Configuring Salesforce as an IdP for Bridge

Document created by Bo Harris Administrator on Jul 19, 2016

Overview


Salesforce can be configured as an Identity Provider (IdP) so that users can log in to Bridge with their Salesforce credentials. For organizations without an external single sign-on provider, this configuration creates a seamless user experience: the end user presents login credentials once and gains access to both Salesforce and Bridge.


Requirements


Client Side

    • Administrative access to Salesforce Account
      • Ability to update users and profile access
      • Ability to manage connected apps
      • Ability to add/modify Identity Provider configuration
        • Generate IdP Metadata
    • Desired NameID created in Salesforce user record (usually Username or Email Address)
    • Bridge provided configuration details for creating the Bridge SP relationship to Salesforce
      • Bridge SP Entity ID
      • Assertion Consumer Service (ACS) URL
      • NameID Format


Bridge Side

Your Bridge implementation consultant or solutions engineer will need the following information to configure single sign-on with Salesforce*:

    • SAML IdP Entity ID (Required)
    • SAML X509 Certificate (Required)
    • SAML Single Sign On URL (Required)
    • SAML Logout Redirect URL
    • SAML NameId Format

*The metadata xml file generated during the IdP setup process in Salesforce should contain all required information.

Steps for Configuration


Client Side

    • Log in to Salesforce and click on the "Setup" link in the upper right hand corner.
    • Click Security Controls under the "Administer" link, and then click on Identity Provider.
    • Enable Salesforce as an Identity Provider by clicking Enable Identity Provider.
    • Download the IdP Metadata by clicking on the Download Metadata button that appears after enabling Salesforce as an IdP.
    • Send the XML metadata file generated in the previous step to the Bridge implementation consultant or solutions engineer so they can begin the configuration on the Bridge side.
    • Create the Bridge Service Provider (SP) connection by clicking on Apps under the "Build" link. Click on Create and then click on Connected Apps. Click New to create Bridge as a connected app.
    • Input the following information in the New Connected App configuration:
      • Basic Information
        • Connected App Name: Bridge
      • Web App Settings
        • Start URL: Your Bridge Instance (Example: https://clientabc.bridgeapp.com)
        • Click on Enable SAML
          • Entity ID: This ID will be provided by your implementation consultant. Please request if you do not already have this information.
          • ACS URL: This URL will be provided by your implementation consultant. Please request if you do not already have this information.
          • Subject Type: Value you would like to pass to Bridge as unique ID. If email address is desired, select Username.
          • Name ID Format: If using email address for unique ID, select urn:oasis:names:tc:SAML:2.0:nameid-format:emailAddress. If you would like to use a different name ID, please contact your Implementation Consultant.
    • Save your newly created app by clicking on the Save button at the bottom of the "New Connected App" configuration screen.
    • Manage your user profiles to allow users or specific user roles access to Bridge by clicking on Connected Apps. Click on the Bridge connected app and update user access under the Profiles area.


Bridge Side

    • Your implementation consultant will extract the necessary fields from the IdP metadata XML file and input them into the back-end of Bridge.
    • Your implementation consultant will update the account settings and notify you that the integration is complete. From this point you should test the integration.


Testing

To test the configuration, attempt to log into your Bridge instance by navigating to your domain (example: https://clientabc.bridgeapp.com). The page should redirect you to the Salesforce login screen to present your credentials. If you already have an active session with Salesforce, you should automatically be logged in. Test with a couple of user accounts across the company. If the integration is successful, the user will be logged into Bridge and will see the My Learner Dashboard or the Admin Dashboard, depending on the user's assigned permissions.


After testing is over, tell your implementation consultant whether you'd like just-in-time provisioning on or off. Just-in-time provisioning instantly creates a user in the system if Bridge cannot find any active user with the unique identifier passed by Salesforce.


Troubleshooting


What You're Experiencing: Navigating to the Bridge login page doesn't direct me to Salesforce to log in.
What's Happening: The configuration settings are incorrect on the Bridge side.
How to Fix It: Provide the Bridge implementation consultant with your Salesforce login URL and they will update the configuration.

What You're Experiencing: After presenting login credentials, it moves past the Salesforce page but doesn't log in to Bridge.
What's Happening: This is likely an issue with the SAML configuration on either the client or Bridge side.
How to Fix It: Confirm that both systems have the correct Entity IDs, ACS URLs and X509 certificates.

What You're Experiencing: User not authorized to access the Bridge Application.
What's Happening: The user doesn't belong to a profile that has been authorized to access the Bridge Connected App in Salesforce.
How to Fix It: Add the user to a Salesforce user profile that has been authorized to access the Bridge connected app.
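The "Bridge Side" requirements say the IdP metadata XML generated by Salesforce contains the Entity ID, X509 certificate, Single Sign On URL, Logout URL and NameID format that Bridge needs, and the second troubleshooting row says to confirm that both systems agree on those values. The script below is an added example, not Bridge's or Salesforce's own tooling: it pulls those five fields out of SAML 2.0 IdP metadata, computes a SHA-256 fingerprint of the signing certificate so the two sides can be compared without pasting the whole certificate around, and reports any mismatch against the values configured on the Bridge side. The metadata document, the host name clientabc.example-idp.invalid, the endpoint paths, the certificate bytes and the BRIDGE_CONFIG dictionary are all constructed for this example; the placeholder certificate is valid base64 but not a real X.509 certificate.

```python
"""Extract Bridge-side SSO settings from SAML 2.0 IdP metadata and check them
against the values configured in Bridge (added example, constructed data)."""
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
HTTP_REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"

# Constructed placeholder: valid base64, but NOT a real DER certificate.
PLACEHOLDER_CERT_B64 = base64.b64encode(
    b"constructed placeholder, not a real X.509 certificate").decode()

# Constructed sample shaped like an IdP metadata file; host and paths are invented.
SAMPLE_METADATA = f"""<md:EntityDescriptor xmlns:md="{NS['md']}" xmlns:ds="{NS['ds']}"
    entityID="https://clientabc.example-idp.invalid">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>
        {PLACEHOLDER_CERT_B64}
      </ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:emailAddress</md:NameIDFormat>
    <md:SingleLogoutService Binding="{HTTP_REDIRECT}" Location="https://clientabc.example-idp.invalid/idp/slo"/>
    <md:SingleSignOnService Binding="{HTTP_REDIRECT}" Location="https://clientabc.example-idp.invalid/idp/sso/redirect"/>
    <md:SingleSignOnService Binding="{HTTP_POST}" Location="https://clientabc.example-idp.invalid/idp/sso/post"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""

# Constructed stand-in for what the consultant configured on the Bridge side.
BRIDGE_CONFIG = {
    "entity_id": "https://clientabc.example-idp.invalid",
    "sso_url": "https://clientabc.example-idp.invalid/idp/sso/post",
    "nameid_format": "urn:oasis:names:tc:SAML:2.0:nameid-format:emailAddress",
    "x509_certificate": PLACEHOLDER_CERT_B64,
}


def extract_bridge_settings(metadata_xml: str) -> dict:
    """Return the five values Bridge needs from IdP metadata; raise if absent."""
    root = ET.fromstring(metadata_xml)
    entity = root
    if root.tag == f"{{{NS['md']}}}EntitiesDescriptor":   # aggregate wrapper
        entity = root.find("md:EntityDescriptor", NS)
    idp = entity.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("no IDPSSODescriptor: this is not IdP metadata")

    cert = None
    for kd in idp.findall("md:KeyDescriptor", NS):
        if kd.get("use", "signing") != "signing":
            continue   # an encryption-only key cannot verify assertion signatures
        el = kd.find("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
        if el is not None and el.text:
            cert = "".join(el.text.split())   # drop PEM-style line wrapping
            break
    if cert is None:
        raise ValueError("no signing certificate in metadata")

    services = idp.findall("md:SingleSignOnService", NS)
    if not services:
        raise ValueError("no SingleSignOnService in metadata")
    # Prefer the HTTP-POST endpoint; fall back to whatever is listed first.
    sso = next((s for s in services if s.get("Binding") == HTTP_POST), services[0])
    slo = idp.find("md:SingleLogoutService", NS)
    fmt = idp.find("md:NameIDFormat", NS)
    return {
        "entity_id": entity.get("entityID"),
        "x509_certificate": cert,
        "sso_url": sso.get("Location"),
        "logout_url": slo.get("Location") if slo is not None else None,
        "nameid_format": fmt.text.strip() if fmt is not None and fmt.text else None,
    }


def cert_fingerprint(cert_b64: str) -> str:
    """SHA-256 over the DER bytes, colon-separated, for side-by-side comparison."""
    der = base64.b64decode("".join(cert_b64.split()))
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def check_against_bridge(idp_settings: dict, bridge_config: dict) -> list:
    """List every field on which the IdP metadata and the Bridge config disagree."""
    problems = []
    for key in ("entity_id", "sso_url", "nameid_format"):
        if idp_settings.get(key) != bridge_config.get(key):
            problems.append(f"{key}: metadata has {idp_settings.get(key)!r}, "
                            f"Bridge has {bridge_config.get(key)!r}")
    if cert_fingerprint(idp_settings["x509_certificate"]) != \
            cert_fingerprint(bridge_config["x509_certificate"]):
        problems.append("x509_certificate: fingerprint differs (stale or wrong IdP certificate)")
    return problems


if __name__ == "__main__":
    settings = extract_bridge_settings(SAMPLE_METADATA)
    for name, value in settings.items():
        print(f"{name:17} {value if name != 'x509_certificate' else cert_fingerprint(value)}")
    print("mismatches:", check_against_bridge(settings, BRIDGE_CONFIG) or "none")
```

Run it against a real metadata file by replacing SAMPLE_METADATA with the file's contents; a non-empty mismatch list points at the field to correct, and a differing certificate fingerprint is the usual sign that the IdP certificate was rotated after Bridge was configured.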


Additional Reading


Salesforce Documentation: Enable Salesforce as an Identity Provider

Salesforce Documentation: Identity Providers and Service Providers

Salesforce Documentation: Defining Service Providers as SAML-Enabled Connected Apps
