Overview
This article provides a step-by-step guide for administrators on how to configure SAML Single Sign-On (SSO) using Salesforce for AdvocateHub. It details the process of setting up a custom Salesforce domain, enabling SAML, creating a connected app with attribute mapping, and configuring the necessary SSO settings in AdvocateHub with the SSO Endpoint URL and SSO Fingerprint.
Information
This article will cover how to configure SAML SSO for your AdvocateHub using Salesforce. This provides your Advocates with a seamless, easy way to access your hub once they are logged into a Salesforce app, such as Salesforce Community.
Note: Single Sign-On may not be available in your plan.
Configuration In Salesforce
You must be logged into Salesforce as an Administrator to complete these actions.
Setup Domain
1. SP-Initiated SAML requires you to customize your Salesforce domain to something that is specific to your company. To do this, navigate to Setup > Domain Management > My Domain.
2. Enter a name of your choice for your domain and make sure it is available and then register the domain. You will receive an email from Salesforce when they have completed updating their naming registries. We will need this new customized domain name later on.
3. Now we will enable the ability for Salesforce to accommodate SAML. Navigate to Setup > Security > Controls > Single Sign-On Settings.
Configure SSO Settings
4. On the Single Sign-On Settings page, click Edit. Check the SAML Enabled checkbox.
5. Staying on that same page, click the 'new' button in the SAML Single Sign-On Settings section.
6. Fill out the required fields as per the below table:
Field Name | Value |
Name | Whatever you like |
Issuer | The URL you set as your custom domain in step 2 |
Identity Provider Certificate | Generate or upload your certificate. Check out this Salesforce article on how to generate a certificate |
API Name | Whatever you like |
Entity ID | https://saml.salesforce.com |
SAML Identity Type | Assertion contains the User's Salesforce username |
SAML Identity Location | Identity is in the NameIdentifier element of the Subject statement |
SP Initiated Request Binding | HTTP POST |
7. Click save
Create Connected App
8. Create an app in Salesforce by going to Build > Create > Apps
9. Scroll down to the Connected Apps section and click the new button.
10. You should be greeted with an initial setup page where you can fill out the Basic Information section as you please. The other section we need to concern ourselves with here is Web App Services: check the Enable SAML box.
11. Fill out the fields according to the table below (ignore any field not mentioned).
Fields | Values |
Entity ID | Influitive-AdvocateHub |
ACS URL | https://insert_subdomain_here.influitive.com/saml/consume Note - If the hub has a custom domain, use an ACS URL like this instead: https://custom_domain/saml/consume |
12. Save your app. You will get a notification saying that it should take 2-10 minutes for the changes to take effect. Click Continue.
13. Finally, we need to map our Attributes. Scroll down to the bottom of the page to the Custom Attributes section. Click new to create a new Attribute and create 3 attributes as per below:
14. That is it! Our app is created and we now have the information to complete the configuration in AdvocateHub.
Configuration in AdvocateHub
For the configuration on the AdvocateHub side, we need 2 pieces of information: the SSO Endpoint URL and the SSO Fingerprint.
1. To retrieve the SSO Endpoint URL, head back to the Connected App you created and locate the SAML Login Information section of the app. Copy the SP-Initiated Redirect Endpoint URL to your clipboard.
Open up your AdvocateHub, navigate to Settings > Login/Security and paste it in the SSO Endpoint URL field.
2. Finally, we need the SSO Fingerprint, which we derive from your certificate.
I like using this tool but feel free to use another one if you like. Copy the contents of your certificate to your clipboard, without the Begin Certificate and End Certificate lines.
Paste the contents into the tool, select sha256 as your algorithm and click Calculate.
This should populate both Fingerprint fields. Both of these are the same and both will work equally well. Copy one of these to your clipboard and navigate back to Settings > Login/Security in your AdvocateHub.
Save these settings and we should be all set!
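The fingerprint from step 2 can also be computed locally, so the result of an online calculator can be cross-checked before it is pasted into AdvocateHub. The following is an added example, not part of the original article or of any Influitive or Salesforce tooling: it accepts the certificate with or without its Begin/End lines and returns the digest both as plain hex and with colon separators. The function names and the sample input are assumptions made for illustration.

```python
import base64
import hashlib
import re

# Constructed placeholder: the base64 body encodes the bytes b"abc", not a real
# certificate. Replace it with the certificate downloaded from Salesforce.
SAMPLE_PEM = """-----BEGIN CERTIFICATE-----
YWJj
-----END CERTIFICATE-----
"""


def pem_to_der(text: str) -> bytes:
    """Accept a full PEM block or only its base64 body and return the DER bytes."""
    # Drop the BEGIN/END marker lines if present, then all whitespace and line breaks.
    body = re.sub(r"-----(BEGIN|END) CERTIFICATE-----", "", text)
    body = "".join(body.split())
    if not body:
        raise ValueError("no certificate data found")
    # validate=True rejects stray characters instead of silently skipping them.
    return base64.b64decode(body, validate=True)


def fingerprint(text: str, algorithm: str = "sha256") -> tuple[str, str]:
    """Return (plain_hex, colon_separated) digest of the DER-encoded certificate."""
    # The fingerprint is taken over the decoded DER bytes, never over the PEM text.
    digest = hashlib.new(algorithm, pem_to_der(text)).hexdigest().upper()
    pairs = [digest[i:i + 2] for i in range(0, len(digest), 2)]
    return digest, ":".join(pairs)


if __name__ == "__main__":
    plain, formatted = fingerprint(SAMPLE_PEM)
    print("SHA-256 fingerprint:         ", plain)
    print("SHA-256 fingerprint (colons):", formatted)
```

If the value computed here differs from the one an online calculator returned, check that the same algorithm was selected and that the whole certificate body was pasted.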
FAQ
What are the prerequisites for configuring SAML SSO with Salesforce for AdvocateHub?
You must be an administrator logged into Salesforce, and your plan should support Single Sign-On. A unique Salesforce domain for your company is also required.
How do I enable SAML in Salesforce for SSO?
Navigate to Setup > Security > Controls > Single Sign-On Settings in Salesforce and select the 'SAML Enabled' checkbox to enable SAML.
What information do I need from Salesforce to configure SSO in AdvocateHub?
You need the SSO Endpoint URL and the SSO Fingerprint, which can be obtained from the Connected App's SAML Login Information section and by using a tool like SAMLTool's Fingerprint Calculator, respectively.
How long does it take for changes to a new connected app to take effect in Salesforce?
It can take between 2-10 minutes for the changes to a new connected app to take effect in Salesforce.
Can I configure SAML SSO for AdvocateHub using Salesforce without a custom domain?
No, configuring SP-Initiated SAML requires a custom domain that is unique to your company, which you must register through Salesforce's domain management.