SafeNet Trusted Access Release 1.0.0
Alex Basin
Apr 26, 2021
CONTENTS
1 Overview 1
2 Prerequisites 2
3 Solution Overview 3
4 Configuration Steps 4
5 Salesforce Configuration 5
5.1 Modify the configured Single Sign-on policy to enable Provisioning 5
5.2 Identify the Profile to be configured for provisioning 7
6 SafeNet Trusted Access configuration 8
6.1 Modify SafeNet Trusted Access - Salesforce application 8
7 Testing the solution 10
8 Troubleshooting 12
CHAPTER
ONE
OVERVIEW
This guide documents the procedure to enable Just-in-Time (JIT) Provisioning of users from SafeNet Trusted Access to Salesforce. This procedure allows automatic user account creation in Salesforce after successful, SAML based, authentication using SafeNet Trusted Access.
Note: This guide assumes Salesforce is federated to SafeNet Trusted Access using SAML; the integration guide can be found here
CHAPTER
TWO
PREREQUISITES
• Salesforce is configured using My Domain configuration
• Salesforce is federated to SafeNet Trusted Access using SAML (Single Sign-On)
• A user with a SafeNet Trusted Access authenticator is enrolled
• Users can authenticate using SafeNet Trusted Access
CHAPTER
THREE
SOLUTION OVERVIEW
With Just-in-Time (JIT) provisioning, SafeNet Trusted Access passes user information to your Salesforce org in a SAML assertion to automatically create user accounts. SafeNet Trusted Access sends user information to your org in an Attributes statement in the SAML assertion. When a user logs in to an org with standard JIT provisioning enabled, Salesforce pulls user data from the identity provider and stores it in a new User object.
CHAPTER
FOUR
CONFIGURATION STEPS
The configuration requires the following steps:
In Salesforce
• Modify the configured Single Sign-on policy to enable Provisioning
• Identify the Profile to be configured for provisioning
In SafeNet Trusted Access
• Modify Salesforce application in STA to add SAML Return Attributes
CHAPTER
FIVE
SALESFORCE CONFIGURATION
5.1 Modify the configured Single Sign-on policy to enable Provisioning
In order to enable Just in Time (JIT) Provisioning in Salesforce, we have to modify the existing Single Sign-on policy.
In Salesforce Console, modify the policy by following these steps:
1. Login to Salesforce as a System Administrator
2. Navigate to Identity and click on Single Sign-On Settings
3. Click Edit to edit your existing SAML Configuration
4. Change SAML Identity Type to Assertion contains the Federation ID from the User object
5. Under Just-in-time User Provisioning, enable User Provisioning Enabled
6. Make sure Standard is selected
7. Click Save to save the configuration
Note: For greater control over the provisioning process, Salesforce supports Custom SAML JIT with an Apex handler; more information can be found here
Warning: Once the federation SAML Identity Type is changed, users without a Federation ID will fail to authenticate using SafeNet Trusted Access. To overcome this, open the user's account object under Users and set the Federation ID in Single Sign On Information to the user's email address.
Salesforce is ready for Just-in-Time (JIT) User Provisioning.
5.2 Identify the Profile to be configured for provisioning
To set the provisioning of users to the correct Salesforce Profile we need to identify the Profile ID in Salesforce. The easiest way to achieve this is by opening the desired profile and copying the Profile ID from the URL.
In Salesforce Console, open and identify the Profile by following these steps:
1. Login to Salesforce as a System Administrator
2. Navigate to Users and click on Profiles
3. Find the Profile you would like to be used for Provisioning (for example: Standard User)
4. Click on the Profile Name (for example: Standard User)
5. In the browser address bar, look at the end of the URL; the Profile ID is the value following address=%2F, starting with 00
6. Copy the value and save it for later use in SafeNet Trusted Access Configuration
CHAPTER
SIX
SAFENET TRUSTED ACCESS CONFIGURATION
Note: Open the SafeNet Trusted Access Console (you can use the following direct links based on your availability zone; they open in a new tab)
6.1 Modify SafeNet Trusted Access - Salesforce application
In order to provide the information needed for user creation in Salesforce, the SafeNet Trusted Access - Salesforce application we created to establish SAML based authentication has to be modified by adding SAML Return Attributes.
In the STA Console, modify the Salesforce application by following these steps:
1. Go to the Applications tab
2. Click Salesforce Application
3. Under Return Attributes, click on Add Attribute
4. Add the following Attributes and Mappings:
Note: Return Attributes are case sensitive (use copy to copy the values)
Return Attribute            User Attribute (Mapping)    Custom Value
User.Username               Email address
User.LastName               Last Name
User.Email                  Email address
User.FederationIdentifier   Email address
User.Alias                  SAS User ID
User.ProfileId              Single Custom Value...      Salesforce Profile ID (saved in section 5.2)
5. Save the updated Salesforce application
SafeNet Trusted Access is ready for Salesforce Just-in-Time (JIT) User Provisioning
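As an added example (not code from the SafeNet Trusted Access or Salesforce documentation), the script below parses the AttributeStatement of a SAML assertion, such as one copied from SAML Tracer while troubleshooting, and reports which of the Return Attributes from the table above are missing, empty, or sent with the wrong case. The sample assertion, the user values and the Profile ID in it are constructed placeholders.

```python
# Added example, not from the SafeNet Trusted Access / Salesforce guide:
# check a SAML assertion for the Return Attributes Salesforce standard JIT needs.
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Return Attribute names from section 6.1; Salesforce matches them case sensitively.
REQUIRED = ("User.Username", "User.LastName", "User.Email",
            "User.FederationIdentifier", "User.Alias", "User.ProfileId")

def extract_attributes(assertion_xml: str) -> dict:
    """Map each Attribute Name in the AttributeStatement to its first AttributeValue text."""
    root = ET.fromstring(assertion_xml)
    attrs = {}
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", NS):
        value = attr.find("saml:AttributeValue", NS)
        attrs[attr.get("Name")] = (value.text or "").strip() if value is not None else ""
    return attrs

def check_jit_attributes(attrs: dict) -> list:
    """Return a list of problems; an empty list means all required attributes look right."""
    problems = []
    by_lower = {name.lower(): name for name in attrs}
    for name in REQUIRED:
        if attrs.get(name):
            continue
        if name in attrs:
            problems.append(f"{name} is present but empty")
        elif name.lower() in by_lower:
            problems.append(f"{name} sent with wrong case as {by_lower[name.lower()]}")
        else:
            problems.append(f"{name} is missing")
    profile_id = attrs.get("User.ProfileId", "")
    if profile_id and not profile_id.startswith("00"):
        problems.append("User.ProfileId should be the Profile ID copied from the URL (starts with 00)")
    return problems

# Constructed sample assertion with two deliberate mistakes: LastName sent in the
# wrong case and User.Alias left out. The Profile ID is a placeholder, not a real one.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
 <saml:AttributeStatement>
  <saml:Attribute Name="User.Username"><saml:AttributeValue>jdoe@example.com</saml:AttributeValue></saml:Attribute>
  <saml:Attribute Name="User.lastname"><saml:AttributeValue>Doe</saml:AttributeValue></saml:Attribute>
  <saml:Attribute Name="User.Email"><saml:AttributeValue>jdoe@example.com</saml:AttributeValue></saml:Attribute>
  <saml:Attribute Name="User.FederationIdentifier"><saml:AttributeValue>jdoe@example.com</saml:AttributeValue></saml:Attribute>
  <saml:Attribute Name="User.ProfileId"><saml:AttributeValue>00eEXAMPLEPROFILE</saml:AttributeValue></saml:Attribute>
 </saml:AttributeStatement>
</saml:Assertion>"""
```

Running check_jit_attributes(extract_attributes(SAMPLE_ASSERTION)) reports the wrong-case User.LastName and the missing User.Alias, which is what Salesforce would reject silently as a failed JIT login.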
CHAPTER
SEVEN
TESTING THE SOLUTION
Login to Salesforce using your direct URL or using the published application in the SafeNet Trusted Access User Portal, with an account that does not yet exist in Salesforce. After successful authentication, the user's account is automatically created and the user is logged in. Verify the user account creation in Salesforce Console - Users.
Screenshots in the original guide show the Users list before provisioning, the user login, and the Users list after provisioning.
CHAPTER
EIGHT
TROUBLESHOOTING
Salesforce provides error messages in the URL after a failed login. You can check the end of the URL for the error message, or use SAML Tracer to see the error in clear text for easier parsing.
Screenshots in the original guide show the SAML login error in the browser, the error details at the end of the URL, and the same error as displayed in SAML Tracer.