Configure Salesforce for UserLock Single-Sign On

Procedure

Choose either of the following two methods:

Retrieve the SSO metadata file by navigating to https:// <SSO address> /metadata
In Salesforce Setup webpage navigate to Settings → Identity → Single Sign-On settings
Click the "Edit" button on top of "Federated Single Sign-On Using SAML" and check the SAML Enabled checkbox. Click the Save button.
Next to SAML Single Sign-On Settings, click the "New from Metadata File" button.
Select SSO metadata file and upload it. Click the Create button.
Salesforce attempts to complete the form using the metadata file; However, several pre-entered values are not applicable and require modification:
- SAML Identity Type: Assertion contains the Federation ID from the User object
- Service Provider Initiated Request Binding: HTTP POST
- Single Logout Enabled: Ensure this value is unchecked
- Name: The value can be changed to a more convenient value if required as it is only used for display purposes.
Click the Save button

In Salesforce Setup webpage navigate to Settings → Identity → Single Sign-On settings
Click the "Edit" button on top of "Federated Single Sign-On Using SAML" and check the SAML Enabled checkbox. Click the Save button.
Next to SAML Single Sign-On Settings, click the "New" button.
Enter the values listed below :
- Name: Enter preferred name
- Issuer: SSO address (https://<SSO domain>)
- Identity Provider Certificate: navigate to the %ProgramFiles(x86)%\ISDecisions\UserLock\SSO folder and locate and upload the ulsso.signing.cer certificate.
- Request Signing Certificate: Accept default value
- Request Signature Method: RSA-SHA256
- Assertion Decryption Certificate: Accept default value
- SAML Identity Type: "Assertion contains the Federation ID from the User object"
- SAML Identity Location: "Identity is in the Name Identifier element of the Subject statement"
- Service Provider Initiated Request Binding: HTTP POST
- Identity Provider Login URL: https://<SSO address>/saml/sso
- Custom Logout URL: https://<SSO address>/connect/endsession
- Custom Error URL: <Empty>
- Single Logout Enabled: <Unchecked>
- API Name: Accept default value
- Entity ID: https://saml.salesforce.com
- User Provisioning Enabled: unchecked
Click the "Save" button

The following procedure is required for each user requesting SSO:

In the SalesForce webpage, navigate to Administration → Users → Users
Click Edit, then in the section Single Sign On Information, for the Federation ID, provide the ImmutableID of the corresponding Active Directory user. Click the Save Button upon completion.

In the UserLock console, Navigate to Single Sign-On → Configuration.

Select Add configuration, then select Salesforce as the provider to be configured.
Enter the values listed below :
- Custom App Domain: domain of your Salesforce instance (https:// <yourInstance> .my.salesforce.com)
- Client ID: the ClientId/Entity Id of the Client/Service Provider
- Email domain: domain of the email you want to be used to log users in
- Certificate: Certificate provided by Salesforce*

Returning to the Salesforce webpage, navigate to Settings → Security → Certificate and Key Management.
Under Certificates, click on the last certificate in the list (SelfSignedCert_... .crt), then download it.
Open the certificate with a text editor and copy/paste its value in SSO.

NOTE: The SSO service needs to be restarted in order to use this profile

It is possible to bypass SSO using the following procedure:

Go to https://MyDomain.my.salesforce.com?login where your administrator can revert back to a standard Log-In sessions while SSO is unavailable.