Configuring Salesforce as an IdP for Bridge

Document created by Bo Harris on Jul 19, 2016. Last modified by Annie Battad on Dec 20, 2019.

 

 

Overview

 

Salesforce can be configured as an Identity Provider (IdP) so that users can log in to Bridge with their Salesforce credentials. For organizations without an external single sign-on provider, this configuration creates a seamless user experience: the end user presents login credentials once and gains access to both Salesforce and Bridge.

 

Requirements

 

Client Side

  • Administrative access to Salesforce Account
    • Ability to update users and profile access
    • Ability to manage connected apps
    • Ability to add/modify Identity Provider configuration
      • Generate IdP Metadata
  • Desired NameID created in Salesforce user record (usually Username or Email Address)
  • Bridge provided configuration details for creating the Bridge SP relationship to Salesforce
    • Bridge SP Entity ID
    • Assertion Consumer Service (ACS) URL
    • NameID Format

 

Bridge Side

  • IT or Account Admin permissions in your Bridge instance
  • You will need the following information to configure SSO in Bridge:
    • SAML IdP Entity ID (Required)
    • SAML X509 Certificate (Required)
    • SAML Single Sign On URL (Required)
    • SAML Logout Redirect URL
    • SAML NameId Format

*The metadata XML file generated during the IdP setup process in Salesforce should contain all of the required information.

Steps for Configuration

 

Salesforce

  • Log in to Salesforce
  • On the left menu bar under Settings, go to Identity, then Identity Provider
  • Click Enable Identity Provider in the middle of the screen, across from Identity Provider Setup
  • Select the certificate that Salesforce.com uses when communicating with service providers, then click Save
  • Download the IdP metadata by clicking the Download Metadata button that appears after enabling Salesforce as an IdP

Bridge

  • In Bridge, navigate to the account authentication settings (https://<domain>.bridgeapp.com/admin/config/auth)
  • Scroll to the SAML 2.0 section and click Enable
  • Select Manual Configuration
  • Update the fields below with the values from the metadata generated by Salesforce:
    • Identity Provider URL
    • Single Sign On URL
    • Name ID Format URN
  • Click Save
  • Copy the Audience URI and ACS URL

*These two values are used to configure the Salesforce side.

Salesforce

  • Log in to Salesforce
  • On the left menu bar under Platform Tools, go to Apps, then App Manager
  • In the top right-hand corner, click New Connected App
  • Fill in the following fields under Basic Information:
    • Connected App Name
    • API Name
    • Contact Email
  • Input your Bridge domain (https://yourdomain.bridgeapp.com) into the Start URL field
  • Input your Bridge Audience URI into the Entity ID field
  • Input your Bridge ACS URL into the ACS URL field
  • Click Save

 

Testing

To test the configuration, attempt to log in to your Bridge instance by navigating to your domain (example: https://clientabc.bridgeapp.com). The page should redirect you to the Salesforce login screen to present your credentials. If you already have an active session with Salesforce, you should be logged in automatically. Test with a couple of user accounts across the company. If the integration is successful, the user is logged in to Bridge and sees either the My Learner Dashboard or the Admin Dashboard, depending on the user's assigned permissions.

 

After testing is over, tell your implementation consultant whether you'd like just-in-time provisioning on or off. Just-in-time provisioning instantly creates a user in the system if Bridge cannot find any active users with the specific unique identifier passed by Salesforce.

 

Troubleshooting

 

What You're Experiencing: Navigating to the Bridge login page doesn't direct me to Salesforce to log in.
What's Happening: The configuration settings on the Bridge side are incorrect.
How to Fix It: Provide the Bridge implementation consultant with your Salesforce login URL and they will update the configuration.

What You're Experiencing: After presenting login credentials, it moves past the Salesforce page but doesn't log in to Bridge.
What's Happening: This is likely an issue with the SAML configuration on either the client or the Bridge side.
How to Fix It: Confirm that both systems have the correct Entity IDs, ACS URLs and X509 certificates.

What You're Experiencing: User not authorized to access the Bridge application.
What's Happening: The user doesn't belong to a profile that has been authorized to access the Bridge Connected App in Salesforce.
How to Fix It: Add the user to a Salesforce user profile that has been authorized to access the Bridge connected app.

 

Additional Reading

 

Salesforce Documentation: Enable Salesforce as an Identity Provider

Salesforce Documentation: Identity Providers and Service Providers

Salesforce Documentation: Defining Service Providers as SAML-Enabled Connected Apps

 

 

 

