Configuring SAML/ADFS Authentication for all tenants

You can configure SAML/ADFS authentication globally to all tenants for the instance.

After you configure the instance to enable SAML/ADFS authentication, follow these steps to configure SAML/ADFS authentication globally:

  1. Configure your IdP to add values for your Platform tenant. These values include the following; different IdPs might have different labels for these. The labels shown below are for Salesforce:
    • Entity ID — The value of the entityID attribute of the EntityDescriptor element in the SP metadata file
    • ACS (Assertion Consumer Service) URL — The value of the SAML ACS (Assertion Consumer Service) URL property on the SAML/ADFS configuration page in Platform
    • Encrypt SAML response — Upload the public key certificate file. The master administrator should provide you with this file.
  2. After configuring the IdP, obtain the IdP's SAML/ADFS metadata XML. You will need to save this as a file and use it in the next step. This is usually provided by the IdP as either a file or as a URL containing the metadata XML. If it is provided as a URL, save the XML in a file. This file is referred to as the IdP metadata file in the next step.
  3. Log into Platform and navigate to System Console > Control Panel > Authentication.
    Note: Ensure Global is selected as the authentication mode.
  4. In addition to the already configured SAML/ADFS SP details, specify values for the following fields in the SAML/ADFS IDP Configuration section to configure SAML/ADFS for all tenants.
Issuer (IDP/ADFS Entity ID)
    The value of the entityID attribute of the EntityDescriptor element in the IdP metadata file. This is a mandatory field.

Identity Provider/ADFS Metadata
    The IdP metadata file.

Service Provider EntityID/Relying Party Entity ID
    The entity ID of the service provider: the value of the entityID attribute of the EntityDescriptor element in the SP metadata file. This is a mandatory field.

Identity Provider Logout URL
    A custom URL that the SAML customer administrator can configure to redirect the user after logout.

Authentication Context Comparison Type
    A comparison attribute on the AuthnContext request parameter that indicates how an authentication context should be evaluated. The authentication context is evaluated based on the relative strengths of the authentication context classes specified in the AuthnContext request and the authentication methods offered by the IdP.

    The four available comparison values are better, exact, maximum, and minimum. If no value is specified, it defaults to minimum.

    See setAuthentication and getAuthentication for more information.

Authentication Context Classes
    A set of authentication methods that are viewed as identical to one another in a specific context is called an authentication context class. Selecting classes appends the required authentication context information to the request sent to the Identity Provider (IDP).

    Select the required authentication context classes from the available list for the SAML/ADFS Configuration.

    See SAML Auth Context Classes for more information.

Attribute Map
    A pipe-separated mapping of attributes in the form integration name in Platform=attribute name sent from IdP. A user can choose to map more than one attribute. The attribute loginName is the only required and compulsory field to be mapped; you can also add more attribute mappings. For example: firstName=givenName|lastName=sn|loginName=uid|city=city

Request Signature Method
    The signature algorithm used to sign the request sent to the IDP. You can select RSA-SHA1 or RSA-SHA256. The default value is RSA-SHA1.

Enable Just-In-Time for SAML
    When enabled, new application accounts are created on the fly from SAML assertions, eliminating manual account creation for every new user. With Just-In-Time enabled, a new user account is created dynamically the first time the user signs in through the SAML-based Platform SSO portal. See Just-in-Time Provisioning for more information.

Validate User Fields on creation
    If enabled, field format, mandatory fields and unique fields are validated on record creation for all user fields, including the mandatory fields listed below.

    If disabled (not recommended) and any of the mandatory fields listed below is missing, an error is raised without any other field validation taking place. However, editing the record in the UI validates the data on any subsequent edit.

    The following mandatory fields are required by a user object when a record is created:

    Login Type                                            Mandatory Fields
    Any regular SAML login (Per tenant, Portal, Global)   loginName
    JIT-Enabled SAML login (Per tenant, Portal)           loginName, email, role
    JIT-Enabled Global SAML Login                         loginName, email, role, custId

Note: The Authentication Context Comparison Type parameter for SAML can be configured only at a tenant level. For Global Level SAML configuration, the comparison value will always default to Minimum. If SAML is the selected authentication type, the parameter samlAuthnContextComparison returns the set comparison value in the getAuthentication REST API.
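The attribute map format and the mandatory-field rules above, worked through in an added example (not the product's own code): it parses a pipe-separated map, applies it to the attributes carried in a SAML assertion, and reports which mandatory fields a JIT-enabled global login would still lack. The IdP attribute names (mail, eduPersonAffiliation) and the sample assertion values are constructed for illustration.

```python
# Added example, not the product's own code: parse a Platform attribute map
# (integrationName=idpAttribute|...), apply it to a SAML assertion's attributes
# and check the mandatory fields for the login type. Sample values are constructed.

# Mandatory fields per login type, as listed in the documentation.
MANDATORY_FIELDS = {
    "regular": ("loginName",),
    "jit_tenant": ("loginName", "email", "role"),
    "jit_global": ("loginName", "email", "role", "custId"),
}


def parse_attribute_map(mapping: str) -> dict:
    """Return {platform_field: idp_attribute}; reject malformed or duplicate
    entries and require loginName, the only compulsory mapping."""
    result = {}
    for entry in mapping.split("|"):
        if entry.count("=") != 1:
            raise ValueError(f"malformed entry: {entry!r}")
        field, attr = (part.strip() for part in entry.split("="))
        if not field or not attr:
            raise ValueError(f"empty name in entry: {entry!r}")
        if field in result:
            raise ValueError(f"duplicate mapping for {field}")
        result[field] = attr
    if "loginName" not in result:
        raise ValueError("loginName must be mapped")
    return result


def map_assertion(attr_map: dict, assertion_attrs: dict) -> dict:
    """Build the user record from the IdP attributes named in the map;
    attributes the IdP did not send are left out of the record."""
    return {field: assertion_attrs[attr]
            for field, attr in attr_map.items() if attr in assertion_attrs}


def missing_mandatory(user: dict, login_type: str) -> list:
    """Mandatory fields that are absent or blank for this login type."""
    return [f for f in MANDATORY_FIELDS[login_type] if not user.get(f)]


# Constructed sample: the page's example map extended with email and role,
# and an assertion that carries no customer id (custId stays unmapped).
SAMPLE_MAP = ("firstName=givenName|lastName=sn|loginName=uid|city=city"
              "|email=mail|role=eduPersonAffiliation")
SAMPLE_ASSERTION = {"uid": "jdoe", "givenName": "Jane", "sn": "Doe",
                    "mail": "jdoe@example.com", "eduPersonAffiliation": "staff"}
```

Running `missing_mandatory(map_assertion(parse_attribute_map(SAMPLE_MAP), SAMPLE_ASSERTION), "jit_global")` returns `['custId']`, which is exactly the error case the table describes for a JIT-enabled global login whose map omits the customer id.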