I am helping a client that needs to connect their partner portal, a Salesforce Partner Community. They need to setup an SSO for their partners from the partner portal into another web application using SAML. We are familiar with enabling Salesforce as an IdP for internal users, but not for partners. Can someone tell us how to setup and configure a Salesforce Partner Community as a SAML IdP?
[SalesForce] How Do You Enable SAML IdP in a Partner Community
Related Solutions
If you look at that response carefully, you'll see that the JavaScript actually makes a request to https://xxx.my.salesforce.com/, not your server. You need to follow one step further to see the request to your server. Here's an abbreviated version of what I just saw.
First, the initial OAuth request to a My Domain URL:
$ curl -v 'https://superpat-developer-edition.my.salesforce.com/services/oauth2/authorize?response_type=code&redirect_uri=...&client_id=...'
* ...
< HTTP/1.1 302 Found
< Location: https://superpat-developer-edition.my.salesforce.com/setup/secur/RemoteAccessAuthorizationPage.apexp?source=...
Following the redirect:
$ curl -v https://superpat-developer-edition.my.salesforce.com/setup/secur/RemoteAccessAuthorizationPage.apexp?source=...
* ...
< HTTP/1.1 200 OK
< ...
<
<script>
var escapedHash = '';
var url = '/saml/authn-request.jsp?saml_request_id=...&saml_acs=...&saml_binding_type=HttpPost&Issuer=https%3A%2F%2Fsuperpat-developer-edition.my.salesforce.com&urlSource=1&RelayState=%2Fsetup%2Fsecur%2FRemoteAccessAuthorizationPage.apexp%3Fsource%3D...';
if (window.location.hash) {
escapedHash = '%23' + window.location.hash.slice(1);
}
if (window.location.replace){
window.location.replace(url + escapedHash);
} else {;
window.location.href = url + escapedHash;
}
</script>
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
...
</html>
Note - there is no server on that /saml/authn-request.jsp URL, so the request will go to https://superpat-developer-edition.my.salesforce.com/. Let's simulate it with curl and see what happens:
$ curl -v 'https://superpat-developer-edition.my.salesforce.com/saml/authn-request.jsp?saml_request_id=...&saml_acs=...&saml_binding_type=HttpPost&Issuer=https%3A%2F%2Fsuperpat-developer-edition.my.salesforce.com&urlSource=1&RelayState=%2Fsetup%2Fsecur%2FRemoteAccessAuthorizationPage.apexp%3Fsource%3D...'
* ...
< HTTP/1.1 200 OK
< ...
<
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en">
<body onload="document.forms[0].submit()">
<noscript>
<p>
<strong>Note:</strong> Since your browser does not support JavaScript,
you must press the Continue button once to proceed.
</p>
</noscript>
<form action="https://ADFS.example.com/adfs/ls/" method="post">
<div>
<input type="hidden" name="RelayState" value="/setup/secur/RemoteAccessAuthorizationPage.apexp?source=..."/>
<input type="hidden" name="SAMLRequest" value="..."/>
</div>
<noscript>
<div>
<input type="submit" value="Continue"/>
</div>
</noscript>
</form>
</body>
</html>
And there's the request that's posted to the SAML endpoint you configured (in my case, https://ADFS.example.com/adfs/ls/). So, follow the chain one more link and you should see what's really happening.
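The two hops in the transcript above, replayed offline as an added example (this is not code from the answer or from Salesforce): a constructed copy of the JavaScript redirect page and of the auto-submitting HTTP-POST binding form, with the SAMLRequest decoded to show which endpoint the browser is really about to hit. The Issuer and ADFS endpoint are taken from the transcript; the AssertionConsumerServiceURL, request ID and RelayState value are constructed placeholders.

```python
"""Follow a Salesforce SP-initiated SAML login chain offline (added example)."""
import base64
import re
import xml.etree.ElementTree as ET
from html.parser import HTMLParser
from urllib.parse import urljoin

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"

# Issuer and IdP endpoint come from the curl transcript; the ACS URL is a constructed placeholder.
SP_ISSUER = "https://superpat-developer-edition.my.salesforce.com"
IDP_ENDPOINT = "https://ADFS.example.com/adfs/ls/"
ACS_URL = "https://sp.example.invalid/constructed-acs"

# Constructed stand-in for the <script> that RemoteAccessAuthorizationPage.apexp returns.
SAMPLE_AUTHZ_PAGE = """<script>
var url = '/saml/authn-request.jsp?saml_request_id=CONSTRUCTED&saml_binding_type=HttpPost&Issuer=https%3A%2F%2Fsuperpat-developer-edition.my.salesforce.com';
window.location.replace(url);
</script>"""

# Constructed, unsigned AuthnRequest standing in for the one Salesforce generates.
SAMPLE_AUTHN_REQUEST = (
    '<samlp:AuthnRequest xmlns:samlp="%s" xmlns:saml="%s" ID="_constructed_1" '
    'Version="2.0" IssueInstant="2016-10-01T00:00:00Z" Destination="%s" '
    'AssertionConsumerServiceURL="%s" '
    'ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST">'
    "<saml:Issuer>%s</saml:Issuer></samlp:AuthnRequest>"
) % (SAMLP, SAML, IDP_ENDPOINT, ACS_URL, SP_ISSUER)


def build_post_form(idp_endpoint, authn_request_xml, relay_state):
    """Build the auto-submitting form of the HTTP-POST binding (constructed sample)."""
    encoded = base64.b64encode(authn_request_xml.encode()).decode()
    return (
        '<html><body onload="document.forms[0].submit()">'
        '<form action="%s" method="post"><div>'
        '<input type="hidden" name="RelayState" value="%s"/>'
        '<input type="hidden" name="SAMLRequest" value="%s"/>'
        "</div></form></body></html>"
    ) % (idp_endpoint, relay_state, encoded)


SAMPLE_FORM = build_post_form(
    IDP_ENDPOINT, SAMPLE_AUTHN_REQUEST,
    "/setup/secur/RemoteAccessAuthorizationPage.apexp?source=CONSTRUCTED")


def extract_js_redirect(page_html, page_url):
    """Hop 1: the script holds a relative URL, so the browser resolves it against the
    page that served it, which is why the request lands on Salesforce and not your server."""
    m = re.search(r"var url = '([^']+)'", page_html)
    return urljoin(page_url, m.group(1)) if m else None


class AutoPostFormParser(HTMLParser):
    """Collect the form action and the hidden inputs of the auto-submit page."""

    def __init__(self):
        super().__init__()
        self.action = None
        self.fields = {}

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form" and self.action is None:
            self.action = a.get("action")
        elif tag == "input" and a.get("type") == "hidden":
            self.fields[a.get("name")] = a.get("value", "")


def decode_saml_request(b64_value):
    """Hop 2: the POST binding carries plain base64 XML (no deflate, unlike HTTP-Redirect)."""
    root = ET.fromstring(base64.b64decode(b64_value))
    return {
        "id": root.get("ID"),
        "destination": root.get("Destination"),
        "acs": root.get("AssertionConsumerServiceURL"),
        "issuer": root.findtext("{%s}Issuer" % SAML),
    }


def follow_post_binding(form_html):
    """Parse the auto-submit form and decode what the browser is about to POST."""
    p = AutoPostFormParser()
    p.feed(form_html)
    req = decode_saml_request(p.fields["SAMLRequest"])
    req["idp_endpoint"] = p.action
    req["relay_state"] = p.fields.get("RelayState")
    # The Destination inside the request should name the endpoint the form targets.
    req["destination_matches_form_action"] = req["destination"] == p.action
    return req


if __name__ == "__main__":
    page_url = SP_ISSUER + "/setup/secur/RemoteAccessAuthorizationPage.apexp"
    print("Hop 1 redirect:", extract_js_redirect(SAMPLE_AUTHZ_PAGE, page_url))
    for key, value in follow_post_binding(SAMPLE_FORM).items():
        print("Hop 2 %s: %s" % (key, value))
```

Point the two parsers at the bodies curl actually returns and you get the same picture as the transcript: hop 1 stays on the My Domain host, hop 2 reveals the IdP endpoint, the RelayState and the Issuer and ACS the IdP will reply to.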
- No
- Yes, you have to change the URL if you're migrating to the community. If this is what you mean by 'impacted', then yes. You should be using an identity provider that does not expose this URL to end users.
- Maybe, see below
Internal users can log in to the community via the same Assertion Consumer Service (ACS) endpoint at /login/blah used by community users. You don't need multiple connections on the identity provider side.
With communities it is now much easier to segregate audiences vis-a-vis the baseline org. For example, we have customers where internal users (full Salesforce license) log in to the baseline org and external users log in to the community. They use two different ACS endpoints on two different identity providers. Or you could have a single identity provider with two connections, one for each user segment. This depends on the sophistication of your identity provider.
Best Answer
The process is very similar to how you set it up for internal users, except that you need to replace the URLs with the community URLs.
Let's look step by step at how to accomplish this. For simplicity I am using another Winter '17 pre-release org as the SP (Service Provider).
Step 1
Set up a Partner Community in Salesforce (this is your IdP org). I'm not going to detail this, but it should be straightforward.
Step 2
Download the self-signed certificate from your IdP org. Your IdP org is where you have set up the partner community. Navigate to
Click on the Download Certificate button.
You will clearly see that for your Partner Community there is a Discovery Endpoint URL. Carefully note this down, as it will be needed by your Service Provider. Also note down the Issuer.
Step 3
Let's go to the service provider screen. In my example it's another Salesforce instance (Winter '17 pre-release org).
Carefully note the following:
1. The Issuer was obtained from the IdP.
2. The IdP login URL is the one we noted in Step 2 from the IdP.
3. We have uploaded the certificate which we downloaded in the previous step.
Step 4
Create a Connected App in the IdP and allow the partner community profile for the connected app.
Carefully note that I have configured the ACS URL which was provided by the service provider in the previous step.
Once your connected app is saved and you click on the Detail link of the Connected App, for every community you will get an IdP-initiated URL.
The IdP-initiated login URL is what you need to put on a tab or Visualforce page. You will then see that the user is redirected to the SP once they click on the IdP-initiated URL, without having to log into the SP org.
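Steps 2 to 4 above hand three values from one side to the other: the IdP Issuer, the IdP certificate, and the ACS URL the SP publishes. What follows is an added example (not the answer's or Salesforce's code) of the checks an SP applies to the SAML Response that arrives at that ACS URL, so that each noted value maps to a concrete assertion field. All URLs, the entity ID and the response XML are constructed; the response is unsigned, and signature verification against the certificate downloaded in Step 2 is assumed to be done by the SP's SAML library before these checks run.

```python
"""SP-side checks on a SAML Response against the configured IdP values (added example)."""
import base64
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"

# Constructed stand-ins for the values noted from the IdP org and the SP org.
SP_CONFIG = {
    "idp_issuer": "https://idp-org.example.invalid/partners",    # Issuer noted in Step 2
    "acs_url": "https://sp-org.example.invalid/acs-CONSTRUCTED",  # ACS URL entered in Step 4
    "sp_entity_id": "https://sp-org.example.invalid",             # SP org's Entity ID
}
FIXED_NOW = datetime(2016, 10, 1, 12, 0, 0, tzinfo=timezone.utc)  # constructed clock for the demo


def saml_time(dt):
    return dt.strftime("%Y-%m-%dT%H:%M:%SZ")


def parse_saml_time(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def build_response(issuer, destination, audience, now, lifetime=timedelta(minutes=5),
                   in_response_to=None):
    """Constructed, unsigned Response as an IdP would POST it to the ACS URL.
    IdP-initiated logins (the flow in Step 4) carry no InResponseTo."""
    irt = ' InResponseTo="%s"' % in_response_to if in_response_to else ""
    xml = (
        '<samlp:Response xmlns:samlp="{p}" xmlns:saml="{a}" ID="_resp_1" Version="2.0" '
        'IssueInstant="{t}" Destination="{d}"{irt}>'
        "<saml:Issuer>{i}</saml:Issuer>"
        '<samlp:Status><samlp:StatusCode Value="{ok}"/></samlp:Status>'
        '<saml:Assertion ID="_asrt_1" Version="2.0" IssueInstant="{t}">'
        "<saml:Issuer>{i}</saml:Issuer>"
        "<saml:Subject><saml:NameID>partner.user@example.invalid</saml:NameID></saml:Subject>"
        '<saml:Conditions NotBefore="{nb}" NotOnOrAfter="{na}">'
        "<saml:AudienceRestriction><saml:Audience>{aud}</saml:Audience></saml:AudienceRestriction>"
        "</saml:Conditions></saml:Assertion></samlp:Response>"
    ).format(p=SAMLP, a=SAML, t=saml_time(now), d=destination, irt=irt, i=issuer, ok=SUCCESS,
             nb=saml_time(now - timedelta(minutes=1)), na=saml_time(now + lifetime), aud=audience)
    return base64.b64encode(xml.encode()).decode()


def validate_response(b64_response, config, now, expected_request_id=None):
    """Return (ok, problems); every mismatch is collected rather than stopping at the first."""
    root = ET.fromstring(base64.b64decode(b64_response))
    problems = []
    code = root.find("{%s}Status/{%s}StatusCode" % (SAMLP, SAMLP))
    if code is None or code.get("Value") != SUCCESS:
        problems.append("status is not Success")
    # Destination must be exactly the ACS URL configured on the connected app (Step 4).
    if root.get("Destination") != config["acs_url"]:
        problems.append("Destination does not match the configured ACS URL")
    in_resp = root.get("InResponseTo")
    if expected_request_id is None and in_resp is not None:
        problems.append("unsolicited response carries an InResponseTo we never issued")
    if expected_request_id is not None and in_resp != expected_request_id:
        problems.append("InResponseTo does not match the outstanding AuthnRequest")
    assertion = root.find("{%s}Assertion" % SAML)
    if assertion is None:
        return False, problems + ["no Assertion in response"]
    # Both the Response and the Assertion name the Issuer noted in Step 2.
    for el in (root, assertion):
        if el.findtext("{%s}Issuer" % SAML) != config["idp_issuer"]:
            problems.append("%s Issuer does not match the IdP issuer" % el.tag.split("}")[1])
    conds = assertion.find("{%s}Conditions" % SAML)
    if conds is None:
        problems.append("assertion has no Conditions")
    else:
        if now < parse_saml_time(conds.get("NotBefore")):
            problems.append("assertion not yet valid")
        if now >= parse_saml_time(conds.get("NotOnOrAfter")):
            problems.append("assertion expired")
        audiences = [a.text for a in conds.iter("{%s}Audience" % SAML)]
        if config["sp_entity_id"] not in audiences:
            problems.append("Audience does not include the SP entity ID")
    return (not problems), problems


def demo():
    """Run the checks over a good response, one from the wrong IdP/ACS, and a stale one."""
    cfg = SP_CONFIG
    good = build_response(cfg["idp_issuer"], cfg["acs_url"], cfg["sp_entity_id"], FIXED_NOW)
    wrong = build_response("https://someone-else.example.invalid",
                           "https://other.example.invalid/acs", cfg["sp_entity_id"], FIXED_NOW)
    stale = build_response(cfg["idp_issuer"], cfg["acs_url"], cfg["sp_entity_id"],
                           FIXED_NOW - timedelta(hours=1))
    return {name: validate_response(b64, cfg, FIXED_NOW)
            for name, b64 in (("good", good), ("wrong", wrong), ("stale", stale))}


if __name__ == "__main__":
    for name, (ok, problems) in demo().items():
        print("%s: %s %s" % (name, "accepted" if ok else "rejected", problems))
```

The Destination check is why the ACS URL typed into the connected app in Step 4 has to match the SP's published URL character for character, and the Audience check is why the SP's entity ID, not the community URL, is what the IdP must put in the AudienceRestriction.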