Friday, 6 March 2020

Enable SSO between 2 salesforce communities

by :

Hello Everyone ,

I hope you all have read my recent post. Recently I have implemented SSO between 2 salesforce communities. Let’s start how I did this using salesforce’s out of the box functionality.

Use Case: one organisation was using the salesforce and salesforce community(let's name it cloudkicks) , later they acquired another organisation another company and that company was also using the salesforce and salesforce community(name it iCourier). Now the stakeholder of the parent organisation wanted that users of their community can login directly in the acquired company’s community portal.

So in this case cloudkicks will act as Identity provider (Source organisation) and iCourier will act as service provider (Target community where we want to login).

Following steps we need to take :

1. Enable Identity provider in source org.

2. Enable Single Sign on in the target org.

3. Create a connected app in the source org.

Let’s see them step by step how that will be working.

1. Enable Identity provider in source org:

a. If identity provider is not already enabled in org then first enable it.

Once we click on the enable identity provider button we will be asked to select a certificate, you can select existing one or also can create new.

b. Download metadata and certificate: Once we have enabled identity provider in our source org we need to download metadata file, which will be used for enabling single sign on in the target org.

2. Enable Single Sign on in the target org

a. SAML Enabled:

b. Create SAML Sign-On Settings: We can click on a new button and fill all the details manually,or we can use metadata file by clicking on the ‘New from Metadata file’ button. We will use a metadata file which we used from step 1.

All details will be filled automatically. We would need to make the following changes for red highlighted fields.

Request Signature Method: RSA-SHA1

Service Provider Initiated Request Binding: HTTP POST

Identity Provider Login URL: Keep it blank for now , we will come back to it later.

3. Create connected app in the source org: We will create a connected app in the source org (cloud kicks) .

In the connected app , enable SAML, we need some information here that will be provided by target org when they enable single sign on setting.

Lets see where we can get entity url and ACS URL from the target org.Both details are available on the detail page of single sign on setting which we created in step 2.

Entity Id :

ASC URL: Is the endpoint of login url where we need to provide login access.

Once we save connected app , click on manage button and assign profiles who will be using this connected app (cloudkicks community user profile)

Now we need to copy ‘IdP-Initiated Login URL’ and put it on the single sign on settings, remember we put 1 blank value there.

Copy from the connected app

Paste on the single sign on setting page in target org.

Now we are done with the setup. We can call this url on any button click from target community (Cloudkicks) and it will allow us to login into source org community (iCourier).

Note: We can set federation Id on user detail page, make sure federation id should be same in both orgs for a user, this will be used to authenticate the user.