Enable Salesforce Users For Single Sign-On (SSO)

WARNING: The Riva for Salesforce Single Sign-On connection strategy described in this article is not supported for new Riva On-Premise installations.

New Riva On-Premise installations include a new strategy to provide impersonation access into Salesforce: the Standard Impersonation Model. For instructions on implementing the Standard Impersonation Model, see Prepare Salesforce for Riva and Create and test a Salesforce connection.

For current Riva On-Premise installations that use Salesforce Single Sign-On, administrators are encouraged to upgrade their Riva for Salesforce connection setup to the Standard Impersonation Model. For assistance, contact the Riva Success Team.

The procedures in the following article have been deprecated. The information is being retained for clients who have not yet converted to the new Standard Impersonation Model.

 

The target Salesforce user accounts that will be enabled for Riva SSO must be granted a special SSO-related permission. This is done by enabling the required permission in the Salesforce user profiles and/or permission sets that the users will be assigned to. Once users are added to an SSO-enabled user profile or permission set, their Salesforce login will change to use their Exchange account password.

NOTE - The steps in this article apply to Salesforce.com Enterprise and Unlimited organizations only.  Salesforce.com Professional organizations do not provide the ability to create/assign user profiles.  All users (except system administrators) automatically become SSO-enabled as soon as the Delegated Authentication Gateway URL is set.

 

Because organizations may not want to enable all of their Salesforce users for SSO, the best practice is to "clone" existing user profiles and enable those cloned profiles for SSO, or create and enable permission sets for SSO.  This article discusses:

Requirements

Ensure that the following requirements are met before enabling Salesforce users for SSO:

Options for enabling SSO for Salesforce Users

Enabling SSO involves checking the "Is Single Sign-on Enabled" permission against a user profile or a permission set.  If a user is assigned to an SSO-enabled user profile or permission set, Salesforce will pass all authentication requests to the DA-SSO gateway URL.

Deciding which option to use depends on how Salesforce user accounts will be enabled for SSO:

  • Use a Permission Set:

    • when you need to enable Salesforce users on an individual one-by-one basis, or
    • if Riva needs to sync a Salesforce user that is assigned to the System Administrator user profile.
  • Use a User Profile when you need to bulk enable a group of users.
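
Because the permission can reach a user through either option, it helps to audit who is SSO-enabled and by which grant before and after making assignments. The following is an added example, not Riva or Salesforce code: it assumes the permission's API field name is `PermissionsIsSsoEnabled` (confirm it in your org), and the sample rows are constructed in the nested shape a query API returns.

```python
# Added example: audit of SSO-enabled users. Field names are assumptions to
# confirm against your org; the rows below are constructed sample data.
# Profile-owned permission sets appear in PermissionSetAssignment too, so one
# query covers both the profile option and the permission set option.
SSO_AUDIT_SOQL = """
SELECT Assignee.Username, Assignee.IsActive,
       PermissionSet.Label, PermissionSet.IsOwnedByProfile,
       PermissionSet.Profile.Name
FROM PermissionSetAssignment
WHERE PermissionSet.PermissionsIsSsoEnabled = true
"""

def sso_grants(rows):
    """Map each active username to the sorted grants that enable SSO for it."""
    grants = {}
    for row in rows:
        user, pset = row["Assignee"], row["PermissionSet"]
        if not user["IsActive"]:
            continue  # inactive users cannot log in, so skip them
        if pset["IsOwnedByProfile"]:
            source = "profile: " + pset["Profile"]["Name"]
        else:
            source = "permission set: " + pset["Label"]
        grants.setdefault(user["Username"], []).append(source)
    return {name: sorted(srcs) for name, srcs in grants.items()}

def multiply_enabled(grants):
    """Users enabled by more than one grant; removing one leaves SSO on."""
    return sorted(name for name, srcs in grants.items() if len(srcs) > 1)

def _row(username, active, label, owned_by_profile, profile_name=None):
    """Build one constructed result row (Profile is null unless profile-owned)."""
    profile = {"Name": profile_name} if owned_by_profile else None
    return {"Assignee": {"Username": username, "IsActive": active},
            "PermissionSet": {"Label": label,
                              "IsOwnedByProfile": owned_by_profile,
                              "Profile": profile}}

SAMPLE_ROWS = [  # constructed data, not from a real org
    _row("alice@example.com", True, "profile-owned", True, "Sales User - SSO"),
    _row("alice@example.com", True, "Riva SSO", False),
    _row("bob@example.com", True, "Riva SSO", False),
    _row("carol@example.com", False, "Riva SSO", False),
]

if __name__ == "__main__":
    found = sso_grants(SAMPLE_ROWS)
    for name, sources in found.items():
        print(name, "->", ", ".join(sources))
    print("still SSO after one removal:", multiply_enabled(found))
```

Permissions from profiles and permission sets are additive, so a user listed by `multiply_enabled` stays on SSO until every listed grant is removed.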

How to create and configure a Permission Set

To create and configure a permission set for SSO:

  1. Log in to the Salesforce.com organization using an admin account.

  2. Select Setup > Administration Setup > Manage Users > Permission Sets.

  3. Select New.

  4. Complete the online form.  Ensure that you select the same license type that will be assigned to the users. Save the permission set.


  5. In the Permission Sets list, select the name of the permission set to edit it.

  6. On the Permission Set Overview page, scroll down, and select System Permissions.

  7. In the System Permissions section, select Edit.

  8. Check the Is Single Sign-On Enabled permission check box, and select Save.


Assign Users to a Permission Set

To assign Salesforce users to a permission set:

  • Do one of the following:
    • On the Permission Set Overview page, select Assigned Users, or

    • On the user's page, under Manage Users, select Edit Assignments.


 

IMPORTANT NOTE - Do not assign target Salesforce users to an SSO-enabled permission set UNTIL you are ready to switch the user's authentication method to Single Sign-On. Once a Salesforce user is enabled for SSO, the user's login to Salesforce will change to use the AD/Exchange password. The Salesforce password-changing features will become disabled for that user.

 

How to Clone a User Profile

As a best practice, we recommend creating a clone of existing user profiles for SSO-enabled users:

To clone a user profile:

  1. Log in to the Salesforce.com organization using an admin account.

  2. Select Setup > Administration Setup > Manage Users > Profiles.

  3. Select New.

  4. On the Existing Profile drop-down list, select the desired source user profile.

  5. Provide a profile name that clearly indicates it is for SSO-enabled users.

  6. Select Save, and read the confirmation page that appears.

How to enable a User Profile for SSO

To enable a user profile for SSO:

  1. Select Setup > Administration Setup > Manage Users > Profiles.

  2. Beside the desired profile, select Edit.

  3. Scroll down to General User Permissions, and check the Is Single Sign-on Enabled permission check box.


  4. Save the user profile.

Assign users to an SSO-enabled User Profile

WARNING - Do not assign target Salesforce users to SSO-enabled user profiles UNTIL you are ready to switch the target user's authentication method to Single Sign-On. Once a Salesforce user is enabled for SSO, the user's login to Salesforce will change to use the AD/Exchange password. The Salesforce password-changing features will become disabled for that user.

 

You can assign Salesforce users to a user profile from the Profile Detail page or from a user's page under Manage Users. For more information, see the following procedures.

To assign users on the Profile Detail page to an SSO-enabled user profile:

  1. On the Profile Detail page for the desired profile, select View Users.


  2. In the user list, select New User or Add Multiple Users.


To assign a user from the user's page to an SSO-enabled user profile:

  1. On the user's page under Manage Users, select Edit.

  2. On the Profile drop-down list, select an SSO-enabled profile.

