Salesforce has built-in functionality for configuration of SAML Single Sign-On. An administrator of an MIT Salesforce instance can configure their custom domain to use Touchstone authentication.
Instructions for configuring Salesforce for Single Sign On authentication are available in the Salesforce documentation: https://developer.salesforce.com/docs/atlas.en-us.sso.meta/sso/sso_about.htm
This article provides the specific configuration you will need to configure MIT Touchstone as the identity provider.
- Use MIT's identity provider (IdP) metadata to configure the Salesforce SSO settings: https://touchstone.mit.edu/metadata/idp.mit.edu-metadata.xml
- You will need a Salesforce custom domain, (e.g.https://mit-myDLC.my.salesforce.com), to distinguish your Salesforce instance from other MIT Salesforce instances
- By default the certificate/key pair you create for signing and encryption will apparently have a lifetime of only one
year, and you would need to create a new cert/key pair and provide it to us well ahead of its expiration to avoid an outage. We found that one way to mitigate this slightly is to specify a key size of 4096 bits (instead of 2048) when you create the key; the resulting cert will then get a lifetime of 2 years.
- Consider whether you will choose to enable Just-in-Time (JIT) provisioning to automatically create a user account in your Salesforce org the first time a user logs in with single sign-on (SSO).
- You will be mapping the eduPersonPrincipalName attribute for use as the unique user ID.
- Its value is the MIT Kerberos username, "scoped" to mit.edu, e.g. "email@example.com"
- In the configuration, you may need the attribute's "formal" identifier, that is: urn:oid:126.96.36.199.4.1.59188.8.131.52.6
- You will need to generate and provide your service provider (SP) metadata to us, per the instructions at the end of the "Set up single sign-on" section of the documentation, by contacting firstname.lastname@example.org.
- Once that is provided and approved, we will configure our IdP to release the "eduPersonPrincipalName" attribute to your service provider (SP) as the unique user ID.
Questions?: Contact email@example.com.