PingOne for Enterprise

Adding Salesforce to Your PingOne for Enterprise Dock

Add the Salesforce application your PingOne for Enterprise Dock from the application catalog.

Steps

  1. In the PingOne for Enterprise admin console, go to Applications → Application Catalog.

  2. Optional: In the Search field, search for the application.

  3. Click the Salesforce application line to expand it, and then and click Setup.

  4. On the SSO Instructions tab, click Download to download the signing certificate.

  5. In a separate tab or window, sign on to the Salesforce admin portal.

  6. In Salesforce, go to Setup → Administer → Security Controls → Single Sign-On Settings.

  7. Select the SAML Enabled check box.

  8. In the Name field, enter a name for the connection to PingOne.

  9. In the Issuer field, enter the Issuer value from PingOne.

  10. On the Identity Provider Certificate line, click Browse to upload the signing certificate you downloaded in step 4.

  11. From the SAML Identity Type list, select Assertion contains User’s salesforce.com username.

  12. From the SAML Identity Location list, select Identity is in the NameIdentifier element of the Subject Statement.

  13. In the API Name field, enter a unique name for the API.

  14. In the Entity ID field, enter https://saml.salesforce.com

    If you have a Salesforce.com My Domain URL, you can enter it into this field instead.

  15. Optional: In the Identity Provier Login URL, enter https://sso.connect.pingidentity.com/sso/idp/SSO.saml2?idpid=<IdP ID>, replacing <IdP ID> with the IdP ID value from PingOne.

  16. Optional: In the Identity provider Logout URL field, enter https://sso.connect.pingidentity.com/sso/terminatesession.aspx?page=https://www.salesforce.com.

  17. Optional: In the Custom Error URL, enter a URL to redirect users to when an error occurs.

    If your identity bridge is AD Connect with IIS, you can enter https://<AD Connect IIS Server URL>/ADconnect/error.aspx.

  18. Click Save.

    Keep the Salesforce tab open, as you will need values from it for the next steps.

Next steps

In PingOne for Enterprise, click Continue to Next Step.

Salesforce Connection Configuration

Steps

  1. Import the metadata for Salesforce:

    Choose from:

    • Click Select File to upload the metadata file.

    • Click Or use URL to enter the URL of the metadata.

  2. In the ACS URL field, enter the Salesforce Login URL value from Salesforce.

  3. In the Entity ID field, enter the Entity ID value from Salesforce.

  4. In the Target Resource field, enter a URL to redirect the user to after IdP-initiated single sign-on (SSO).

  5. In the Single Logout Endpoint field, enter a URL for PingOne to send single logout (SLO) requests to.

  6. In the Single Logout Response Endpoint field, enter a URL for PingOne to send SLO responses to.

  7. To add a Primary Verification Certificate, click Browse to locate and upload a local certificate file used to verify SLO requests and responses coming from Salesforce.

  8. To add a Secondary Verification Certificate, click Browse to locate and upload a local certificate used to verify SLO requests and responses if the primary certificate fails.

  9. Select the Force Re-authentication check box to require your identity bridge to re-authenticate users with an active SSO session.

  10. Select the Encrypt Assertion check box to encrypt outgoing SAML assertions.

  11. On the Signing line:

    Choose from:

    • Click Sign Assertion to have PingOne sign outgoing SAML assertions. This is the default option.

    • Click Sign Response to have PingOne sign responses to incoming SAML assertions.

  12. From the Signing Algorithm list, select an algorithm with which to sign SAML assertions.

  13. Select the Use Custom URL check box to enter a customer URL to launch Salesforce from the dock.

  14. Select the Set Up Provisioning check box to configure user provisioning to Salesforce.

Next steps

Click Continue to Next Step.

Salesforce Provisioning

Before you begin

Ensure that popups are permitted in your browser.

About this task

If you don’t need to set up user provisioning, proceed to Salesforce Attribute Mapping.

If you selected Set Up Provisioning on the Connection configuration tab:

Steps

  1. In PingOne, click Continue to Next Step to proceed to the Application Configuration tab.

  2. Chose how Salesforce will deprovision:

    Choose from:

    • Select the FREEZE_USER_FLAG check box to freeze a deprovisioned user account.

    • Leave the check box clear to deactivate a deprovisioned user account.

  3. In the SUBDOMAIN field, your Salesforce subdomain

    Example:

    If your Salesforce URL is example.my.salesforce.com, your subdomain is example.my.

  4. From the PERMISSION_SET_MANAGEMENT list, select how to handle permission sets provisioned from PingOne to Salesforce:

    Choose from:

    • Select Merge with permission sets in Salesforce to add provisioned PingOne user permissions to existing permission sets in Salesforce.

    • Select Overwrite permission sets in Salesforce to overwrite permissions in Salesforce with the provisioned permissions from PingOne.

  5. Click Continue to Next Step.

  6. On the Connection Configuration tab, click Activate.

    Result:

    PingOne opens the Salesforce sign-on page in a pop-up window.

  7. Sign on to Salesforce as an administrative user.

  8. Click Allow.

Next steps

In PingOne, click Continue to Next Step.

Salesforce Attribute Mapping

About this task

PingOne will automatically populate required SAML attributes.

For Salesforce, the required attribute is SAML_SUBJECT.

Steps

  1. To add an additional optional attribute, click Add new attribute.

  2. In the Application Attribute field, enter the attribute name as it appears in the application.

  3. In the Identity Bridge Attribute or Literal Value field, choose one of the following:

    Choose from:

    • To map to the application attribute: Enter or select a directory attribute.

    • To assign to the application attribute: Select As Literal, then enter a literal value.

  4. To create advanced attribute mappings, click Advanced.

    For more information, see Create advanced attribute mappings.

Next steps

Click Continue to Next Step.

Salesforce Customization

Steps

  • To change the application icon, click Select image and upload a local image file.

    The image file must be:

    • PNG, GIF, or JPG format

    • 312 x 52 pixels maximum

    • 2 MB maximum file size

      Images are scaled to 64 x 64 pixels for display.

  • To change the name of the application displayed on the dock, in the Name field, enter a new name.

  • To change the description of the application, in the Description field, enter the new description text.

  • To change the category to which the application is assigned on the dock, in the Category list, select a category.

    For information about creating custom application categories, see Creating a custom application category.

Next steps

Click Continue to Next Step.

Salesforce Group Access

About this task

The Group Access tab shows every user group that you have created.

For more information about creating user groups, see Add user groups.

Steps

  • To add a group’s access to the application, on the line for that group, click Add.

  • To remove a group’s access, on the line for that group, click Remove.

  • When you’re finished assigning groups, click Continue to Next Step.

Next steps

On the Review Setup tab, review your configuration, and click Finish to add the application to your PingOne Dock.