Salesforce Single Sign-On (Lightning)
In order to complete these steps, you must:
- Be assigned Admin permissions in Ambition.
- Have Salesforce create/edit privileges: Security Controls, Connected Apps, Permission Sets.
Benefits of Single Sign-On
Enabling single sign-on with Ambition/Salesforce provides the following benefits:
- Users can authenticate to Ambition with their Salesforce credentials.
- If a user is already signed in to Salesforce, they will automatically be signed in to Ambition.
- Ambition access will automatically be revoked as employees leave your company (and are removed from your account management system).
What steps do I need to complete within Salesforce to enable SSO for Ambition?
How do I enable Salesforce SSO within Ambition?
Salesforce Lightning Identity Provider Setup
Configuring the Identity Provider (IdP)
1. Set up a domain using My Domain and deploy it to all users.
2. Click Setup, locate Settings in the left navigation.
3. Expand the Identity section, and click Identity Provider.
4. Click Enable Identity Provider. Save.
5. Locate SAML Metadata Discovery Endpoints and copy the Salesforce Identity Metadata URL somewhere safe; you will paste it into Ambition later.
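Before pasting the metadata URL into Ambition, it is worth confirming that the document behind it contains what a service provider needs: an https entityID, at least one signing certificate, an HTTP-POST single sign-on endpoint, the emailAddress NameID format used later in this article, and a validUntil that has not passed. The following is an added example (not Salesforce's or Ambition's code) that summarizes and checks such a document using only the Python standard library. The hostnames, paths and certificate in SAMPLE_METADATA are constructed stand-ins for a real tenant's metadata.

```python
"""Added example (not Salesforce's or Ambition's own code): summarize and
sanity-check a Salesforce IdP metadata document before pasting its URL into
Ambition. Hostnames, paths and the certificate below are constructed."""
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
EMAIL_NAMEID = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed sample resembling what an IdP metadata URL returns; "acme"
# stands in for a real My Domain and the certificate is a placeholder string.
SAMPLE_METADATA = """<md:EntityDescriptor
    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://acme.my.salesforce.com"
    validUntil="2030-01-01T00:00:00Z">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data>
        <ds:X509Certificate>MIIBPLACEHOLDERCERT==</ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://acme.my.salesforce.com/idp/endpoint/HttpPost"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://acme.my.salesforce.com/idp/endpoint/HttpRedirect"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""


def _as_dt(value):
    """Accept a tz-aware datetime or an ISO 8601 string with a trailing Z."""
    if isinstance(value, datetime):
        return value
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def summarize_idp_metadata(xml_text):
    """Extract the fields a service provider such as Ambition relies on."""
    root = ET.fromstring(xml_text)
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("document has no IDPSSODescriptor; not IdP metadata")
    certs = []
    for kd in idp.findall("md:KeyDescriptor", NS):
        # A KeyDescriptor without a 'use' attribute is valid for signing too.
        if kd.get("use") in (None, "signing"):
            for cert in kd.findall("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS):
                if cert.text:
                    certs.append("".join(cert.text.split()))
    valid_until = root.get("validUntil")
    return {
        "entity_id": root.get("entityID", ""),
        "valid_until": _as_dt(valid_until) if valid_until else None,
        "signing_certs": certs,
        "name_id_formats": [n.text.strip() for n in idp.findall("md:NameIDFormat", NS) if n.text],
        "sso_endpoints": {s.get("Binding"): s.get("Location")
                          for s in idp.findall("md:SingleSignOnService", NS)},
    }


def check_idp_metadata(summary, now=None):
    """Return a list of problems; an empty list means the metadata is usable."""
    now = _as_dt(now) if now else datetime.now(timezone.utc)
    problems = []
    if not summary["entity_id"].startswith("https://"):
        problems.append("entityID is not an https URL")
    if not summary["signing_certs"]:
        problems.append("no signing certificate: the SP could not verify assertions")
    if HTTP_POST not in summary["sso_endpoints"]:
        problems.append("no HTTP-POST SingleSignOnService endpoint")
    for binding, location in summary["sso_endpoints"].items():
        if not (location or "").startswith("https://"):
            problems.append(f"SSO endpoint for {binding} is not https")
    if summary["name_id_formats"] and EMAIL_NAMEID not in summary["name_id_formats"]:
        problems.append("IdP does not advertise the emailAddress NameID format")
    if summary["valid_until"] and summary["valid_until"] <= now:
        problems.append("metadata validUntil has passed; re-fetch it from Salesforce")
    return problems


if __name__ == "__main__":
    summary = summarize_idp_metadata(SAMPLE_METADATA)
    print(summary["entity_id"], sorted(summary["sso_endpoints"]))
    print("problems:", check_idp_metadata(summary) or "none")
```

To run this against a real tenant, fetch the Salesforce Identity Metadata URL (for example with urllib.request) and pass the response body to summarize_idp_metadata. Metadata fetched from the network is untrusted input; parse it with defusedxml rather than xml.etree in production code.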
Configuring the Service Provider (SP)
1. Click Setup, locate Platform Tools in the left navigation.
2. Expand the Apps section, and click App Manager.
3. Click on New Connected App.
4. Complete the New Connected App form with the following information:
Basic Information (only need to complete the required fields)
Connected App Name: Ambition SAML Authentication
API Name: Will be automatically generated
Contact Email: IT's email address
Web App Settings
Start URL: https://SUBDOMAIN.ambition.com/account-management/login/
Enable SAML: Check to enable
After checking Enable SAML, the form will expand. Continue completing the following fields:
Entity Id: https://SUBDOMAIN.ambition.com/account-management/login/
ACS URL: https://SUBDOMAIN.ambition.com/account-management/login/
Name ID Format: urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress
Ensure that you replace SUBDOMAIN in the URLs above with the actual company name you use when logging in to Ambition.
5. Click << Back to List: Custom Apps.
6. Find Ambition SAML Authentication and select View from the right-hand drop-down menu.
7. Scroll to Custom Attributes and click New.
You will add two attributes.
Key: FirstName
Click Insert Field, select User > First Name, click Insert.
Click Save and then click New again.
Key: LastName
Click Insert Field, select User > Last Name, click Insert.
Click Save.
Permissions
1. In the left navigation, expand the Users section, and click Permission Sets.
2. Click New and complete the Permission Set form with the following required information:
Label: Ambition Single Sign-On
API Name: Will be automatically generated after inputting label
3. Click Save on the Permission Set form.
4. Click on the name of the Permission Set you just created, Ambition Single Sign-On.
5. Under Apps click Assigned Connected Apps and click Edit.
6. Add Ambition SAML Authentication and click Save.
7. Click Manage Assignments, Add Assignments, select desired users, click Assign, and Done.
Enable Salesforce Lightning Single Sign-On
1. Open the left navigation and click Administration > People > Single Sign-On.
Don't see the Single Sign-On tab? The feature can be enabled by any user with system Admin permissions: open the left navigation, click Administration > Features, locate the SAML/SSO feature, toggle it "On", and click the Update Features button to save.
2. Click the Enable Single Sign-On button.
3. Complete the form.
Integration Name: Defaults to SAML Authentication. The naming convention is up to your organization.
IdP Metadata URL: The Salesforce Identity Metadata URL you copied from Salesforce earlier
First Name SAML Attribute: FirstName
Last Name SAML Attribute: LastName
Default User Time Zone: The corresponding default time zone your organization uses
Automatically Create Ambition Accounts on Sync (Using Just-in-Time User Provisioning):
When enabled, Ambition will use a SAML assertion to create Ambition user accounts the first time the user attempts to log in to Ambition.
When disabled, Salesforce users who have no corresponding Ambition account will be denied access to Ambition.
4. Click the Save button.
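The Entity Id, ACS URL, NameID format and the FirstName/LastName custom attributes configured in the Connected App, together with the just-in-time provisioning switch on this form, are exactly what the service provider inspects in each SAML assertion. The following is an added example (not Ambition's or Salesforce's code) that checks a constructed assertion against those values and then applies the provisioning rule described above. "acme" stands in for the real SUBDOMAIN, and the constant names, the sample response and the account store are all assumptions made for the example; it deliberately does not verify the XML signature, which a real SP library must do against the IdP certificate before trusting any of these fields.

```python
"""Added example (not Ambition's or Salesforce's own code): check a SAML
assertion for the fields this article configures, then apply the
just-in-time provisioning rule from the Ambition SSO form. Sample values
are constructed; 'acme' stands in for the real SUBDOMAIN."""
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
EMAIL_NAMEID = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
SP_ENTITY_ID = "https://acme.ambition.com/account-management/login/"  # Entity Id
SP_ACS_URL = SP_ENTITY_ID  # the article uses the same value for the ACS URL

# Constructed sample response carrying the attributes the Connected App emits.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Assertion>
    <saml:Issuer>https://acme.my.salesforce.com</saml:Issuer>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">jane.doe@acme.example</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData NotOnOrAfter="2030-01-01T00:05:00Z"
            Recipient="https://acme.ambition.com/account-management/login/"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions NotBefore="2029-12-31T23:55:00Z" NotOnOrAfter="2030-01-01T00:05:00Z">
      <saml:AudienceRestriction>
        <saml:Audience>https://acme.ambition.com/account-management/login/</saml:Audience>
      </saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="FirstName"><saml:AttributeValue>Jane</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="LastName"><saml:AttributeValue>Doe</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""


def _as_dt(value):
    """Accept a tz-aware datetime or an ISO 8601 string with a trailing Z."""
    if isinstance(value, datetime):
        return value
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def validate_assertion(xml_text, entity_id=SP_ENTITY_ID, acs_url=SP_ACS_URL,
                       first_attr="FirstName", last_attr="LastName", now=None):
    """Return (problems, profile). No signature check is performed here; a real
    SP verifies the XML signature against the IdP certificate before this."""
    now = _as_dt(now) if now else datetime.now(timezone.utc)
    root = ET.fromstring(xml_text)
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return ["response carries no Assertion"], {}
    problems = []
    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    if name_id is None or name_id.get("Format") != EMAIL_NAMEID:
        problems.append("NameID missing or not in emailAddress format")
    audience = assertion.findtext(
        "saml:Conditions/saml:AudienceRestriction/saml:Audience", default="", namespaces=NS)
    if audience.strip() != entity_id:
        problems.append(f"Audience {audience.strip()!r} does not match Entity Id")
    scd = assertion.find(
        "saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd is None or scd.get("Recipient") != acs_url:
        problems.append("SubjectConfirmationData Recipient does not match ACS URL")
    cond = assertion.find("saml:Conditions", NS)
    if cond is not None:
        if cond.get("NotBefore") and now < _as_dt(cond.get("NotBefore")):
            problems.append("assertion not yet valid (NotBefore)")
        if cond.get("NotOnOrAfter") and now >= _as_dt(cond.get("NotOnOrAfter")):
            problems.append("assertion expired (NotOnOrAfter)")
    attrs = {}
    for attr in assertion.findall("saml:AttributeStatement/saml:Attribute", NS):
        value = attr.findtext("saml:AttributeValue", default="", namespaces=NS)
        attrs[attr.get("Name")] = (value or "").strip()
    for key in (first_attr, last_attr):
        if not attrs.get(key):
            problems.append(f"missing SAML attribute {key}")
    email = (name_id.text or "").strip() if name_id is not None else ""
    return problems, {"email": email, "first": attrs.get(first_attr, ""),
                      "last": attrs.get(last_attr, "")}


def resolve_login(profile, accounts, jit_enabled):
    """'Automatically Create Ambition Accounts on Sync' as a decision function.
    accounts maps lower-cased email -> account record and is updated in place."""
    email = profile["email"].lower()
    if email in accounts:
        return "signed_in"
    if jit_enabled:
        accounts[email] = {"first": profile["first"], "last": profile["last"]}
        return "created"
    return "denied"


if __name__ == "__main__":
    problems, profile = validate_assertion(SAMPLE_RESPONSE, now="2030-01-01T00:00:00Z")
    print("problems:", problems or "none", "| profile:", profile)
    directory = {}  # constructed stand-in for the Ambition account store
    for jit in (False, True, False):
        print(f"JIT={jit}: {resolve_login(profile, directory, jit)}")
```

Running the sample shows the three outcomes the form describes: with provisioning disabled and no matching account the login is denied, with it enabled the first login creates the account from the FirstName/LastName attributes, and every later login for that e-mail address simply signs the user in. Changing the Audience or the attribute keys in the sample response reproduces the mismatches you would otherwise only see as a failed login.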