New Riva On-Premise installations include a new strategy to provide impersonation access into Salesforce: the Standard Impersonation Model. For instructions on implementing the Standard Impersonation Model, see Prepare Salesforce for Riva and Create and test a Salesforce connection.
For current Riva On-Premise installations that use Salesforce Single Sign-On, administrators are encouraged to upgrade their Riva for Salesforce connection setup to the Standard Impersonation Model. For assistance, contact the Riva Success Team.
The procedures in the following article have been deprecated. The information is being retained for clients who have not yet converted to the new Standard Impersonation Model.
The target Salesforce user accounts that will be enabled for Riva SSO must be granted a special SSO-related permission. This is done by enabling the required permission in the Salesforce user profiles and/or permission sets that the users will be assigned to. Once users are added to an SSO-enabled user profile or permission set, their Salesforce login will change to use their Exchange account password.
Because organizations may not want to enable all of their Salesforce users for SSO, the best practice is to "clone" existing user profiles and enable those cloned profiles for SSO, or create and enable permission sets for SSO. This article discusses:
- Requirements
- Options for enabling SSO for users
- How to create and configure a permission set
- Assign Users to an SSO-enabled permission set
- How to clone a user profile
- Enable the user profile for SSO
- Assign users to an SSO-enabled user profile
Requirements
Ensure that the following requirements are met before enabling Salesforce users for SSO:
- The DA-SSO feature has been activated in the target Salesforce organization.
- Salesforce Network Trust has been configured for the hosted SSO Provider service - for Hosted SSO Provider setup only.
- Salesforce Network Trust has been configured for the Riva server.
- The Generated SSO URL has been activated in the hosted Riva SSO Provider service - for Hosted SSO Provider setup only.
Options for enabling SSO for Salesforce Users
Enabling SSO involves checking the "Is Single Sign-on Enabled" permission against a user profile or a permission set. If a user is assigned to an SSO-enabled user profile or permission set, Salesforce will pass all authentication requests to the DA-SSO gateway URL.
Deciding which option to use depends on how Salesforce user accounts will be enabled for SSO:
- Use a Permission Set:
  - when you need to enable Salesforce users on an individual one-by-one basis, or
  - if Riva needs to sync a Salesforce user that is assigned to the System Administrator user profile.
- Use a User Profile when you need to bulk enable a group of users:
  - you can enable an existing user profile for SSO, or
  - you can clone an existing profile, enable the cloned user profile for SSO, and move users into the cloned SSO-enabled user profile when you need to enable their Salesforce accounts for SSO.
How to create and configure a Permission Set
To create and configure a permission set for SSO:
- Log in to the Salesforce.com organization using an admin account.
- Select Setup > Administration Setup > Manage Users > Permission Sets.
- Select New.
- Complete the online form. Ensure that you select the same license type that will be assigned to the users. Save the permission set.
- In the Permission Sets list, select the name of the permission set to edit it.
- On the Permission Set Overview page, scroll down, and select System Permissions.
- In the System Permissions section, select Edit.
- Check the Is Single Sign-On Enabled permission check box, and select Save.
Assign Users to a Permission Set
To assign Salesforce users to a permission set:
- Do one of the following:
  - On the Permission Set Overview page, select Assigned Users, or
  - On the user's page, under Manage Users, select Edit Assignments.
How to Clone a User Profile
As a best practice, we recommend creating a clone of existing user profiles for SSO-enabled users.
To clone a user profile:
- Log in to the Salesforce.com organization using an admin account.
- Select Setup > Administration Setup > Manage Users > Profiles.
- Select New.
- On the Existing Profile drop-down list, select the desired source user profile.
- Provide a profile name that clearly indicates it is for SSO-enabled users.
- Select Save, and read the confirmation page that appears.
How to enable a User Profile for SSO
To enable a user profile for SSO:
- Select Setup > Administration Setup > Manage Users > Profiles.
- Beside the desired profile, select Edit.
- Scroll down to General User Permissions, and check the Is Single Sign-on Enabled permission check box.
- Save the user profile.
Assign users to an SSO-enabled User Profile
You can assign Salesforce users to a user profile from the Profile Detail page or from a user's page under Manage Users. For more information, see the following procedures.
To assign users on the Profile Detail page to an SSO-enabled user profile:
- On the Profile Detail page for the desired profile, select View Users.
- In the user list, select New User or Add Multiple Users.
To assign a user from the user's page to an SSO-enabled user profile:
- On the user's page under Manage Users, select Edit.
- On the Profile drop-down list, select an SSO-enabled profile.
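Because the permission can reach a user through either a profile or a permission set, it is worth confirming after these procedures that only the intended accounts ended up SSO-enabled. The following is an added example, not part of the original Riva article: it holds a SOQL query that uses the Salesforce API field `PermissionsIsSsoEnabled` for the "Is Single Sign-On Enabled" permission, and processes the result rows offline. The sample rows, user names, profile name "Sales User - SSO", permission set name "Riva_SSO" and the approved list are constructed for illustration.

```python
from collections import defaultdict

# SOQL to run in the org. Each profile is backed by a profile-owned permission
# set, so one query over PermissionSetAssignment covers both grant paths.
AUDIT_SOQL = (
    "SELECT Assignee.Username, Assignee.Profile.Name, "
    "PermissionSet.Name, PermissionSet.IsOwnedByProfile "
    "FROM PermissionSetAssignment "
    "WHERE PermissionSet.PermissionsIsSsoEnabled = true "
    "AND Assignee.IsActive = true"
)

def _row(user, profile, pset, owned):
    return {"Assignee": {"Username": user, "Profile": {"Name": profile}},
            "PermissionSet": {"Name": pset, "IsOwnedByProfile": owned}}

# Constructed sample rows shaped like the query result; all names are made up.
SAMPLE_ROWS = [
    _row("amy@example.com", "Sales User - SSO", "X00e_constructed", True),
    _row("bob@example.com", "System Administrator", "Riva_SSO", False),
    _row("cat@example.com", "Sales User - SSO", "X00e_constructed", True),
    _row("cat@example.com", "Sales User - SSO", "Riva_SSO", False),
]

def sso_grants(rows):
    """Map each SSO-enabled username to the sources that grant the permission."""
    grants = defaultdict(set)
    for row in rows:
        pset = row["PermissionSet"]
        if pset["IsOwnedByProfile"]:
            source = "profile:" + row["Assignee"]["Profile"]["Name"]
        else:
            source = "permset:" + pset["Name"]
        grants[row["Assignee"]["Username"]].add(source)
    return {user: sorted(src) for user, src in grants.items()}

def audit(rows, approved):
    """Compare who is SSO-enabled against the set of users meant to be."""
    grants = sso_grants(rows)
    admins = {r["Assignee"]["Username"] for r in rows
              if r["Assignee"]["Profile"]["Name"] == "System Administrator"}
    return {
        "unexpected": sorted(set(grants) - approved),    # enabled, not approved
        "not_enabled": sorted(approved - set(grants)),   # approved, not enabled
        "admins_enabled": sorted(admins),                # review individually
    }

if __name__ == "__main__":
    print(audit(SAMPLE_ROWS, {"amy@example.com", "bob@example.com", "dan@example.com"}))
```

A user listed with both a `profile:` and a `permset:` source stays SSO-enabled until both grants are removed.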