IdP Example: Salesforce

If Salesforce is your end users’ primary login location, it is possible to use a Salesforce org as an identity provider (IdP) for Skuid NLX.

Setting up this SSO scheme requires:

  1. Enabling the Salesforce org as an identity provider
  2. Creating an identity provider connection in Skuid using the Salesforce org’s identity provider metadata
  3. Creating a connected app within Salesforce based off the Skuid IdP connection
  4. Creating and assigning a permission set for the connected app
  5. Adjusting identifier values for proper authentication

Because this process involves some back and forth between the two platforms, having two browser windows with both open side-by-side is recommended.

Enable Salesforce as an Identity Provider

In Salesforce

First, you must enable Salesforce as an identity provider.

  1. Type Identity Provider in the Salesforce Quick Find box.

  2. Click the Identity Provider option.

  3. Click Enable Identity Provider.

  4. If prompted, select a certificate and click Save.

    Note

    You will need to choose a certificate to enable Salesforce as an identity provider. You may choose any existing certificate, or create a new one if needed. This will not affect future steps.

  5. After being redirected to the Identity Provider page, click Download Metadata.

This will download the necessary SAML metadata file to be used within Skuid. It will likely have a name similar to SAMLIdP-00A12000000BBCd.

Create the identity provider connection

In your Skuid NLX site:

  1. Navigate to Settings > Single Sign-on.
  2. Click Create identity provider or, if some IdP connections already exist, click Create in the Identity Providers section.
  3. Give the IdP connection a name, like Salesforce.
  4. Confirm the name by clicking Create.

With the IdP connection created, update its identity provider details by importing the downloaded metadata file.

  1. In the Identity provider details section, click Add details.
  2. Select Upload metadata file.
  3. Click Select file and select the downloaded metadata file, or drag and drop the file onto the Select file button.

To create the Salesforce connected app in the next section, you’ll need two values from this newly created IdP connection:

  • Entity Id
  • Assertion Consumer Service (ACS) URL

Copy these values within the detail screen, or refer back to this screen when needed during the connected app setup.

Create the Salesforce Connected App

In Salesforce

  1. Create a new connected app.
  2. Fill out the fields as follows:
    • Basic Information
      • Connected App Name: Enter a name that represents your SSO connection, like SkuidNLXSAML.
      • API Name: This will be populated automatically based on the connected app’s name.
      • Contact Email: Enter the email of the user who will be in charge of maintaining this SAML connection.
    • API (Enable OAuth Settings)
      • Enable OAuth Settings: Checked
      • Callback URL: The callback URL for the Skuid site you’ll be connecting to, e.g. https://example.skuidsite.com/auth/oauth/callback.
      • Selected OAuth Scopes:
        • Manage user data via APIS (api)
        • Access the identity URL service (id, profile, email, address, phone)
        • Perform requests at any time (refresh_token, offline_access)
    • Web App Settings
      • Enable SAML: Checked
      • Entity Id: The IdP connection’s entity Id
      • ACS URL: The IdP connection’s ACS URL
  3. Click Save.
  4. Click Continue.

Create and Assign the Permission Set

Now that the connected app is created, Salesforce users must be granted access to it—and one additional Apex class—through a custom permission set.

  1. Create a new permission set.
  2. Fill out the permission set’s basic information:
    • Label: Give it a name like SkuidNLXSAML.
    • API Name: This will be populated automatically based on the label.
    • License: Choose the appropriate license based on your SAML needs. Selecting None allows this permission set to work for the most users.
  3. Click Save.

While on the permission set’s detail page, assign the connected app for this SSO connection to the permission set:

  1. Click Assigned Connected Apps.
  2. Click Edit.
  3. Add the app you created in previous step.
  4. Click Save.

Next, give this permission set access to a specific Apex class used by Skuid.

  1. Return to the Permission Set Overview, and click Apex Class Access.
  2. Click Edit.
  3. Add skuid.RestServices_Model.
    • This will likely be near the bottom of the Available Apex Classes list.
  4. Click Save.

Finally, assign this newly created permission set to any users that will be logging in through SAML.

  1. Click Manage Assignments.
  2. Click Add Assignments.
  3. Check any users that will be using Salesforce as an IdP.
  4. Click Assign.

Identity mapping

By default, Skuid will attempt to match the Salesforce username value—since it is the Subject statement—to a user’s Federation Id.

If these values do not match for your end users, you can update the federation IDs to match. To do so, navigate to the Settings > Users screen or encourage your users to do so individually through the My Settings screen.

Alternatively, you can set

One alternative is to match the Salesforce user’s email against the Skuid user’s email.

Add identity mapping

Once SAML metadata is loaded, you must create an identity mapping so Skuid can identify users based on the information sent by Salesforce. Salesforce sends the Salesforce username as its SAML Subject statement, along with several other user attributes, which can be used for identity mapping. For more information, see the Salesforce documentation on example SAML assertions.

This example assumes the Salesforce user’s email maps to the user’s email in the Skuid NLX site.

In your Skuid NLX site:

  1. In the Identity mapping section, click Add mapping.

  2. Configure the mapping:

    [ SAML attribute ] [ email ] matches Skuid user [ Email ]

  3. Indicate whether or not the match is Case-sensitive.

  4. Click Save.
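As an added illustration (not Skuid's or Salesforce's code), the following Python models the two mapping choices described above: the default match of the SAML Subject against the Federation Id, and the email attribute match with its Case-sensitive option. The assertion text, attribute names and Skuid user records are constructed placeholders.

```python
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed assertion fragment in the shape Salesforce sends: the Subject
# carries the Salesforce username, other user fields travel as attributes.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">jdoe@example.com.sandbox</saml:NameID>
  </saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="userId"><saml:AttributeValue>005PLACEHOLDER</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="username"><saml:AttributeValue>jdoe@example.com.sandbox</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="email"><saml:AttributeValue>Jane.Doe@example.com</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

# Constructed Skuid NLX user records (field names are hypothetical).
SKUID_USERS = [
    {"username": "jane", "email": "jane.doe@example.com", "federation_id": "jdoe"},
    {"username": "bob", "email": "bob@example.com", "federation_id": "bob@example.com.sandbox"},
]

def extract_identity(assertion_xml):
    """Return the Subject NameID and a dict of attribute name -> first value."""
    root = ET.fromstring(assertion_xml)
    subject = root.findtext("saml:Subject/saml:NameID", namespaces=SAML_NS)
    attrs = {
        a.get("Name"): a.findtext("saml:AttributeValue", namespaces=SAML_NS)
        for a in root.findall("saml:AttributeStatement/saml:Attribute", SAML_NS)
    }
    return subject, attrs

def match_user(assertion_xml, users, source="subject", attribute=None,
               skuid_field="federation_id", case_sensitive=True):
    """Apply one identity mapping; returning None models the 'User not found' error."""
    subject, attrs = extract_identity(assertion_xml)
    identifier = subject if source == "subject" else attrs.get(attribute)
    if identifier is None:
        return None
    norm = (lambda s: s) if case_sensitive else str.casefold
    for user in users:
        if norm(user[skuid_field]) == norm(identifier):
            return user
    return None
```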

Make the IdP available as a login option

With all setup options complete, enable the Available as login option toggle and then click Save to display the newly created IdP connection as a login option to your users.

Additional Configuration Options

Access Salesforce as a data source

Configuring Salesforce as an IdP for Skuid NLX does not automatically allow for the use of Salesforce as a data source within that Skuid NLX site.

Some additional steps are necessary to use Salesforce data within a Skuid page, but the connected app configured above allows for a quicker setup.

In Skuid

Create an authentication provider

  1. Navigate to Data Sources > Authentication Providers.
  2. Click Create.
  3. Enter the following settings:
    • Name: A human-readable name, like SkuidNLXSAML.
    • Authentication: OAuth 2.0/Open ID.
    • Provider Type: Salesforce.
    • Grant Type: SAML 2.0 Bearer Assertion.
    • Token Endpoint URL: Set <My Domain> to match your org’s My Domain.
    • Client Id: The consumer key from the Salesforce connected app.
    • Client Secret: The consumer secret from the Salesforce connected app.
  4. Click Save.

Create data source

To set the authentication provider, you’ll need to create the data source and then update it.

  1. Navigate to Data Sources.
  2. Click Create.
  3. Fill out the initial information:
    • Data Source Type: Salesforce.
    • Name: A name representative of the data source, like SalesforceSAMLOrg.
  4. Fill out the My Domain field.
  5. Enter placeholder values for Client Id and Client secret.
  6. Click Create.
  7. In the newly created data source detail screen, click the Authentication tab.
  8. Select the authentication provider you just created.
  9. Click Save.

You may now use this data source to access Salesforce data within a Skuid page.

Use a Request Signing Certificate

Request signing certificates offer an extra layer of security, ensuring that every request must match a certificate only available to the Salesforce org and the Skuid NLX site it is attempting to authenticate to.

While this process is optional, it is recommended.

In Skuid

  1. Navigate to Settings > Certificates.
  2. Click Create.
  3. Fill out the certificate details:
    • Certificate Name: Enter an easily recognizable name.
    • Key Size: Set to either 2048 or 4096 bits. A larger key is more secure, but takes longer to process.
    • Type: Self Signed
  4. Click Create.
  5. Click the newly created certificate.
  6. Click Download certificate.

Next, update the identity provider connection to use this self-signed certificate:

  1. Navigate to Settings > Single Sign-on.
  2. Click the IdP connection to update its details.
  3. Click the Certificates tab.
  4. Select the newly created certificate in the Request Signing Certificate dropdown.
  5. Click Save.

In Salesforce

  1. Return to the Apps page and click Edit beside the connected app from above.
  2. Update the following settings:
    • Web App Settings
      • Verify Request Signatures: Checked.
      • Upload a certificate: Upload the self-signed certificate you just downloaded from Skuid.
  3. Click Save.

User provisioning

User provisioning through a standard Salesforce connected app is currently not possible, as the necessary attributes for provisioning are not included in the SAML assertion.

Troubleshooting

Salesforce Error: Invalid HTTP method

There may be an issue with the Identity Provider Login URL on the Skuid IdP connection.

  1. Navigate to Settings > Single Sign-on.
  2. Click the identity provider connection (or click More Options > Configure).
  3. Ensure the Identity Provider Login URL ends with HttpRedirect and not HttpPost.

Salesforce Error: Unable to resolve request into a Service Provider

The Entity Id value of the Salesforce connected app may not match the Skuid NLX site. Ensure these two values match exactly:

  • The Web App Settings > Entity Id field on the Salesforce connected App
  • The Audience URI / Service Provider Entity ID / Metadata URL of the identity provider connection in Skuid NLX.

SAML Login error: User not found

Salesforce is sending an identifier—by default, the user’s username—to Skuid that doesn’t match any existing Skuid user records, and user provisioning is not enabled.

The identifier sent by Salesforce must match the value chosen within the IdP connection’s SAML Identity contains Skuid User’s setting. This is the Federation Id field by default.

For more information, see the Adjust Identifier Values section.

Seeing the Skuid login screen after clicking Login with SAML

  • The ACS URL may not be configured correctly. Ensure these two values match exactly:
    • The Web App Settings > ACS URL field on the Salesforce connected App
    • The Assertion Consumer Service (ACS) URL of the identity provider connection in Skuid NLX.
  • There could be an issue with the request signing certificates used by Salesforce and Skuid. Repeat the steps in the Use a Request Signing Certificate section.
  • The identity provider certificate within Salesforce could be expired.
    • Create a new self-signed certificate within Salesforce.
    • Select that certificate within Salesforce’s Identity Provider page.
    • Click Download Metadata and recreate the identity provider connection following the instructions above.
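The checks behind the troubleshooting entries above (HttpRedirect login URL, matching Entity Ids, matching ACS URLs, a signing certificate present in the metadata) can be scripted against the downloaded Salesforce metadata. The following Python is an added example, not Skuid's or Salesforce's code; the metadata text, domain, paths and certificate are constructed placeholders, and the settings dict passed to the check is hypothetical.

```python
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"

# Constructed metadata in the shape of the Salesforce download; the domain,
# endpoint paths and certificate text are placeholders, not real values.
SAMPLE_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://example.my.salesforce.com">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>MIIB...placeholder...</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://example.my.salesforce.com/idp/endpoint/HttpPost"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://example.my.salesforce.com/idp/endpoint/HttpRedirect"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

def parse_idp_metadata(xml_text):
    """Pull out what the Skuid IdP connection needs from the Salesforce metadata."""
    root = ET.fromstring(xml_text)
    idp = root.find("md:IDPSSODescriptor", NS)
    return {
        "entity_id": root.get("entityID"),
        "sso": {s.get("Binding"): s.get("Location")
                for s in idp.findall("md:SingleSignOnService", NS)},
        "signing_certs": len(idp.findall(
            "md:KeyDescriptor[@use='signing']/ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)),
    }

def check_idp_connection(metadata, connection):
    """Return findings for a hypothetical settings dict holding the Skuid login URL
    and the Entity Id / ACS URL values as configured on each side."""
    findings = []
    if connection["login_url"] != metadata["sso"].get(REDIRECT):
        findings.append("login URL is not the HttpRedirect endpoint (Invalid HTTP method)")
    if connection["sf_entity_id"] != connection["skuid_entity_id"]:
        findings.append("Entity Id mismatch (Unable to resolve request into a Service Provider)")
    if connection["sf_acs_url"] != connection["skuid_acs_url"]:
        findings.append("ACS URL mismatch (Skuid login screen shown instead of SSO)")
    if metadata["signing_certs"] == 0:
        findings.append("metadata carries no signing certificate; re-download it after selecting one")
    return findings
```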

Seeing an Internal Server Error after clicking Login with SAML

  • Verify that the necessary permission set is both created and assigned to all necessary end users.
  • Ensure that the identifier value matches the value of the Skuid NLX user record field.
  • The connected app’s IP restrictions could be causing issues. Consider relaxing its IP restriction policies in Salesforce.
    1. Navigate to the Connected Apps page and click Manage.
    2. Edit Policies.
    3. Permitted Users: Admin approved users are pre-authorized.
    4. IP Relaxation: Relax IP restrictions.
    5. Click Save.