
Salesforce

Prerequisites

  1. Salesforce Admin Portal Access.
  2. Accops HySecure Gateway with Public DNS name and valid SSL Certificate.
  3. Management Console of the HySecure Gateway with Security Officer level credentials.
  4. Shell Access to the HySecure Gateway.

Configurations

Configure HySecure as IdP for SAML Application.

Note

This configuration is applicable for HySecure 5427 with the Hotfix 0006 and above.

Configuration Steps

  1. Configure HySecure gateway as SAML identity provider.


    1. Login into the HySecure management console.
    2. Navigate to Settings > Services Config > SAML Identity Provider.
    3. Create a new SAML Identity Provider.
    4. Enter the following details:
      • Domain Name: Select the configured HySecure domain that is used to authenticate the user against the authentication server.
      • Entity ID: Enter the unique shared data between IdP and SP in the format https://hostname
      • Single Sign On Service Endpoint: Enter the IdP URL (HySecure) where SP will connect for SAML SSO.
      • Single Logout Service Endpoint: Enter the IdP Logout URL where SP will connect for SAML Logout.
      • NameId Format: Select the name identifier for the providers to communicate with each other regarding the user.
      • Certificate Signing Options: Select the available SAML Signing Options (The default value is Sign SAML Assertion).
      • Certificate Signing Algorithm: Select the SAML assertion signing algorithm (the default value is SHA 1; SHA-1 signatures are deprecated, so select SHA-256 where the service provider supports it).
      • CA Certificate for Signing: Select the CA certificate used to sign the SAML assertion. Use the certificate that is configured in the SP; if the HySecure certificate is used in the SAML SP, this can be left at the default value.
  2. Publish the SAML SSO-based HTTPS application in the HySecure gateway.

  3. Select the SAML identity provider that is created.
  4. Select the preconfigured service provider.
  5. Verify the mapping attributes. Use the following for Office 365:
    • Object GUID: NameID
    • EmailID: IDPEmail
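The settings above (Entity ID, NameID format, signing option and signing algorithm) are what the service provider checks when it receives an assertion. The following is an added example, not Accops or Salesforce code, for inspecting a decoded SAML Response captured from a browser SAML tracer and comparing it with those settings. The sample response is constructed for illustration and carries placeholder signature values; the expected NameID format (unspecified) is an assumption. The check is structural only: it does not verify the XML signature cryptographically.

```python
import xml.etree.ElementTree as ET  # for untrusted captures use defusedxml.ElementTree instead
from datetime import datetime, timezone

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
NAMEID_UNSPECIFIED = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"  # assumption

# Constructed sample (not a real capture): issuer and audience as configured on this page,
# a SHA-256 signature element with placeholder values, and a ten-minute validity window.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0"
    IssueInstant="2021-01-27T10:05:40Z" Destination="https://accops-dev-ed.my.salesforce.com">
  <saml:Issuer>https://sso.accops.cloud</saml:Issuer>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2021-01-27T10:05:40Z">
    <saml:Issuer>https://sso.accops.cloud</saml:Issuer>
    <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
      <ds:SignedInfo>
        <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
        <ds:Reference URI="#_a1">
          <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
          <ds:DigestValue>PLACEHOLDER</ds:DigestValue>
        </ds:Reference>
      </ds:SignedInfo>
      <ds:SignatureValue>PLACEHOLDER</ds:SignatureValue>
    </ds:Signature>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">xyz.abc</saml:NameID>
    </saml:Subject>
    <saml:Conditions NotBefore="2021-01-27T10:05:40Z" NotOnOrAfter="2021-01-27T10:15:40Z">
      <saml:AudienceRestriction>
        <saml:Audience>https://saml.salesforce.com</saml:Audience>
      </saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""

# A fixed "current time" inside the sample's validity window, so the example is reproducible.
SAMPLE_NOW = datetime(2021, 1, 27, 10, 10, tzinfo=timezone.utc)


def _parse_saml_time(value):
    # SAML timestamps are UTC with a trailing Z; fromisoformat needs an explicit offset
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def inspect_saml_response(xml_text, expected_issuer, expected_audience,
                          expected_nameid_format, now=None):
    """Compare a decoded SAML Response with the IdP settings.
    Returns a list of findings; an empty list means every checked item matches."""
    findings = []
    root = ET.fromstring(xml_text)
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return ["no plaintext <saml:Assertion> (encrypted assertion or malformed response)"]

    # The SP compares Issuer as an exact string: a trailing slash or http/https difference fails.
    issuer = assertion.findtext("saml:Issuer", default="", namespaces=NS).strip()
    if issuer != expected_issuer:
        findings.append(f"Issuer {issuer!r} does not match expected {expected_issuer!r}")

    audiences = [a.text.strip() for a in assertion.findall(
        "saml:Conditions/saml:AudienceRestriction/saml:Audience", NS)]
    if expected_audience not in audiences:
        findings.append(f"Audience {audiences} does not contain {expected_audience!r}")

    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    if name_id is None:
        findings.append("Subject has no NameID")
    elif name_id.get("Format") != expected_nameid_format:
        findings.append(f"NameID Format {name_id.get('Format')!r} != {expected_nameid_format!r}")

    # Certificate Signing Options = Sign SAML Assertion means a ds:Signature inside the Assertion.
    signature = assertion.find("ds:Signature", NS)
    if signature is None:
        findings.append("Assertion is not signed")
    else:
        for el in signature.iter():
            alg = el.get("Algorithm", "")
            if alg.lower().endswith("sha1"):
                findings.append(f"SHA-1 in signature: {alg}")

    # Validity window; failures here usually mean clock skew between IdP and SP.
    now = now or datetime.now(timezone.utc)
    conditions = assertion.find("saml:Conditions", NS)
    if conditions is not None:
        not_before, not_after = conditions.get("NotBefore"), conditions.get("NotOnOrAfter")
        if not_before and now < _parse_saml_time(not_before):
            findings.append("assertion not yet valid (check IdP/SP clocks)")
        if not_after and now >= _parse_saml_time(not_after):
            findings.append("assertion expired (check IdP/SP clocks)")
    return findings


if __name__ == "__main__":
    print(inspect_saml_response(SAMPLE_RESPONSE, "https://sso.accops.cloud",
                                "https://saml.salesforce.com", NAMEID_UNSPECIFIED, now=SAMPLE_NOW))
```

Paste the base64-decoded SAMLResponse from the tracer into the function with the values you configured; each finding names the setting on either side that needs to change.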

Important

SAML Certificates are stored at the location: /home/fes/fescommon/certs/saml_certs/{IDP_Name}

Set up HySecure Identity Provider (IdP) for Salesforce

  1. Log in with a digital certificate to the Accops HySecure Gateway using a Security Officer's account.


  2. Navigate to Apps > Apps and click Add to create a new application named Salesforce.

    Important

    Go to the Salesforce Portal via this link: https://login.salesforce.com/, log in as the Global Admin, and collect the Salesforce tenant information used in the fields below.

    • Type: HTTPS
    • Name: Salesforce
    • Description: Salesforce
    • Application Server Address: accops-dev-ed.lightning.force.com
    • Application Port: 443
    • Protocol: TCP
    • Web URL: https://accops-dev-ed.lightning.force.com/lightning/setup/SetupOneHome/home
    • Use Reverse Proxy: No
    • Hidden Application: No
    • Hide Access Pop-up: No
    • Enable App Tunneling: Yes
    • Enable L3 VPN Tunneling: No
    • Enable Single Sign-on: Yes
    • Authentication Type: SAML Based
    • Preconfigured Service Provider: Salesforce
    • Select Identity Provider: Select the created SAML IdP
    • Service Provider Login URL: https://accops-dev-ed.my.salesforce.com
    • Service Provider Logout URL: https://accops-dev-ed.my.salesforce.com/services/auth/sp/saml2/logout
    • Audience: https://saml.salesforce.com
    • Issuer: https://sso.accops.cloud (HySecure Gateway Address)
    • Service Provider Relay State: Enter the relay state if the application is configured with one.
    • Mapping Attributes: Add the mapping attributes that will be sent in the SAML response to the application.


  3. Add the Salesforce application into a New/Existing Application Group.

  4. Create/Update an Application Access in the New/Existing Access Controls.

  5. Verify the SAML SSO Certificate in the Accops HySecure Gateway. Ensure the following files are available in the Accops HySecure Gateway:

    Certificate Path: /home/fes/fescommon/certs/

    -rw-r--r-- 1 apache apache 1024 Aug 20 16:49 CA_Certificate_TestIDP.crt

    -rw-r--r-- 1 apache apache 1024 Aug 20 16:49 CA_Decryption_Certificate_TestIDP.crt

    -rw-r--r-- 1 apache apache 1674 Aug 20 16:49 Encrypt_Private_Key_TestIDP.pem

    -rw-r--r-- 1 apache apache 1674 Aug 20 16:49 Private_Key_TestIDP.pem

    Note

    TestIDP in these file names is the name of the SAML Identity Provider that was created in the previous step.

  6. Navigate to Settings > Services Config > SAML Identity Provider and download the certificate for the identity provider attached to the Google Suite Application.


    For any HySecure gateway version 5427 with hotfix below 0006

    • Ensure that the following files are available in the Accops HySecure gateway:

    -rw-r--r-- 1 apache fes 2029 Mar 11 11:08 SAML_Signing_Certificate

    -rw------- 1 apache fes 2498 Mar 11 11:09 SAML_Signing_Private_Key

    If the above-mentioned files are not present, create them using the commands given below:

    [root@sso1 ~]# cd /home/fes/fescommon/certs/

    openssl x509 -inform PEM -in "sslcert.cer" -out SAML_Signing_Certificate

    openssl rsa -in "sslcert.pem" -out SAML_Signing_Private_Key

    Note

    The command should be used after changing the Working Directory to /home/fes/fescommon/certs/.

  7. Copy the content of the SAML SSO Certificate SAML_Signing_Certificate from the Accops Gateway.

    Warning

    Ensure that no new lines are added when copying the content of the SAML SSO Certificate.

    cat /home/fes/fescommon/certs/SAML_Signing_Certificate

    -----BEGIN CERTIFICATE-----
    MIIFrDCCBJSgAwIBAgISBGJHkNGfVYEtgk7jonYIws6FMA0GCSqGSIb3DQEBCwUA
    MDIxCzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1MZXQncyBFbmNyeXB0MQswCQYDVQQD
    EwJSMzAeFw0yMTAxMjcxMDA1NDBaFw0yMTA0MjcxMDA1NDBaMBcxFTATBgNVBAMT
    DGFjY29wcy5jbG91ZDCCAaIwDQYJKoZIhvcNAQEBBQADggGPADCCAYoCggGBAJYh
    aZIcaKxjsQc0pheAN1qDTHUnfRIny3W6dShVEcdHBtVDqLo8BaFZ5elEhRZHt5u9
    G1FTtN9r3YN8EyVqGG+VoHFZLs53nT2pKXe+OqtqKtW4sTOEWyVER3lFRRKgL1sx
    D8OZwjsDHtPubK9vcTwPE64+nfAcBGj+1tTETgXgsorZXmtybXiexwZxad4tFrFW
    XIm0aVB8FwRLiKhNZ5eK6c7+dKwQPkYuS6n60Psg9v/MBzxEE87nHbK5tDMmTotN
    xIn8uyi+l7ArPFvIWKIN8O/Qnrym7RH1L73jAuykhwEDXBkNysjpKkTuvthJCeGw
    oab9jcbVX5Vx0WCsuwTkvikJbp1NkI9pJcm97ST1d7NOkkIaI9Fq4TgucX2b0ZPr
    zCwaIRHXgII9eB9BO7idUi4u+23hB+jZYzGSVBz0lOPs90mW9jaFbPCt8CoX/Pm9
    GAq0uFb/ceNrRKtk3gAX9J2/XHqk1rlnCwauT4qo7gfuqW4ygtwkYCSMHPPG+wID
    AQABo4ICVTDCAlEwDgYDVR0PAQH/BAQDAgWgMB0GA1UdJQQWMBQGCCsGAQUFBwMB
    BggrBgEFBQKDAjAMBgNVHRMBAf8EAjAAMB0GA1UdDgQWBBQ2EBlrVJBjq2oHXam7
    Xzv5IVqm/jUfBgNVHSpEGDAWgBQULrMXt1hWy65QCUDmH6+dixTCxjBVBggrBgEF
    BQcBAQRJMEMwIQYIKwYBBQUHMAGGFWh0dHA6Ly9yMy5vLmxlbmNyLm9yZzAiBggr
    BgEFBQcwAoAWaHR0cDovL3IzLmkubGVuY3Iub3JnLzAnBgNVHREEIDAegg4qLmFj
    Y29wcy5jbGR1ZIIMYWNjb3BzLmNsb3VkMEwGA1UdIARFMEMwCAYGZ4EMAQIBMDcG
    CysGAQQBgtNTAQEBMCgwJgYIKwYBBQUHAgEWGmh0dHA6Ly9jcHMubGV0c2VuY3J5
    cHQub3JnMIOBAgYKKwYBBAHWeQIEAgSB8wSB8ADuAHUAlCC8Ho7VjWyIcx+CiyIs
    DdHaTV5sT5W9YdtOL1hNosIAAAF3Q4U54wAABAMARjBEAiBXSdXt8+QVBFC4sy3j
    FpJYds7BIMYysomjQXY4EM+AiwIgUOtBJPV6s9mT3VdQOz4+R3CYD08Zu72+bahC
    oyT2/+gAdQO2XJQv0XcwIhRUGAgwlFaO400TGTO/3wwvIAvMTvFk4wAAAXdDhTof
    AAAEAwBGMEUCIEC8Gb+EDzePNEuEE5pOT0jnV2M41Jj94DTwKEoqjoRxAiAZZUX5
    tG4mCC+G4pCRIHhrbxdPoBXj7UsWPzkHiHnZxjANBgkqhkiG9w0BAQsFAAOCAQEA
    BV6d943HCsAesV1SiT7+hsBZQsDy7+KcPiSkfq50qMFuD1S2m1PE/Y0tNULT2DxB
    fEPGsJrVubND+wJrufAljenEZZzivdrxjAMBBuybqzFlNQoMmIJa7V7xnE9pCSPb
    k0UGYKSgHxSsqKxzLiRuneicVyMwyD/LxdF/QbxPfVWnt+mi1rduQk9yhoT6wubq
    T99qVOIzPnEkM1MO5qm0mD/xirlO5bbVDqJClGR0ifnrHN5ueWTgbMT1ruCyFcx5
    zDPB+7NWzyELdQ82I9UNCZ+/8GNu7bQX6p/w0BzDLwv3i3B5So8QetouPBF4Zpu1
    Ejb8AQeQjIMJCWtYHdO4Fg==
    -----END CERTIFICATE-----
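Steps 5 and 7 above amount to two checks: the expected certificate and key files exist on the gateway, and the certificate body copied into the service provider is intact. The following is an added example, not Accops code, that performs both. The file names follow the step 5 listing; the sample certificate is a constructed 5-byte DER SEQUENCE, not a real certificate, so the example runs offline. The mode check on private keys (readable by the service account only) is a hardening policy assumed here, which is stricter than the 644 shown in the step 5 listing but matches the 0600 shown on SAML_Signing_Private_Key in the hotfix listing.

```python
import base64
import os
import stat
import tempfile

PEM_BEGIN = "-----BEGIN CERTIFICATE-----"
PEM_END = "-----END CERTIFICATE-----"

# Constructed sample: base64 of the DER bytes 30 03 02 01 01 (a SEQUENCE holding INTEGER 1).
SAMPLE_CERT = PEM_BEGIN + "\nMAMCAQE=\n" + PEM_END + "\n"


def expected_files(idp_name):
    """File names listed in step 5 for an identity provider called idp_name, with their kind."""
    return {
        f"CA_Certificate_{idp_name}.crt": "cert",
        f"CA_Decryption_Certificate_{idp_name}.crt": "cert",
        f"Encrypt_Private_Key_{idp_name}.pem": "key",
        f"Private_Key_{idp_name}.pem": "key",
    }


def certificate_body(pem_text):
    """Return the base64 body of a PEM certificate as one line, the form to paste into the SP.
    Raises ValueError when the copy is damaged (bad armour, broken base64, not DER)."""
    lines = [line.strip() for line in pem_text.strip().splitlines()]
    if len(lines) < 3 or lines[0] != PEM_BEGIN or lines[-1] != PEM_END:
        raise ValueError("missing or damaged BEGIN/END CERTIFICATE lines")
    body = "".join(lines[1:-1])                   # joining drops line breaks inside the body
    der = base64.b64decode(body, validate=True)   # rejects stray characters and bad padding
    if not der or der[0] != 0x30:                 # X.509 certificates are DER SEQUENCEs (tag 0x30)
        raise ValueError("decoded data is not a DER SEQUENCE; the copy is probably corrupted")
    return body


def is_valid_pem(pem_text):
    try:
        certificate_body(pem_text)
        return True
    except ValueError:
        return False


def audit_entries(entries, idp_name):
    """entries maps file name -> (st_mode, file text). Returns a list of findings."""
    findings = []
    for name, kind in expected_files(idp_name).items():
        if name not in entries:
            findings.append(f"{name}: missing")
            continue
        mode, text = entries[name]
        if kind == "key" and mode & 0o077:
            # Policy assumption: private keys should be readable by the service account only.
            findings.append(f"{name}: private key readable by group/other (mode {mode & 0o777:o})")
        if kind == "cert" and not is_valid_pem(text):
            findings.append(f"{name}: not a valid PEM certificate")
    return findings


def audit_dir(path, idp_name):
    """Read a real certificate directory such as /home/fes/fescommon/certs/ and audit it."""
    entries = {}
    for name in os.listdir(path):
        full = os.path.join(path, name)
        st = os.stat(full)
        if stat.S_ISREG(st.st_mode):
            with open(full, encoding="ascii", errors="replace") as fh:
                entries[name] = (st.st_mode, fh.read())
    return audit_entries(entries, idp_name)


def sample_entries():
    """Constructed in-memory directory listing matching step 5, with every file at mode 0600."""
    return {name: (0o100600, SAMPLE_CERT) for name in expected_files("TestIDP")}


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for name, (mode, text) in sample_entries().items():
            with open(os.path.join(tmp, name), "w") as fh:
                fh.write(text)
            os.chmod(os.path.join(tmp, name), mode & 0o777)
        print("findings:", audit_dir(tmp, "TestIDP"))
        print("paste this into the SP:", certificate_body(SAMPLE_CERT))
```

On the gateway, `audit_dir("/home/fes/fescommon/certs/", "<your IdP name>")` runs the same checks against the real directory; `certificate_body()` fails loudly on a truncated or altered copy instead of letting a broken certificate reach the service provider.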
    

Set up HySecure in Salesforce (Service Provider)

  1. Go to Salesforce with Administrator-level access via this link: https://login.salesforce.com. Alternatively, use the link https://domain.my.salesforce.com (replace domain with your Salesforce domain).


  2. After logging in to the Salesforce Portal, go to Settings.


  3. Go to Settings > Identity > Single Sign-On Settings.


  4. Click New.


  5. Fill in the required details:

    • Name: Accops_IDP_Server
    • API Name: Accops_IDP_Server
    • SAML Version: 2.0
    • Issuer: https://sso.accops.cloud (replace sso.accops.cloud with your Accops IdP server address)
    • Entity ID: https://saml.salesforce.com
    • Identity Provider Certificate: Import SAML SSO Certificate from Accops HySecure Gateway. (As per the prerequisites)
    • Request Signature Method: RSA-SHA256
    • Assertion Decryption Certificate: Assertion not encrypted
    • SAML Identity Type: Assertion contains the User's Salesforce username
    • SAML Identity Location: Identity is in the NameIdentifier element of the Subject statement
    • Service Provider Initiated Request Binding: HTTP POST
    • Identity Provider URL: https://sso.accops.cloud/saml-sso/salesforce (replace sso.accops.cloud with your Accops IdP server address)
    • Custom Logout URL: https://sso.accops.cloud/saml-slo/salesforce (replace sso.accops.cloud with your Accops IdP server address)


  6. Verify the IdP settings and endpoint details for Salesforce.

    Your Organization:

    Login URL - https://accops-dev-ed.my.salesforce.com

    Logout URL - https://accops-dev-ed.my.salesforce.com/services/auth/sp/saml2/logout


    Click Download Metadata to configure the Identity Provider Server (if it is not already configured).
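Most SAML login failures between the two sides come from a value that differs by a character: an Issuer with a trailing slash, an Audience that is not the SP Entity ID, or an endpoint typed with http. The following is an added example, not Accops or Salesforce code, that cross-checks the HySecure application settings from step 2 of the previous section against the Salesforce Single Sign-On settings from step 5 and the endpoint details from step 6. The dictionaries carry the values shown on this page; the field labels and the /saml-sso/ and /saml-slo/ path convention are taken from those steps.

```python
from urllib.parse import urlsplit

# HySecure application settings as shown in step 2 of the previous section.
HYSECURE_APP = {
    "Enable Single Sign-on": "Yes",
    "Authentication Type": "SAML Based",
    "Preconfigured Service Provider": "Salesforce",
    "Service Provider Login URL": "https://accops-dev-ed.my.salesforce.com",
    "Service Provider Logout URL": "https://accops-dev-ed.my.salesforce.com/services/auth/sp/saml2/logout",
    "Audience": "https://saml.salesforce.com",
    "Issuer": "https://sso.accops.cloud",
}

# Salesforce Single Sign-On settings (step 5) plus the endpoint details it displays (step 6).
SALESFORCE_SSO = {
    "SAML Version": "2.0",
    "Issuer": "https://sso.accops.cloud",
    "Entity ID": "https://saml.salesforce.com",
    "Identity Provider URL": "https://sso.accops.cloud/saml-sso/salesforce",
    "Custom Logout URL": "https://sso.accops.cloud/saml-slo/salesforce",
    "Login URL": "https://accops-dev-ed.my.salesforce.com",
    "Logout URL": "https://accops-dev-ed.my.salesforce.com/services/auth/sp/saml2/logout",
}


def norm_url(url):
    """Loose comparison for endpoint URLs: case-insensitive scheme and host, no trailing slash."""
    p = urlsplit(url.strip())
    return (p.scheme.lower(), p.netloc.lower(), p.path.rstrip("/") or "/", p.query)


def cross_check(app, sso):
    """Return a list of mismatches between the HySecure app and the Salesforce SSO settings."""
    findings = []
    if app["Enable Single Sign-on"] != "Yes" or app["Authentication Type"] != "SAML Based":
        findings.append("HySecure app: Single Sign-on must be enabled with Authentication Type 'SAML Based'")
    if app["Preconfigured Service Provider"] != "Salesforce":
        findings.append("HySecure app: Preconfigured Service Provider should be Salesforce")
    if sso["SAML Version"] != "2.0":
        findings.append("Salesforce: SAML Version must be 2.0")

    # Issuer and Audience/Entity ID are matched as exact strings by the SP: no normalisation.
    if app["Issuer"] != sso["Issuer"]:
        findings.append(f"Issuer mismatch (exact match required): HySecure {app['Issuer']!r} "
                        f"vs Salesforce {sso['Issuer']!r}")
    if app["Audience"] != sso["Entity ID"]:
        findings.append(f"Audience {app['Audience']!r} must equal the Salesforce Entity ID "
                        f"{sso['Entity ID']!r}")

    # Endpoints: the IdP URLs derive from the Issuer host; the SP URLs must agree on both sides.
    issuer_base = app["Issuer"].rstrip("/")
    pairs = [
        ("Identity Provider URL", sso["Identity Provider URL"], issuer_base + "/saml-sso/salesforce"),
        ("Custom Logout URL", sso["Custom Logout URL"], issuer_base + "/saml-slo/salesforce"),
        ("Login URL", app["Service Provider Login URL"], sso["Login URL"]),
        ("Logout URL", app["Service Provider Logout URL"], sso["Logout URL"]),
    ]
    for label, actual, expected in pairs:
        if norm_url(actual) != norm_url(expected):
            findings.append(f"{label}: {actual!r} does not match {expected!r}")

    # Assertions and logout requests must never travel over plain HTTP.
    for label, url in [("Issuer", app["Issuer"])] + [(label, actual) for label, actual, _ in pairs]:
        if urlsplit(url).scheme.lower() != "https":
            findings.append(f"{label} is not https: {url}")
    return findings


if __name__ == "__main__":
    print(cross_check(HYSECURE_APP, SALESFORCE_SSO))
```

Edit the two dictionaries with the values from your own consoles before running; a clean run prints an empty list, and each finding names the field to correct.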

Sign in to your Salesforce

Using IdP initiated login

  1. Go to the Accops Workspace Portal (https://sso.accops.cloud)

    Enter the sAMAccountName of the user.

    For Example:

    Username: xyz.abc
    Password: xxxxxx
    Domain: accops.cloud
    
  2. Enter the login credentials. Choose the domain and click Sign In.


  3. Verify using Multi-Factor Authentication.


  4. Upon successful Authentication and Authorization, the user will be redirected to the Accops Workspace Portal.


  5. Click the Salesforce icon to launch the Single Sign On access to the Salesforce Portal.


Using SP initiated login

  1. Go to Salesforce via this link: https://accops-dev-ed.my.salesforce.com.
  2. Log in using Accops SSO.


  3. The Authentication request will be redirected to the organization's Sign In page (Accops IdP Login Portal). Enter the Authentication details. Click Sign-In.

    Enter the sAMAccountName of the user.

    For Example:

    Username: xyz.abc
    Password: xxxxxx
    


  4. On the next screen, the Accops IdP Server prompts for additional authentication if it is required. Choose Send Push to Mobile/Desktop and approve the push notification on that device to log in.


  5. Upon successful authorization you can access the Salesforce Portal.
