Salesforce SSO Just-in-Time Provisioning for SAML with AXIOM

Devendar Gone
4 min read · Dec 3, 2018

With Just-in-Time provisioning, you can use a SAML assertion to create regular and portal users on the fly the first time they try to log in. This eliminates the need to create user accounts in advance. For example, if you recently added an employee to your organization, you don’t need to manually create the user in Salesforce. When they log in with single sign-on, their account is automatically created for them, eliminating the time and effort of onboarding the account. Just-in-Time provisioning works with your SAML identity provider to pass the correct user information to Salesforce in a SAML 2.0 assertion. You can both create and modify accounts this way. Because Just-in-Time provisioning uses SAML to communicate, your organization must have SAML-based single sign-on enabled.

Step 1: Enable a custom domain

Note: If you already have a custom domain, you can skip this step.
Go to Setup → My Domain → create your domain and deploy it to users.

Step 2: Get an Identity Provider Certificate

To configure Salesforce SSO, you need a certificate from the IdP. For testing purposes I am using AXIOM.

Salesforce SSO Testing tool

Download the Identity Provider Certificate.

If you are using another solution such as Okta or OneLogin, download the IdP certificate from there instead.

Step 3: Go back to Salesforce → Single Sign-On Settings

Enable SAML at Salesforce

Navigate to “Setup → Security Controls → Single Sign-On Settings” and check the “SAML Enabled” option.

Step 4: Configure SAML Single Sign-On Settings

SAML SSO settings at Salesforce

Complete the details as described below:

  1. Name: any name is fine. In this example, Axiom Just IN
  2. API Name: auto-populated from Name
  3. SAML Version: 2.0 (the default; Salesforce does not support SAML 1.0)
  4. Issuer: https://axiomsso.herokuapp.com
  5. Entity Id: https://saml.salesforce.com
  6. Identity Provider Certificate: upload the Axiom certificate downloaded in step 2
  7. SAML Identity Type: select “Assertion contains the Federation ID from the User object”
  8. SAML Identity Location: select “Identity is in the NameIdentifier element of the Subject statement”
  9. Service Provider Initiated Request Binding: select HTTP POST
  10. Identity Provider Login URL: http://axiomsso.herokuapp.com/RequestSamlResponse.action
  11. Under the “Just-in-time User Provisioning” section, check the “User Provisioning Enabled” checkbox and select “Standard” as the User Provisioning type.

Step 5: Configure the IdP at AXIOM

Go to https://axiomsso.herokuapp.com/Home.action and expand the “SAML Identity Provider & Tester” section. Click the “generate a SAML Response” link to configure the IdP.

  1. SAML Version: 2.0
  2. Username OR Federated ID: TestUserforDemo
  3. User ID Location: Subject
  4. Issuer: https://axiomsso.herokuapp.com
  5. Entity Id: https://saml.salesforce.com
  6. SSO Start Page: http://axiomsso.herokuapp.com/RequestSamlResponse.action
  7. Recipient URL: https://[my domain].my.salesforce.com?so=[Org ID]
  8. User Type: Standard. You can choose Portal or Site based on your requirement; the remaining settings are the same.
User type — portal
User type — site

  9. In “Additional Attributes”, add the user information needed to create a Salesforce user on the fly.

Click “Request SAML response” to generate the SAML response. After clicking it, you will see output as shown below.

Now, to test the SSO, click the “Login” button. It will create a new user in Salesforce on the fly upon login.

If you pass an existing Federation ID, the user is logged in automatically instead.

Note:

If you run into an error during login, note that SAML errors are returned in the URL parameters, for example:

http://login.salesforce.com/identity/jit/saml-error.jsp?ErrorCode=5&ErrorDescription=Unable+to+create+user&ErrorDetails=INVALID_OR_NULL_FOR_RESTRICTED_PICKLIST+TimeZoneSidKey

Here the ErrorDetails value shows that the TimeZoneSidKey attribute was missing or was not a valid value for that restricted picklist.
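The “Additional Attributes” from step 5 are what standard Just-in-Time provisioning turns into a User record, and the error above is what you get when one of them does not match Salesforce’s restricted picklist. The following Python script is an added example, not code from this article, from Salesforce or from Axiom: it parses a SAML 2.0 response, pulls the Federation ID out of the Subject NameID and the User.* attributes out of the AttributeStatement, and reports the problems a JIT login would trip over before you click Login. It assumes the required attributes are User.Username, User.Email, User.LastName and User.ProfileId; the timezone allow-list, the ProfileId value and the sample response are constructed for the example, and it checks only that a Signature element is present (Salesforce does the actual signature verification with the certificate uploaded in step 4).

```python
"""Pre-flight check for a SAML 2.0 response used for Salesforce JIT provisioning.

Example code added for this article (not Salesforce's or Axiom's). It extracts the
Federation ID and User.* attributes from a SAML response and reports what standard
JIT provisioning would reject: wrong Issuer/Audience, missing required fields, or a
TimeZoneSidKey outside the restricted picklist (the error shown in the article).
"""
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Values taken from the article's configuration (steps 4 and 5).
EXPECTED_ISSUER = "https://axiomsso.herokuapp.com"
EXPECTED_AUDIENCE = "https://saml.salesforce.com"

# Assumed required attributes for standard JIT user creation (besides the Federation ID).
REQUIRED_USER_ATTRS = ("User.Username", "User.Email", "User.LastName", "User.ProfileId")

# Constructed subset of the TimeZoneSidKey restricted picklist; extend it for your org.
VALID_TIMEZONES = {"America/Los_Angeles", "America/New_York", "Europe/London", "Asia/Kolkata"}

# Constructed sample attributes; the ProfileId is a placeholder, not a real org value.
GOOD_ATTRS = {
    "User.Username": "testuserfordemo@example.com",
    "User.Email": "testuserfordemo@example.com",
    "User.LastName": "Demo",
    "User.ProfileId": "00e000000000000AAA",
    "User.TimeZoneSidKey": "America/Los_Angeles",
}


def build_sample_response(federation_id, attrs, signed=True):
    """Build a constructed SAML response for offline testing (stub Signature only)."""
    attr_xml = "".join(
        f'<saml:Attribute Name="{k}"><saml:AttributeValue>{v}</saml:AttributeValue></saml:Attribute>'
        for k, v in attrs.items()
    )
    sig = ('<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">'
           '<ds:SignatureValue>stub</ds:SignatureValue></ds:Signature>') if signed else ""
    return (
        '<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
        'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" Version="2.0">'
        f'<saml:Assertion Version="2.0"><saml:Issuer>{EXPECTED_ISSUER}</saml:Issuer>{sig}'
        f'<saml:Subject><saml:NameID>{federation_id}</saml:NameID></saml:Subject>'
        f'<saml:Conditions><saml:AudienceRestriction><saml:Audience>{EXPECTED_AUDIENCE}'
        '</saml:Audience></saml:AudienceRestriction></saml:Conditions>'
        f'<saml:AttributeStatement>{attr_xml}</saml:AttributeStatement>'
        '</saml:Assertion></samlp:Response>'
    )


def parse_saml_response(xml_text):
    """Return (federation_id, attributes, issuer, audience, signed) from a SAML response."""
    root = ET.fromstring(xml_text)
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        raise ValueError("no Assertion element in response")
    issuer = assertion.findtext("saml:Issuer", default="", namespaces=NS).strip()
    # SAML Identity Location "NameIdentifier element of the Subject statement" (step 4).
    name_id = assertion.findtext("saml:Subject/saml:NameID", default="", namespaces=NS).strip()
    audience = assertion.findtext(
        "saml:Conditions/saml:AudienceRestriction/saml:Audience", default="", namespaces=NS).strip()
    signed = (assertion.find("ds:Signature", NS) is not None
              or root.find("ds:Signature", NS) is not None)
    attrs = {}
    for attr in assertion.findall("saml:AttributeStatement/saml:Attribute", NS):
        values = [v.text.strip() for v in attr.findall("saml:AttributeValue", NS) if v.text]
        attrs[attr.get("Name")] = values[0] if values else ""
    return name_id, attrs, issuer, audience, signed


def check_jit_response(xml_text):
    """Return a list of problems; an empty list means the assertion looks provisionable."""
    problems = []
    name_id, attrs, issuer, audience, signed = parse_saml_response(xml_text)
    if issuer != EXPECTED_ISSUER:
        problems.append(f"Issuer mismatch: {issuer!r}")
    if audience != EXPECTED_AUDIENCE:
        problems.append(f"Audience mismatch: {audience!r}")
    if not signed:
        problems.append("assertion is not signed; Salesforce verifies it with the IdP certificate")
    if not name_id:
        problems.append("Subject NameID (Federation ID) is empty")
    for name in REQUIRED_USER_ATTRS:
        if not attrs.get(name):
            problems.append(f"missing required attribute {name}")
    tz = attrs.get("User.TimeZoneSidKey")
    if tz is not None and tz not in VALID_TIMEZONES:
        problems.append(f"INVALID_OR_NULL_FOR_RESTRICTED_PICKLIST TimeZoneSidKey: {tz!r}")
    return problems


if __name__ == "__main__":
    good = build_sample_response("TestUserforDemo", GOOD_ATTRS)
    print("good response:", check_jit_response(good) or "no problems")
    bad_attrs = dict(GOOD_ATTRS, **{"User.TimeZoneSidKey": "PST"})
    del bad_attrs["User.Email"]
    bad = build_sample_response("TestUserforDemo", bad_attrs, signed=False)
    for problem in check_jit_response(bad):
        print("bad response:", problem)
```

Run it against a response captured from Axiom’s “Request SAML response” output by passing that XML to check_jit_response; the sample “bad” response reproduces the TimeZoneSidKey error from the note above (an unlisted value such as PST) alongside a missing User.Email and a missing Signature, so you can see each message before Salesforce reports ErrorCode=5.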

Just-in-Time Provisioning Errors

Following are the error codes and descriptions for Just-in-Time provisioning for SAML.

Error Messages
