SAML use case: SalesForce as Identity Provider – IriusRisk Support

Using SalesForce as Identity Provider

Create a developer account going to this link → https://developer.salesforce.com/signup/
Register a new domain

After create the domain and receive the confirmation email, go to the link provided in the confirmation email and log in.
Enable Salesforce as a SAML Identity Provider

Download the metadata file.

Then, you have to set the path and the name of the file in the SAML config file, like this:

metadata {
    defaultIdp = 'salesforce'
    providers = [ salesforce :'/path/to/salesforce-idp.xml']
    // Identity provider info
    idp {
        title = 'SalesForce'
    }
}

metadata.providers → Map of providers and path to their metadata file.

metadata.defaultIdp → Which Idp to use by default

metadata.idp.title → Name of the Identity Provider displayed in the login page.

Create a connected app

The ACS URL (Assertion Consumer Service URL) has to be filled with this pattern: {entityBaseUrl}/saml/SSO/alias/{sp.defaults.alias}. I.e: https://my-server:443/app/saml/SSO/alias/iriusrisk-sp

Create a new role and assign a user to it (optional)

You can map Identity Provider roles to IriusRisk roles using the setting "userGroupToRoleMapping" from you SAML config file:

userGroupToRoleMapping = ['dev': 'ROLE_DEVELOPER']

"dev" is the SalesForce role name and "ROLE_DEVELOPER" is the name of the role in IriusRisk.

Complete connected app settings

Just users with selected profile will be able to login through the identity provider.

You can map Identity Provider user attributes to IriusRisk user attributes using the setting "userAttributeMappings" from your SAML config file:

userAttributeMappings = ['firstName': 'GivenName', 'lastName': 'LastName', 'email': 'EmailAddress']

"firstName" is the IriusRisk user attribute and the "GivenName" is the SalesForce user attribute.

Generate the key for the Service Provider and add it to the java keystore.

keytool -genkey -alias iriusrisk-sp -keyalg RSA -keystore iriusrisk-sp.jks

And put the generated file iriusrisk-sp.jks on any path on your filesystem where tomcat has read permissions.

Also, you have to add the key manager settings in the SAML config file, like this:

keyManager {
    storeFile = 'file:/path/to/iriusrisk-sp.jks'
    storePass = 'changeit'
    passwords = [ 'iriusrisk-sp': 'changeit' ]
    defaultKey = 'iriusrisk-sp'
}

"storeFile" → The path on your filesystem where you put iriusrisk-sp.jks file.

"storePass" → The password for the keystore file

"defaultKey" → The alias of the key generated

"passwords" → The alias and password for the keys

Run this command to generate a certificate file

keytool -exportcert -alias iriusrisk-sp -keypass "password" -keystore iriusrisk-sp.jks -file "mycert.cer"

With the generated file, you have to go to App settings and select this certificate, like this:

Restart IriusRisk, press the login link and then you will see the SalesForce login page. After complete a successfull login, you will be automatically redirected to IriusRisk as a logged in user.

Using SalesForce as Identity Provider

Related articles