Karim Elatov

RSA SecurID Access Salesforce JIT Configuration

Blog post created by Karim Elatov on Nov 16, 2015

Just-In-Time Provisioning

There is actually a pretty good description on the Salesforce About Just-in-Time Provisioning for SAML page:

With Just-in-Time provisioning, you can use a SAML assertion to create regular and portal users on the fly the first time they try to log in. This eliminates the need to create user accounts in advance. For example, if you recently added an employee to your organization, you don't need to manually create the user in Salesforce. When they log in with single sign-on, their account is automatically created for them, eliminating the time and effort with on-boarding the account. Just-in-Time provisioning works with your SAML identity provider to pass the correct user information to Salesforce in a SAML 2.0 assertion. You can both create and modify accounts this way. Because Just-in-Time provisioning uses SAML to communicate, your organization must have SAML-based single sign-on enabled.

It's a pretty awesome feature so let's see how to utilize it with RSA SecurID Access.

Just-In-Time Attributes For Salesforce

Looking over the Salesforce Just-in-Time Provisioning Requirements, it looks like we can use the following SAML attributes in the assertion for Just-In-Time provisioning (only Email, LastName, ProfileId and Username are required; everything else is optional or gets a default):

Field | Required | Comments
AboutMe | |
Alias | | If not present, a default is derived from FirstName and LastName.
CallCenter | |
City | |
CommunityNickname | | If not present, a default is derived from the UserName.
CompanyName | |
Country | |
DefaultCurrencyIsoCode | | Derived from organization settings.
DelegatedApproverId | |
Department | |
Division | |
Email | Y | For example, User.Email=test2@salesforce.com
EmailEncodingKey | | If not present, a default is derived from the organization settings.
EmployeeNumber | |
Extension | |
Fax | |
FederationIdentifier (insert only) | | If present, it must match the SAML subject, or the SAML subject is taken instead. Can't be updated with SAML.
FirstName | |
ForecastEnabled | |
IsActive | |
LastName | Y |
LanguageLocaleKey | |
LocaleSidKey | | If not present, a default is derived from the organization settings.
Manager | |
MobilePhone | |
Phone | |
ProfileId | Y | For example, User.ProfileId=Standard User
ReceivesAdminInfoEmails | |
ReceivesInfoEmails | |
State | |
Street | |
TimeZoneSidKey | | If not present, a default is derived from the organization settings.
Title | |
Username (insert only) | Y | For example, User.Username=test2@test.com. Can't update using SAML.
UserRoleId | | Defaults to "no role" if blank.
Zip | |

From the same page it looks like we need to prefix each SAML attribute name with User.:

To correctly identify which object to create in Salesforce, you must use the User. prefix for all fields passed in the SAML assertion. In this example, the User. prefix has been added to the Username field name.

<saml:Attribute
   Name="User.Username"
   NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
      <saml:AttributeValue xsi:type="xs:anyType">testuser@123.org</saml:AttributeValue>
</saml:Attribute>

Enable JIT for the SAML Salesforce Configuration

Log in as a Salesforce administrator and navigate to Administer -> Security Controls -> Single Sign-On Settings, where you will see your SAML configurations:

sf-saml-configs.png

Then click Edit on your desired configuration and ensure the User Provisioning Enabled checkbox is checked and the Standard provisioning option is selected:

sf-saml-jit-enabled.png

Also make sure you select Assertion contains the Federation ID from the User object:

sf-saml-config-fed-id.png

Configure Extended Attributes for the Salesforce Connector in the Via Admin Console

The basic Salesforce configuration is covered in the RSA Via Access Salesforce SAML Implementation Guide. Once that is in place, modify the Extended Attributes section so that it contains the following attributes (the first two will already be there; I am including them for completeness):

Attribute Source | Attribute Name | User Store | Property
Constant | logoutURL | N/A | https://portal.PDN.com
Constant | ssoStartPage | N/A | https://portal.PDN/IdPServlet?idp_id=APP_ID
UserStore | User.Email | AD | mail
UserStore | User.LastName | AD | sn
Constant | User.ProfileId | N/A | Chatter Free User
UserStore | User.UserName | AD |

NOTE: If you have an attribute within AD that contains the profile information, you can use that instead of a constant. Keep in mind that User.ProfileId decides which Salesforce profile, and therefore which permissions, the newly created user receives, so its source should stay under administrative control: either a constant, as here, or a directory attribute that only directory administrators can write.

Here is how it looks:

sf-ac-ex-at-sf-con.png

Just-In-Time Provisioning Testing

I created a new user in AD:

sf-new-user-added.png

I also double checked that no such user existed in Salesforce; you can confirm this by going to Administer -> Manage Users -> Users:

sf-users.png

Then I logged into the portal as the velma user, clicked on the Salesforce application, and logged in successfully:

velma-logged-in.png

If you look at the SAML assertion that RSA Via Access sent, it will look similar to this:

<saml2:AttributeStatement>
    <saml2:Attribute Name="User.Email" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
        <saml2:AttributeValue xsi:type="xs:string">velma@demorsa.com</saml2:AttributeValue>
    </saml2:Attribute>
    <saml2:Attribute Name="User.UserName" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
        <saml2:AttributeValue xsi:type="xs:string">velma@demorsa.com</saml2:AttributeValue>
    </saml2:Attribute>
    <saml2:Attribute Name="logoutURL" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
        <saml2:AttributeValue xsi:type="xs:string">https://portal.singlepoint66.com/</saml2:AttributeValue>
    </saml2:Attribute>
    <saml2:Attribute Name="User.LastName" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
        <saml2:AttributeValue xsi:type="xs:string">Tech</saml2:AttributeValue>
    </saml2:Attribute>
    <saml2:Attribute Name="ssoStartPage" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
        <saml2:AttributeValue xsi:type="xs:string">https://portal.singlepoint66.com/IdPServlet?idp_id=sp66sales</saml2:AttributeValue>
    </saml2:Attribute>
    <saml2:Attribute Name="User.ProfileId" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
        <saml2:AttributeValue xsi:type="xs:string">Chatter Free User</saml2:AttributeValue>
    </saml2:Attribute>
</saml2:AttributeStatement>
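Before flipping User Provisioning Enabled on, it is worth checking that what the IdP actually emits satisfies the requirements table from the start of this post. The following checker is an added example, not code from the original post, from RSA or from Salesforce: it parses a SAML 2.0 assertion, pulls the attributes out of the AttributeStatement, and reports missing required JIT fields, attributes that lack the User. prefix, and a FederationIdentifier that disagrees with the SAML subject. The sample assertion is constructed from the one above (the Subject NameID is an assumption; the post shows only the AttributeStatement, and the xsi:type declarations are trimmed). Attribute names are compared case-insensitively because the post's working assertion uses User.UserName where the Salesforce documentation writes User.Username.

```python
"""Added example: check a SAML assertion against Salesforce JIT requirements."""
import xml.etree.ElementTree as ET

SAML2 = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"saml2": SAML2}

# Required by Salesforce JIT according to the requirements table in the post.
REQUIRED = ("User.Email", "User.LastName", "User.ProfileId", "User.Username")
# Attributes Salesforce consumes for SSO behaviour that are not User fields,
# so they are legitimately sent without the User. prefix.
SSO_ONLY = ("logoutURL", "ssoStartPage")

# Constructed sample modelled on the assertion shown in the post.
# The Subject NameID is assumed; the post does not show the Subject element.
SAMPLE_ASSERTION = f"""<saml2:Assertion xmlns:saml2="{SAML2}" ID="_example" Version="2.0">
  <saml2:Subject><saml2:NameID>velma@demorsa.com</saml2:NameID></saml2:Subject>
  <saml2:AttributeStatement>
    <saml2:Attribute Name="User.Email"><saml2:AttributeValue>velma@demorsa.com</saml2:AttributeValue></saml2:Attribute>
    <saml2:Attribute Name="User.UserName"><saml2:AttributeValue>velma@demorsa.com</saml2:AttributeValue></saml2:Attribute>
    <saml2:Attribute Name="logoutURL"><saml2:AttributeValue>https://portal.singlepoint66.com/</saml2:AttributeValue></saml2:Attribute>
    <saml2:Attribute Name="User.LastName"><saml2:AttributeValue>Tech</saml2:AttributeValue></saml2:Attribute>
    <saml2:Attribute Name="ssoStartPage"><saml2:AttributeValue>https://portal.singlepoint66.com/IdPServlet?idp_id=sp66sales</saml2:AttributeValue></saml2:Attribute>
    <saml2:Attribute Name="User.ProfileId"><saml2:AttributeValue>Chatter Free User</saml2:AttributeValue></saml2:Attribute>
  </saml2:AttributeStatement>
</saml2:Assertion>"""


def parse_assertion(xml_text):
    """Return (subject NameID or None, {attribute name: first value})."""
    root = ET.fromstring(xml_text)
    nameid = root.find(".//saml2:Subject/saml2:NameID", NS)
    subject = nameid.text.strip() if nameid is not None and nameid.text else None
    attrs = {}
    for attr in root.findall(".//saml2:AttributeStatement/saml2:Attribute", NS):
        value = attr.find("saml2:AttributeValue", NS)
        attrs[attr.get("Name")] = (value.text or "").strip() if value is not None else ""
    return subject, attrs


def check_jit(subject, attrs):
    """Return a list of problems; an empty list means the assertion is JIT-ready."""
    problems = []
    # Case-insensitive lookup: the post's assertion uses User.UserName and works.
    lower = {name.lower(): (name, value) for name, value in attrs.items()}
    for req in REQUIRED:
        entry = lower.get(req.lower())
        if entry is None or not entry[1]:
            problems.append(f"missing required attribute {req}")
    for name in attrs:
        if not name.lower().startswith("user.") and name not in SSO_ONLY:
            problems.append(f"{name!r} lacks the User. prefix; Salesforce will ignore it for JIT")
    # FederationIdentifier, if sent, must equal the SAML subject or Salesforce
    # falls back to the subject (insert-only field, per the requirements table).
    fed = lower.get("user.federationidentifier")
    if fed is not None and subject is not None and fed[1] != subject:
        problems.append(
            f"User.FederationIdentifier {fed[1]!r} does not match the SAML subject "
            f"{subject!r}; Salesforce will use the subject instead")
    return problems


if __name__ == "__main__":
    subj, found = parse_assertion(SAMPLE_ASSERTION)
    issues = check_jit(subj, found)
    print("JIT-ready" if not issues else "\n".join(issues))
```

Run it against a captured assertion (for example one decoded from a SAML-tracer browser extension) by replacing SAMPLE_ASSERTION; a clean result means the four required fields are present, every User field carries the prefix, and the FederationIdentifier, if you send one, will not be silently overridden by the subject.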

Confirming Just-In-Time Provisioning

I then logged in to Salesforce as the administrator and saw the user created:

sf-velma-created.png

Also, if you check the audit logs (under Administer -> Security Controls -> View Setup Audit Trail), you will see the user creation recorded, something like this:

sf-audit-log.png
