Karim Elatov

RSA SecurID Access SAML Salesforce Rich Client Discoveries

Blog Post created by Karim Elatov Employee on Nov 23, 2015

I wanted to try out the Salesforce Mobile App with SAML enabled, and here is what I discovered.

Enable SP-Initiated Mode in Salesforce

Reading over Single Sign-On for Desktop and Mobile Applications using SAML and OAuth, I saw the following:

The Force.com 'My Domain' feature allows you to select a custom domain name for your application. A 'My Domain' URL looks like https://customer.my.salesforce.com/ (for a production org) or https://customer-developer-edition.my.salesforce.com/ (for a Developer Edition). A benefit of configuring 'My Domain' is that it enables support for SP-initiated single sign-on, improving the user experience, and allowing users to access 'deep links' into their environment via SSO.

You may configure 'My Domain' in Setup | Company Profile | My Domain. As users may be un-authenticated when they arrive at Force.com, a unique domain is the mechanism by which a specific organization's SAML configuration can be discovered. In order to take advantage of SAML for desktop and mobile apps you must deploy My Domain. In addition, this will greatly improve the user-experience for web browser based single sign-on. This is considered a best practice if you deploy SAML with Force.com.

So we need to enable "My Domain" and then configure SAML to be SP-Initiated.

Configure My Domain in Salesforce

After you log in to Salesforce as the administrator, navigate to Administer -> Domain Management -> My Domain and pick a name for your domain, checking that it's available:

sf-check-dom-avail.png

After that, click Register Domain. It will take some time for all the DNS settings to be enabled, and you will see the following:

sf-domain-pending.png

After the registration is complete you will receive an email similar to this:

sf-domain-reg.png

After that, if you go back to the domain settings, you will see that the domain is ready for use:

sf-domain-ready-for-testing.png

Configure an SP-Initiated SAML Setup

Now log in to your RSA SecurID Access console, configure a SAML application, and collect the following information:

  1. Issuer (Issuer Entity ID)
  2. Entity ID (Audience (Service Provider Entity ID))
  3. Identity Provider Certificate (cert.pem from the Certificate Bundle)
  4. Identity Provider Login URL (Identity Provider URL)

Then, from Salesforce as an administrator, go to Administer -> Security Controls -> Single Sign-On Settings and add a new SAML configuration. Here is the one I ended up with:

sf-saml-config-sp.png

Make sure you enter an Identity Provider Login URL, or the configuration won't be treated as SP-initiated.

Modify Authentication Configuration for the Custom Domain

The last thing we need to do is enable the SAML configuration as an authentication service. So, again from the Salesforce portal, go to Administer -> Domain Management -> My Domain -> Authentication Configuration -> Edit, and enable your SAML configuration:

sf-ac-saml-enabled.png

You can have both enabled (the Login Page and the SAML configuration). With both enabled, users see the login page and can choose either the SAML configuration or their passwords. If you leave only the SAML configuration enabled, it starts the login process automatically and forwards you to the IdP as soon as you visit the login page for your custom domain.
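To make concrete what the four values collected from the access console are used for, and what "forwarding you to the IdP" means in SP-initiated mode, here is an added example in Python. It is not code from the post, from RSA SecurID Access or from Salesforce; the issuer, entity ID, login URL and certificate body are constructed placeholders. It builds the HTTP-Redirect-binding AuthnRequest an SP sends to the Identity Provider Login URL, decodes it the way the IdP would, and then applies the checks an SP makes on the returned SAML Response against the configured Issuer, Audience and certificate. It does not verify the XML signature itself (that needs an XML-DSig library); it only compares the certificate embedded in the response with the configured cert.pem.

```python
import base64
import hashlib
import re
import zlib
from datetime import datetime, timezone
from typing import List
from urllib.parse import parse_qs, urlencode, urlparse
from xml.etree import ElementTree as ET  # a production SP should use a hardened parser (e.g. defusedxml)

# Constructed stand-ins for the four values taken from the RSA SecurID Access
# console; none of these are real tenant values.
IDP_ISSUER = "https://idp.example.com/saml/idp"       # 1. Issuer (Issuer Entity ID)
SP_ENTITY_ID = "https://customer.my.salesforce.com"   # 2. Entity ID (Audience)
IDP_CERT_PEM = (                                      # 3. cert.pem (placeholder body, not a real certificate)
    "-----BEGIN CERTIFICATE-----\n"
    "MIIBconstructedPlaceholderCert00\n"
    "-----END CERTIFICATE-----\n"
)
IDP_LOGIN_URL = "https://idp.example.com/saml/sso"    # 4. Identity Provider Login URL

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}


def build_sp_initiated_redirect(request_id: str, issue_instant: str) -> str:
    """SP-initiated login: the SP redirects the browser to the IdP Login URL carrying a
    deflated, base64-encoded AuthnRequest whose Issuer is the SP Entity ID."""
    authn_request = (
        '<samlp:AuthnRequest xmlns:samlp="{p}" xmlns:saml="{a}" ID="{id}" Version="2.0" '
        'IssueInstant="{t}" Destination="{dest}"><saml:Issuer>{sp}</saml:Issuer></samlp:AuthnRequest>'
    ).format(p=NS["samlp"], a=NS["saml"], id=request_id, t=issue_instant,
             dest=IDP_LOGIN_URL, sp=SP_ENTITY_ID)
    compressor = zlib.compressobj(9, zlib.DEFLATED, -15)  # raw DEFLATE, as the redirect binding requires
    deflated = compressor.compress(authn_request.encode()) + compressor.flush()
    return IDP_LOGIN_URL + "?" + urlencode({"SAMLRequest": base64.b64encode(deflated).decode()})


def decode_saml_request(redirect_url: str) -> str:
    """What the IdP does on arrival: take SAMLRequest from the query string and inflate it."""
    saml_request = parse_qs(urlparse(redirect_url).query)["SAMLRequest"][0]
    return zlib.decompress(base64.b64decode(saml_request), -15).decode()


def cert_fingerprint(cert: str) -> str:
    """SHA-256 over the DER bytes; accepts a PEM file or the bare base64 body from ds:X509Certificate."""
    body = re.sub(r"-----(?:BEGIN|END) CERTIFICATE-----|\s+", "", cert)
    return hashlib.sha256(base64.b64decode(body)).hexdigest()


def validate_response(response_xml: str, now: datetime) -> List[str]:
    """Return the list of problems an SP would find when checking a SAML Response against the
    configured Issuer, Audience and certificate. Signature verification is out of scope here."""
    problems: List[str] = []
    root = ET.fromstring(response_xml)
    issuer = root.findtext("saml:Issuer", namespaces=NS)
    if issuer != IDP_ISSUER:
        problems.append("issuer mismatch: %r" % issuer)
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return problems + ["no assertion in response"]
    audience = assertion.findtext("saml:Conditions/saml:AudienceRestriction/saml:Audience", namespaces=NS)
    if audience != SP_ENTITY_ID:
        problems.append("audience mismatch: %r" % audience)
    conditions = assertion.find("saml:Conditions", NS)
    not_after = conditions.get("NotOnOrAfter") if conditions is not None else None
    if not_after is None or now >= datetime.fromisoformat(not_after.replace("Z", "+00:00")):
        problems.append("assertion expired or missing NotOnOrAfter")
    embedded_cert = root.findtext(".//ds:X509Certificate", namespaces=NS)
    if embedded_cert is None or cert_fingerprint(embedded_cert) != cert_fingerprint(IDP_CERT_PEM):
        problems.append("embedded certificate does not match the configured IdP certificate")
    return problems


# Constructed SAML Response, shaped like what the IdP posts back after the user authenticates.
SAMPLE_RESPONSE = f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}" xmlns:ds="{NS['ds']}"
    ID="_r1" Version="2.0" IssueInstant="2015-11-23T12:00:00Z">
  <saml:Issuer>{IDP_ISSUER}</saml:Issuer>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2015-11-23T12:00:00Z">
    <saml:Issuer>{IDP_ISSUER}</saml:Issuer>
    <ds:Signature><ds:KeyInfo><ds:X509Data><ds:X509Certificate>MIIBconstructedPlaceholderCert00</ds:X509Certificate></ds:X509Data></ds:KeyInfo></ds:Signature>
    <saml:Subject><saml:NameID>chatter.user@example.com</saml:NameID></saml:Subject>
    <saml:Conditions NotBefore="2015-11-23T11:55:00Z" NotOnOrAfter="2015-11-23T12:05:00Z">
      <saml:AudienceRestriction><saml:Audience>{SP_ENTITY_ID}</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""

NOW = datetime(2015, 11, 23, 12, 0, 0, tzinfo=timezone.utc)     # inside the assertion's validity window
LATER = datetime(2015, 11, 23, 12, 10, 0, tzinfo=timezone.utc)  # after NotOnOrAfter

if __name__ == "__main__":
    url = build_sp_initiated_redirect("_req1", "2015-11-23T12:00:00Z")
    print("redirect to IdP:", url)
    print("IdP sees:", decode_saml_request(url))
    print("problems now:", validate_response(SAMPLE_RESPONSE, NOW))
    print("problems later:", validate_response(SAMPLE_RESPONSE, LATER))
```

With only the SAML configuration enabled on the custom domain, the redirect built by build_sp_initiated_redirect is what the login page issues immediately; with the Login Page also enabled, it is issued only when the user picks the IdP button. The audience check is the one that ties the Entity ID you entered in Salesforce to the Audience the IdP puts in the assertion, so a mismatch between the two consoles shows up there first.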

Salesforce Mobile Client Testing

At this point, I installed the Salesforce1 Application on my Android phone:

sf-mob-app.png

After installing it, I launched the application and I saw the login page:

sf-mob-login-page.png

From here, open the options menu and choose Change Server:

sf-mob-ch-ser.png

Then click Add Connection and enter the custom domain that you created in Salesforce:

sf-mob-app-new-conn.png

Then choose that connection and click Apply:

sf-mob-con-added.png

Then it will take you to the login page, where you will see a button to use the IdP for login:

sf-mobile-app-saml-idp-seen.png

Upon clicking that, it took me to the IdP, and I was able to enter my AD credentials:

sf-in-idp-login.png

After you are authenticated, it will ask you to confirm that you want to grant this application the necessary access:

sf-confirm-mob-app.png

And then you will gain access to the application:

sf-mob-app-win1.png

And here are the options for my chatter user:

sf-mob-app-win2.png

Outcomes