New Riva On-Premise installations include a new strategy to provide impersonation access into Salesforce: the Standard Impersonation Model. For instructions on implementing the Standard Impersonation Model, see Prepare Salesforce for Riva and Create and test a Salesforce connection.
For current Riva On-Premise installations that use Salesforce Single Sign-On, administrators are encouraged to upgrade their Riva for Salesforce connection setup to the Standard Impersonation Model. For assistance, contact the Riva Success Team.
The procedures in the following article have been deprecated. The information is being retained for clients who have not yet converted to the new Standard Impersonation Model.
For the synchronization engine to fully comply with user data, profile, role, and territory security, Riva Delegated Authentication - Single Sign-On for Salesforce (Riva DA-SSO) must be configured. This additional service allows Salesforce.com to "impersonate" multiple users from a single account and to check the validity of user credentials against a server in your environment that confirms login and password information. After Riva DA-SSO for Salesforce is configured, the Riva server can "impersonate" each user's Salesforce account without needing to know each user's password.
Riva provides an On-Premise SSO Provider server for Salesforce that is installed on a public-facing IIS server in the customer's environment. The On-Premise SSO Provider server is required or recommended in the following cases:
- When target email accounts are hosted on Exchange 2003 systems (required to support SSO)
- When target email accounts are hosted on GroupWise systems (required to support SSO)
- When a customer requires authentication against Active Directory or other supported Directory Services (optional)
- When the hosted Riva SSO Provider service will not support the customer's environment (as directed by Omni professional services)
To prepare for the deployment of the Riva On-Premise SSO Provider for Salesforce:
- Prepare a Windows server to host the SSO Provider server
- Prepare Salesforce for SSO
- Configure corporate firewalls to support SSO
- Schedule the installation appointment
Prepare a Windows server to host the Riva SSO Provider server
The Riva DA-SSO Provider server must be installed on a Windows server that meets the following system requirements:
- Windows Server 2003 / 2008 (32-bit or 64-bit)
- Memory: 500 MB (In addition to the OS RAM)
- Storage: 2 GB (In addition to the OS Storage)
- IIS / ASP.NET 2.0
- Public Internet-accessible HTTP/S Website (preferably accessible via HTTPS)
- For HTTPS / SSL: IIS Website with a valid Trusted SSL Certificate (Salesforce does not support self-signed SSL certificates): http://wiki.developerforce.com/index.php/Outbound_Messaging_SSL_CA_Certificates
- Salesforce.com Whitelist IP Address Range
Prepare Salesforce for SSO
These steps will enable the Delegated Authentication - Single Sign-On (DA-SSO) feature in a Salesforce organization. If a company uses multiple Salesforce organizations, these steps must be repeated for each organization.
To prepare and enable a Salesforce organization for DA-SSO:
- Activate the “Delegated Authentication Single Sign-On” (DA-SSO) feature.
- Configure a “Network Trust” for the On-Premise Riva SSO Provider server.
- Verify the Salesforce "System Administrator" permissions to support administering SSO-enabled target users.
- Create SSO-enabled user profile(s) for the Salesforce target users. Do not add target users at this time.
Configure corporate firewalls to support SSO
- Prepare corporate firewalls to support communications between the Riva On-Premise server (which hosts the Riva application, CRM Monitor, and CRM Agent service) and the Riva On-Premise SSO Provider server.
- Ensure that corporate firewalls safeguarding the Riva On-Premise SSO Provider server are configured with the applicable Salesforce.com Whitelist IP address range.
Salesforce.com Whitelist IP Address Range
To reduce the exposure of the single sign-on provider to the internet, consider whitelisting the specified ranges of IP addresses *OWNED* by Salesforce.com. These addresses are not leased or shared in any way with any other organizations.
Salesforce.com has an IP address block allocated directly to salesforce.com by the American Registry for Internet Numbers (ARIN).
If you utilize IP address security filters, whitelist salesforce.com's IP address space or otherwise add it to your list of trusted addresses to provide continuity of service.
The IP address spaces are as follows:
204.14.232.0/23 East Coast Data Center (set one)
204.14.237.0/24 East Coast Data Center (set two)
96.43.144.0/22 MidWest Data Centers
96.43.148.0/22 MidWest Data Centers
204.14.234.0/23 West Coast Data Center (set one)
204.14.238.0/23 West Coast Data Center (set two)
202.129.242.0/23 Singapore Data Center
182.50.76.0/22 Japan Data Center
To clarify, the "0/25" that you see in the ranges refers to an abbreviated form of Classless Inter-Domain Routing (CIDR) notation. In essence, this notation is a network number followed by a "/" and a number; the latter number indicates the number of 1s (starting at the leftmost bit, i.e. the MSB or most significant bit) in the subnet mask, i.e. the number of bits relevant to the network portion of the IP address. So "/25" means 25 bits constitute the subnet mask of 255.255.255.128, and 25 bits are reserved for the network address, which is identified by performing a bitwise "AND" on the full network number.
For example, 204.14.232.0/25 means 2 possible networks in the form of 204.14.232.0 and 204.14.232.128, each having a possible 126 hosts, i.e. a total of 252 hosts or IP addresses per specified range.
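The following added example (not Riva or Salesforce code) applies the mask and bitwise "AND" rule to the ranges listed on this page, then checks IIS W3C log lines for requests that reached the SSO provider from outside those ranges. The log lines are constructed, and the /RivaSSO/ path and Auth.asmx name are hypothetical placeholders for the real SSO provider URL.

```python
import ipaddress

# CIDR ranges exactly as listed on this page.
SALESFORCE_RANGES = [
    "204.14.232.0/23", "204.14.237.0/24", "96.43.144.0/22", "96.43.148.0/22",
    "204.14.234.0/23", "204.14.238.0/23", "202.129.242.0/23", "182.50.76.0/22",
]

def to_int(ip):
    return int(ipaddress.IPv4Address(ip))

def dotted(value):
    return str(ipaddress.IPv4Address(value))

def netmask(prefix_len):
    """Mask with prefix_len one-bits counted from the most significant bit."""
    return (0xFFFFFFFF << (32 - prefix_len)) & 0xFFFFFFFF

def span(cidr):
    """(mask, first address, last address) covered by one CIDR range."""
    net, prefix = cidr.split("/")
    mask = netmask(int(prefix))
    first = to_int(net) & mask
    return dotted(mask), dotted(first), dotted(first | (~mask & 0xFFFFFFFF))

def in_allowlist(ip, ranges=SALESFORCE_RANGES):
    """True when ip AND mask equals the network number of a listed range."""
    return any(to_int(ip) & to_int(span(c)[0]) == to_int(span(c)[1]) for c in ranges)

# Constructed IIS W3C log lines; the /RivaSSO/ path is hypothetical.
SAMPLE_LOG = """#Fields: date time c-ip cs-method cs-uri-stem sc-status
2012-03-01 10:00:01 204.14.233.17 POST /RivaSSO/Auth.asmx 200
2012-03-01 10:00:07 204.14.236.5 POST /RivaSSO/Auth.asmx 200
2012-03-01 10:01:12 96.43.151.200 POST /RivaSSO/Auth.asmx 200
2012-03-01 10:02:40 198.51.100.23 POST /RivaSSO/Auth.asmx 401
2012-03-01 10:03:02 198.51.100.23 GET /favicon.ico 404
"""

def unexpected_clients(log_text, path_prefix="/RivaSSO/"):
    """Requests to the SSO path whose client IP is outside the allowlist."""
    fields, hits = [], []
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#"):
            row = dict(zip(fields, line.split()))
            if row["cs-uri-stem"].startswith(path_prefix) and not in_allowlist(row["c-ip"]):
                hits.append((row["c-ip"], row["sc-status"]))
    return hits
```

A 200 response to an address outside the listed ranges, such as 204.14.236.5 in the sample, indicates the firewall filter is not in effect for that path. Because the Riva On-Premise server also communicates with the SSO Provider server, pass its address to `in_allowlist` as an extra /32 range when running this against real logs.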
Schedule the Server Installation Appointment
To schedule the installation of the Riva On-Premise SSO Provider server, contact the Riva Success Team.