miniOrange provides secure access to Salesforce for enterprises and full control over access of applications, Single Sign On (SSO) into your Salesforce Account with one set of login credentials.
Single Sign On
miniOrange Single Sign On (SSO) Solution provides easy and seamless access to all enterprise resources with one set of credentials, miniOrange provides Single Sign On (SSO) to any type of devices or applications whether they are in the cloud or on-premise.
Strong Authentication
Secure your Salesforce app from password thefts using multi factor authentication methods with 15+ authentication types provided by miniOrange. Our multi factor authentication methods prevent unauthorized users from accessing information and resources having password alone as authentication factor. Enabling second factor authentication for Salesforce protects you against password thefts.
Fraud Prevention
miniOrange prevents frauds with its dynamic risk engine in conjunction with enterprise specific security policy. We support a combination of the Device Id, Location and Time of access as multi-factor authentication that can detect and block fraud in real-time, without any interaction with the user.
miniOrange supports both IdP (Identity Provider) and SP (Service Provider) initiated Single Sign On (SSO)
IdP Initiated Single Sign On (SSO)
In IdP Initiated Login, SAML request is initiated from miniOrange IdP.
- Enduser first authenticates through miniOrange Idp by login in to miniOrange Self Service Console.
- The Enduser will be redirected to their Salesforce account by clicking the Salesforce icon on the Enduser Dashboard - there is no need to login again.
SP Initiated Single Sign On (SSO)
In SP Initiated Login, SAML request is initiated by Salesforce.
- An Enduser tries to access their Salesforce domain.
- They will be redirected to miniOrange Self Service Console.
- Here they can enter the miniOrange login credentials and login to their Salesforce Account.
Follow the Step-by-Step Guide given below for Salesforce Single Sign On (SSO)
Step 1: Creating your own Salesforce domain (skip this step if you already have a Salesforce domain)
- Login to your Salesforce account.
- Go to Setup in the top-right section of page.
- Now in the left pane, select Domain Management.
- Select My Domain.
- Choose your domain name, check for availability and if available, proceed by clicking the Register Domain button.
- Test your domain once it is ready, by clicking the link and then click Deploy to Users.
Step 2: Configure Single Sign On (SSO) Settings
- Login to miniOrange Admin Console.
- Go to Apps >> Manage Apps . Click Configure Apps button.
- Click on SAML tab. Select Salesforce and click Add App button.
- Make sure the SP Entity ID or Issuer is in the format: https://[yourdomain].my.salesforce.com/?so=[organization_id].
- Make sure the ACS URL is in the format: https://[yourdomain].my.salesforce.com/?so=[organization_id].
- Make sure the Single Logout URL is in the format: https://customdomain.my.salesforce.com.
- Leave the Attributes section empty.
- Click on Save to configure Salesforce.
- Download the certificate to be uploaded in Salesforce Single Sign On(SSO) settings.
- Login to your Salesforce account.
- Go to Setup.
- From the left pane, select Single Sign On (SSO) Settings from Security Controls
- Click on Edit for Single Sign-On (SSO) settings.
- Now enable Federated Single Sign On (SSO) Using SAML in Single Sign-On Settings and Save settings.
- In the SAML Single Sign On (SSO) Settings, select New
- Configure with the following values and Save:
| Issuer | https://auth.miniorange.com/moas |
| Entity ID | https://[yourdomain].my.salesforce.com |
| Identity Provider Certificate | Upload the certificate downloaded from miniOrange Admin Console |
| Signing Certificate | Default Certificate |
| Assertion Decryption Certificate | Assertion not encrypted |
| SAML Identity Type | Assertion contains User’s salesforce.com username |
| SAML Identity Location | Identity is in the NameIdentifier element of the subject statement |
| Identity Provider Login URL | https://auth.miniorange.com/moas/idp/samlsso |
| Identity Provider Logout URL | https://[yourdomain].my.salesforce.com |
| Service Provider Initiated Request Binding | HTTP Redirect |
Refer below for further queries. The input fields Issuer, Entity ID, Identity Provider, Signing Certificate, Assertion Decryption Certificate,SAML Identity Type, SAML Identity Location, Identity Provider Login URL and Service Provider Initiated Request Binding in the image should be entered as described in table above.
Step 3: Create a policy for Salesforce
- Login to miniOrange Admin Console.
- Go to Policies >> App Authentication Policy.
- Add a new policy for Salesforce.
- Select Salesforce from Application dropdown.
- Select a Group Name from dropdown - the group for which you want to add Salesforce policy.
- Give a policy name for Salesforce in Policy Name field.
- Select the First Factor Type for authentication.
- Enable Second Factor for authentication if required.
- Click on Save button to add policy for Salesforce Single Sign On (SSO).
- Now click on Onboard users into our system from View Policy Tab.
Step 4: Onboard users into our system.
- Download sample csv format from our console and create a CSV file containing your users in this format.
- Upload your CSV in our console via Bulk Upload.
- After uploading the CSV file successfully, you will see a success message.
- From Users/Groups menu, select Manage Users/Groups and go to On Boarding Status. Select users to send activation mail and click on send activation mail. An activation mail will be sent to the selected users.
Step 5: Register users into our system (End Users)
- Sign In to your mail and click on registration link that is valid only for 5 days. You will be redirected to our registration page.
- Configure your basic details.
- Configure any strong authentication method.
- Configure KBA (Security Questions) as your fallback method, in case you lost your phone this will get invoked and save your details.
- After successful registration, you will see a registration successful message.
Step 6: Now sign in to your Salesforce account with miniOrange IdP by either of the two steps:
- Login to your Salesforce account
- Go to Setup
- In the left pane, select Domain Management.
- Select My Domain
- In the Login Page Branding section, select Edit
- Now Deselect Login Page and select your Single Sign On (SSO) settings and click Save.
- Now go to https://[yourdomain].my.salesforce.com and enter your credential. Now you will be redirected to miniOrange IdP Sign On Page.
- Enter your miniOrange login credential and click on Login. You will be automatically logged in to your Salesforce account.
- Login to your miniOrange Self Service Console as an End User and click on the Salesforce icon on your Dashboard.
1. Using SP initiated login :-
2. Using IdP initiated login :-
Step-by-Step Guide to implement Salesforce as an Identity Provider (IdP) and Google Apps as a Service Provider
Step 1: Creating your own Salesforce domain (skip this step if you already have a Salesforce domain)
- Login to your Salesforce account.
- Go to Setup in the top-right section of page.
- Now in the left pane, select Domain Management.
- Select My Domain.
- Choose you domain name, check for availability and if available, proceed by clicking the Register Domain button.
- Test your domain once it is ready, by clicking the link and then click Deploy to Users.
Step 2: Enable Identity Provider in Salesforce
- In the left pane, select Identity Provider from Security Controls.
- Under Identity Provider Setup, click Enable Identity Provider.
- Choose or Create a new certificate and Save.
- Click on Download Certificate. You will need to upload this certificate in Google Apps admin console.
Step 3: Creating Connected App in Salesforce
- In the left pane, select Apps under App Setup | Create
- Under Connected Apps, click New
- Enter the following values:
- Click on Save
- Now click on Manage Profiles under Profiles
- Associate the User Profiles you would like to give access to this app and Click Save.
- Thing to note:
- IdP-Initiated Login URL under SAML Login Information. You’ll need to enter this URL in Google Apps admin console.
- Issuer under SAML Login Information.
| Connected App Name | Google Apps |
| Contact Email | Enter your support team email |
| Enable SAML | Select this check box |
| Entity ID | https://www.google.com/a/<YOUR_GOOGLE_APPS_DOMAIN>/acs |
| ACS URL | https://www.google.com/a/<YOUR_GOOGLE_APPS_DOMAIN>/acs |
Step 4: Configure Single Sign On Settings in Google Apps admin console
- Login to Google Apps admin console. Google Admin Console
- Select Security.
- Select Set up single sign-on (SSO)
- Enable Setup SSO with third party identity provider
- Enter the following URLs:
- Click on Save Changes.
| Sign-in page URL | Copy the Idp-Initiated Login URL you copied while configuring Connected App in Salesforce. |
| Sign-out page URL | <ISSUER_VALUE_IN_CONNECTED_APP>/secur/logout.jsp |
| Change password URL | Copy the Idp-Initiated Login URL you copied while configuring Connected App in Salesforce. |
| Verification Certificate | Upload the certificate you downloaded from Salesforce while enabling Identity Provider. |
Follow the Step-by-Step Guide given below for Salesforce Single Sign On (SSO) with OpenID Connect
Step 1: Creating your own Salesforce domain (skip this step if you already have a Salesforce domain)
- Login to your Salesforce account.
- Go to Setup in the top-right section of page.
- Now in the left pane, select Domain Management.
- Select My Domain.
- Choose you domain name, check for availability and if available, proceed by clicking the Register Domain button.
- Test your domain once it is ready, by clicking the link and then click Deploy to Users.
Step 2: Configure Single Sign On (SSO) Settings
- Login to miniOrange Admin Console, go to Apps Tab from the menu and select Configure Apps.
- Select the Application Name OpenID Connect from the drop down menu.
- Enter the client information, example
Client Name is Salesforce OpenID.
Redirect URI enter https://login.salesforce.com/services/authcallback
Description Enter the description. - Note the client details(client id and client secret) by clicking on Edit App from the Apps page.
- Login to your Salesforce account.
- In the left pane, select Auth. Providers from Security Controls.
- Click on New to create a new Auth. Provider.
- In Auth Provider screen select Provider Type as OpenID Connect.
- Configure with the following values and Save:
- After saving the Auth Provider. Open the AuthProvider again and click the Auto created Registration Handler E.g. "AutocreatedRegHandler1431346140269"
Now click on Edit. And replace the function createUser with the following code and save.
global User createUser(Id portalId, Auth.UserData data){
//The user is authorized, so create their Salesforce user
User u = new User();
Profile p = [SELECT Id FROM profile WHERE name='Standard User'];
//TODO: Customize the username. Also check that the username doesn't already exist and
//possibly ensure there are enough org licenses to create a user. Must be 80 characters
//or less.
u.username = data.username + '@myorg.com';
u.email = data.email;
u.lastName = data.lastName;
u.firstName = data.firstName;
String alias = data.username;
//Alias must be 8 characters or less
if(alias.length() > 8) {
alias = alias.substring(0, 8);
}
u.alias = alias;
u.languagelocalekey = UserInfo.getLocale();
u.localesidkey = UserInfo.getLocale();
u.emailEncodingKey = 'UTF-8';
u.timeZoneSidKey = 'America/Los_Angeles';
u.profileId = p.Id;
return u;
}
Please note down the Client ID and Client Secret
| Provider Type | OpenId Connect |
| Name | miniOrange |
| Consumer Key | Enter the Client ID noted in Step 4. |
| Consumer Secret | Enter the Client Secret noted in Step 4. |
| Authorize Endpoint URL | https://auth.miniorange.com/moas/idp/openidsso |
| Token Endpoint URL | https://auth.miniorange.com/moas/rest/token/accesstoken |
| User Info Endpoint URL | https://auth.miniorange.com/moas/rest/protected/userinfo |
| Registration Handler | Automatically create a Registration Handler |
| Execute Registration As | Select User |
Step 3: Create a policy for Salesforce
- Login as a customer from Admin Console of miniOrange's Administrator Console, now go to Policies from menu and select App Authentication Policy from the dropdown menu.
- Add a new policy for the Salesforce Application that you have created for OpenID Connect in Step 2.
- Now click on Onboard users into our system from View Policy Tab.
Step 4: Redirecting Salesforce login to miniOrange IdP for Single Sign On (SSO)
- Login to your Salesforce account
- Go to Setup
- In the left pane, select Domain Management.
- Select My Domain
- In the Login Page Branding section, select Edit
- Now Deselect Login Page and select your Single Sign On (SSO) settings and click Save.
- Now go to https://[yourdomain].my.salesforce.com and enter your credential. Now you will be redirected to miniOrange IdP Sign On Page.
- Enter your miniOrange login credential and click on Login. You will be automatically logged in to your Salesforce account.
Using Two Factor Authentication for Salesforce
The most practical way to strengthen authentication is to require a second factor after the username/password stage. Since a password is something that a user knows, ensuring that the user also has something or using biometrics thwarts attackers that steal or gain access to passwords.
Traditional two-factor authentication solutions use hardware tokens (or "fobs") that users carry on their keychains. These tokens generate one-time passwords for the second stage of the login process. However, hardware tokens can cost up to $40 each. It takes time and effort to distribute them, track who has which one, and replace them when they break. They're easy to lose, hard to use, and users consistently report high levels of frustration with token-based systems.
Your choice of second factor
miniOrange authentication service has 15+ authentication methods.
- One time passcodes (OTP) over SMS
- OTP over Email
- OTP over SMS and Email
- Out of Band SMS
- Out of Band Email
- Soft Token
- Push Notification
- USB based Hardware token
- Security Questions
- Mobile Authentication
- Voice Authentication (Biometrics)
- Phone Verification
- Device Identification
- Location
- Time of Access
- User Behavior
You can choose from any of the above authentication methods to augment your password based authentication. miniOrange authentication service works with all phone types, from landlines to smart-phone platforms. In the simplest case, users just answer a phone call and press a button to authenticate. miniOrange authentication service works internationally, and has customers authenticating from many countries around the world.
For further details refer :
https://developer.salesforce.com/page/Single_Sign-On_with_SAML_on_Force.com
https://developer.salesforce.com/page/How_to_Implement_Single_Sign-On_with_Force.com
https://help.salesforce.com/HTViewHelpDoc?id=sso_provider_openid_connect.htm&language=en_US
Business trial for free
If you don't find what you are looking for, please contact us at info@miniorange.com or call us at +1 978 658 9387 to find an answer to your question about Salesforce Single Sign On (SSO).