SafeNet Trusted Access, Release 1.0.0

Alex Basin

Apr 26, 2021


CONTENTS

1 Overview

2 Prerequisites

3 Solution Overview

4 Configuration Steps

5 Salesforce Configuration
  5.1 Modify the configured Single Sign-on policy to enable Provisioning
  5.2 Identify the Profile to be configured for provisioning

6 SafeNet Trusted Access configuration
  6.1 Modify SafeNet Trusted Access - Salesforce application

7 Testing the solution

8 Troubleshooting


CHAPTER ONE

OVERVIEW

This guide documents the procedure to enable Just-in-Time (JIT) Provisioning of users from SafeNet Trusted Access to Salesforce. This procedure allows automatic user account creation in Salesforce after successful SAML-based authentication using SafeNet Trusted Access.

Note: This guide assumes Salesforce is already federated to SafeNet Trusted Access using SAML; the integration guide can be found here


CHAPTER TWO

PREREQUISITES

• Salesforce is configured using My Domain configuration

• Salesforce is federated to SafeNet Trusted Access using SAML (Single Sign-On)

• A user with a SafeNet Trusted Access authenticator is enrolled

• Users can authenticate using SafeNet Trusted Access


CHAPTER THREE

SOLUTION OVERVIEW

With Just-in-Time (JIT) provisioning, SafeNet Trusted Access passes user information to your Salesforce org in a SAML assertion to automatically create user accounts. SafeNet Trusted Access sends the user information to your org in an Attribute statement in the SAML assertion. When a user logs in to an org with standard JIT provisioning enabled, Salesforce pulls the user data from the identity provider and stores it in a new User object.


CHAPTER FOUR

CONFIGURATION STEPS

The configuration requires the following steps:

In Salesforce

• Modify the configured Single Sign-on policy to enable Provisioning

• Identify the Profile to be configured for provisioning

In SafeNet Trusted Access

• Modify Salesforce application in STA to add SAML Return Attributes


CHAPTER FIVE

SALESFORCE CONFIGURATION

5.1 Modify the configured Single Sign-on policy to enable Provisioning

To enable Just-in-Time (JIT) Provisioning in Salesforce, the existing Single Sign-on policy has to be modified.

In Salesforce Console, modify the policy by following these steps:

1. Log in to Salesforce as a System Administrator

2. Navigate to Identity and click on Single Sign-On Settings

3. Click Edit to edit your existing SAML Configuration

4. Change SAML Identity Type to Assertion contains the Federation ID from the User object


5. Under Just-in-time User Provisioning, enable User Provisioning Enabled

6. Make sure Standard is selected

7. Click Save to save the configuration

Note: For greater control over the provisioning process, Salesforce supports Custom SAML JIT with an Apex handler; more information can be found here

Warning: Once the federation SAML Identity Type is changed, users without a Federation ID will fail to authenticate using SafeNet Trusted Access. To overcome this, open the user's account object under Users and set the Federation ID in Single Sign On Information to the user's email address.

Salesforce is ready for Just-in-Time (JIT) User Provisioning.


5.2 Identify the Profile to be configured for provisioning

To provision users into the correct Salesforce Profile we need to identify the Profile ID in Salesforce. The easiest way to achieve this is by opening the desired profile and copying the Profile ID from the URL.

In Salesforce Console, open and identify the Profile by following these steps:

1. Log in to Salesforce as a System Administrator

2. Navigate to Users and click on Profiles

3. Find the Profile you would like to be used for Provisioning (for example: Standard User)

4. Click on the Profile Name (for example: Standard User)

5. In the browser address bar, look at the end of the URL: the Profile ID is the value following address=%2F, starting with 00

6. Copy the value and save it for later use in SafeNet Trusted Access Configuration


CHAPTER SIX

SAFENET TRUSTED ACCESS CONFIGURATION

Note: Open the SafeNet Trusted Access Console (you can use the following direct links based on your availability zone; opens in a new tab)

6.1 Modify SafeNet Trusted Access - Salesforce application

To provide the information needed for user creation in Salesforce, the SafeNet Trusted Access - Salesforce application created earlier to establish SAML-based authentication has to be modified by adding SAML Return Attributes.

In the STA Console, modify the Salesforce application by following these steps:

1. Go to the Applications tab

2. Click Salesforce Application

3. Under Return Attributes, click on Add Attribute

4. Add the following Attributes and Mappings:

Note: Return Attribute names are case sensitive (use copy to copy the values exactly)


Return Attribute            User Attribute (Mapping)   Custom Value
User.Username               Email address
User.LastName               Last Name
User.Email                  Email address
User.FederationIdentifier   Email address
User.Alias                  SAS User ID
User.ProfileId              Single Custom Value...     Salesforce Profile ID (the value saved in section 5.2)

Example:

5. Save the updated Salesforce application

SafeNet Trusted Access is ready for Salesforce Just-in-Time (JIT) User Provisioning
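The following is an added Python example, not code from the guide or from the SafeNet/STA product: it builds a SAML assertion shaped the way the Solution Overview describes (Federation ID in the Subject NameID, the section 6.1 Return Attributes in an AttributeStatement), extracts a Profile ID from a Setup URL as section 5.2 describes, and checks an assertion before it is trusted for provisioning (all six attribute names present with exact case, NameID consistent with User.FederationIdentifier, email-shaped values, and a ProfileId that is well-formed and on an approved list). The Setup URL, user values and Profile IDs are constructed sample values; the 15/18-character length check reflects the general Salesforce record ID format and the approved-profile set is a defender-side control, neither of which the guide states.

```python
# Added example: build an STA-style JIT assertion and check it before trusting it.
# Sample values are constructed, not taken from the guide.
import re
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs, urlparse

SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"saml": SAML}
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")

# Return Attribute names exactly as listed in section 6.1 (case sensitive).
REQUIRED_ATTRIBUTES = (
    "User.Username", "User.LastName", "User.Email",
    "User.FederationIdentifier", "User.Alias", "User.ProfileId",
)


def profile_id_from_setup_url(url: str) -> str:
    """Section 5.2: the Profile ID is the value after address=%2F, starting with 00."""
    query = parse_qs(urlparse(url).query)            # parse_qs decodes %2F to "/"
    profile_id = query.get("address", [""])[0].lstrip("/")
    if not profile_id.startswith("00"):
        raise ValueError(f"address does not carry a Profile ID: {profile_id!r}")
    return profile_id


def build_assertion(name_id: str, attributes: dict) -> str:
    """Minimal SAML 2.0 assertion: Federation ID in the Subject NameID (section 5.1,
    step 4) and the Return Attributes in an AttributeStatement (section 3).
    Unsigned, for illustration only."""
    ET.register_namespace("saml", SAML)
    assertion = ET.Element(f"{{{SAML}}}Assertion", {"Version": "2.0"})
    subject = ET.SubElement(assertion, f"{{{SAML}}}Subject")
    ET.SubElement(subject, f"{{{SAML}}}NameID").text = name_id
    statement = ET.SubElement(assertion, f"{{{SAML}}}AttributeStatement")
    for name, value in attributes.items():
        attribute = ET.SubElement(statement, f"{{{SAML}}}Attribute", {"Name": name})
        ET.SubElement(attribute, f"{{{SAML}}}AttributeValue").text = value
    return ET.tostring(assertion, encoding="unicode")


def check_jit_assertion(xml: str, allowed_profile_ids: set) -> list:
    """Return findings; an empty list means the assertion matches the section 6.1
    mapping and would only provision into an approved profile."""
    root = ET.fromstring(xml)
    name_id = root.findtext("saml:Subject/saml:NameID", namespaces=NS)
    attrs = {a.get("Name"): a.findtext("saml:AttributeValue", namespaces=NS)
             for a in root.findall("saml:AttributeStatement/saml:Attribute", NS)}
    findings = [f"missing Return Attribute {n}" for n in REQUIRED_ATTRIBUTES if n not in attrs]
    if findings:                  # a misspelt or wrong-case name is reported as missing
        return findings
    if name_id != attrs["User.FederationIdentifier"]:
        findings.append("Subject NameID does not match User.FederationIdentifier")
    for name in ("User.Username", "User.Email", "User.FederationIdentifier"):
        if not EMAIL_RE.match(attrs[name] or ""):
            findings.append(f"{name} is not an email address")
    if attrs["User.Username"] != attrs["User.Email"]:
        findings.append("User.Username and User.Email differ (both map to Email address)")
    profile_id = attrs["User.ProfileId"] or ""
    # 15/18-character length is the general Salesforce record ID format (assumption, not from the guide)
    if not profile_id.startswith("00") or len(profile_id) not in (15, 18):
        findings.append(f"User.ProfileId {profile_id!r} is not a well-formed Profile ID")
    elif profile_id not in allowed_profile_ids:
        findings.append(f"User.ProfileId {profile_id!r} is not an approved provisioning profile")
    return findings


# Constructed sample: a Setup URL of the shape section 5.2 describes.
SETUP_URL = ("https://example.my.salesforce.com/lightning/setup/EnhancedProfiles/page"
             "?address=%2F00e5g000000AbCd")
STANDARD_USER_PROFILE_ID = profile_id_from_setup_url(SETUP_URL)   # "00e5g000000AbCd"


def sample_attributes(profile_id: str) -> dict:
    """Constructed values for one user, laid out as the section 6.1 mapping fills them."""
    return {
        "User.Username": "alice@example.com",              # Email address
        "User.LastName": "Example",                        # Last Name
        "User.Email": "alice@example.com",                 # Email address
        "User.FederationIdentifier": "alice@example.com",  # Email address
        "User.Alias": "alice01",                           # SAS User ID
        "User.ProfileId": profile_id,                      # Single Custom Value
    }


if __name__ == "__main__":
    approved = {STANDARD_USER_PROFILE_ID}
    good = build_assertion("alice@example.com", sample_attributes(STANDARD_USER_PROFILE_ID))
    print(check_jit_assertion(good, approved))              # []
    wrong_case = sample_attributes(STANDARD_USER_PROFILE_ID)
    wrong_case["User.Profileid"] = wrong_case.pop("User.ProfileId")
    print(check_jit_assertion(build_assertion("alice@example.com", wrong_case), approved))
```

The second run in the block shows why the case-sensitivity note matters: an attribute sent as User.Profileid is simply not the User.ProfileId attribute, so Salesforce would have no Profile to provision into. Keeping the approved-profile set to the profile chosen in section 5.2 (Standard User in the guide's example) means a misconfigured or tampered mapping cannot provision a new account into a more privileged profile without being flagged.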


CHAPTER SEVEN

TESTING THE SOLUTION

Log in to Salesforce using your direct URL or using the published application in the SafeNet Trusted Access User Portal, with an account that does not yet exist in Salesforce. After successful authentication, the user's account is automatically created and the user is logged in. Verify the user account creation in Salesforce Console - Users.

Before provisioning:

User Login:

After provisioning:


CHAPTER EIGHT

TROUBLESHOOTING

Salesforce provides error messages in the URL after a failed login. You can check the end of the URL for the error message, or use SAML Tracer to see the error as clear text for easier parsing.

Browser - SAML Login Error:

Browser - URL Error Details:

SAML Tracer - Error Details:
