy-salesforce-com.123); the JBoss Portal IDP needs the public certificate to verify that requests arriving from Salesforce are genuine.
  1. Download the certificate chain archive from the link in the What do I do next? section of the wiki page referenced in Section 19.1.1, “IDP (JBoss Portal) and SP (Salesforce) Prerequisites”.
  2. Extract the archive to a working directory to gain access to the proxy-salesforce-com.123 file.

19.1.8. Configure JBoss Portal as the IDP

Task: Configuring JBoss Portal as the Identity Provider for Salesforce

Set up JBoss Portal to act as the IDP for Salesforce.
  1. From the user menu, click Setup > Security Controls > Single Sign-on Settings > Download Metadata to download the Service Provider metadata from Salesforce.
  2. Download the Salesforce metadata file to JPP_IDP_HOME/gatein/gatein.ear/portal.war/WEB-INF/sp-metadata.xml.
  3. In the directory where the proxy-salesforce-com.123 certificate is saved, run the keytool -import -keystore secure-keystore.jks -file proxy-salesforce-com.123 -alias salesforce-cert command to import the Salesforce client certificate into the portal keystore.
  4. Open JPP_IDP_HOME/gatein/gatein.ear/portal.war/WEB-INF/conf/sso/saml/picketlink-idp.xml and add the following ValidatingAlias directive.
    <ValidatingAlias Key="saml.salesforce.com" Value="salesforce-cert" />
  5. In the picketlink-idp.xml file, declare the Metadata Provider directive immediately after the </KeyProvider> directive.
    <!-- Preceding content removed for readability -->
             </KeyProvider>
     
             <MetaDataProvider ClassName="org.picketlink.identity.federation.core.saml.md.providers.FileBasedEntitiesMetadataProvider">
               <Option Key="FileName" Value="/WEB-INF/sp-metadata.xml"/>
             </MetaDataProvider>
    
  6. Open JPP_IDP_HOME/gatein/gatein.ear/portal.war/WEB-INF/sp-metadata.xml, wrap the downloaded Salesforce entity descriptor in an entities descriptor block, and add a single logout service endpoint inside its SPSSODescriptor (the SAML metadata schema places SingleLogoutService inside the SPSSODescriptor element).
    
    <md:EntitiesDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
      xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
      xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata">
      <md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" entityID="https://saml.salesforce.com">
        <!-- SPSSODescriptor element and attributes exactly as downloaded from Salesforce -->
        <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
          <!-- Existing content of the downloaded SPSSODescriptor retained here -->
          <!-- Comment #1 -->
          <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
            Location="[Salesforce.com Single Logout URL]"
            index="0" isDefault="true"/>
        </md:SPSSODescriptor>
      </md:EntityDescriptor>
      <!-- Comment #2 -->
    </md:EntitiesDescriptor>
    Comment #1
    The Location URL is unique to every Salesforce domain. Obtain the URL specific to the configured domain from the Salesforce.com Single Logout URL field on the Salesforce Federated ID page, and replace the placeholder with it.
    Comment #2
    Other entity descriptors may also be present in this block. Examples of entity descriptors that belong in this block include the Google Apps entity descriptor, which is configured in another scenario.
  7. Declare the trusted domains sp.com, idp.com and salesforce.com in JPP_IDP_HOME/standalone/configuration/gatein/configuration.properties.
    gatein.sso.sp.domains=sp.com,idp.com,salesforce.com
    

19.1.9. Test the IDP (JBoss Portal) and SP (Salesforce) Configuration

Task: Testing the IDP and SP Configuration

Test the configuration using JBoss Portal as the SAML Identity Provider and Salesforce as the SAML Service Provider.

Note

In the Salesforce SSO menu, a basic tool is available that tracks the last SAML response sent to the Salesforce Service Provider. This tool can prove useful when analyzing the response and attempting to determine the root cause of an error.
  1. Visit the Salesforce domain. For example, https://yourdomain.my.salesforce.com.
  2. Once redirected to the JBoss Portal login screen (for example, http://www.idp.com:8080/portal/dologin), enter the user credentials for a user with a Salesforce Federated ID.
  3. Once redirected back to Salesforce, verify that the user is authenticated as their Salesforce Federated ID.

Note

SAML2 single logout initiated by Salesforce is not supported. When you click Sign out in Salesforce, Salesforce does not send a SAML2 LogoutRequest to the IDP, so you remain logged on to the JBoss Portal IDP. Salesforce only handles SAML2 LogoutRequests sent by the IDP. If your deployment has one JBoss Portal instance as an SP, Salesforce as a second SP, and another JBoss Portal instance as the IDP, and you trigger logout from JBoss Portal, the IDP sends a LogoutRequest to each SP and you are logged out of all three applications (Salesforce does not initiate the single logout here, but it does handle the LogoutRequest sent from the IDP).
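To analyze a SAMLRequest or SAMLResponse parameter yourself (for example, one captured from the browser's network log, or the last response shown by the Salesforce tool mentioned in the note above), the following added Python script decodes either SAML binding and compares the message with the values configured in the tasks of this scenario. It is example code written for this chapter, not part of JBoss Portal or PicketLink; the sample messages and the Salesforce ACS URL in them are constructed for the example. The same script can be used for the Google Apps and Salesforce-as-IDP scenarios by changing the expected issuer and destination.

```python
"""Decode a SAMLRequest or SAMLResponse parameter and report the fields that
most often explain a failed SSO round-trip.
Added example; not part of the JBoss Portal or PicketLink code base."""
import base64
import zlib
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"


def decode_saml_parameter(value, redirect_binding=False):
    """HTTP-POST binding carries base64(XML); HTTP-Redirect binding carries
    base64(raw DEFLATE(XML)) with no zlib header, hence wbits=-15."""
    raw = base64.b64decode(value)
    if redirect_binding:
        raw = zlib.decompress(raw, -15)
    return raw


def inspect_saml_message(xml_bytes):
    """Extract issuer, destination, ACS URL, signature presence and status."""
    root = ET.fromstring(xml_bytes)
    issuer = root.find("saml:Issuer", NS)
    status = root.find("samlp:Status/samlp:StatusCode", NS)
    return {
        "type": root.tag.split("}", 1)[1],  # AuthnRequest, Response, LogoutRequest, ...
        "id": root.get("ID"),
        "issuer": issuer.text.strip() if issuer is not None and issuer.text else None,
        "destination": root.get("Destination"),
        "acs_url": root.get("AssertionConsumerServiceURL"),
        "signed": root.find("ds:Signature", NS) is not None,
        "status": status.get("Value") if status is not None else None,
    }


def check_message(info, expected_issuer, expected_destination, require_signature):
    """Compare a decoded message with the values configured on the other side.
    Returns a list of problems; an empty list means the message is consistent."""
    problems = []
    if info["issuer"] != expected_issuer:
        problems.append(f"issuer {info['issuer']!r} does not match configured {expected_issuer!r}")
    if info["destination"] != expected_destination:
        problems.append(f"destination {info['destination']!r} does not match {expected_destination!r}")
    if require_signature and not info["signed"]:
        problems.append(f"{info['type']} carries no ds:Signature but one is required")
    if info["type"] == "Response" and info["status"] != SUCCESS:
        problems.append(f"response status is {info['status']}")
    return problems


# Constructed sample messages (not captured from a real deployment). The
# Salesforce-side ACS URL is a placeholder for this example.
SAMPLE_AUTHN_REQUEST = b"""<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed-request-1" Version="2.0" IssueInstant="2013-01-01T00:00:00Z"
    Destination="http://www.idp.com:8080/portal/dologin"
    AssertionConsumerServiceURL="https://example.my.salesforce.com"
    ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST">
  <saml:Issuer>https://saml.salesforce.com</saml:Issuer>
</samlp:AuthnRequest>"""

SAMPLE_FAILED_RESPONSE = b"""<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed-response-1" Version="2.0" IssueInstant="2013-01-01T00:00:01Z"
    Destination="https://example.my.salesforce.com">
  <saml:Issuer>http://www.idp.com:8080/portal/dologin</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Responder"/></samlp:Status>
</samlp:Response>"""

# The same request as it appears in the SAMLRequest parameter of each binding.
SAMPLE_POST_PARAM = base64.b64encode(SAMPLE_AUTHN_REQUEST).decode("ascii")
_deflater = zlib.compressobj(9, zlib.DEFLATED, -15)
SAMPLE_REDIRECT_PARAM = base64.b64encode(
    _deflater.compress(SAMPLE_AUTHN_REQUEST) + _deflater.flush()).decode("ascii")


if __name__ == "__main__":
    for label, param, redirect in (("POST", SAMPLE_POST_PARAM, False),
                                   ("Redirect", SAMPLE_REDIRECT_PARAM, True)):
        info = inspect_saml_message(decode_saml_parameter(param, redirect))
        print(label, info)
        print("  problems:", check_message(info, "https://saml.salesforce.com",
                                           "http://www.idp.com:8080/portal/dologin", True))
```

Pass require_signature=True when checking requests from Salesforce, which signs them, and False for Google Apps requests, which are unsigned; an issuer or destination mismatch usually means the Issuer or Identity Provider Login URL fields in the SP configuration do not match what the portal expects.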

19.2. JBoss Portal as the Identity Provider (IDP) and Google Apps as the Service Provider (SP)

19.2.1. IDP (JBoss Portal) and SP (Google Apps) Prerequisites

This scenario uses JBoss Portal as the Identity Provider (IDP) and Google Apps as the Service Provider (SP).

Prerequisites

19.2.2. Create A Google Apps for Business Account

Creating a Google Apps for Business Account

Create a Google Apps for Business account for the purposes of testing SSO. The created account is initially provided as a full-featured trial for 30 days, after which time it can be converted to a paid account.
  1. Click Get Started.
  2. Complete the fields on the About you form as suggested by the field help.
  3. On the Your Business Domain Address screen, make a selection based on your requirements.
    Use your own domain
    Choose this option if you intend to configure Google Apps for Business for production use.
    mygbiz.com Domain (recommended for this example process)
    Choose this option if you are experimenting with SSO, and do not want to affect your primary business domain. You can upgrade the account to use a domain you own any time after testing out the functionality.
  4. If you choose the recommended free domain option, provide a unique name for the domain in the field, and click Next.
  5. On the Create your Google apps account form, provide the information requested.
  6. Click Accept and signup.
  7. Verify you can access your account by authenticating using the credentials you created as part of this procedure.
    If successful, the Google Admin Console will display.

19.2.3. Create Default Google Apps for Business Users

Create Identical Google Apps for Business and Portal Users

In order to test the SAML SSO configuration, users must be provisioned in both JBoss Portal and Google Apps for Business that meet requirements for Federated ID matching.
  1. Create the following users in JBoss Portal, following the instructions in the Register New Accounts chapter in the User Guide.
    • Mary Citizen
      User name: mary
    • John Citizen
      User name: john
  2. From the Google Admin Console, click Users.
  3. Click Add more users, and select Add a user manually.
  4. Create the following users in Google Apps for Business.

    Important

    The user names set for users in Google Apps must be identical to those in JBoss Portal because the portal user name is connected with the Google Apps user name.

19.2.4. Configuring Google Apps as the SP

Task: Configuring Google Apps for Business as the Service Provider.

Configure Google Apps for Business to act as the Service Provider by changing the security settings of the test domain.
  1. Open https://admin.google.com and sign-in if necessary.
  2. If the Security icon is not visible, click More Controls and drag the Security icon onto the Admin console main screen.
  3. Click Security > Advanced Settings > Set up single sign-on (SSO).
  4. In the Set up single sign-on (SSO) form, configure the following fields and settings:
    Enable Single Sign-on
    Select the tick box.
    Sign-in page URL
    Specify the sign-in page as http://www.idp.com:8080/portal/dologin.
    Sign-out page URL
    Specify the sign-out page as http://www.idp.com:8080/portal/dologin.
    Change password URL
    Specify the change password page as http://www.idp.com:8080/portal/dologin.
    Verification certificate
    Export the message signing certificate from the JBoss Portal keystore into a file (for example, portal-idp.crt), and upload that file in the form.
    Exporting certificates from the JBoss Portal keystore is described in Section 19.1.5, “Import Message Signing Certificate into Salesforce”.
    Use a domain specific issuer
    Select the tick box.
  5. Verify all settings are correct, and click Save changes.

19.2.5. Configuring JBoss Portal as the IDP

Task: Configuring JBoss Portal as the Identity Provider for Google Apps

Set up JBoss Portal to act as the IDP for Google Apps for Business.
  1. In the JPP_IDP_HOME/gatein/gatein.ear/portal.war/WEB-INF/conf/sso/saml/picketlink-idp.xml file, declare the Metadata Provider directive immediately after the </KeyProvider> directive.
    <!-- Preceding content removed for readability -->
             </KeyProvider>
     
             <MetaDataProvider ClassName="org.picketlink.identity.federation.core.saml.md.providers.FileBasedEntitiesMetadataProvider">
               <Option Key="FileName" Value="/WEB-INF/sp-metadata.xml"/>
             </MetaDataProvider>
    
  2. Open JPP_IDP_HOME/gatein/gatein.ear/portal.war/WEB-INF/sp-metadata.xml and specify that SAML requests from the Google Apps for Business SP will not be signed.
    
    <md:EntitiesDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
     xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
     xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata">
      <!-- Comment#1 -->
       <md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" entityID="google.com/a/[domain.mygbiz.com]" validUntil="2022-06-13T21:46:02.496Z">
      <!-- Comment#2 -->
          <md:SPSSODescriptor AuthnRequestsSigned="false" WantAssertionsSigned="true" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol" />
       </md:EntityDescriptor>
    </md:EntitiesDescriptor>
    
    Comment #1
    Replace [domain.mygbiz.com] in entityID="google.com/a/[domain.mygbiz.com]" with the domain name chosen in Section 19.2.2, “Create A Google Apps for Business Account”.
    Comment #2
    Setting AuthnRequestsSigned="false" tells the IDP not to validate signatures on SAML requests from this entity. This is necessary because Google Apps for Business does not sign its SAML requests. As a consequence the IDP cannot verify that a request really originated from Google, so keep the list of trusted domains declared in the next step as short as possible.
  3. Declare the trusted domains sp.com, idp.com and google.com in JPP_IDP_HOME/standalone/configuration/gatein/configuration.properties. If other domains are declared for this parameter, append the trusted domains to the line.
    gatein.sso.sp.domains=sp.com,idp.com,google.com
    
  4. In the JPP_IDP_HOME/gatein/gatein.ear/portal.war/WEB-INF/conf/sso/saml/picketlink-idp.xml file, declare a fallback ValidatingAlias directive keyed on 127.0.0.1.
    <ValidatingAlias Key="127.0.0.1" Value="secure-key"/>
    

    Note

    Even though Google SAML requests are not signed, PicketLink still looks up a validating key for every SAMLRequest. When no key is found for the requesting domain (in this case google.com), PicketLink falls back to the key with the alias 127.0.0.1.
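Both this task and step 6 of Section 19.1.8, “Configure JBoss Portal as the IDP” hand-edit sp-metadata.xml, and a placeholder left in place, an expired validUntil, or an entity descriptor missing its SPSSODescriptor is otherwise only discovered after the portal restarts. The following added Python check parses the file and reports those problems before the restart. It is example code written for this chapter, not part of JBoss Portal or PicketLink; the embedded metadata sample is constructed, and the Salesforce AssertionConsumerService Location in it is a placeholder.

```python
"""Sanity-check a hand-edited PicketLink sp-metadata.xml before restarting the portal.
Added example; not part of the JBoss Portal or PicketLink code base."""
import datetime as dt
import re
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
NS = {"md": MD}
# Placeholders this chapter uses, for example "[domain.mygbiz.com]", left unreplaced.
PLACEHOLDER = re.compile(r"\[[^\]]*\]")


def _parse_utc(value):
    """Parse a SAML dateTime such as 2022-06-13T21:46:02.496Z; None if unparseable."""
    for fmt in ("%Y-%m-%dT%H:%M:%S.%fZ", "%Y-%m-%dT%H:%M:%SZ"):
        try:
            return dt.datetime.strptime(value, fmt).replace(tzinfo=dt.timezone.utc)
        except ValueError:
            pass
    return None


def check_sp_metadata(xml_text, now=None):
    """Return {entityID: {authn_requests_signed, endpoints, problems}} for every
    EntityDescriptor in the file. `now` may be a datetime, a SAML dateTime
    string, or None for the current time."""
    if isinstance(now, str):
        now = _parse_utc(now)
    now = now or dt.datetime.now(dt.timezone.utc)
    root = ET.fromstring(xml_text)
    if root.tag == f"{{{MD}}}EntitiesDescriptor":
        descriptors = root.findall("md:EntityDescriptor", NS)
    elif root.tag == f"{{{MD}}}EntityDescriptor":
        descriptors = [root]
    else:
        raise ValueError(f"unexpected root element {root.tag}")

    report = {}
    for ed in descriptors:
        entity_id = ed.get("entityID")
        problems = []
        if not entity_id:
            problems.append("EntityDescriptor without entityID")
        elif PLACEHOLDER.search(entity_id):
            problems.append(f"entityID still contains a placeholder: {entity_id}")

        valid_until = ed.get("validUntil")
        if valid_until:
            expiry = _parse_utc(valid_until)
            if expiry is None:
                problems.append(f"unparseable validUntil {valid_until!r}")
            elif expiry <= now:
                problems.append(f"metadata expired on {valid_until}")

        endpoints = {"AssertionConsumerService": [], "SingleLogoutService": []}
        spsso = ed.find("md:SPSSODescriptor", NS)
        if spsso is None:
            problems.append("no SPSSODescriptor: the portal cannot treat this entity as an SP")
        else:
            for tag in endpoints:
                for ep in spsso.findall(f"md:{tag}", NS):
                    loc = ep.get("Location", "")
                    endpoints[tag].append(loc)
                    if PLACEHOLDER.search(loc):
                        problems.append(f"{tag} Location still contains a placeholder: {loc}")
                    elif not loc.startswith("https://"):
                        problems.append(f"{tag} Location is not https: {loc}")

        report[entity_id] = {
            "authn_requests_signed": spsso is not None
            and spsso.get("AuthnRequestsSigned", "false").lower() == "true",
            "endpoints": endpoints,
            "problems": problems,
        }
    return report


# Constructed sample: a Salesforce entry with its logout placeholder not yet
# replaced, and the Google entry from this task with its domain placeholder.
SAMPLE_SP_METADATA = """<md:EntitiesDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata">
  <md:EntityDescriptor entityID="https://saml.salesforce.com">
    <md:SPSSODescriptor AuthnRequestsSigned="true" WantAssertionsSigned="true"
        protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
          Location="https://example.my.salesforce.com" index="0" isDefault="true"/>
      <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
          Location="[Salesforce.com Single Logout URL]"/>
    </md:SPSSODescriptor>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="google.com/a/[domain.mygbiz.com]" validUntil="2022-06-13T21:46:02.496Z">
    <md:SPSSODescriptor AuthnRequestsSigned="false" WantAssertionsSigned="true"
        protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
  </md:EntityDescriptor>
</md:EntitiesDescriptor>"""


if __name__ == "__main__":
    for entity, result in check_sp_metadata(SAMPLE_SP_METADATA).items():
        print(entity, "signed requests:", result["authn_requests_signed"])
        for problem in result["problems"]:
            print("  -", problem)
```

Run it against the real file with `check_sp_metadata(open("sp-metadata.xml").read())`; an empty problems list for every entity means the placeholders were replaced and the metadata has not expired, which is as far as a static check can go without the portal's keystore.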

19.2.6. Testing the IDP (JBoss Portal) and SP (Google Apps) Configuration

After configuring both the Identity Provider and the Service Provider, test the Google Apps configuration.

Procedure 19.1. 

  1. Visit the Google Apps domain configured in Section 19.2.2, “Create A Google Apps for Business Account”.
    The Google Apps domain URL takes the structure https://www.google.com/a/mydomain.mygbiz.com/ServiceLogin. Replace mydomain with the custom value of your domain.
  2. Once redirected to the JBoss Portal login screen (for example, http://www.idp.com:8080/portal/dologin), enter the JBoss Portal user credentials for a user created in Section 19.2.3, “Create Default Google Apps for Business Users”.
  3. Once redirected back to the Google Apps domain, verify that the JBoss Portal user is authenticated correctly.

19.3. Salesforce as the Identity Provider (IDP) and JBoss Portal as the Service Provider (SP)

19.3.1. IDP (Salesforce) and SP (JBoss Portal) Prerequisites

This configuration uses Salesforce as the Identity Provider (IDP) and JBoss Portal as the Service Provider (SP). Ensure all prerequisites are completed before proceeding further with subsequent configuration.
If you have experimented with the Section 19.1.1, “IDP (JBoss Portal) and SP (Salesforce) Prerequisites” process, some configuration can be reused, and is described in each task. The process steps assume you have not configured anything regarding Salesforce, and guide you through from start to finish.

Prerequisites

19.3.2. Obtain a Salesforce developerforce Account

Task: Create a new Salesforce developerforce Account

Create a developerforce account, which is required to provision a Salesforce domain for use as an SP or IDP.
  1. Click Join Now to open the Sign up form.
  2. Complete the fields, and choose a user name to access the Developer Edition Account with.
  3. Click Sign me up to submit the registration details.
  4. Complete registration by clicking the confirmation link in the email sent to your specified email account.

19.3.3. Creating a Salesforce Domain

Task: Create a Salesforce Domain

Create a Salesforce domain. In this scenario Salesforce acts as the IDP, so the domain provides the IDP endpoint (https://[yourdomain].my.salesforce.com/idp/endpoint/HttpPost) to which JBoss Portal sends its SAML requests for authentication.
  1. Log onto http://developer.force.com.
  2. Click the user name in the top right corner of the page.
  3. Click Setup > Company Profile > My Domain.
  4. Specify the name of the Salesforce domain, following the suggested format in the My Domain screen.
  5. Save the details to complete domain registration.

19.3.4. Disable SP Single Sign-on in Salesforce

Task: Disabling Salesforce SAML SSO Settings

If you have previously configured Salesforce to act as a SAML SSO Service Provider, this configuration must be disabled before Salesforce can act as an Identity Provider.
  1. Log onto http://developer.force.com.
  2. Click the user name in the top right corner of the page.
  3. Click Setup > Security Controls > Single Sign-On Settings.
  4. Clear the SAML Enabled tick box to disable all SAML SSO configuration.

19.3.5. Create and Apply a Salesforce IDP Message Signing Certificate

Task: Generate a Salesforce IDP Message Signing Certificate, and apply it to Salesforce

Identity Provider message signing certificates are specific to each Salesforce domain. Create a Salesforce IDP certificate and apply the certificate to the Salesforce server.
  1. Click the user name in the top right corner of the page.
  2. Click Setup > Security Controls > Identity Provider > Enable Identity Provider.
    Any certificates already generated by Salesforce are displayed.
  3. Click Create a new certificate..., and specify the following values:
    Label
    salesforce-idp-cert
    Unique Name
    salesforce-idp-cert
  4. Download the created certificate by clicking the Download Certificate button on the Identity Provider screen. Save the certificate to /tmp/salesforce_idp_cert.cer.
  5. To apply the created certificate navigate back to the Enable Identity Provider screen and apply the certificate created in the previous step.

19.3.6. Create Salesforce and Portal Users

Create identical Salesforce and Portal Users

In order to test the SAML SSO configuration, users must be provisioned in both JBoss Portal and Salesforce that meet requirements for Federated ID matching.
  1. Create the following users in JBoss Portal, following the instructions in the Register New Accounts chapter in the User Guide.
    • Mary Citizen
      User name of Mary.
    • John Citizen
      User name of John.
  2. Create the following users in Salesforce, following the instructions in the Salesforce Wiki Documentation located at http://login.salesforce.com/help/doc/en/adding_new_users.htm.

    Important

    The Federation ID of users in Salesforce must be identical to the user name in JBoss Portal.

19.3.7. Configuring Salesforce as the IDP

Task: Configuring Salesforce as the Identity Provider

Configure Salesforce as the Identity Provider, in preparation for JBoss Portal to act as the Service Provider.
  1. On the Salesforce home page, click the user name and then click Setup > Security Controls > Identity Provider > New.
  2. Configure the following fields and settings:
    Name
    Specify portal-sp as the value.
    ACS URL
    Specify the Assertion Consumer Service URL as http://www.sp.com:8080/portal/dologin
    This value is the address of the Service Provider, in this case the JBoss Portal instance on the sp.com domain.
    Entity ID
    Specify http://www.sp.com:8080/portal/dologin as the value.
    Start URL
    Leave this parameter blank.
    Subject Type
    Set this value to Federation ID.
    Service Provider Certificate
    Use the certificate exported in Section 18.4, “Implementing Keystores”, if you are using the same certificate for the Service Provider and the Identity Provider. For reference, Section 19.1.5, “Import Message Signing Certificate into Salesforce” describes the commands to export the message signing certificate.
    If not, export the portal-idp.crt certificate from the keystore file in JPP_SP_HOME/gatein/gatein.ear/portal.war/WEB-INF/classes/saml/sso/secure-keystore.jks.

19.3.8. Configuring JBoss Portal as the SP

Configuring JBoss Portal as the Salesforce Service Provider

Make the required changes to the security policy and configuration to set JBoss Portal as the Salesforce Service Provider.
  1. Import the certificate created by Salesforce into the JBoss Portal keystore located in JPP_SP_HOME/gatein/gatein.ear/portal.war/WEB-INF/classes/saml/sso/secure-keystore.jks.
    Use the command keytool -import -file /tmp/salesforce_idp_cert.cer -keystore secure-keystore.jks -alias salesforce-idp to import the certificate.
  2. Open JPP_SP_HOME/standalone/configuration/gatein/configuration.properties and change the gatein.sso properties to values corresponding to the Salesforce domain, and the Portal Platform SP URL.
    gatein.sso.idp.url=https://[yourdomain].my.salesforce.com/idp/endpoint/HttpPost
    gatein.sso.sp.url=http://www.sp.com:8080/portal/dologin
    
  3. Open JPP_SP_HOME/gatein/gatein.ear/portal.war/WEB-INF/conf/sso/saml/picketlink-sp.xml and add the ValidatingAlias directive.
    <ValidatingAlias Key="[yourdomain].my.salesforce.com" Value="salesforce-idp" />
    

    Note

    Because the JBoss Portal Service Provider obtains role information from the Picketlink Identity Management database, specific roles-mapping configuration normally configured for delivery in the SAML response is not required.

19.3.9. Testing the IDP (Salesforce) and SP (JBoss Portal) Configuration

Procedure 19.2. Testing the IDP (Salesforce) and SP (JBoss Portal) Configuration

  1. Start JBoss Portal on the SP host (this procedure assumes the host name is www.sp.com).
  2. Open http://www.sp.com:8080/portal, and click Sign in.
    JBoss Portal sends the SAML Request to Salesforce, and redirects to the Salesforce login screen.
  3. Log onto Salesforce, using valid user name and password information.
    After providing correct credentials, you are redirected back to the portal home screen. You are authenticated with Salesforce login credentials because your portal user name is mapped to the Federated ID in Salesforce.