JIT provisioning to Salesforce using WSO2 Identity Server during SAML SSO login
Just-in-Time (JIT) provisioning is a popular approach to federated identity provisioning. What makes it so widely adopted is that user accounts are created on the fly the first time a user logs in to the system where the account is needed. To understand the importance of JIT provisioning, let’s look at a simple use case.
Imagine Google requires its employees to access a service offered by Salesforce. Usually this would mean manually creating and managing an account at Salesforce for each Google employee. In a small organization with a few employees that is practical, but it becomes a complex, tedious task when a large number of users has to be provisioned: each time a new employee joins Google, the administration unit has to create a new account for that user in Salesforce. With JIT provisioning, Google doesn’t have to create user identities at Salesforce before users can access the service. Because users are created dynamically, JIT provisioning lowers the administrative cost and the time spent creating accounts.
In this blog post, I will guide you through integrating Just-in-Time provisioning into an application using WSO2 Identity Server during SAML SSO login. The service provider must support JIT; here I will use Salesforce. WSO2 Identity Server (the identity provider) passes the information required to create the user account to Salesforce in the SAML assertion. Because Salesforce creates the account from whatever the assertion says, the assertion is the source of truth for which accounts exist and which profile they get; that is why the response is signed and the attribute and role mappings are kept to exactly what Salesforce needs in the steps that follow. The illustration below gives a high-level view of the integration we will try out.
Prerequisites:
- Download the latest WSO2 Identity Server from here. For details on running the Identity Server, see Running the Product.
- Configure WSO2 Identity Server to enable users to log in using their email addresses. For step by step instructions refer here.
- A Salesforce developer account.
Step 01 - Download SAML metadata from WSO2 Identity Server
- Log in to the WSO2 Identity Server management console with super admin credentials.
- On the Main tab, click Resident Identity Provider under Identity Providers.
- Expand the Inbound Authentication Configuration section.
- Select SAML2 Web SSO Configuration and Download SAML Metadata.
Step 02 - Configuring SSO settings in Salesforce
- On the left navigation panel search for ‘Single Sign-On Settings’.
- Under SAML Single Sign-On Settings click New from Metadata File.
- Upload the SAML metadata downloaded in Step 01.
- In the next view, for Name provide the value WSO2 Identity Server (this name is displayed on the Salesforce login page as an SSO login option).
- For SAML Identity Type select Assertion contains the Federation ID from the User object.
- Leave Single Logout Enabled unchecked.
- For Custom Logout URL provide the URL in the following format. Fill the placeholders with the appropriate values (URL-encode them, and make sure there are no spaces in the query string).
https://localhost:9443/samlsso?slo=true&spEntityID=https://<your salesforce domain>&returnTo=https://<your salesforce domain>
Tip: To check your domain name, on the left navigation panel search for ‘My Domain’.
- Under Just-in-time User Provisioning, tick User Provisioning Enabled and set User Provisioning Type to Standard.
- Save the configuration.
- The final SSO settings view should look like the one below. Make sure all attributes are configured properly.
- Click on Download Metadata.
- In the main view of Single Sign-On Settings, check SAML Enabled under Federated Single Sign-On Using SAML section.
Step 03 - Configuring WSO2 Identity Server as an Authentication Service for Salesforce
- Navigate to My Domain settings and click Edit in the Authentication Configuration section.
- Select WSO2 Identity Server as an Authentication Service.
- Save the changes.
Step 04 - Adding Salesforce as a SAML SSO service provider in WSO2 Identity Server
- Log into the WSO2 Identity Server management console.
- On the Main tab, click Add under Service Providers. Create a new service provider by providing a suitable name.
- Expand Inbound Authentication Configuration and then expand the SAML2 Web SSO Configuration.
- Select Metadata File Configuration as the mode and upload the metadata file downloaded from Salesforce in Step 02.
- Check Enable Response Signing.
- Check Enable Attribute Profile and Include Attributes in the Response Always.
- Check Enable IdP Initiated SLO and, for Return to URL, provide the URL in the following format. Replace the placeholder with the appropriate value.
https://<your salesforce domain>
- Save the changes.
Step 05 - Add a new claim to track the Salesforce username
- On Main menu, click Add under Claims and then click Add Local Claim.
- Add the local claim shown in the screenshot below.
Step 06 - Claim configuration in the service provider
- On the Main tab, click List under the Service Providers section and navigate to the service provider created in Step 04.
- Expand the Claim Configuration section and select Define Custom Claim Dialect. Click Add Claim URI and add the set of claims provided below. Select User.Username as the Subject Claim URI.
- Save the changes.
Step 07 - Add role mappings
For this tutorial, we will be provisioning users with two different roles. First, let's create two local roles in WSO2 Identity Server.
- Navigate to the Main menu in the Management Console, click Add under Users and Roles.
- Click Roles and Click Add New Role.
- Create a role with the name sales_user.
- Similarly, create another role as solution_manager.
Next, let’s add the role configuration to map WSO2 Identity Server roles to relevant Salesforce roles.
- On the Main tab, click List under Service Providers section and navigate to the created service provider.
- Expand Role/Permission Configuration section.
- Add the following role mappings. Make sure the Service Provider Role is a valid Salesforce profile (Salesforce also has a separate Roles concept, but JIT provisioning assigns a Profile).
Tip - To view roles in Salesforce:
- Log in to Salesforce as Salesforce developer.
- On the left navigation panel search for ‘Profiles’.
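The claim configuration in Step 06 and the role mapping in Step 07 together decide what the assertion says about the user and which Salesforce profile the new account gets. The script below is an added example (not code from the original post, nor a WSO2 or Salesforce artifact) that parses a constructed SAML assertion the way Salesforce Standard JIT provisioning consumes it, lists the reasons Salesforce would refuse to create the account, and applies the Step 07 mapping from WSO2 local roles to Salesforce profiles. It assumes the role claim is mapped to User.ProfileId, and the Salesforce domain, profile IDs and required-attribute list are assumptions (the latter taken from Salesforce's JIT documentation; confirm it for your org).

```python
"""
Added example (not from the original post or WSO2): inspect a SAML 2.0
assertion the way Salesforce Standard JIT provisioning consumes it, and apply
the Step 07 role-to-profile mapping. The assertion below is constructed;
entity IDs, profile IDs and the required-attribute list are assumptions.
"""
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Attributes Salesforce needs to create a user with Standard JIT provisioning
# (assumption drawn from Salesforce's JIT documentation; confirm for your org).
REQUIRED_ATTRS = ("User.Username", "User.Email", "User.LastName", "User.ProfileId")

# Step 07 mapping: WSO2 IS local role -> Salesforce Profile ID. The IDs are
# placeholders; take the real ones from Setup > Profiles in your org.
ROLE_TO_PROFILE = {
    "sales_user": "00e000000000001AAA",
    "solution_manager": "00e000000000002AAA",
}

SALESFORCE_ENTITY_ID = "https://acme-dev-ed.my.salesforce.com"  # placeholder domain

# Constructed assertion resembling what WSO2 IS sends after Steps 04-07
# (signature omitted: Salesforce validates it against the IdP certificate
# from the Step 01 metadata; this script only checks JIT content).
SAMPLE_ASSERTION = f"""<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_c0ffee" Version="2.0" IssueInstant="2024-01-01T10:00:00Z">
  <saml:Issuer>localhost</saml:Issuer>
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">alice@example.com</saml:NameID>
  </saml:Subject>
  <saml:Conditions NotBefore="2024-01-01T09:55:00Z" NotOnOrAfter="2024-01-01T10:05:00Z">
    <saml:AudienceRestriction><saml:Audience>{SALESFORCE_ENTITY_ID}</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AttributeStatement>
    <saml:Attribute Name="User.Username"><saml:AttributeValue>alice@example.com</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="User.Email"><saml:AttributeValue>alice@example.com</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="User.LastName"><saml:AttributeValue>Doe</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="User.FederationIdentifier"><saml:AttributeValue>alice@example.com</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="User.ProfileId"><saml:AttributeValue>00e000000000001AAA</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def parse_assertion(xml_text):
    """Return the subject NameID, the audience and a name -> [values] attribute map."""
    root = ET.fromstring(xml_text)
    attrs = {}
    for attr in root.findall("saml:AttributeStatement/saml:Attribute", namespaces=NS):
        attrs[attr.get("Name")] = [
            (v.text or "").strip()
            for v in attr.findall("saml:AttributeValue", namespaces=NS)
        ]
    return {
        "subject": root.findtext("saml:Subject/saml:NameID", namespaces=NS),
        "audience": root.findtext(
            "saml:Conditions/saml:AudienceRestriction/saml:Audience", namespaces=NS),
        "attributes": attrs,
    }


def first(attrs, name):
    """First value of a multi-valued attribute, or None when absent/empty."""
    values = attrs.get(name) or []
    return values[0] if values else None


def jit_problems(parsed, expected_audience=SALESFORCE_ENTITY_ID):
    """List the reasons Salesforce would refuse to provision from this assertion."""
    problems = []
    attrs = parsed["attributes"]
    if parsed["audience"] != expected_audience:
        problems.append(f"audience {parsed['audience']!r} is not this org")
    for name in REQUIRED_ATTRS:
        if not first(attrs, name):
            problems.append(f"missing {name}")
    # Step 02 set SAML Identity Type to Federation ID: the subject must match
    # User.FederationIdentifier or the user lookup/creation fails.
    if first(attrs, "User.FederationIdentifier") != parsed["subject"]:
        problems.append("subject NameID != User.FederationIdentifier")
    # Refuse a profile the Step 07 mapping never targets (e.g. an admin profile).
    profile = first(attrs, "User.ProfileId")
    if profile and profile not in ROLE_TO_PROFILE.values():
        problems.append(f"unmapped profile {profile}")
    return problems


def profile_for_roles(local_roles):
    """Apply the Step 07 mapping; refuse ambiguous or unmapped role sets."""
    mapped = {ROLE_TO_PROFILE[r] for r in local_roles if r in ROLE_TO_PROFILE}
    if len(mapped) != 1:
        raise ValueError(f"roles {sorted(local_roles)} map to {len(mapped)} profiles, need exactly 1")
    return mapped.pop()


if __name__ == "__main__":
    parsed = parse_assertion(SAMPLE_ASSERTION)
    print("subject:", parsed["subject"])
    print("problems:", jit_problems(parsed) or "none")
    print("profile for sales_user:", profile_for_roles(["sales_user"]))
```

Run it against a real assertion captured from the browser (base64-decode the SAMLResponse form field and paste the Assertion element) to see why a JIT login fails before digging through Salesforce's login history. The profile allowlist in `jit_problems` is the point of Step 07: a user should only ever be created with one of the profiles you mapped, never with whatever profile name happens to arrive in the assertion.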
Step 08 - Add users
- On the Main tab, click Add under Users and Roles.
- Click Add New User and create a new user.
- Assign the role sales_user to this newly created user.
- Similarly, create another new user and assign the role solution_manager.
We have completed all the configuration steps required for this tutorial. Now it’s time for us to test the flow.
Testing the flow
- Navigate to the Salesforce login page for the newly created domain.
- Click on WSO2 Identity Server.
- You will be redirected to the WSO2 Identity Server login page.
- Log in with the credentials of a user created in Step 08.
- Provide the consent to share user attributes expected by Salesforce for provisioning the user.
- The user will be logged in to Salesforce successfully.
- Similarly, repeat the login flow for the other user.
- To view the provisioned accounts, log in to Salesforce as a Salesforce System Administrator.
- On the left navigation panel search for ‘Users’.
- You will see the provisioned users with the relevant Profile.
Congratulations! You have successfully tried out Just-in-Time provisioning to Salesforce using WSO2 Identity Server during SAML SSO login.
WSO2 Identity Server is a well-recognized industry leader supporting a range of IAM use cases. To find out more about interesting CIAM integrations visit: https://wso2.com/identity-and-access-management/