
Configure Salesforce for Touchstone Authentication

Salesforce has built-in functionality for configuration of SAML Single Sign-On. An administrator of an MIT Salesforce instance can configure their custom domain to use Touchstone authentication.

Instructions for configuring Salesforce for Single Sign On authentication are available in the Salesforce documentation: https://developer.salesforce.com/docs/atlas.en-us.sso.meta/sso/sso_about.htm

This article provides the specific configuration you will need to configure MIT Touchstone as the identity provider.

Configuration settings

  1. Use MIT's identity provider (IdP) metadata to configure the Salesforce SSO settings: https://touchstone.mit.edu/metadata/idp.mit.edu-metadata.xml
  2. You will need a Salesforce custom domain (e.g. https://mit-myDLC.my.salesforce.com) to distinguish your Salesforce instance from other MIT Salesforce instances.
  3. By default, the certificate/key pair you create for signing and encryption appears to have a lifetime of only one year, so you would need to create a new cert/key pair and provide it to us well ahead of its expiration to avoid an outage. We found that one way to mitigate this slightly is to specify a key size of 4096 bits (instead of 2048) when you create the key; the resulting cert then gets a lifetime of 2 years.
  4. Consider whether you will enable Just-in-Time (JIT) provisioning to automatically create a user account in your Salesforce org the first time a user logs in with single sign-on (SSO).
  5. You will map the eduPersonPrincipalName attribute for use as the unique user ID.
    • Its value is the MIT Kerberos username, "scoped" to mit.edu, e.g. "jsmith@mit.edu".
    • In the configuration, you may need the attribute's "formal" identifier, that is: urn:oid:1.3.6.1.4.1.5923.1.1.1.6
  6. You will need to generate your service provider (SP) metadata, per the instructions at the end of the "Set up single sign-on" section of the Salesforce documentation, and provide it to us by contacting touchstone-support@mit.edu.
    • Once that is provided and approved, we will configure our IdP to release the "eduPersonPrincipalName" attribute to your service provider (SP) as the unique user ID.
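The following is an added example, not part of this article or of Salesforce's or MIT's code. It shows what an SP-side attribute mapping has to do with the attribute described in step 5: locate eduPersonPrincipalName in the SAML assertion by its formal OID name (the FriendlyName is optional and not something to rely on), require exactly one value, and accept it as the user ID only if it is scoped to mit.edu, so that an unscoped value or a value in some other domain is never mapped to a local account. The assertion below is constructed sample data with a placeholder issuer, and the example assumes the assertion's XML signature has already been verified by the SAML library in front of it; this code only handles the attribute step.

```python
"""Map eduPersonPrincipalName from a SAML 2.0 assertion to a scoped user ID.

Added example (standard library only). Assumes the assertion's signature was
already validated by a SAML library; this covers only the attribute mapping.
"""
from typing import List

import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Formal identifier of eduPersonPrincipalName, as given in the article.
EPPN_OID = "urn:oid:1.3.6.1.4.1.5923.1.1.1.6"
# Scope the IdP releases EPPN values in.
EXPECTED_SCOPE = "mit.edu"

# Constructed sample assertion (issuer is a placeholder, not the real IdP entityID).
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed-example" Version="2.0" IssueInstant="2021-02-23T00:00:00Z">
  <saml:Issuer>urn:example:idp-placeholder</saml:Issuer>
  <saml:AttributeStatement>
    <saml:Attribute Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6"
        NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
        FriendlyName="eduPersonPrincipalName">
      <saml:AttributeValue>jsmith@mit.edu</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="urn:oid:2.5.4.42" FriendlyName="givenName">
      <saml:AttributeValue>Jane</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def get_attribute_values(assertion_xml: str, name: str) -> List[str]:
    """Return all values of the attribute whose Name equals `name` (an OID URN).

    Matching is done on the Name attribute only; FriendlyName is ignored because
    it is optional in SAML and an SP must not key its mapping on it.
    """
    root = ET.fromstring(assertion_xml)
    values: List[str] = []
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", SAML_NS):
        if attr.get("Name") != name:
            continue
        for value in attr.iterfind("saml:AttributeValue", SAML_NS):
            values.append((value.text or "").strip())
    return values


def is_scoped_to(eppn: str, scope: str) -> bool:
    """True only if `eppn` has the form local@scope with a non-empty local part.

    Uses the last '@' so that 'a@b@mit.edu' is judged by its real scope, and
    compares the scope case-insensitively (DNS names are case-insensitive).
    'jsmith@evil.mit.edu' is rejected because its scope is not exactly 'mit.edu'.
    """
    local, sep, domain = eppn.rpartition("@")
    return bool(sep) and bool(local) and domain.lower() == scope.lower()


def extract_user_id(assertion_xml: str, scope: str = EXPECTED_SCOPE) -> str:
    """Return the single, correctly scoped eduPersonPrincipalName, or raise."""
    values = get_attribute_values(assertion_xml, EPPN_OID)
    if len(values) != 1:
        raise ValueError(
            f"expected exactly one eduPersonPrincipalName, got {len(values)}")
    eppn = values[0]
    if not is_scoped_to(eppn, scope):
        raise ValueError(f"eduPersonPrincipalName {eppn!r} is not scoped to {scope}")
    return eppn


if __name__ == "__main__":
    print(extract_user_id(SAMPLE_ASSERTION))
```

The scope check is the part worth keeping even if you use a SAML library for everything else: if the SP accepted any `@`-qualified string as a user ID, a misconfigured or additional IdP releasing `jsmith@otherdomain` could collide with, or be confused for, the MIT account of the same local part.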

Questions?: Contact touchstone-support@mit.edu.

IS&T Contributions

Documentation and information provided by IS&T staff members


Last Modified:

February 23, 2021
