Knowledgebase Article

Single Sign-On, Active Directory, and Salesforce BMC Remedyforce

Virginia Leandro

28 November 2011

PAGE 1 OF 34 FOR INTERNAL USE ONLY

Single Sign-On, Active Directory and Salesforce BMC Remedyforce

Table of Contents

Single Sign-On, Active Directory & Salesforce
  Requirements
Install Microsoft Windows 2008 R2
Install Microsoft Active Directory
Installing Microsoft Certificate Server and IIS
  Configure Active Directory Certificate Services
  Configure Web Server (IIS)
Install Microsoft Active Directory Federation Services 2.0
Create and Configure a Server Authentication Certificate in IIS
Initial Configuration of ADFS 2.0
Salesforce Configuration
ADFS 2.0 Configuration
Testing Staff Access
Configure Single Sign On for Self Service / Customer Portal
  Gather Salesforce Data & Configure Sites
    Portal ID
    Organization ID
    Site URL
    Configure Site Page
  AD FS Preparation
    Get Group SID
  Define Additional AD FS Claims
    Define Portal Rule
    Define Organization Rule
    Define siteURL Rule
    Define SelfService Logout Rule
References
Credits

Document Information

Version: 4.0

Created by: Virginia Leandro

Last Modified on: 28 November 2011

Modified by: Virginia Leandro

Single Sign-On, Active Directory & Salesforce

The intent of this document is to walk someone through the complete setup and configuration of Active Directory, Single Sign-On and Salesforce within a lab or test environment.

There are numerous resources on the internet and on Salesforce that cover much of this information; however, we have tried to pull together a complete step-by-step guide from start to finish.

This document is provided “as is” with no express or implied warranty. This is based on the author’s experience in setting up this configuration in a controlled lab environment. Production environments, depending on needs, could vary. What this document does is provide the basics. Anyone with questions or wanting further details about Microsoft AD FS 2.0 should contact Microsoft or a Microsoft AD FS expert.

Requirements

• Windows 2008 R2 (and all Microsoft Security Updates)
  o Domain joined
  o For the purpose of this document, our Windows 2008 R2 Server will be hosting its own domain and be a domain controller
• Microsoft Active Directory Federation Services 2.0

Install Microsoft Windows 2008 R2

1. Take the defaults for the first screen listing the Language to install, Time and currency format, and Keyboard or input method. Click Next.

2. Click Install Now.

3. Select Windows Server 2008 R2 Enterprise (Full Installation). Click Next.

4. Accept the license terms and click Next.

5. Select Custom install.

6. Allocate your disk space. We won’t go into details here on this as you can just as easily dedicate the full drive to the server. Click Next.

7. The system has all it needs to begin copying files and fire off the installation of Windows 2008 R2.

8. Once the system reboots, set the new Administrator password when prompted. Once the password is set and you’re logged in, the system opens the Initial Configuration Tasks console to continue system configuration.

9. Activate Windows. Follow the prompts and enter the data to activate Windows.

10. Set the time zone.

11. Rename the computer if you so choose. Note: the computer will require you to reboot. Please proceed with the reboot and then pick up with the next step after logging into the system.

12. Download and install any service packs and all security updates. This will most likely take a while. We suggest you run the updates until no more updates are left. This may require you to download and install updates, reboot, run updates, and install another set of updates, and so on.

Install Microsoft Active Directory

1. From the console called “Initial Configuration Tasks”, under “Customize This Server”, select “Add Roles”.

2. On the “Before You Begin” page click Next.

3. On “Select Server Roles”, select the following:

a. Active Directory Domain Services

Note: This will also require .NET Framework 3.5.1 Features. Simply click on “Add Required Features”. Also note that no other roles or features should be selected while installing and configuring the Active Directory environment.

Click Next.

4. On the “Active Directory Domain Services” page click Next.

5. Click Install on the “Confirm Installation Selections” page.

6. Once installation is complete, click the link “Close this wizard and launch the Active Directory Domain Services Installation Wizard (dcpromo.exe)”.

You should now be in a wizard entitled “Active Directory Domain Services Installation Wizard.” Click Next.

7. On the Operating System Compatibility window click Next.

8. For this lab experiment we will create a new domain. So, on the “Choose a Deployment Configuration” window select “Create a new domain in a new forest” and click Next. Note: If you have an existing domain, you would select that option instead.

9. Provide the FQDN of the forest root domain. For this example, we’ll create a domain called rfplano.bmc.com. Click Next.

10. On “Set Forest Functional Level” select Windows Server 2008 R2. Click Next. Note: We have not tested a Windows 2008 R2 server with the forest functional level set to Windows Server 2003; if you have an existing Windows 2003 environment, you would select that level for compatibility purposes.

11. On the “Additional Domain Controller Options” page, the wizard will have auto selected DNS and Global Catalog. Retain these defaults and click Next.

12. Accept the defaults on the “Location for Database, Log Files, and SYSVOL”. Click Next.

13. Provide a password for the Directory Services Restore Mode. Click Next.

14. On the Summary page click Next.

15. Once the installation is complete, click Finish. You’ll be required to restart the server. Once the system reboots, log into your new domain. Important: As part of the Active Directory installation and configuration DNS is installed and configured. DNS configuration is beyond the scope of this document. For our testing, the default settings in DNS were sufficient to test.

Installing Microsoft Certificate Server and IIS

1. In Initial Configuration Tasks under “Customize This Server”, select “Add Roles”.

2. Click Next.

3. On “Select Server Roles” select the following roles and then click Next:

a. Active Directory Certificate Services

b. Web Server (IIS)

4. On the “Introduction to Active Directory Certificate Services” click Next.

5. On “Select Role Services” select the following and click Next.

a. Certification Authority (this is selected by default)

b. Certification Authority Web Enrollment

Note: When you select Certification Authority Web Enrollment, a number of additional role services are required. Simply click on “Add Required Role Services”. Once you’re returned to the Select Role Services page, click Next.

Configure Active Directory Certificate Services

6. On the “Specify Setup Type” page Enterprise is selected. Leave that selection and click Next.

7. On the “Specify CA Type” page leave “Root CA” selected and click Next.

8. On the “Set Up Private Key” page select “Create a new private key” (selected by default). Click Next.

9. On the “Configure Cryptography for CA” page leave the defaults and click Next. Note: Covering the various cryptographic options is beyond the scope of this exercise. For reference, the defaults are:

   CSP: RSA#Microsoft Software Key Storage Provider
   Hash: SHA1
   Key character length: 2048

Caveat: the SHA1 default dates from the 2011 release of this document. SHA-1 certificate signatures are no longer accepted by current browsers and Windows releases, so in anything other than a throwaway lab select SHA256 here before clicking Next; the root certificate keeps whatever hash it was created with until it is renewed.

10. On the Configure CA Name, change the Common name for this CA from the default to the name of the server. In our example, the default showed “rfplano-VLW2K8-CA”. We’ll change this to be just the name of the server which is VLW2K8.

11. Leave the “Distinguished name suffix” alone. Click Next.

12. Accept the default of 5 Years for the validity period and click Next.

13. Accept the default database and database log locations and click Next.

Configure Web Server (IIS)

14. On the “Web Server (IIS)” page click Next.

15. On the “Select Role Services” page accept the role services selected by default and add the following:

a. Application Development
   i. ASP.NET
   ii. .NET Extensibility
   iii. ISAPI Filters

b. IIS 6 Management Compatibility
   i. IIS 6 WMI Compatibility

Where additional role services are required, click on “Add Required Role Services”. Once you’ve made the necessary selections click Next.

16. Click Install on the “Confirm Installation Selections” page.

17. Once the installation is complete, click on Close.

Install Microsoft Active Directory Federation Services 2.0

1. Download AD FS 2.0 from this link: http://www.microsoft.com/download/en/details.aspx?displaylang=en&id=10909 Make sure you select the download appropriate to your environment. Since we are working with Windows 2008 R2 (x64), we selected:

RTW\W2K8R2\amd64\AdfsSetup.exe

Note: AD FS 2.0 is only available as this separate download. The “Active Directory Federation Services” role offered by Server Manager on Windows 2008 R2 is AD FS 1.1, which does not support SAML 2.0 and must not be installed for this exercise.

2. Once the file is downloaded, go to the directory where the file resides and double click on the file AdfsSetup.exe.

3. Once the installation wizard starts, click Next.

4. Accept the License Agreement and click Next.

5. On the “Server Role” page select the default of Federation server and click Next.

6. Click Next on the “Install Prerequisite Software” page.

7. Once the installation is complete, deselect the checkbox next to “Start the AD FS 2.0 Management snap-in when this wizard closes”. Click Finish.

Create and Configure a Server Authentication Certificate in IIS

1. On the Start menu, navigate to All Programs | Administrative Tools | Internet Information Services (IIS) Manager.

2. In the console tree, click on the root node that contains the name of the server.

3. Under IIS, double-click on “Server Certificates”.

4. Under Actions click “Create Self-Signed Certificate…”

5. On “Specify Friendly Name” provide the fully qualified name of the server and click OK. In our example it would be: vlw2k8.rfplano.bmc.com

Note: IIS puts the machine’s own FQDN in the certificate subject regardless of the friendly name you type, and the AD FS configuration wizard later derives the Federation Service name from that subject. A self-signed certificate is fine for this lab only; for a real deployment, obtain a server authentication certificate from a CA that your users’ browsers trust, with the Federation Service name as its subject, and bind that instead.

6. In the console tree view, under your Server, navigate to Sites | Default Web Site.

7. In Actions, click on Bindings…

8. In Site Bindings click on Add…

9. Change Type: to be “https”.

10. For SSL certificate: click the drop down and select the self-signed certificate that you created earlier.

11. Click OK.

12. Click Close.

13. You can now exit Internet Information Services (IIS) Manager.

Initial Configuration of ADFS 2.0

1. If AD FS 2.0 is not already open, then from the Start menu navigate to All Programs | Administrative Tools | AD FS 2.0 Management.

2. Under “Configure this Federation Server” click on the link “AD FS 2.0 Federation Server Configuration Wizard”.

3. Select “Create a new Federation Service” and click Next.

4. For this exercise on the “Select Stand-Alone or Farm Deployment” page, select “Stand-alone federation server”. Click Next.

5. On the “Specify the Federation Service Name” page accept the default and click Next.

6. On the “Specify a Service Account” page click Browse.

7. On the “Select User” window, click on Advanced…

8. Click Find Now or if you want to narrow down your query simply use the Common Queries section of the form.

9. For this exercise, select Administrator and click OK.

Caveat: running the Federation Service as the domain Administrator is acceptable only in an isolated lab like this one. Anywhere else, create a dedicated domain user for AD FS with no administrative group memberships and select that account here; the wizard grants it the specific rights the service needs. You can find more information about those permissions by clicking on “Learn more about the permissions that will be granted to this service account”.

10. Click OK on the “Select User” window.

11. Once you’re returned to the “Specify a Service Account” page, provide the Administrator password and click Next.

12. Click Next on the “Ready to Apply Settings” page.

13. Once the configuration is complete, click on Close.

Salesforce Configuration

1. In AD FS 2.0, expand Service and click on Certificates.

2. Double click on the certificate listed under “Token-signing”.

3. If the certificate does not chain to a trusted root (the token-signing certificate AD FS 2.0 generates during initial configuration is self-signed), the Certificate dialog will report that it is not trusted. Installing it into this server’s Trusted Root store, as in steps 4 through 12, only removes that warning; the export in steps 13 through 20 works either way, since Salesforce only needs the public certificate.

4. Click Install Certificate…

5. Click Next on the Welcome to the Certificate Import Wizard.

6. Select “Place all certificates in the following store” and click Browse…

7. In “Select Certificate Store”, select “Trusted Root Certification Authorities”. Click OK. You’re returned to the import wizard; click Next.

8. Click Finish.

9. You’ll get a Security Warning dialog box stating you’re about to install the certificate. Click Yes.

10. Click OK on the message indicating that the import was successful.

11. Click OK and close the Certificate dialog.

12. Double click again on the certificate listed under Token-signing. The certificate should now be trusted.

13. Click on the Details tab.

14. Click on “Copy to File…”

15. Click Next on the Welcome to the Certificate Export Wizard window.

16. Keep the default “DER encoded binary X.509 (.CER)”. Click Next.

17. Specify a filename and a directory where the file will be created. In our example it’s D:\Temp\vlw2k8.cer. Click Next.

18. Click Finish.

19. You should get a dialog box stating that the export was successful. Click OK.

20. Click OK to close the Certificate dialog.

21. In the AD FS 2.0 tree click on Service | Endpoints.

22. Under Metadata, locate the listing that has a type called Federation Metadata. Make a note of the URL path.

23. Launch your browser and provide the appropriate URL. In our example our server is vlw2k8.rfplano.bmc.com so the URL would be:

https://vlw2k8.rfplano.bmc.com/FederationMetadata/2007-06/FederationMetadata.xml

24. In the XML file, we need to copy the entityID. In this example that would be:

http://vlw2k8.rfplano.bmc.com/adfs/services/trust

25. Log into your Salesforce organization as your System Administrator.

26. In Salesforce navigate to Setup | Administration Setup | Security Controls | Single Sign-On Settings.

27. Click Edit.

28. Check the box next to “SAML Enabled”. Other fields will now appear. Complete these fields as follows:

   SAML Version: 2.0
   Issuer: Copy the entityID from Step #24 above. In this case it would be: http://vlw2k8.rfplano.bmc.com/adfs/services/trust
   Identity Provider Certificate: Click Browse and find the certificate you exported earlier. This is the D:\Temp\vlw2k8.cer.
   Custom Error URL: For now leave blank.
   SAML User ID Type: Assertion contains the Federation ID from the User object.
   SAML User ID Location: User ID is in the NameIdentifier element of the Subject statement.
   User Provisioning Enabled: Leave unchecked.

29. Click Save.

30. Click on “Download Metadata”.

31. Save the resulting XML file to a directory. In this example we’ll save it in our D:\Temp directory.
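The values gathered by hand in steps 1 through 24 (the token-signing certificate and the entityID) can also be pulled straight out of the federation metadata, which is useful both to double-check what you typed into Salesforce and to repeat the export after a certificate change. The following Python script is an added example written for this article; it is not BMC’s or the author’s code. It parses the FederationMetadata.xml that step 23 fetches, extracts the entityID for the Issuer field and the signing certificate for the Identity Provider Certificate field, writes the certificate as the DER .cer file Salesforce expects, and reports how long that certificate remains valid. The metadata in the script is a constructed sample: the certificate inside it is a structurally minimal stand-in that the script builds itself (filler key and signature, not a real certificate), and the hostnames are the ones used in this article. To use it for real, pass the contents of the metadata URL from step 23 instead of SAMPLE_METADATA.

```python
"""Pull the Salesforce SSO inputs (Issuer and token-signing certificate) out of
AD FS federation metadata and report when the certificate expires."""
import base64
import datetime as dt
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
UTC = dt.timezone.utc


def parse_federation_metadata(xml_text):
    """Return (entityID, [DER bytes of each IdP signing certificate])."""
    root = ET.fromstring(xml_text)
    certs = []
    for kd in root.findall("md:IDPSSODescriptor/md:KeyDescriptor", NS):
        if kd.get("use", "signing") != "signing":      # no 'use' attribute means both uses
            continue
        b64 = kd.findtext("ds:KeyInfo/ds:X509Data/ds:X509Certificate", namespaces=NS)
        certs.append(base64.b64decode("".join(b64.split())))
    return root.get("entityID"), certs


def _tlv(buf, pos):
    """Decode one DER tag-length-value at pos -> (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                  # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def _asn1_time(tag, value):
    """UTCTime (0x17, YYMMDD...) or GeneralizedTime (0x18, YYYYMMDD...)."""
    fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"
    return dt.datetime.strptime(value.decode("ascii"), fmt).replace(tzinfo=UTC)


def cert_validity(der):
    """Return (notBefore, notAfter) by walking the leading TBSCertificate fields."""
    _, cert, _ = _tlv(der, 0)                          # Certificate ::= SEQUENCE
    _, tbs, _ = _tlv(cert, 0)                          # tbsCertificate ::= SEQUENCE
    tag, _, pos = _tlv(tbs, 0)                         # [0] EXPLICIT version (v2/v3 only)
    if tag != 0xA0:
        pos = 0                                        # v1 certificate: no version field
    for _ in range(3):                                 # serialNumber, signature, issuer
        _, _, pos = _tlv(tbs, pos)
    _, validity, _ = _tlv(tbs, pos)                    # validity ::= SEQUENCE { notBefore, notAfter }
    t1, nb, pos = _tlv(validity, 0)
    t2, na, _ = _tlv(validity, pos)
    return _asn1_time(t1, nb), _asn1_time(t2, na)


def salesforce_sso_inputs(metadata_xml, today):
    """today is 'YYYY-MM-DD'. Returns the values for Salesforce's Single Sign-On
    Settings page plus how many days the signing certificate has left."""
    entity_id, certs = parse_federation_metadata(metadata_xml)
    if not certs:
        raise ValueError("metadata carries no signing certificate")
    not_before, not_after = cert_validity(certs[0])
    now = dt.datetime.strptime(today, "%Y-%m-%d").replace(tzinfo=UTC)
    return {
        "issuer": entity_id,                           # Salesforce 'Issuer' field
        "cert_der": certs[0],                          # write to a .cer and upload
        "not_before": not_before.isoformat(),
        "not_after": not_after.isoformat(),
        "days_left": (not_after - now).days,
    }


def _der(tag, content):
    """DER-encode one TLV (only used to build the constructed sample below)."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    nb = (n.bit_length() + 7) // 8
    return bytes([tag, 0x80 | nb]) + n.to_bytes(nb, "big") + content


def sample_signing_cert():
    """Constructed, structurally minimal X.509 DER. NOT a real certificate: the
    key and signature are filler bytes. A genuine AD FS certificate has the same
    leading fields, which is all cert_validity() reads."""
    name = _der(0x30, _der(0x31, _der(0x30, _der(0x06, bytes.fromhex("550403"))   # CN=
                                            + _der(0x0C, b"ADFS Signing - vlw2k8.rfplano.bmc.com"))))
    sha256_rsa = _der(0x30, _der(0x06, bytes.fromhex("2A864886F70D01010B")))      # sha256WithRSA
    validity = _der(0x30, _der(0x17, b"111128000000Z") + _der(0x17, b"121127235959Z"))
    spki = _der(0x30, _der(0x30, _der(0x06, bytes.fromhex("2A864886F70D010101")) + _der(0x05, b""))
                      + _der(0x03, bytes(9)))                                       # filler key
    tbs = _der(0x30, _der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01")          # v3, serial 1
                     + sha256_rsa + name + validity + name + spki)
    return _der(0x30, tbs + sha256_rsa + _der(0x03, bytes(9)))                      # filler signature


# Constructed sample metadata in the shape AD FS 2.0 publishes (real files also
# carry encryption keys, WS-Federation endpoints and an enveloped signature).
SAMPLE_METADATA = """<?xml version="1.0"?>
<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="http://vlw2k8.rfplano.bmc.com/adfs/services/trust">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing">
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
        <X509Data><X509Certificate>{cert}</X509Certificate></X509Data>
      </KeyInfo>
    </KeyDescriptor>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://vlw2k8.rfplano.bmc.com/adfs/ls/"/>
  </IDPSSODescriptor>
</EntityDescriptor>
""".format(cert=base64.b64encode(sample_signing_cert()).decode())

if __name__ == "__main__":
    info = salesforce_sso_inputs(SAMPLE_METADATA, "2012-01-01")
    with open("adfs-signing.cer", "wb") as fh:        # the file step 28 asks for
        fh.write(info["cert_der"])
    print(info["issuer"], info["not_after"], info["days_left"], "days left")
```

The expiry figure is the operational point. AD FS 2.0 creates its token-signing certificate with a one-year lifetime and, with automatic certificate rollover enabled (the default), generates a replacement shortly before expiry and switches to it. Salesforce keeps verifying assertions against whatever certificate was uploaded in step 28 and rejects every login once AD FS signs with the new one, so run a check like this on a schedule and upload the replacement certificate to Salesforce before it becomes primary.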

ADFS 2.0 Configuration

In this section we’ll build a trust relationship between Salesforce and ADFS 2.0.

1. In ADFS 2.0 click on the root AD FS 2.0.

2. Under Required Configuration Incomplete, click on the link “Required: Add a trusted relying party”.

3. On the Welcome page, click Start.

4. On Select Data Source, click on “Import data about the relying party from a file”. Click Browse… Select the Metadata XML that you exported from Salesforce. Click Open. Click Next.

5. Provide a Display name. For example, Salesforce. Add any additional notes you might like. Click Next.

6. On Choose Issuance Authorization Rules, select “Permit all users to access this relying party”. Click Next. Note: this lets every domain account obtain a token for Salesforce. Salesforce still rejects anyone whose Federation ID does not match, but outside a lab you would normally restrict issuance to the group of users who are meant to reach Salesforce.

7. On Ready to Add Trust, click Next.

8. Make sure that the checkbox next to “Open the Edit Claim Rules dialog for this relying party trust when the wizard closes” is checked. Click Close.

9. In the Edit Claim Rules for Salesforce, click on Add Rule…

10. For the Claim rule template, select “Send LDAP Attributes as Claims”. Click Next.

11. Provide a Claim rule name. In this example “Send UPN as Name ID”.

12. Under Attribute store, select Active Directory.

13. Select the LDAP Attribute “User-Principal-Name”.

14. Select for Outgoing Claim Type “Name ID”.

15. Click Finish.

16. Click Add Rule…

17. Under Claim rule template select “Send Claims Using a Custom Rule”. Click Next.

18. For the Claim rule name set it to “Send logout URL”.

19. For Custom Rule, you’ll use the following:

   => issue(Type = "logoutURL", Value = "http://intranet.yourcompany.com",
      Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/attributename"]
        = "urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified");

Replace http://intranet.yourcompany.com with your company’s intranet site. The Properties entry sets the NameFormat of the resulting SAML attribute to unspecified.

20. Click Finish.

21. Click Apply and then OK.

Testing Staff Access

Important: If you are using Internet Explorer, please make sure that User Authentication in Security Settings is set to “Automatic logon with current user name and password”. If this is not set correctly, the user will be challenged to provide their AD user name and password.

1. Log into Salesforce as the System Administrator.

2. Navigate to Setup | Administration Setup | Manage Users | Users.

3. Locate the user you’ll be using for testing and click on the user.

4. Click Edit.

5. Scroll down to the section called “Single Sign On Information” and find the field called “Federation ID”. Enter the value AD FS will send as the Name ID; with the “Send UPN as Name ID” rule defined above, that is the user’s User Principal Name. In our example it would be [email protected]. Salesforce compares this field with the NameID as an exact string, so the case and the domain suffix must be the same as what AD FS emits.

6. Save the record.

7. Log into the domain as your test account.

8. Launch your browser and go to the ADFS IdP-initiated login URL which would be for our example:

https://vlw2k8.rfplano.bmc.com/adfs/ls/idpinitiatedsignon.aspx?loginToRp=https://saml.salesforce.com
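When the test in step 8 fails, the Salesforce error page rarely says why. The following Python script is an added example written for this article, not the author’s, BMC’s or Salesforce’s code. It re-applies, offline, the checks that decide whether an assertion is accepted, signature aside (Salesforce verifies the XML signature with the certificate from step 28; that check is not reproduced here): the assertion Issuer equals the entityID from step 24, the current time lies inside the Conditions window, the audience is https://saml.salesforce.com, and the Subject NameID exactly equals one of the users’ Federation IDs. The SAML response in the script is a constructed sample in the shape AD FS 2.0 produces with the two claim rules above (UPN as Name ID, logoutURL attribute); the user jdoe@rfplano.bmc.com, the IDs and the timestamps are assumptions, and the sample carries no Signature element. To diagnose a real login, capture the SAMLResponse form field posted to Salesforce with the browser’s developer tools, base64-decode it, and pass that XML in place of SAMPLE_RESPONSE.

```python
"""Re-run the acceptance checks Salesforce applies to an AD FS SAML assertion
(signature aside) so a failed test login can be diagnosed offline."""
import datetime as dt
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
UTC = dt.timezone.utc
ADFS_ISSUER = "http://vlw2k8.rfplano.bmc.com/adfs/services/trust"   # Salesforce 'Issuer' field
SALESFORCE_AUDIENCE = "https://saml.salesforce.com"                  # Salesforce's SP entity ID


def _t(s):
    """Parse a SAML xs:dateTime in UTC ('...Z'), with or without fractional seconds."""
    fmt = "%Y-%m-%dT%H:%M:%S.%fZ" if "." in s else "%Y-%m-%dT%H:%M:%SZ"
    return dt.datetime.strptime(s, fmt).replace(tzinfo=UTC)


def check_assertion(response_xml, expected_issuer, federation_ids, now_iso):
    """Return (problems, attributes). An empty problems list means every check
    except the XML signature passes for the set of Federation IDs given."""
    root = ET.fromstring(response_xml)
    assertion = root.find("saml:Assertion", NS)
    now = _t(now_iso)
    problems = []

    # 1. Issuer must be the entityID configured in Single Sign-On Settings.
    issuer = assertion.findtext("saml:Issuer", namespaces=NS)
    if issuer != expected_issuer:
        problems.append(f"issuer {issuer!r} does not equal the configured Issuer {expected_issuer!r}")

    # 2. Conditions: time window and audience restriction.
    cond = assertion.find("saml:Conditions", NS)
    if not (_t(cond.get("NotBefore")) <= now < _t(cond.get("NotOnOrAfter"))):
        problems.append("assertion is outside its validity window (clock skew between AD FS and Salesforce?)")
    audiences = [e.text for e in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if SALESFORCE_AUDIENCE not in audiences:
        problems.append(f"audience {audiences} does not include {SALESFORCE_AUDIENCE}")

    # 3. Subject NameID must equal a user's Federation ID exactly (case included).
    name_id = assertion.findtext("saml:Subject/saml:NameID", namespaces=NS)
    if not name_id:
        problems.append("no NameID in Subject: check the 'Send UPN as Name ID' rule")
    elif name_id not in federation_ids:
        near = [f for f in federation_ids if f.lower() == name_id.lower()]
        problems.append(f"NameID {name_id!r} matches no Federation ID"
                        + (f" (case differs from {near[0]!r})" if near else ""))

    # 4. Collect the attributes (e.g. logoutURL) so the claim rules can be verified.
    attributes = {
        a.get("Name"): [v.text for v in a.findall("saml:AttributeValue", NS)]
        for a in assertion.findall("saml:AttributeStatement/saml:Attribute", NS)
    }
    return problems, attributes


# Constructed sample in the shape AD FS 2.0 emits for the rules above; the user,
# IDs and timestamps are assumptions and there is no Signature element.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0"
    IssueInstant="2011-11-28T15:00:00Z" Destination="https://login.salesforce.com">
  <saml:Issuer>http://vlw2k8.rfplano.bmc.com/adfs/services/trust</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2011-11-28T15:00:00.250Z">
    <saml:Issuer>http://vlw2k8.rfplano.bmc.com/adfs/services/trust</saml:Issuer>
    <saml:Subject>
      <saml:NameID>jdoe@rfplano.bmc.com</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData NotOnOrAfter="2011-11-28T15:05:00Z"
            Recipient="https://login.salesforce.com"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions NotBefore="2011-11-28T15:00:00Z" NotOnOrAfter="2011-11-28T16:00:00Z">
      <saml:AudienceRestriction>
        <saml:Audience>https://saml.salesforce.com</saml:Audience>
      </saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="logoutURL"
          NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
        <saml:AttributeValue>http://intranet.yourcompany.com</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>
"""

if __name__ == "__main__":
    users = {"jdoe@rfplano.bmc.com"}          # Federation IDs entered in step 5
    problems, attrs = check_assertion(SAMPLE_RESPONSE, ADFS_ISSUER, users, "2011-11-28T15:30:00Z")
    print("would be accepted" if not problems else "\n".join(problems), attrs)
```

The case check is the one that catches most first-time failures: the Federation ID typed in step 5 and the UPN stored in Active Directory are often capitalised differently, and the mismatch is invisible in the Salesforce error.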

Remember: If you are using Internet Explorer and the user is challenged, they’ll see a Windows Security window asking the person to resubmit their domain credentials. This can mean a number of things, but usually it means IE is not configured correctly:

a. In IE, go to Tools | Internet Options.

b. Click on the Security tab.

c. Highlight Internet in the Zone area and then click on “Custom level…”

d. Scroll down to the bottom and find “User Authentication”. Under Logon, make sure this is set to “Automatic logon with current user name and password”. Once the change is made click OK and confirm you want to make the change.

e. Click Apply on Internet Options (if it’s enabled) and then OK to exit Internet Options.

Caveat: enabling automatic logon for the whole Internet zone makes IE offer the user’s Windows credentials to any site that asks for them, which is acceptable in an isolated lab but not on a real workstation. The safer way to get the same result is to leave the Internet zone alone and add the federation server (https://vlw2k8.rfplano.bmc.com in our example) to the Local intranet zone under Security | Local intranet | Sites | Advanced; that zone already defaults to “Automatic logon only in Intranet zone”, so integrated Windows authentication to AD FS works without exposing credentials elsewhere. In a domain this is normally pushed out with Group Policy rather than set on each machine.

Configure Single Sign On for Self Service / Customer Portal

Previously we set up Single Sign On for your Salesforce/Remedyforce staff. Now we’ll walk through configuration for those users who will be accessing Self Service, which is hosted through the Salesforce Customer Portal feature. Self Service is a feature provided for those who request services from your IT Service Desk. These Clients may call the Service Desk, send an email to the Service Desk requesting assistance, or access Remedyforce Self Service to log their own ticket.

Note: This section assumes you have SSO working correctly for your environment.

Gather Salesforce Data & Configure Sites

In order for Customer Portal to work you’ll first need to specify additional claim rules to pass the following information:

• Portal ID
• Organization ID
• SiteURL

This section will walk you through gathering this information.

Portal ID:

1. In Salesforce navigate to Setup | App Setup | Customize | Customer Portal | Settings.

2. Click on the Name link “Customer Portal”.

3. Locate the Portal ID under Portal Detail and copy this to a text editor such as Notepad:

Organization ID:

1. In Salesforce navigate to Setup | Administration Setup | Company Profile | Company Information.

2. Locate the Salesforce.com Organization ID and copy this information to Notepad.

Site URL:

1. In Salesforce navigate to Setup | App Setup | Develop | Sites.

2. Locate the Site Label for Self Service and click on the label link.

3. Copy the “Secure Web Address” to Notepad.

Configure Site Page

1. Assuming you are still on the SelfService Site Details page, click on Edit.

2. Change the Active Site Home Page from “SSSiteLogin” to “SelfServiceHome”.

3. Click Save.

AD FS Preparation

When AD FS sends the SAML assertion to Salesforce, every claim issued for the user travels in that one assertion. Staff need access to Salesforce itself, while Clients need access to Self Service, so Salesforce has to be presented with different assertion contents for a Customer Portal login. We need to add claims that carry the additional information required for Portal access, but we also need to limit who receives those claims. This section walks through restricting the additional claims so that they are issued only when a Client accesses Self Service. In this example we use Active Directory group membership to tell Staff and Clients apart: Clients are members of a specific group. We have created an Active Directory group called SelfService, and every Client who uses Self Service is a member of it. Because the rules below key on membership in that group and nothing else, a Staff account placed in SelfService would also receive the Portal claims, so keep Staff accounts out of it.

Get Group SID

1. You will need a tool called PsGetSid, which can be downloaded from here:

http://technet.microsoft.com/en-us/sysinternals/bb897417

Once the file is downloaded, extract it to a directory on the Active Directory domain server.

2. On your Active Directory domain server launch the Command Prompt and change into the directory where PsGetSid.exe resides.

3. Type the following: psgetsid <name of object>. In our example the group is called SelfService, so: psgetsid SelfService. The output includes the group's SID, which has the form S-1-5-21-<domain identifier>-<RID>. (If the Active Directory module for Windows PowerShell is installed, Get-ADGroup SelfService returns the same value in its SID property.)

Copy the SID for the group to Notepad. You'll need it in a bit. The rules key on the SID rather than the group name, so renaming the group later will not break them; deleting and recreating the group, however, produces a new SID and the rules must be updated.

Define Additional AD FS Claims

Using the SID for the group we can now define our additional claims. Each rule below has the same shape: the condition matches an incoming groupsid claim against the SelfService group's SID, and only when it matches is the extra claim issued.

Define Portal Rule

1. Launch the AD FS 2.0 Management console.

2. Expand Trust Relationships.

3. Click on Relying Party Trusts.

4. Highlight the relying party trust you set up for Salesforce, right-click and select Edit Claim Rules….

5. On the Issuance Transform Rules tab, click on Add Rule…

6. Under Claim Rule Template, select “Send Claims Using a Custom Rule”.

7. Click Next.

8. Provide a Claim rule name. For this example we'll first define the Portal ID, so we'll call this rule: "Send Portal ID"

9. Now provide the details for the rule. The template is:

c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", Value =~ "^(?i)<insert groupsid>$"]
 => issue(Type = "portal_id", Value = "<insert portal id>");

So, with the following values:

Group SID: S-1-5-21-166134431-523660225-3119196521-1107
Portal ID: 060A00000005DqB

the rule detail would be:

c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid",
   Value =~ "^(?i)S-1-5-21-166134431-523660225-3119196521-1107$"]
 => issue(Type = "portal_id", Value = "060A00000005DqB");

Keep the ^ and $ anchors: =~ is a regular-expression match, and without them a pattern ending in -1107 would also be satisfied by a SID ending in -11070. Also make sure the Value strings carry no leading or trailing spaces, or Salesforce receives an ID that does not match.

NOTE: The rule editor is picky about formatting. The layout shown above (the condition on one line, the issue statement on the next) is what the system accepted; apply it to every rule in this document.

10. Click Finish.

Define Organization Rule

1. Still on the Issuance Transform Rules tab, click on Add Rule…

2. Under Claim Rule Template, select “Send Claims Using a Custom Rule”.

3. Click Next.

4. Provide a Claim rule name. We're now defining the Organization ID, so we'll call this rule: "Send Org ID"

5. Now provide the details for the rule. The template is:

c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", Value =~ "^(?i)<insert groupsid>$"]
 => issue(Type = "organization_id", Value = "<insert organization id>");

So, using our example values:

Group SID: S-1-5-21-166134431-523660225-3119196521-1107
Organization ID: 00DA0000000CjM6

the rule detail would be:

c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid",
   Value =~ "^(?i)S-1-5-21-166134431-523660225-3119196521-1107$"]
 => issue(Type = "organization_id", Value = "00DA0000000CjM6");

6. Click Finish.

Define siteURL Rule

1. Click on Add Rule…

2. Under Claim Rule Template, select “Send Claims Using a Custom Rule”.

3. Click Next.

4. Provide a Claim rule name. For this example we are defining the Site URL, so we'll call this rule: "Send siteURL"

5. Now provide the details for the rule. The template is:

c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", Value =~ "^(?i)<insert groupsid>$"]
 => issue(Type = "siteURL", Value = "<insert secure site url>");

So, using our example values:

Group SID: S-1-5-21-166134431-523660225-3119196521-1107
Secure Site URL: https://bmcremedyforcetrial-130adcfdce5.secure.force.com

the rule detail would be:

c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid",
   Value =~ "^(?i)S-1-5-21-166134431-523660225-3119196521-1107$"]
 => issue(Type = "siteURL", Value = "https://bmcremedyforcetrial-130adcfdce5.secure.force.com");

6. Click Finish.

Define SelfService Logout Rule

1. Click on Add Rule…

2. Under Claim Rule Template, select “Send Claims Using a Custom Rule”.

3. Click Next.

4. Provide a Claim rule name. For this example we are defining the logout URL, so we'll call this rule: "Send SelfService Logout"

5. Now provide the details for the rule. The template is:

c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", Value =~ "^(?i)<insert groupsid>$"]
 => issue(Type = "logoutURL", Value = "http://intranet.yourcompany.com", Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/attributename"] = "urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified");

Replace <insert groupsid> with your Group SID and replace http://intranet.yourcompany.com with your company's intranet site or another site you want Clients redirected to when they log out of Self Service. Since the Client's browser is sent to this address after logout, point it only at a site you control. For example, the rule could look like this:

c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid",
   Value =~ "^(?i)S-1-5-21-166134431-523660225-3119196521-1107$"]
 => issue(Type = "logoutURL", Value = "http://intranet.acme.com",
   Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/attributename"] = "urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified");

6. Click Finish.

7. Click Apply and then OK.
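The four rules above share one structure, so here is an added example in Python (not code from the article, from BMC or from Salesforce) that renders them from the values you gathered, validates those values, and simulates how AD FS evaluates them for a Staff user and for a Client. The Staff group SID and the lists of incoming groupsid claims are constructed for the example, and the evaluator models only the rule shape used here, not the full AD FS claims language. One detail worth knowing: AD FS's .NET regex engine accepts the inline "(?i)" after "^", but Python 3.11 and later do not, so the example applies the flag separately.

```python
"""Render and sanity-check the group-gated AD FS claim rules.

Added example for this article; it is not code from BMC or Salesforce.
It builds the four custom rules (portal_id, organization_id, siteURL,
logoutURL) from the values gathered earlier, validates those values,
and then simulates how AD FS evaluates the rules against a user's
incoming groupsid claims so you can see what a Staff user and a Client
each receive before editing the relying party trust.
"""
import re

GROUPSID = "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid"
ATTRNAME = ("http://schemas.xmlsoap.org/ws/2005/05/identity/"
            "claimproperties/attributename")
UNSPECIFIED = "urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified"

# Shapes of the values the article has you copy into Notepad.
SID_RE = re.compile(r"^S-1-5-21(?:-\d+){4}$")                          # domain group SID
PORTAL_ID_RE = re.compile(r"^060[A-Za-z0-9]{12}(?:[A-Za-z0-9]{3})?$")  # 15/18-char ID
ORG_ID_RE = re.compile(r"^00D[A-Za-z0-9]{12}(?:[A-Za-z0-9]{3})?$")     # 15/18-char ID


def validate_inputs(group_sid, portal_id, org_id, site_url, logout_url):
    """Reject values that would yield a rule that never matches or a claim
    Salesforce cannot use, e.g. a mistyped SID or an ID with stray
    whitespace. Raises ValueError naming the offending value."""
    checks = [
        (SID_RE.match(group_sid), "group SID", group_sid),
        (PORTAL_ID_RE.match(portal_id), "portal ID", portal_id),
        (ORG_ID_RE.match(org_id), "organization ID", org_id),
        (site_url.startswith("https://"), "site URL (must be https)", site_url),
        (re.match(r"^https?://\S+$", logout_url), "logout URL", logout_url),
    ]
    for ok, label, value in checks:
        if not ok or value != value.strip():
            raise ValueError(f"bad {label}: {value!r}")


def gated_rule(group_sid, claim_type, value, saml_name_format=False):
    """One 'Send Claims Using a Custom Rule' rule: issue claim_type=value
    only if the user carries the given group SID. The SID has been
    validated to digits and hyphens, so it needs no regex escaping."""
    props = f', Properties["{ATTRNAME}"] = "{UNSPECIFIED}"' if saml_name_format else ""
    return (f'c:[Type == "{GROUPSID}", Value =~ "^(?i){group_sid}$"]\n'
            f' => issue(Type = "{claim_type}", Value = "{value}"{props});')


def build_rules(group_sid, portal_id, org_id, site_url, logout_url):
    """Return [(rule name, rule text)] in the order the article adds them."""
    validate_inputs(group_sid, portal_id, org_id, site_url, logout_url)
    return [
        ("Send Portal ID", gated_rule(group_sid, "portal_id", portal_id)),
        ("Send Org ID", gated_rule(group_sid, "organization_id", org_id)),
        ("Send siteURL", gated_rule(group_sid, "siteURL", site_url)),
        ("Send SelfService Logout",
         gated_rule(group_sid, "logoutURL", logout_url, saml_name_format=True)),
    ]


RULE_RE = re.compile(r'c:\[Type == "([^"]+)", Value =~ "([^"]+)"\]\s*'
                     r'=> issue\(Type = "([^"]+)", Value = "([^"]+)"')


def evaluate(rules, incoming_claims):
    """Minimal model of the AD FS claims pipeline for rules of this shape:
    a rule fires when any incoming claim of the condition's type matches
    the condition's regex, and the issued claims are the union. The
    inline '(?i)' is valid in .NET but rejected by Python 3.11+ when it
    follows '^', so it is stripped and applied as re.IGNORECASE."""
    issued = {}
    for _, text in rules:
        cond_type, pattern, out_type, out_value = RULE_RE.search(text).groups()
        py_pattern = pattern.replace("(?i)", "")
        for ctype, cvalue in incoming_claims:
            if ctype == cond_type and re.search(py_pattern, cvalue, re.IGNORECASE):
                issued[out_type] = out_value
    return issued


# Constructed sample values; the SelfService SID and IDs follow the article.
SELFSERVICE_SID = "S-1-5-21-166134431-523660225-3119196521-1107"
STAFF_SID = "S-1-5-21-166134431-523660225-3119196521-1105"   # made-up Staff group
RULES = build_rules(SELFSERVICE_SID, "060A00000005DqB", "00DA0000000CjM6",
                    "https://bmcremedyforcetrial-130adcfdce5.secure.force.com",
                    "http://intranet.acme.com")

# AD FS emits one groupsid claim per group the user belongs to (constructed).
CLIENT_CLAIMS = [(GROUPSID, "S-1-5-21-166134431-523660225-3119196521-513"),
                 (GROUPSID, SELFSERVICE_SID)]
STAFF_CLAIMS = [(GROUPSID, "S-1-5-21-166134431-523660225-3119196521-513"),
                (GROUPSID, STAFF_SID)]

if __name__ == "__main__":
    for name, text in RULES:
        print(f"--- {name}\n{text}\n")
    print("client gets:", evaluate(RULES, CLIENT_CLAIMS))
    print("staff gets: ", evaluate(RULES, STAFF_CLAIMS))
```

Running it prints the four rules ready to paste into the console, then shows that the Client's claim set contains all four Portal claims while the Staff user's is empty; feeding it the Organization ID with a leading space, as once crept into a draft of this document, is rejected before any rule is rendered.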

At this point, make the SAML IdP-initiated login URL available on your intranet for your users. When a Client who is a member of the SelfService group hits it, AD FS issues the Portal claims alongside the standard ones and the Client lands in Self Service without a further login challenge; a user outside that group receives only the standard claims.
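To confirm that the gating really holds, inspect the assertion AD FS actually sends rather than trusting the rule text. The following added example (not from the article, from BMC or from Salesforce) parses a decoded SAML 2.0 Response and checks that a Client assertion carries exactly the four gated attributes with the values you gathered, while a Staff assertion carries none of them. The two Response documents are constructed for the example, and the check assumes AD FS emits each claim type as the SAML Attribute Name; the base64 helpers correspond to the SAMLResponse form field that the IdP-initiated login posts to Salesforce.

```python
"""Check a decoded SAML assertion for the Customer Portal attributes.

Added example for this article, not code from BMC or Salesforce. Once
the rules are in place, capture the assertion AD FS sends (the decoded
SAMLResponse form field, or the XML shown by a SAML tracing browser
add-on) and confirm that a Client assertion carries exactly the four
gated attributes with the expected values, while a Staff assertion
carries none of them. The XML below is constructed for the example and
assumes AD FS emits each claim type as the SAML Attribute Name.
"""
import base64
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"saml": SAML_NS, "samlp": "urn:oasis:names:tc:SAML:2.0:protocol"}
PORTAL_ATTRS = ("portal_id", "organization_id", "siteURL", "logoutURL")


def decode_saml_response(b64):
    """The SAMLResponse form field is the base64-encoded Response XML."""
    return base64.b64decode(b64).decode("utf-8")


def encode_saml_response(xml_text):
    """Inverse of decode_saml_response, used here to build test input."""
    return base64.b64encode(xml_text.encode("utf-8")).decode("ascii")


def attributes(xml_text):
    """Return {Attribute Name: [values]} from a SAML 2.0 Response or a bare
    Assertion. Signature checking is deliberately not done here: Salesforce
    validates the signature; this is an operator's content check."""
    root = ET.fromstring(xml_text)
    attrs = {}
    for attr in root.iter(f"{{{SAML_NS}}}Attribute"):
        values = [v.text or "" for v in attr.findall("saml:AttributeValue", NS)]
        attrs.setdefault(attr.get("Name"), []).extend(values)
    return attrs


def check_client(attrs, expected):
    """Return a list of problems for a Client assertion (empty means OK):
    each gated attribute must be present exactly once with the value
    gathered from Salesforce, otherwise the Portal login fails or lands
    in the wrong place."""
    problems = []
    for name in PORTAL_ATTRS:
        got = attrs.get(name, [])
        if got != [expected[name]]:
            problems.append(f"{name}: got {got}, expected [{expected[name]!r}]")
    return problems


def check_staff(attrs):
    """Return the gated attributes that leaked into a Staff assertion.
    They are what tells Salesforce this is a Customer Portal login, so a
    Staff assertion must not carry any of them."""
    return [name for name in PORTAL_ATTRS if name in attrs]


def sample_response(attribute_xml):
    """Constructed minimal Response wrapper for the sample assertions."""
    return f"""<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="{SAML_NS}" ID="_r1" Version="2.0">
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:Subject><saml:NameID>user@acme.com</saml:NameID></saml:Subject>
    <saml:AttributeStatement>{attribute_xml}</saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""


def attribute_xml(name, value):
    """One SAML Attribute element with a single value (constructed)."""
    return (f'<saml:Attribute Name="{name}">'
            f'<saml:AttributeValue>{value}</saml:AttributeValue></saml:Attribute>')


# Values gathered in the article's example (logout URL is its acme example).
EXPECTED = {"portal_id": "060A00000005DqB",
            "organization_id": "00DA0000000CjM6",
            "siteURL": "https://bmcremedyforcetrial-130adcfdce5.secure.force.com",
            "logoutURL": "http://intranet.acme.com"}

# Constructed sample assertions: a Client in the SelfService group, and a
# Staff user who only receives a standard claim (here, the name claim).
CLIENT_XML = sample_response("".join(attribute_xml(k, v) for k, v in EXPECTED.items()))
STAFF_XML = sample_response(attribute_xml(
    "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name", "staff1"))

if __name__ == "__main__":
    client = attributes(decode_saml_response(encode_saml_response(CLIENT_XML)))
    print("client problems:", check_client(client, EXPECTED))
    print("staff leaks:   ", check_staff(attributes(STAFF_XML)))
```

Paste the decoded XML of a real assertion into attributes() and run both checks against it: an empty list from check_client for a SelfService member, and an empty list from check_staff for anyone else, is the result you want before opening Self Service to Clients.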

Note: We are currently evaluating a change to our SelfServiceHome page so that a user who inadvertently hits that page without being authenticated is directed back to our default SSSiteLogin page. This is under evaluation only at this time. Until then, every Client wishing to use Self Service must first be authenticated to your Active Directory domain.

References:

Single Sign-On with Force.com and Microsoft Active Directory Federation Services

http://wiki.developerforce.com/index.php/Single_Sign-On_with_Force.com_and_Microsoft_Active_Directory_Federation_Services

Salesforce SSO with ADFS 2.0 – Everything you need to Know

http://blog.rhysgoodwin.com/cloud/salesforce-sso-with-adfs-2-0-everything-you-need-to-know/

AD FS 2.0 Content Map

http://social.technet.microsoft.com/wiki/contents/articles/2735.aspx

Install Certificate Services on Windows Server 2008 R2

http://d3planet.com/rtfb/2009/11/10/install-certificate-services-on-windows-server-2008-r2/

Windows Authentication but still getting Login box

http://www.velocityreviews.com/forums/t88516-windows-authentication-but-still-getting-login-box.html

Claim Types Fields

http://msdn.microsoft.com/en-us/library/ee733968.aspx

http://msdn.microsoft.com/en-us/library/microsoft.identitymodel.claims.claimtypes.groupsid.aspx

Credits: A special thanks to Rhys Goodwin and his Blog “I AM the system administrator. Who do I call?”

http://blog.rhysgoodwin.com/

Business runs on IT. IT runs on BMC Software.

Business thrives when IT runs smarter, faster, and stronger. That's why the most demanding IT organizations in the world rely on BMC Software across both distributed and mainframe environments. Recognized as the leader in Business Service Management, BMC offers a comprehensive approach and unified platform that helps IT organizations cut cost, reduce risk and drive business profit. For the four fiscal quarters ended September 30, 2008, BMC revenue was approximately $1.83 billion. Visit www.bmc.com for more information.

