Salesforce as an IdP

Overview

Salesforce can be configured as an Identity Provider (IdP) to provide users the ability to log in to Bridge with their login credentials from Salesforce.

For organizations without an external single sign-on provider, this configuration creates a seamless user experience allowing the end-user to present login credentials a single time and gain access to both Salesforce and Bridge.

Client Requirements

  • Administrative access to Salesforce Account
  • Ability to update users and profile access
  • Ability to manage connected apps
  • Ability to add/modify Identity Provider configuration
  • Generate IdP Metadata
  • Desired NameID created in Salesforce user record (usually Username or Email Address)
  • Bridge-provided configuration details for creating the Bridge SP relationship to Salesforce
    • Bridge SP Entity ID
    • Assertion Consumer Service (ACS) URL
    • NameID Format

Bridge Requirements

  • IT or Account Admin permissions in your Bridge instance
  • Configuring the SSO in Bridge (SAML metadata*)
    • SAML IdP Entity ID (Required)
    • SAML X509 Certificate (Required)
    • SAML Single Sign-On URL (Required)
    • SAML Logout Redirect URL
    • SAML NameId Format

The metadata XML file generated during the IdP configuration process in Salesforce should contain all required information.

Steps for Configuration

Salesforce - Enable IdP & Metadata

  • Log in to Salesforce
  • On the left menu bar under Settings, go to Identity, then Identity Provider
  • Click on Enable Identity Provider in the middle of the screen across from Identity Provider Setup
  • Select the certificate that Salesforce.com uses when communicating with service providers, then click Save
    • Download the IdP Metadata by clicking on the Download Metadata button that appears after enabling Salesforce as an IdP

Bridge - Configure SAML 2.0

  • In Bridge, navigate to the account authentication settings → https://<domain>.bridgeapp.com/admin/config/auth
  • Scroll to the SAML 2.0 section and click Enable
  • Select Manual Configuration
  • Update the fields below with your metadata generated from Salesforce
    • Identity Provider URL
    • Single Sign-On URL
    • Name ID Format URN
  • Click Save
  • Copy the Audience URI and ACS URL; you will use these when configuring the connected app in Salesforce

Salesforce - New Connected App

  • Log in to Salesforce
  • On the left menu bar under Platform Tools, go to Apps and then App Manager
  • In the top right-hand corner, click on New Connected App
  • Update the fields below within Basic Information
    • Connected App Name
    • API Name
    • Contact Email
  • Input your Bridge domain, https://<domain>.bridgeapp.com, in the Start URL field
  • Input your Bridge Audience URI into the Entity ID field
  • Input your Bridge ACS URL into the ACS URL field
  • Click Save
  • Assign the connected app and the users who will log in to Bridge the same permission set

Testing

  • Attempt to log into your Bridge instance, https://<domain>.bridgeapp.com
    • The page should redirect you to the Salesforce login screen
    • If you already have an active session within Salesforce, you should be automatically logged in
  • Test with a few user accounts across the company
    • If the integration is successful, the user should be logged in to Bridge and will see the My Learner Dashboard or the Admin Dashboard, depending on the user's assigned roles
  • When testing is complete, let your implementation consultant know whether or not you'd like just-in-time provisioning enabled
    • Just-in-time provisioning instantly creates a user in the system if Bridge cannot find any active users with the unique identifier passed by Salesforce during the login process

Troubleshooting

What You're Experiencing: Navigating to the Bridge login page does not redirect me to Salesforce.
What's Happening: The configuration settings are incorrect within the Bridge configuration.
How to Fix it: Provide the Bridge implementation consultant with your Salesforce login URL and they will update the configuration.

What You're Experiencing: After successfully logging in within Salesforce, I am not redirected back to my Bridge domain.
What's Happening: This is likely an issue with the SAML configuration on either the client or Bridge side.
How to Fix it: Confirm that both systems have the correct EntityIDs, ACS URLs, and X509 certificates.

What You're Experiencing: User not authorized to access the Bridge Application.
What's Happening: The user doesn't belong to a profile that has been authorized to access the Bridge Connected App in Salesforce.
How to Fix it: Add the user to a Salesforce user profile that has been authorized to access the Bridge connected app.

