Salesforce SAML Integration
Use this topic to assist you in configuring Agiloft with SAML using Salesforce as the Identity Provider. This way, you can establish a single sign-on connection between Salesforce and Agiloft, where Salesforce acts as the Identity Provider for SAML-based SSO. For more information on Salesforce configuration, see Salesforce Help. For more detailed information on configuring SAML in Agiloft, see SAML 2.0 SSO.
Prerequisites
Register the Salesforce Domain
The full setup requires you to switch between Agiloft and Salesforce, so open each one in its own browser window so you can easily switch between them.
To begin:
- In the Salesforce account, click the Setup icon to open the Setup Home.
Note: You may need to switch to the new Salesforce Lightning interface at https://<domain name>.lightning.force.com/one/one.app#/home.
- In the Quick Find search box in the left pane, enter "my domain", then select the search result.
- Add a domain name in the field, and click Check Availability.
- Once you find an available domain, click Register Domain.
- When the domain has been registered, you will receive an email to confirm that it is ready to use.
Configure Salesforce as an Identity Provider
- In Salesforce Setup, enter "identity provider" in the Quick Find search box, then select the search result.
- In the Identity Provider window, click Enable Identity Provider.
- This opens the Identity Provider Setup window, which contains the necessary information to configure Agiloft.
- Click Download Certificate and save the file to a location on your system.
- Open the file in a text editor such as Notepad++ so that you can copy the contents.
Enable SAML in Agiloft
- Click the Setup gear in the top-right corner and go to Access > Configure SAML 2.0 Single Sign-On.
- In the General tab:
- Select Enable SAML SSO.
- Select Create SAML IdP Authenticated user in Agiloft, if you wish to provision a new user on login if one does not exist.
- Select Employees in the drop-down to add users to the Table/Subtable shown below.
- Select the last checkbox only if you want to synchronize the user attributes in Agiloft with those in Salesforce every time a user logs in. If you leave this deselected, the user's attributes will be synchronized only when the user is first created.
- Select the Service Provider Details tab.
- For the Keystore file path, Java KeyStore Password, and Alias to add the certificate to the Java KeyStore:
- If you are using Agiloft's hosted service, the fields will be populated by Support.
- If you are using an in-house server where Agiloft is installed, see Generate a Keystore File, and refer to the further information in the SAML 2.0 SSO topic to populate the fields.
- Click Finish.
- Download the Agiloft X.509 Certificate and save it to your disk.
- Click Configure SAML 2.0 Single Sign-On to reopen the SAML configuration wizard.
- Leave the Service Provider Details tab open while you continue with the steps below.
Create a Connected App in Salesforce
- In the Quick Find search box, enter "app manager", then select the search result.
- In the Lightning Experience App manager window, click New Connected App.
- Enter the app details in the Basic Information section based on your system.
- In the Web App Settings, select Enable SAML. This opens additional fields, which you must populate from the Agiloft Service Provider Details tab:
- Start URL - enter the base URL for the Agiloft knowledgebase. Whenever possible, make sure to use the domain name for your server, such as example.agiloft.com, rather than the specific server hostname, such as ps108.agiloft.com.
- Entity ID - enter the Agiloft (SP) Entity ID.
- ACS URL - enter the SAML V2 Assertion Consumer Service (ACS) Endpoint.
- IdP Certificate - select the Default IdP Certificate. This will populate the Issuer and Name ID Format.
- Select Verify Request Signatures, then click Choose File to locate the Agiloft X.509 certificate from earlier.
- Click Save at the bottom.
- In the Quick Find search box, enter "connected apps", then select the search result.
- In the list of apps in the Connected Apps window, select the Master Label of the app you just created. This opens a view of the app details.
- Click Download Metadata to download the app metadata XML file, and save it to a location on your system.
- Open the metadata file in your text editor and copy the contents.
- Click Manage Profiles.
- Select the System Administrator profile, then click Save. This grants the connected app to users with that profile, including your current user, so you can test that the connection was established successfully.
Add Identity Provider Details in Agiloft
- In the SAML Configuration wizard, select Identity Provider Details.
- In "SAML Metadata XML contents obtained from your IdP", paste the contents of the Salesforce app metadata file.
- Click Finish. This will automatically populate all of the Identity Provider Details fields, including the X.509 certificate, which is included in the metadata.
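Before pasting the metadata into the wizard it is worth checking that the file really is identity-provider metadata and that the signing certificate it carries is the same one you downloaded from Identity Provider Setup earlier; a mismatch usually means a different certificate was selected in the connected app's IdP Certificate field. The script below is an added example, not Agiloft's or Salesforce's own code: it parses the metadata with the standard library, extracts the fields the wizard fills in (entity ID, SSO endpoints, Name ID format, signing certificate) and compares the certificate's SHA-256 fingerprint against a downloaded PEM file. The sample metadata, the example.my.salesforce.com domain and the certificate bytes are constructed placeholders, not a real org's values.

```python
"""Parse Salesforce IdP metadata and check its signing certificate.

Added example (not Agiloft's or Salesforce's own code). The metadata sample,
domain and certificate bytes below are constructed placeholders.
"""
import base64
import hashlib
import textwrap
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
POST_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
REDIRECT_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"

# Constructed stand-in for the DER certificate body; not a real X.509 certificate.
FAKE_DER = b"constructed placeholder bytes, not a real certificate"


def pem_from_der(der: bytes) -> str:
    """Wrap DER bytes in the PEM framing used by the downloaded certificate file."""
    body = textwrap.fill(base64.b64encode(der).decode("ascii"), 64)
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"


def der_from_pem(pem_text: str) -> bytes:
    """Strip the PEM armour and whitespace, then decode the base64 body."""
    lines = [ln.strip() for ln in pem_text.splitlines()
             if ln.strip() and not ln.startswith("-----")]
    return base64.b64decode("".join(lines), validate=True)


def fingerprint(der: bytes) -> str:
    """SHA-256 fingerprint in the colon-separated form certificate viewers show."""
    digest = hashlib.sha256(der).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


# Constructed sample of a connected-app metadata file (SAML 2.0 metadata
# schema layout; the org domain is a placeholder).
SAMPLE_METADATA = f"""<?xml version="1.0" encoding="UTF-8"?>
<md:EntityDescriptor xmlns:md="{NS['md']}" entityID="https://example.my.salesforce.com">
  <md:IDPSSODescriptor WantAuthnRequestsSigned="true"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo xmlns:ds="{NS['ds']}">
        <ds:X509Data>
          <ds:X509Certificate>{base64.b64encode(FAKE_DER).decode('ascii')}</ds:X509Certificate>
        </ds:X509Data>
      </ds:KeyInfo>
    </md:KeyDescriptor>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat>
    <md:SingleSignOnService Binding="{POST_BINDING}"
        Location="https://example.my.salesforce.com/idp/endpoint/HttpPost"/>
    <md:SingleSignOnService Binding="{REDIRECT_BINDING}"
        Location="https://example.my.salesforce.com/idp/endpoint/HttpRedirect"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""


def parse_idp_metadata(xml_text) -> dict:
    """Pull out the fields the Identity Provider Details wizard fills in."""
    if isinstance(xml_text, str):
        xml_text = xml_text.encode("utf-8")
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{NS['md']}}}EntityDescriptor":
        raise ValueError("not a SAML EntityDescriptor")
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        # SP metadata (for example Agiloft's own) carries an SPSSODescriptor instead.
        raise ValueError("no IDPSSODescriptor: this is not identity-provider metadata")
    certs = []
    for kd in idp.findall("md:KeyDescriptor", NS):
        # A KeyDescriptor without 'use' serves both signing and encryption.
        if kd.get("use", "signing") != "signing":
            continue
        for cert in kd.findall(".//ds:X509Certificate", NS):
            certs.append(fingerprint(base64.b64decode("".join(cert.text.split()))))
    sso = {s.get("Binding"): s.get("Location")
           for s in idp.findall("md:SingleSignOnService", NS)}
    return {
        "entity_id": root.get("entityID"),
        "wants_signed_requests": idp.get("WantAuthnRequestsSigned", "false").lower() == "true",
        "sso_post_url": sso.get(POST_BINDING),
        "sso_redirect_url": sso.get(REDIRECT_BINDING),
        "name_id_formats": [n.text.strip() for n in idp.findall("md:NameIDFormat", NS) if n.text],
        "signing_cert_sha256": certs,
    }


def downloaded_cert_matches(metadata: dict, pem_text: str) -> bool:
    """True if the certificate downloaded from Identity Provider Setup is one of
    the signing certificates the connected-app metadata advertises."""
    return fingerprint(der_from_pem(pem_text)) in metadata["signing_cert_sha256"]


if __name__ == "__main__":
    info = parse_idp_metadata(SAMPLE_METADATA)
    for key, value in info.items():
        print(f"{key}: {value}")
    print("downloaded cert matches:", downloaded_cert_matches(info, pem_from_der(FAKE_DER)))
```

To use it on real files, read the connected app's metadata XML and the certificate downloaded in the Identity Provider Setup step, call parse_idp_metadata on the first and downloaded_cert_matches on both. WantAuthnRequestsSigned being true corresponds to the Verify Request Signatures checkbox on the connected app, which is why the Agiloft X.509 certificate has to be uploaded there.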
Establish the SAML Connection
- To test the SAML connection from the IdP-initiated side, in the Salesforce window click the IdP Initiated Login URL. If the connection has been established successfully, this will open the Agiloft knowledgebase, with the user created.
- To test the Agiloft-initiated login, point your browser to https://{server}/gui2/samlssologin.jsp?project={kbName}, where {server} is the IP address or FQDN of the server hosting the Agiloft instance and {kbName} is replaced by the name of your knowledgebase. Whenever possible, make sure to use the domain name for your server, such as example.agiloft.com, rather than the specific server hostname, such as ps108.agiloft.com. This URL forwards the login request to the IdP, and you will be directed to the Salesforce SAML login page.
- If the user does not yet exist in Agiloft, they will automatically be provisioned once Salesforce authenticates them successfully, provided you selected Create SAML IdP Authenticated user in Agiloft during the setup.
If you are already logged in and authenticated, you will be forwarded directly to the Agiloft interface.
Force SSO Login
To force users to log in with SSO, you can prevent them from accessing Agiloft with their username and password. Follow the steps below to make the Password field optional in the Employees table and then remove passwords for employees who should log in with SSO. Users whose passwords were removed can then only log in with SSO. If you also allow some external users to log in with SSO, repeat the process for the External Users table.