miniOrange provides secure access to Salesforce for enterprises and full control over access of applications, Single Sign On (SSO) into your Salesforce Account with one set of login credentials.

• Single Sign On

  miniOrange Single Sign On (SSO) Solution provides easy and seamless access to all enterprise resources with one set of credentials, miniOrange provides Single Sign On (SSO) to any type of devices or applications whether they are in the cloud or on-premise.

• Strong Authentication

  Secure your Salesforce app from password thefts using multi factor authentication methods with 15+ authentication types provided by miniOrange. Our multi factor authentication methods prevent unauthorized users from accessing information and resources having password alone as authentication factor. Enabling second factor authentication for Salesforce protects you against password thefts.

• Fraud Prevention

  miniOrange prevents frauds with its dynamic risk engine in conjunction with enterprise specific security policy. We support a combination of the Device Id, Location and Time of access as multi-factor authentication that can detect and block fraud in real-time, without any interaction with the user.

miniOrange supports both IdP (Identity Provider) and SP (Service Provider) initiated Single Sign On (SSO)

• IdP Initiated Single Sign On (SSO)

  In IdP Initiated Login, SAML request is initiated from miniOrange IdP.

• Enduser first authenticates through miniOrange Idp by login in to miniOrange Self Service Console.
• The Enduser will be redirected to their Salesforce account by clicking the Salesforce icon on the Enduser Dashboard - there is no need to login again.

• SP Initiated Single Sign On (SSO)

  In SP Initiated Login, SAML request is initiated by Salesforce.

• An Enduser tries to access their Salesforce domain.
• They will be redirected to miniOrange Self Service Console.
• Here they can enter the miniOrange login credentials and login to their Salesforce Account.

Follow the Step-by-Step Guide given below for Salesforce Single Sign On (SSO)

Step 1: Creating your own Salesforce domain (skip this step if you already have a Salesforce domain)

• Login to your Salesforce account.
• Go to Setup in the top-right section of page.



• Now in the left pane, select Domain Management.
• Select My Domain.
• Choose your domain name, check for availability and if available, proceed by clicking the Register Domain button.



• Test your domain once it is ready, by clicking the link and then click Deploy to Users.

Step 2: Configure Single Sign On (SSO) Settings

• Login to miniOrange Admin Console.
• Go to Apps >> Manage Apps . Click Configure Apps button.
• Click on SAML tab. Select Salesforce and click Add App button.



• Make sure the SP Entity ID or Issuer is in the format: https://[yourdomain].my.salesforce.com/?so=[organization_id].
• Make sure the ACS URL is in the format: https://[yourdomain].my.salesforce.com/?so=[organization_id].
• Make sure the Single Logout URL is in the format: https://customdomain.my.salesforce.com.
• Leave the Attributes section empty.
• Click on Save to configure Salesforce.
• Download the certificate to be uploaded in Salesforce Single Sign On(SSO) settings.



• Login to your Salesforce account.
• Go to Setup.



• From the left pane, select Single Sign On (SSO) Settings from Security Controls
• Click on Edit for Single Sign-On (SSO) settings.



• Now enable Federated Single Sign On (SSO) Using SAML in Single Sign-On Settings and Save settings.



• In the SAML Single Sign On (SSO) Settings, select New



• Configure with the following values and Save:

Issuer	https://auth.miniorange.com/moas
Entity ID	https://[yourdomain].my.salesforce.com
Identity Provider Certificate	Upload the certificate downloaded from miniOrange Admin Console
Signing Certificate	Default Certificate
Assertion Decryption Certificate	Assertion not encrypted
SAML Identity Type	Assertion contains User’s salesforce.com username
SAML Identity Location	Identity is in the NameIdentifier element of the subject statement
Identity Provider Login URL	https://auth.miniorange.com/moas/idp/samlsso
Identity Provider Logout URL	https://[yourdomain].my.salesforce.com
Service Provider Initiated Request Binding	HTTP Redirect

Refer below for further queries. The input fields Issuer, Entity ID, Identity Provider, Signing Certificate, Assertion Decryption Certificate,SAML Identity Type, SAML Identity Location, Identity Provider Login URL and Service Provider Initiated Request Binding in the image should be entered as described in table above.

Step 3: Create a policy for Salesforce

• Login to miniOrange Admin Console.
• Go to Policies >> App Authentication Policy.
• Add a new policy for Salesforce.
1. Select Salesforce from Application dropdown.
2. Select a Group Name from dropdown - the group for which you want to add Salesforce policy.
3. Give a policy name for Salesforce in Policy Name field.
4. Select the First Factor Type for authentication.
5. Enable Second Factor for authentication if required.
6. Click on Save button to add policy for Salesforce Single Sign On (SSO).



• Now click on Onboard users into our system from View Policy Tab.

Step 4: Onboard users into our system.

• Download sample csv format from our console and create a CSV file containing your users in this format.



• Upload your CSV in our console via Bulk Upload.
• After uploading the CSV file successfully, you will see a success message.
• From Users/Groups menu, select Manage Users/Groups and go to On Boarding Status. Select users to send activation mail and click on send activation mail. An activation mail will be sent to the selected users.

Step 5: Register users into our system (End Users)

• Sign In to your mail and click on registration link that is valid only for 5 days. You will be redirected to our registration page.
• Configure your basic details.



• Configure any strong authentication method.



• Configure KBA (Security Questions) as your fallback method, in case you lost your phone this will get invoked and save your details.



• After successful registration, you will see a registration successful message.

Step 6: Now sign in to your Salesforce account with miniOrange IdP by either of the two steps:

1. Using SP initiated login :-

1. Login to your Salesforce account
2. Go to Setup





3. In the left pane, select Domain Management.
4. Select My Domain
5. In the Login Page Branding section, select Edit



6. Now Deselect Login Page and select your Single Sign On (SSO) settings and click Save.



7. Now go to https://[yourdomain].my.salesforce.com and enter your credential. Now you will be redirected to miniOrange IdP Sign On Page.
8. Enter your miniOrange login credential and click on Login. You will be automatically logged in to your Salesforce account.




2. Using IdP initiated login :-

1. Login to your miniOrange Self Service Console as an End User and click on the Salesforce icon on your Dashboard.

Step-by-Step Guide to implement Salesforce as an Identity Provider (IdP) and Google Apps as a Service Provider

Step 1: Creating your own Salesforce domain (skip this step if you already have a Salesforce domain)

• Login to your Salesforce account.
• Go to Setup in the top-right section of page.






• Now in the left pane, select Domain Management.
• Select My Domain.
• Choose you domain name, check for availability and if available, proceed by clicking the Register Domain button.





• Test your domain once it is ready, by clicking the link and then click Deploy to Users.

Step 2: Enable Identity Provider in Salesforce

• In the left pane, select Identity Provider from Security Controls.
• Under Identity Provider Setup, click Enable Identity Provider.
• Choose or Create a new certificate and Save.
• Click on Download Certificate. You will need to upload this certificate in Google Apps admin console.

Step 3: Creating Connected App in Salesforce

• In the left pane, select Apps under App Setup | Create
• Under Connected Apps, click New
• Enter the following values:

Connected App Name	Google Apps
Contact Email	Enter your support team email
Enable SAML	Select this check box
Entity ID	https://www.google.com/a/<YOUR_GOOGLE_APPS_DOMAIN>/acs
ACS URL	https://www.google.com/a/<YOUR_GOOGLE_APPS_DOMAIN>/acs

• Click on Save
• Now click on Manage Profiles under Profiles
• Associate the User Profiles you would like to give access to this app and Click Save.
• Thing to note:
  
  
  • IdP-Initiated Login URL under SAML Login Information. You’ll need to enter this URL in Google Apps admin console.
  • Issuer under SAML Login Information.

Step 4: Configure Single Sign On Settings in Google Apps admin console

• Login to Google Apps admin console. Google Admin Console
• Select Security.




• Select Set up single sign-on (SSO)




• Enable Setup SSO with third party identity provider
• Enter the following URLs:

Sign-in page URL	Copy the Idp-Initiated Login URL you copied while configuring Connected App in Salesforce.
Sign-out page URL	<ISSUER_VALUE_IN_CONNECTED_APP>/secur/logout.jsp
Change password URL	Copy the Idp-Initiated Login URL you copied while configuring Connected App in Salesforce.
Verification Certificate	Upload the certificate you downloaded from Salesforce while enabling Identity Provider.

• Click on Save Changes.

Follow the Step-by-Step Guide given below for Salesforce Single Sign On (SSO) with OpenID Connect

Step 1: Creating your own Salesforce domain (skip this step if you already have a Salesforce domain)

• Login to your Salesforce account.
• Go to Setup in the top-right section of page.






• Now in the left pane, select Domain Management.
• Select My Domain.
• Choose you domain name, check for availability and if available, proceed by clicking the Register Domain button.





• Test your domain once it is ready, by clicking the link and then click Deploy to Users.

Step 2: Configure Single Sign On (SSO) Settings

• Login to miniOrange Admin Console, go to Apps Tab from the menu and select Configure Apps.
• Select the Application Name OpenID Connect from the drop down menu.




• Enter the client information, example
  Client Name is Salesforce OpenID.
  Redirect URI enter https://login.salesforce.com/services/authcallback
  Description Enter the description.


• Note the client details(client id and client secret) by clicking on Edit App from the Apps page.




Please note down the Client ID and Client Secret


• Login to your Salesforce account.


• In the left pane, select Auth. Providers from Security Controls.


• Click on New to create a new Auth. Provider.




• In Auth Provider screen select Provider Type as OpenID Connect.




• Configure with the following values and Save:



Provider Type	OpenId Connect
Name	miniOrange
Consumer Key	Enter the Client ID noted in Step 4.
Consumer Secret	Enter the Client Secret noted in Step 4.
Authorize Endpoint URL	https://auth.miniorange.com/moas/idp/openidsso
Token Endpoint URL	https://auth.miniorange.com/moas/rest/token/accesstoken
User Info Endpoint URL	https://auth.miniorange.com/moas/rest/protected/userinfo
Registration Handler	Automatically create a Registration Handler
Execute Registration As	Select User



• After saving the Auth Provider. Open the AuthProvider again and click the Auto created Registration Handler E.g. "AutocreatedRegHandler1431346140269"
  Now click on Edit. And replace the function createUser with the following code and save.
  
  
global User createUser(Id portalId, Auth.UserData data){
//The user is authorized, so create their Salesforce user
User u = new User();
Profile p = [SELECT Id FROM profile WHERE name='Standard User'];
//TODO: Customize the username. Also check that the username doesn't already exist and
//possibly ensure there are enough org licenses to create a user. Must be 80 characters
//or less.
u.username = data.username + '@myorg.com';
u.email = data.email;
u.lastName = data.lastName;
u.firstName = data.firstName;
String alias = data.username;
//Alias must be 8 characters or less
if(alias.length() > 8) {
alias = alias.substring(0, 8);
}
u.alias = alias;
u.languagelocalekey = UserInfo.getLocale();
u.localesidkey = UserInfo.getLocale();
u.emailEncodingKey = 'UTF-8';
u.timeZoneSidKey = 'America/Los_Angeles';
u.profileId = p.Id;
return u;
}

Step 3: Create a policy for Salesforce

• Login as a customer from Admin Console of miniOrange's Administrator Console, now go to Policies from menu and select App Authentication Policy from the dropdown menu.
• Add a new policy for the Salesforce Application that you have created for OpenID Connect in Step 2.




• Now click on Onboard users into our system from View Policy Tab.

Step 4: Redirecting Salesforce login to miniOrange IdP for Single Sign On (SSO)

• Login to your Salesforce account
• Go to Setup






• In the left pane, select Domain Management.
• Select My Domain
• In the Login Page Branding section, select Edit



• Now Deselect Login Page and select your Single Sign On (SSO) settings and click Save.



• Now go to https://[yourdomain].my.salesforce.com and enter your credential. Now you will be redirected to miniOrange IdP Sign On Page.
• Enter your miniOrange login credential and click on Login. You will be automatically logged in to your Salesforce account.

Using Two Factor Authentication for Salesforce

The most practical way to strengthen authentication is to require a second factor after the username/password stage. Since a password is something that a user knows, ensuring that the user also has something or using biometrics thwarts attackers that steal or gain access to passwords.

Traditional two-factor authentication solutions use hardware tokens (or "fobs") that users carry on their keychains. These tokens generate one-time passwords for the second stage of the login process. However, hardware tokens can cost up to $40 each. It takes time and effort to distribute them, track who has which one, and replace them when they break. They're easy to lose, hard to use, and users consistently report high levels of frustration with token-based systems.

Your choice of second factor

miniOrange authentication service has 15+ authentication methods.

• One time passcodes (OTP) over SMS
• OTP over Email
• OTP over SMS and Email
• Out of Band SMS
• Out of Band Email
• Soft Token
• Push Notification
• USB based Hardware token
• Security Questions
• Mobile Authentication
• Voice Authentication (Biometrics)
• Phone Verification
• Device Identification
• Location
• Time of Access
• User Behavior

You can choose from any of the above authentication methods to augment your password based authentication. miniOrange authentication service works with all phone types, from landlines to smart-phone platforms. In the simplest case, users just answer a phone call and press a button to authenticate. miniOrange authentication service works internationally, and has customers authenticating from many countries around the world.

For further details refer :
https://developer.salesforce.com/page/Single_Sign-On_with_SAML_on_Force.com
https://developer.salesforce.com/page/How_to_Implement_Single_Sign-On_with_Force.com
https://help.salesforce.com/HTViewHelpDoc?id=sso_provider_openid_connect.htm&language=en_US

Business trial for free

If you don't find what you are looking for, please contact us at info@miniorange.com or call us at +1 978 658 9387 to find an answer to your question about Salesforce Single Sign On (SSO).