IdP Example: Salesforce

If Salesforce is your users’ primary login location, it is possible to use a Salesforce org as an identity provider (IdP) for Skuid Platform.

Setting up this SSO scheme requires:

  • Enabling the Salesforce org as an identity provider
  • Creating an SSO config in Skuid using the Salesforce org’s identity provider metadata
  • Creating a connected app within Salesforce based off the Skuid SSO config
  • Creating and assigning a permission set for the connected app
  • Adjusting identifier values for proper authentication

Because this process involves some back and forth between the two platforms, having two browser windows with both open side-by-side is recommended.

Enable Salesforce as an Identity Provider

In Salesforce

First, you must enable Salesforce as an identity provider.

  1. Type Identity Provider in the Salesforce Quick Find box.

  2. Click the Identity Provider option.

  3. Click Enable Identity Provider.

  4. If prompted, select a certificate and click Save.

    Note

    You will need to choose a certificate to enable Salesforce as an identity provider. You may choose any existing certificate, or create a new one if needed. This will not affect future steps.

  5. After being redirected to the Identity Provider page, click Download Metadata.

This will download the necessary SAML metadata file to be used within Skuid. It will likely have a name similar to SAMLIdP-00A12000000BBCd.

Create the SSO Configuration

In Skuid

  1. Navigate to Configure > Site > Single Sign On.
  2. If you have not already done so, check SAML Enabled.
  3. Click New Single Sign On Config.
  4. Click Import from Identity Provider Metadata File.
  5. Click Upload metadata file…
  6. Select the downloaded metadata file to upload it to Skuid.

After selecting the file, Skuid will create an SSO config for the Salesforce org based on the provided metadata.

Optionally, you may rename SSO config to reflect which org the config represents, for example SalesforcePrimaryOrg. If you have more than one SSO config, then this is the name that will be displayed when users click Login with SAML.

To create the Salesforce connected app in the next section, you’ll need two values from this newly created SSO config:

  • Audience URI / Service Provider Entity ID / Metadata URL
  • Assertion Consumer Service (ACS) URL

To retrieve these URLs, click IDP Configuration Details.

Create the Salesforce Connected App

In Salesforce

  1. Create a new connected app.
  2. Fill out the fields as follows:
    • Basic Information
      • Connected App Name: Enter a name that represents your SSO connection, like SkuidPlatformSAML.
      • API Name: This will be populated automatically based on the connected app’s name.
      • Contact Email: Enter the email of the user who will be in charge of maintaining this SAML connection.
    • API (Enable OAuth Settings)
      • Enable OAuth Settings: Checked
      • Callback URL: The callback URL for the Skuid site you’ll be connecting to, e.g. https://example.skuidsite.com/auth/oauth/callback.
      • Selected OAuth Scopes:
        • Access and manage your data (api)
        • Access your basic information (id, profile, email, address, phone)
        • Perform requests on your behalf at any time (refresh_token, offline_access)
    • Web App Settings
      • Enable SAML: Checked
      • Entity Id: The SSO config’s Audience URI / Service Provider Entity ID / Metadata URL
      • ACS URL: The SSO config’s Assertion Consumer Service (ACS) URL
  3. Click Save.
  4. Click Continue.

Create and Assign the Permission Set

Now that the connected app is created, Salesforce users must be granted access to it—and one additional Apex class—through a custom permission set.

  1. Create a new permission set.
  2. Fill out the permission set’s basic information:
    • Label: Give it a name like SkuidPlatformSAML.
    • API Name: This will be populated automatically based on the label.
    • License: Choose the appropriate license based on your SAML needs. Selecting None allows this permission set to work for the most users.
  3. Click Save.

While on the permission set’s detail page, assign the connected app for this SSO connection to the permission set:

  1. Click Assigned Connected Apps.
  2. Click Edit.
  3. Add the app you created in previous step.
  4. Click Save.

Next, give this permission set access to a specific Apex class used by Skuid.

  1. Return to the Permission Set Overview, and click Apex Class Access.
  2. Click Edit.
  3. Add skuid.RestServices_Model.
    • This will likely be near the bottom of the Available Apex Classes list.
  4. Click Save.

Finally, assign this newly created permission set to any users that will be logging in through SAML.

  1. Click Manage Assignments.
  2. Click Add Assignments.
  3. Check any users that will be using Salesforce as an IdP.
  4. Click Assign.

Adjust Identifier Values

Salesforce sends the Salesforce username as its SAML Subject statement, along with several other user attributes. By default, Skuid will attempt to match the Salesforce username value—since it is the Subject statement—to a user’s Federation Id.

If these values do not match for your users, you must manually update users’ Federation Ids within the Configure > Users screen, or encourage your users to do so individually through the My Settings screen.

One alternative is to match the Salesforce user’s email against the Skuid user’s email.

In Skuid

  1. Navigate to Configure > Site > Single Sign On.
  2. Click Edit SSO Config beside the appropriate SSO config.
  3. Update the following values:
    • SAML Identity is in: An Attribute element.
    • Attribute Name: email.
    • SAML Identity contains Skuid User’s: Email Address.
  4. Click Save.

Skuid will now attempt to match the Salesforce user’s email to a Skuid user record’s email address.
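As an added illustration of the matching described above and of the User not found error in Troubleshooting (this is not Skuid’s own code; the assertion, the user records and their field names are constructed), the snippet pulls the identifier Skuid would compare out of a SAML assertion and shows why the default Subject-to-Federation Id match fails when the Salesforce username and the Federation Id differ, while matching the email attribute succeeds:

```python
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed assertion fragment (not a real Salesforce capture): Salesforce
# places the username in the Subject NameID and sends email as an attribute.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Subject><saml:NameID>jdoe@example.com.sandbox</saml:NameID></saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="email">
      <saml:AttributeValue>jane.doe@example.com</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

# Constructed Skuid user record; the keys are hypothetical stand-ins for the
# columns shown on the Configure > Users screen.
SKUID_USERS = [
    {"username": "jdoe", "email": "jane.doe@example.com", "federation_id": "jdoe"},
]

# The two settings from the Edit SSO Config screen, as the page describes them.
DEFAULT_CONFIG = {"identity_in": "subject", "matches": "federation_id"}
EMAIL_CONFIG = {"identity_in": "attribute", "attribute_name": "email", "matches": "email"}


def extract_identity(assertion_xml, identity_in, attribute_name=None):
    """Return the identifier Skuid would compare, per 'SAML Identity is in'."""
    root = ET.fromstring(assertion_xml)
    if identity_in == "subject":
        node = root.find("saml:Subject/saml:NameID", SAML_NS)
    else:
        node = None
        for attr in root.findall("saml:AttributeStatement/saml:Attribute", SAML_NS):
            if attr.get("Name") == attribute_name:
                node = attr.find("saml:AttributeValue", SAML_NS)
                break
    return node.text.strip() if node is not None and node.text else None


def resolve_user(assertion_xml, sso_config, users):
    """Match the identifier against the configured field; None means 'User not found'."""
    ident = extract_identity(assertion_xml, sso_config["identity_in"],
                             sso_config.get("attribute_name"))
    if ident is None:
        return None
    field = sso_config["matches"]
    return next((u for u in users if u.get(field) == ident), None)
```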

Additional Configuration Options

Access Salesforce as a data source

Configuring Salesforce as an IdP for Skuid Platform does not automatically allow Salesforce to be used as a data source within that Skuid Platform site.

Some additional steps are necessary to use Salesforce data within a Skuid page, but the connected app configured above allows for a quicker setup.

In Skuid

Create an authentication provider

  1. Navigate to Configure > Data Sources > Authentication Providers.
  2. Click Create New Authentication Provider.
  3. Enter the following settings:
    • Name: A human-readable name, like SkuidPlatformSAML.
    • Authentication: OAuth 2.0/Open ID.
    • Provider Type: Salesforce.
    • Grant Type: SAML 2.0 Bearer Assertion.
    • Token Endpoint URL: Set <My Domain> to match your org’s My Domain.
    • Client Id: The consumer key from the Salesforce connected app.
    • Client Secret: The consumer secret from the Salesforce connected app.
  4. Click Save.

Create data source

  1. Navigate to Configure > Data Sources > Data Sources.
  2. Click Create New Data Source.
  3. Fill out the basic information:
    • Data Source Type: Salesforce.
    • Name: A name representative of the data source, like SalesforceSAMLOrg.
  4. Click Next Step.
  5. Fill out your My Domain.
  6. Click Next Step.
  7. Select the authentication provider you just created.
  8. Click Save new Data Source.

You may now use this data source to access Salesforce data within a Skuid page.

Use a Request Signing Certificate

Request signing certificates offer an extra layer of security: Salesforce accepts only SAML requests signed with the certificate it has been given for the Skuid Platform site that is attempting to authenticate, so a request from any other source is rejected.

While this process is optional, it is recommended.

In Skuid

  1. Navigate to Site > Certificates.
  2. Click Create Self-Signed Certificate.
  3. Complete the required fields:
    • Certificate Name: Give an informative name, like SalesforceSAMLCert.
    • Key Size: Select either option.
  4. Click View Certificate Details.
  5. Click Download Certificate.

Next, update the Salesforce connected app so that it verifies request signatures with this self-signed certificate:

In Salesforce

  1. Return to the Apps page and click Edit beside the connected app from above.
  2. Update the following settings:
    • Web App Settings
      • Verify Request Signatures: Checked.
      • Upload a certificate: Upload the self-signed certificate you just downloaded from Skuid.
  3. Click Save.

User provisioning

User provisioning through a standard Salesforce connected app is currently not possible, as the necessary attributes for provisioning are not included in the SAML assertion.

Troubleshooting

Salesforce Error: Invalid HTTP method

There may be an issue with the Identity Provider Login URL on the Skuid SSO config.

  1. Navigate to Configure > Site > Single Sign On.
  2. Click Edit SSO Config beside the appropriate SSO config.
  3. Ensure the Identity Provider Login URL ends with HttpRedirect and not HttpPost.

Salesforce Error: Unable to resolve request into a Service Provider

The Entity Id value of the Salesforce connected app may not match the Skuid Platform site. Ensure these two values match exactly:

  • The Web App Settings > Entity Id field on the Salesforce connected App
  • The Audience URI / Service Provider Entity ID / Metadata URL of the SSO config in Skuid Platform, available in IDP Configuration Details.

SAML Login error: User not found

Salesforce is sending an identifier—by default, the user’s username—to Skuid that doesn’t match any existing Skuid user records, and user provisioning is not enabled.

The identifier sent by Salesforce must match the value chosen within the SSO config’s SAML Identity contains Skuid User’s setting. This is the Federation Id field by default.

For more information, see the Adjust Identifier Values section.

Seeing the Skuid login screen after clicking Login with SAML

  • The ACS URL may not be configured correctly. Ensure these two values match exactly:
    • The Web App Settings > ACS URL field on the Salesforce connected App
    • The Assertion Consumer Service (ACS) URL of the SSO config in Skuid Platform, available in IDP Configuration Details.
  • There could be an issue with the request signing certificates used by Salesforce and Skuid. Repeat the steps in the Use a Request Signing Certificate section.
  • The identity provider certificate within Salesforce could be expired.
    • Create a new self-signed certificate within Salesforce.
    • Select that certificate within Salesforce’s Identity Provider page.
    • Click Download Metadata and recreate the SSO config following the instructions above.
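The three configuration mismatches above (HttpPost instead of HttpRedirect in the login URL, an Entity Id that differs from the connected app, an ACS URL that differs) can be checked before the first login attempt. The following script is an added example, not Skuid’s or Salesforce’s code; the IdP metadata, the org domain and the Skuid URLs are constructed placeholders copied the way an admin would copy them from the two screens:

```python
import xml.etree.ElementTree as ET

MD_NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata"}
HTTP_REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed stand-in for the SAMLIdP-... metadata file downloaded from
# Salesforce; the domain and endpoint paths are illustrative, not a real org.
IDP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://acme.my.salesforce.com">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://acme.my.salesforce.com/idp/endpoint/HttpPost"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://acme.my.salesforce.com/idp/endpoint/HttpRedirect"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

# Constructed values as copied from the two admin screens; the Skuid URLs are
# placeholders, not the real Skuid endpoint paths.
SKUID_SSO_CONFIG = {
    "identity_provider_login_url": "https://acme.my.salesforce.com/idp/endpoint/HttpPost",
    "entity_id": "https://example.skuidsite.com/saml/metadata",
    "acs_url": "https://example.skuidsite.com/saml/acs",
}
SF_CONNECTED_APP = {
    "entity_id": "https://example.skuidsite.com/saml/metadata/",  # stray trailing slash
    "acs_url": "https://example.skuidsite.com/saml/acs",
}


def sso_urls_by_binding(metadata_xml):
    """Map each SingleSignOnService binding in the IdP metadata to its URL."""
    root = ET.fromstring(metadata_xml)
    return {s.get("Binding"): s.get("Location")
            for s in root.findall("md:IDPSSODescriptor/md:SingleSignOnService", MD_NS)}


def check_pairing(skuid_cfg, sf_app, metadata_xml):
    """Return the troubleshooting entries whose cause is present in the config."""
    findings = []
    redirect_url = sso_urls_by_binding(metadata_xml).get(HTTP_REDIRECT)
    if skuid_cfg["identity_provider_login_url"] != redirect_url:
        findings.append("Invalid HTTP method: login URL must be the HttpRedirect endpoint")
    if skuid_cfg["entity_id"] != sf_app["entity_id"]:
        findings.append("Unable to resolve request into a Service Provider: Entity Id mismatch")
    if skuid_cfg["acs_url"] != sf_app["acs_url"]:
        findings.append("Login screen shown after Login with SAML: ACS URL mismatch")
    return findings
```

Comparison is exact on purpose: the stray trailing slash in the constructed connected app value is enough to trigger the Entity Id error.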

Seeing an Internal Server Error after clicking Login with SAML

  • Verify that the necessary permission set is both created and assigned to all necessary users.
  • Ensure that the identifier value matches the value of the Skuid Platform user record field.
  • The connected app’s IP restrictions could be causing issues. Consider relaxing its IP restriction policies in Salesforce.
    1. Navigate to the Connected Apps page and click Manage.
    2. Edit Policies.
    3. Permitted Users: Admin approved users are pre-authorized.
    4. IP Relaxation: Relax IP restrictions.
    5. Click Save.