This contributed articole if written by Gilad David Maayan is a technology writer who has worked with over 150 technology companies including SAP, Imperva, Samsung NEXT, NetApp and Check Point, producing technical and thought leadership content that elucidates technical solutions for developers and IT leadership. Today he heads Agile SEO, the leading marketing agency in the technology industry.
What Is Single Sign-On (SSO) and Why Is It Important?
Single Sign-On (SSO) is a user authentication process that allows a user to access multiple applications or systems with one set of credentials. This means that after logging in once, the user can access all associated systems without needing to log in again for each one. SSO is crucial for enhancing user experience by reducing password fatigue—the need to remember and enter different passwords for various services. Additionally, it improves security by minimizing the chances of password theft, as users are less likely to reuse or write down passwords.
From an administrative perspective, SSO authentication simplifies management of user accounts and permissions. It allows IT departments to manage access to all services through a single interface, making it easier to revoke access when an employee leaves the company or changes roles. Furthermore, SSO can help organizations meet compliance requirements by providing centralized audit trails of user access and activities across multiple systems. Implementing SSO can lead to increased productivity, as users spend less time logging in and more time focusing on their work tasks.
Options for SSO in Salesforce
There are three main options for setting up SSO in Salesforce:
1. Salesforce as the Service Provider or Relying Party
In this setup, Salesforce acts as the service provider, meaning that it relies on an external identity provider (IdP) to authenticate users. For instance, if your organization uses Google Workspace, you could set up Google as the IdP, and Salesforce would trust the authentication from Google. This means that users can sign in to Google and then access Salesforce without having to log in again.
2. Salesforce as the Identity Provider or OpenID Connect Provider
Conversely, Salesforce can also act as the IdP itself. In this scenario, Salesforce authenticates the user and provides identity services to other applications. This means that a user could log in to Salesforce and then access other applications (that trust Salesforce as the IdP) without having to log in again. It’s a powerful feature that can make Salesforce the hub of your organization’s digital workspace.
3. Salesforce as Both Service and Identity Provider
In some cases, Salesforce can take on both roles – acting as both the service provider and the IdP. This is particularly useful in scenarios where an organization uses multiple Salesforce instances. One instance can act as the IdP, and the others as service providers, creating a seamless user experience across all instances.
4. Salesforce and Delegated Authentication
Finally, Salesforce also supports delegated authentication, where Salesforce can delegate the authentication process to your organization’s authentication system. This means that Salesforce calls a web service hosted by your organization each time a user tries to log in, and the web service determines whether the user is allowed access.
Example: Configure SSO from Salesforce to Amazon Web Services
Here is an example of how to set up single sign-on across Salesforce and AWS.
Get a SAML IdP Certificate
The first step in this process is to get a SAML Identity Provider (IdP) certificate. The SAML IdP certificate is used to establish trust between Salesforce and AWS. It’s similar to an SSL certificate, proving the identity of the server and encrypting communication between the server and the client.
You can generate a self-signed SAML IdP certificate or receive one from a certificate authority. The certificate should be saved on a local machine.
Download the Metadata Document
The metadata document is an XML file that contains the information AWS needs to trust Salesforce as an IdP. It includes details such as the Entity ID, which is a unique identifier for the IdP, and the location of the SSO service.
To download the metadata document, navigate to the Identity Provider setup page in Salesforce and click on the Download Metadata button. This will generate an XML file that you need to save on your local machine. You will upload this file to AWS in the next step.
Create a SAML Provider on AWS
Now, in AWS Console, you need to create a new SAML provider and upload the Metadata Document you downloaded from Salesforce.
In the AWS Management Console, navigate to the IAM dashboard and click on Identity Providers. Follow the instructions for creating a SAML provider. These include uploading the metadata document, creating roles with user policies, including a role for identity provider access, and granting WebSSO access to the SAML provider.
AWS will generate an ARN (Amazon resource number). Save this ARN for future reference.
Create and Configure a Connected Application on Salesforce
A connected app is a framework that allows external applications to integrate with Salesforce using APIs and standard protocols.
If using Salesforce Classic, go to Setup and search for the Apps page, then click on New under Connected Apps.
If using Salesforce Lightning Experience, navigate to the App Manager and click on New Connected App. Here, you need to provide the necessary details for your app. Make sure to enable SAML in the Web App Settings and configure it using the details from the AWS SAML provider you created earlier.
On successful configuration, Salesforce will provide an SSO URL that you can use to log in to AWS through Salesforce.
Conclusion
In conclusion, Salesforce Single Sign-On (SSO) offers a robust and flexible solution for managing user access across a wide range of applications and services. By allowing users to authenticate once and gain access to multiple systems, Salesforce SSO enhances both user experience and security. Organizations can leverage Salesforce as a Service Provider, an Identity Provider, or even both, depending on their specific needs. Additionally, the option for delegated authentication further extends the versatility of Salesforce SSO, enabling seamless integration with external authentication systems.
Through the example of configuring SSO from Salesforce to AWS, we’ve seen the practical steps involved in establishing a trust relationship between Salesforce and external services. Consult Salesforce’s documentation to learn how to integrate Salesforce SSO with a wide range of services beyond AWS, to use Salesforce as a centralized hub for digital identity management.