Prepare For The Riva On-Premise SSO Provider For Salesforce

  • Updated
WARNING: The Riva for Salesforce Single Sign-On connection strategy described in this article is not supported for new Riva On-Premise installations.

New Riva On-Premise installations include a new strategy to provide impersonation access into Salesforce: the Standard Impersonation Model. For instructions on implementing the Standard Impersonation Model, see Prepare Salesforce for Riva and Create and test a Salesforce connection.

For current Riva On-Premise installations that use Salesforce Single Sign-On, administrators are encouraged to upgrade their Riva for Salesforce connection setup to the Standard Impersonation Model. For assistance, contact the Riva Success Team.

The procedures in the following article have been deprecated. The information is being retained for clients who have not yet converted to the new Standard Impersonation Model.


In order for the synchronization engine to fully comply with user data, profile, role, and territory security, the Riva Delegated Authentication - Single Sign-on for Salesforce (Riva DA-SSO) must be configured. This additional service allows to "Impersonate" multiple users from a single account and check the validity of user credentials against a server in your environment that confirms login and password information. After configuring Riva DA-SSO for Salesforce, the Riva server will be able to "impersonate" each user's Salesforce account without needing to know each user's password.

Riva provides an On-Premise SSO Provider server for Salesforce that is installed on a public-facing IIS server in the customer's environment. The On-Premise SSO Provider server is required/recommended for:

  • When target email accounts are hosted on Exchange 2003 systems (required to support SSO)
  • When target email accounts are hosted on GroupWise systems (required to support SSO)
  • When a customer requires authentication against Active Directory or other supported Directory Services (optional)
  • When the hosted Riva SSO Provider service will not support the customer's environment (as directed by Omni professional services).

To prepare for the deployment of the Riva On-Premise SSO Provider for Salesforce:

Prepare a Windows server to host the Riva SSO Provider server

The Riva DA-SSO Provider server must be installed on a Windows server that meets the following system requirements:

Prepare Salesforce for SSO

These steps will enable the Delegated Authentication - Single Sign-On (DA-SSO) feature in a Salesforce organization.  If a company uses multiple Salesforce organizations, these steps must be repeated for each organization.

To prepare and enable a Salesforce organization for DA-SSO:

  1. Activate the “Delegated Authentication Single Sign-On” (DA-SSO) feature.

  2. Configure a “Network Trust” for the On-Premise Riva SSO Provider server.

  3. Configure a "Network Trust" for the Riva server.

  4. Verify the Salesforce "System Administrator" permissions to support administering SSO-enabled target users.

  5. Create SSO-enabled user profile(s) for the Salesforce target users.  Do not add target users at this time.

Configure corporate firewalls to support SSO

  • Prepare corporate firewalls to support communications between the Riva On-Premise server (which hosts the Riva application, CRM Monitor, and CRM Agent service) and the Riva On-Premise SSO Provider server.

  • Ensure that corporate firewalls safeguarding the Riva On-Premise SSO Provider server are configured with the applicable Whitelist IP address range. Whitelist IP Address Range

To reduce the exposure of the single sign-on provider to the internet, consider whitelisting the specified ranges of IP addresses *OWNED* by It is not leased or shared in any way with any other organizations. has an IP address block allocated directly to by the American Registry for Internet Numbers (ARIN).

To provide continuity of service if you utilize IP address security filters, whitelist, or otherwise add's IP address space to your list of trusted addresses.

The IP address spaces are as follows: East Coast Data Center (set one) East Coast Data Center (set two)  MidWest Data Centers  MidWest Data Centers West Coast Data Center (set one) West Coast Data Center (set two) Singapore Data Center  Japan Data Center

To clarify, the "0/25" that you see in the ranges refers to an abbreviated form of Classless Inter-domain routing (CIDR) notation. In essence, this notation is a network number followed by a "/" and a number , the latter number indicates the number of 1's (starting a the leftmost bit i.e MSB - most significant bit) in the subnet mask i.e the number of bits relevant to a network portion of the IP address. So "/25" means 25 bits constitute the subnet mask of, and really 25 bits are reserved for the network address which is identified by performing bitwise "AND" to the full network number.

For example, means 2 possible networks in the form of and each having possible 126 hosts i.e. total of 252 hosts or IP addresses per specified range.

Schedule the Server Installation Appointment

To schedule the installation of the Riva On-Premise SSO Provider server, contact the Riva Success Team.

Was this article helpful?




Article is closed for comments.