BBeaird

Federated SAML SSO with Sandboxes and Production

We have had Federated SSO set up for a while now in our production org. I would like to set it up in at least one of our sandboxes as well. Is there any way to do this without having our IDP admins maintain separate endpoints for each sandbox? We are using My Domain, so it seems like the SAML Assertion would need to be pretty specific to each one and, as far as I can tell, does not have a way to dynamically forward users to the desired sandbox. It would be even better if production and sandbox orgs could point to the same SSO URL, but it seems like that is even less likely.

 

Any thoughts on this? Is anyone else using SSO across multiple environments?

Best Answer chosen by Admin (Salesforce Developers) 
Jia Hu
I use one sandbox as the IdP, and the other 2 sandboxes as SPs.
In the IdP's Identity Provider settings, make 2 Service Provider settings, one for each sandbox SP.
Then I can use the one sandbox IdP for SAML login to the two other SPs.

All Answers

duggla

If you are trying to do SP-initiated SSO, in which the user starts off with a link to particular MyDomain Org that they are trying to reach, causing Salesforce to send a SAML AuthnRequest to the IdP, you can probably just use a single endpoint, as long as you are able to set up the FederationID at the Salesforce end to be identical across all Orgs. If you cannot do that, then you will have to set up a different Federation configuration for each Org. 

If you can do that, then the IdP should be able to validate the user's credentials as long as they are the same for each Org.

The IdP will then return the results to the ACS endpoint which Salesforce is using for that Org, and the combination of the SAMLResponse and the RelayState value should take the user back to the correct Org. 

Once again, if there has to be a different ACS endpoint at Salesforce for each Org, you will probably have to set up multiple Federations. The alternative would be to have Salesforce send the specific ACS URL for that transaction as part of the AuthnRequest, and I do not know if that is configurable.

 

If you are trying to do IdP-initiated SSO, in which the user starts off with a link to the IdP, you may also be able to handle multiple Orgs with one Federation as long as the three requirements above can be met at the Salesforce end (single Federation ID, single Salesforce user name across all Orgs, and single ACS URL).

The link the user starts with will then contain the destination Org URL as the TargetResource parameter (if you are using PingFederate), which gets populated into the RelayState of the SAMLResponse message. If the ACS URL also has to be different for the different Orgs, then you can also specify that using a query string parameter (ACSIdx if you are using PingFederate) in the starting link.

Note that this is all speculation, as I have not tried this specific configuration with Salesforce. 
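The answer above leaves open how an IdP would tell one Salesforce org's AuthnRequest from another's and get the Response back to the right ACS URL. The following is an added example, not code from the thread, PingFederate or Salesforce: it decodes a SAML AuthnRequest as sent over the HTTP-Redirect binding (base64 of raw DEFLATE), reads the Issuer (the SP entity ID, which with My Domain is per org) and the AssertionConsumerServiceURL, and resolves both against the IdP's table of registered SPs. The point a practitioner should take from it is the check, not the routing: the IdP must only POST an assertion to an ACS URL it already has on file for that issuer, never to whatever URL the request carries, otherwise anyone who can get a victim to click a crafted link can have a valid signed assertion delivered to a host they control. The hostnames, org IDs, ACS URL shapes and the `REGISTERED_SPS` registry are constructed for illustration and are not real Salesforce values.

```python
"""Added example: IdP-side handling of per-org Salesforce AuthnRequests.

Not code from the forum thread or from any vendor. All URLs, IDs and the
registry below are constructed sample data.
"""
import base64
import zlib
import xml.etree.ElementTree as ET
from typing import Optional

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"

# Constructed IdP endpoint; Salesforce puts it in AuthnRequest/@Destination.
IDP_SSO_URL = "https://idp.example.com/sso/saml"

# Constructed registry: one SP connection per org. With My Domain the entity
# ID and ACS URL differ per org, so each needs its own entry; the login host
# differs between production (login.salesforce.com) and sandboxes
# (test.salesforce.com) as noted later in the thread.
REGISTERED_SPS = {
    "https://acme.my.salesforce.com": {
        "acs": "https://acme.my.salesforce.com/acs?so=00D000000000001",
        "login": "https://login.salesforce.com",
    },
    "https://acme--dev.my.salesforce.com": {
        "acs": "https://acme--dev.my.salesforce.com/acs?so=00D000000000002",
        "login": "https://test.salesforce.com",
    },
}


def encode_redirect_request(xml_text: str) -> str:
    """HTTP-Redirect binding: raw DEFLATE (no zlib header), then base64."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)
    data = comp.compress(xml_text.encode("utf-8")) + comp.flush()
    return base64.b64encode(data).decode("ascii")


def decode_redirect_request(saml_request: str) -> ET.Element:
    """Reverse of encode_redirect_request; returns the parsed root element."""
    raw = base64.b64decode(saml_request)
    return ET.fromstring(zlib.decompress(raw, -15))


def build_sample_request(issuer: str, acs: str, idp_sso_url: str, req_id: str) -> str:
    """Constructs a minimal AuthnRequest like an SP would send (sample data)."""
    xml_text = (
        f'<samlp:AuthnRequest xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" '
        f'ID="{req_id}" Version="2.0" IssueInstant="2013-01-01T00:00:00Z" '
        f'Destination="{idp_sso_url}" AssertionConsumerServiceURL="{acs}" '
        f'ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST">'
        f"<saml:Issuer>{issuer}</saml:Issuer></samlp:AuthnRequest>"
    )
    return encode_redirect_request(xml_text)


def parse_authn_request(saml_request: str) -> dict:
    """Extracts the fields the IdP needs to route and answer the request."""
    root = decode_redirect_request(saml_request)
    if root.tag != f"{{{SAMLP}}}AuthnRequest":
        raise ValueError("SAMLRequest is not an AuthnRequest")
    issuer_el = root.find(f"{{{SAML}}}Issuer")
    issuer = issuer_el.text.strip() if issuer_el is not None and issuer_el.text else None
    return {
        "id": root.get("ID"),
        "issuer": issuer,
        "acs_url": root.get("AssertionConsumerServiceURL"),
        "destination": root.get("Destination"),
    }


def route_authn_request(saml_request: str, relay_state: Optional[str], idp_sso_url: str) -> dict:
    """Decides where the Response goes; rejects anything not pre-registered."""
    req = parse_authn_request(saml_request)
    sp = REGISTERED_SPS.get(req["issuer"])
    if sp is None:
        raise PermissionError(f"unregistered SP issuer {req['issuer']!r}")
    if req["destination"] and req["destination"] != idp_sso_url:
        raise PermissionError("Destination does not name this IdP endpoint")
    # The ACS URL in the request is a hint only; it must equal the registered one.
    if req["acs_url"] and req["acs_url"] != sp["acs"]:
        raise PermissionError("AssertionConsumerServiceURL is not registered for this SP")
    return {
        "audience": req["issuer"],    # goes into saml:AudienceRestriction
        "in_response_to": req["id"],  # goes into samlp:Response/@InResponseTo
        "post_to": sp["acs"],         # registered ACS, not the request's value
        "relay_state": relay_state,   # echoed back untouched for the SP to use
    }


def demo():
    """Routes one honest request and shows a tampered ACS URL being refused."""
    dev = "https://acme--dev.my.salesforce.com"
    good = build_sample_request(dev, REGISTERED_SPS[dev]["acs"], IDP_SSO_URL, "_req1")
    routed = route_authn_request(good, dev + "/home", IDP_SSO_URL)
    bad = build_sample_request(dev, "https://attacker.example/acs", IDP_SSO_URL, "_req2")
    try:
        route_authn_request(bad, None, IDP_SSO_URL)
        rejected = False
    except PermissionError:
        rejected = True
    return routed, rejected


if __name__ == "__main__":
    print(demo())
```

Run it directly and the tuple printed shows the dev sandbox request routed to its registered ACS with `InResponseTo` set to the request ID, and `True` for the tampered request having been refused. Mapping to the thread: the `REGISTERED_SPS` table is what grows by one row per sandbox when each org has its own entity ID and ACS URL; collapsing it to one row is only possible if the Salesforce side can present one entity ID and one ACS URL for all orgs, which is the open question in the posts that follow.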

BBeaird

Thanks for the suggestions! It should be possible for us to have matching FederationIDs across our orgs. We do use a different ACS URL for Production, but it seems like our sandboxes should be able to share one connection. We would be doing SP-initiated SSO. We seem to have 2 issues keeping us from sharing the connection:

 

1.) The "Salesforce.com Login URL" value in the Single Sign-On settings varies across sandboxes (the saml query string is different). I'm not totally sure that matters, but I have noticed that it only adds that "saml=..." parameter when I specify that we use the Federation ID field to map users.

 

2.) The Entity Id varies across sandboxes. This is because I have it set to use the My Domain value instead of just saml.salesforce.com. Maybe I should try changing this back?

 

The bigger thing I don't quite understand is how exactly to get redirected back to the correct sandbox. As of now, something keeps redirecting me back to the original sandbox I set up SSO for.

BBeaird

I did some more testing with this today, and I'm not sure if it's really possible. When using FederationId as the UserID type, the Salesforce.com Login URL tags on a saml parameter that is unique to every org. This URL is put in as the ACS URL (or SSOStartURL) in ping. Since this is a static value on the federated configuration side, I'm not sure how this could work for multiple sandboxes.

 

Even if it could work for sandboxes, I don't think it's possible to use the same connection for both sandbox and production seeing as how one directs back to salesforce.com and the other to test.salesforce.com.

BBeaird

Jia Hu, you are a lifesaver! I didn't even think about having one do the SAML and the others just feed off of that one as SPs. Genius. Thanks so much for taking the time to post this!

J Lau
Hey Jia. Does this mean the same would work if the IdP is outside (Active Directory or Okta) and all sandboxes are SPs? And if a sandbox is refreshed, just configure the Federation ID?
Jessica Jones 35
Hi. I'm running into this same situation trying to set up SSO for a Sandbox to test out a different SSO/SAML vendor. I did not want to touch my existing environment, so I created a new sandbox to do it, but all of the documentation I have doesn't seem to list how to connect to a sandbox. It always assumes entity ID: https://saml.salesforce.com.