Step by Step Guide for Single Sign On Salesforce as IDP using Community Users

Salesforce began with the vision of reinventing Customer Relationship Management (CRM). Since then salesforce has changed the way enterprise software is delivered and used, changing the industry forever. All Salesforce products run entirely in the cloud so there are no expensive setup costs, no maintenance, and employees can work from any device with an internet connection – smartphone, tablet or laptop.

Salesforce makes CRM easy to use for small businesses and large-scale enterprises. The platform also enables you to manage all interactions with your customers and prospects, so your organization can grow and succeed.

Salesforce as IdP (Identity Provider)

Salesforce can act as a single sign-on (SSO) identity provider to service providers, allowing end users to easily and securely access many web and mobile applications with one login. When using SAML for federated authentication, enable Salesforce as an identity provider and then set up connected apps. However, the OpenID Connect protocol for SSO authentication doesn’t require enabling Salesforce as an identity provider.

Salesforce as IdP can also be used for configuring multiple community users.

Follow step by step guide for Salesforce as IdP for Community Users

Step 1: Create domain in salesforce

Under Administrator click on Domain Management » Domains.

Click on Create New View

Enter domain credentials. View Name and View Unique Name is required.

Step 2: Enable salesforce as IdP

Under Administrator, click on Security Controls.

Select Identity Provider

Click on Enable Identity Provider button.

Step 3: Login to salesforce and create an app.

Log into salesforce and go to Setup.

From the left pane, select App Setup » Create » Apps.

Under Connected Apps, select New.

Step 4: Configure the app.

Enter Connected App Name, API Name and Contact Email to configure the app.

Step 5: Under Web App Settings, check the Enable SAML checkbox and enter the following values.

ACS URL	ACS (AssertionConsumerService) URL from Step1 of the plugin under Identity Provider Tab.
Entity Id	SP-EntityID / Issuer from Step1 of the plugin under Identity Provider Tab.
Subject Type	Username
Name Id Format	urn:oasis:names:tc:SAML:2.0:nameid-format:persistent

Step 6: Assign profile.

Now from left pane, under Administration Setup, select Manage Apps » Connected Apps

Click on the App you just created.
Under Manage Profiles, Select the profiles you want to give access to login through this app.

Step 7: Download metadata for communities.

Under SAML Login Information, click on Download Metadata.
Open the downloaded file in some browser like chrome, firefox, IE
Search for "ds:X509Certificate" tab and copy the entire string under this tag. String would be like this: "MII...."
Keep this certificate value handy for next steps

Step 8: In miniOrange SAML plugin, go to Service Provider tab and enter the following details

Identity provider Name:	Salesforce
SAML Login URL	https://<your domain>.my.salesforce.com /idp/endpoint/HttpRedirect
IdP Entity ID or Issuer	https://<your domain>.my.salesforce.com
X.509 Certificate	Paste the certificate value you copied from the Metadata file.
Response Signed	Checked
Assertion Signed	UnChecked