Salesforce

Before You Begin

Introduction

This document describes how to configure Oracle Identity Cloud Service to provide Single Sign-On (SSO) and user provisioning for Salesforce.

About Salesforce

Salesforce provides remote conferencing services using cloud computing. Salesforce offers both meeting and webinar software, combines video conferencing, online meetings, and mobile collaboration.

After integrating Salesforce with Oracle Identity Cloud Service:

Users can access Salesforce using their Oracle Identity Cloud Service login credentials.
Users can launch Salesforce using the Oracle Identity Cloud Service My Apps console.
Admins can assign and revoke user access to the Salesforce app using the Oracle Identity Cloud Service administration console.

What Do You Need?

An Oracle Identity Cloud Service account with authorization rights to manage apps and users (Identity Domain Administrator or Application Administrator).
A pre-provisioning SSO enabled Salesforce account with authorization rights to configure federated authentication and user provisioning. Contact the Salesforce support team to enable the pre-provisioning SSO.
Ensure that the user name of each user account to be provisioned in Salesforce from Oracle Identity Cloud Service is in the email format.
Make sure that the User Name of each user in Salesforce matches the User Name of the Oracle Identity Cloud Service account.
Identity Provider metadata. You can use the following URL to access the metadata: https://<IDCS-Service-Instance>.identity.oraclecloud.com/fed/v1/metadata and save the metadata as a .xml file.

Configuring Domain and SSO for Salesforce

Use this section to set up the domain and configure SSO for Salesforce.

Setting Up the Domain in Salesforce

Access Salesforce as an administrator using the URL: https://login.salesforce.com. The Home page appears.
In the left navigation menu, locate the SETTINGS section, and then expand Company Settings. Locate and click My Domain. The My Domain page displays the My Domain Step 1 section.
In the Choose Your Domain Name section, enter your domain name in the text box, and then click Check Availability.
If the domain name is available, click Register Domain. Salesforce takes few minutes to register domain and sends an email once the domain is registered. The My Domain Step 2 section appears.
After registering domain successfully, Salesforce takes few minutes and sends an email once the domain is ready for testing. The My Domain Step 3 section appears.
Locate and click Log in. The Register Your Mobile Phone page appears in another tab.
Select your Country from the drop-down list.
Enter your Mobile Phone Number, and then click Register. The Enter Verification Code page appears.
Enter the Verification Code that has been sent to your registered mobile number, and then click Verify. The My Domain page displays the My Domain Step 3 section.
Locate and click Deploy to Users. On the pop-up window, click OK. The My Domain Step 4 section appears.
Locate the My Domain Settings Section, and then make note of the domain name next to the Your domain name is field.

Tip: Use the domain name during Service Provider initiated SSO from Salesforce and Salesforce registration in the Oracle Identity Cloud Service. See the "Registering and Activating the Salesforce App" section.

Configuring SSO for Salesforce

In the left navigation menu, locate the SETTINGS section, and then expand Identity. Locate and click Single Sign-On Settings. The Single Sign-On Settings page appears.
In the Single Sign-On Settings section, click Edit.
In the Federated Single Sign-On Using SAML section, select the SAML Enabled check box, and then click Save.
In the SAML Single Sign-On Settings section, click New from Metadata File. The SAML Single Sign-On Settings section appears.
Upload the identity provider metadata that you obtained earlier in the "What Do You Need?" section.
Click Create. The SAML Single Sign-On Settings section displays the required information that is obtained from the identity provider metadata.

Note: Make sure that all the information is filled in the required fields.
Locate and clear the Single Logout Enabled checkbox, and then click Save. The SAML Single Sign-On Settings section displays the configured information.

Note: Make note of the Name value. This value is displayed as the label for the button used to initiate service provider SSO.
Under the Endpoints section, Click Download Metadata to download the service provider metadata.

Note: Use this file later to obtain the service provider certificate in the "Obtaining the Service Provider Signing Certificate in .pem Format" section.
In the left navigation menu, locate the SETTINGS section, and then expand Company Settings.
Locate and click My Domain. The My Domain page appears.
Locate the Authentication Configuration section, click Edit. The Authentication Configuration page appears.
Select your SSO provider name from the list of Authentication Service check box and then click Save.

Note: The selected SSO provider name is displayed on the button used to initiate SSO from the service provider login screen.

Obtaining Client ID and Client Secret

A dedicated Client ID and Client Secret are required before you can enable provisioning for Salesforce in Oracle Identity Cloud Service.

In the left navigation menu, locate the PLATFORM TOOLS section, expand Apps, and then click App Manager. The Lightning Experience App Manager page appears.
In the upper-right corner, click New Connected App. The App Manager page appears.
Under the Basic Information section, fill in the required information.

Under the API (Enable OAuth Settings) section, use the table to update the federated authentication attributes, and then click Save. The New Connected App section appears.

Attribute	Value
Enable OAuth Settings	Select the check box.
Enable for Device Flow	Select the check box.
Selected OAuth Scopes	Select required options from the Available OAuth Scopes drop-down list, and then click the button under Add. The added scopes are listed under the Selected OAuth Scopes field.

Click Continue. The Manage Connected Apps page appears.
Under the API (Enable OAuth Settings) section, make note of the Consumer Key value.
Click Click to reveal next to Consumer Secret, and then make note of the Consumer Secret value.

Note: While enabling user provisioning for the Salesforce app in Oracle Identity Cloud Service, use this Consumer Key and Consumer Secret values as Client ID and Client Secret values respectively. See the "Enabling Provisioning" section.

Obtaining Security Token

A security token is required before you can enable provisioning for Salesforce in Oracle Identity Cloud Service.

In the upper-right corner of the Salesforce home page, click the user icon, and then click Settings from the drop-down list. The Personal Information page appears.
In the left navigation menu, expand My Personal Information, and then click Reset My Security Token. The Reset My Security Token page appears.
Click Reset Security Token under the Reset Security Token section.

Note: A security token is sent to the Salesforce administrator's email address. Make note of this security token and append it later to the administrator's password while enabling user provisioning for the Salesforce app in Oracle Identity Cloud Service. See the "Enabling Provisioning" section.

Obtaining the Service Provider Signing Certificate in .pem Format

Use this section to obtain the service provider certificate from the Salesforce metadata.

Use the service provider metadata that you downloaded while performing the steps in the "Configuring SSO for Salesforce" section.
In the metadata file, locate the ds:X509Certificate tags.
Copy the content between the ds:X509Certificate tags into text file.
Add -----BEGIN CERTIFICATE----- at the beginning of the content.
Add -----END CERTIFICATE----- at the end of the content.
Save the text file in .pem format. This is the service provider signing certificate.

Tip: Use this service provider certificate later while registering and activating the Salesforce app in Oracle Identity Cloud Service. See the "Registering and Activating the Salesforce App" section.

Configuring Salesforce in Oracle Identity Cloud Service

Use this section to register and activate Salesforce, and to enable provisioning and synchronization for Salesforce.

Registering and Activating the Salesforce App

Access the Oracle Identity Cloud Service administration console, select Applications, and then click Add.
Click App Catalog.
Search for Salesforce, and then click Add.
In the App Details section, select the corresponding Visible check boxes of the applications that can be accessed with single sign-on.
Enter your Salesforce Domain Name, and then click Next.

Note: This is the domain name that you obtained while performing the steps in the "Setting Up the Domain in Salesforce" section.
In the SSO Configuration section, upload the signing certificate of the service provider.

Note: This is the service provider signing certificate that you obtained by performing the steps in the "Obtaining the Service Provider Signing Certificate in .pem Format" section.
Click Next to enable provisioning and synchronization for Salesforce. Oracle Identity Cloud Service displays the Provisioning page.

Enabling Provisioning and Synchronization for Salesforce

Use this section to enable provisioning and synchronization for managing user accounts in Salesforce through Oracle Identity Cloud Service.

Enabling Provisioning

On the Provisioning page, select Enable Provisioning.

Under Configure Connectivity, use the following table to update the parameters that Oracle Identity Cloud Service requires to connect to Salesforce.

Attribute	Value
Client ID	Enter the Consumer Key value that you obtained while performing the steps in the "Obtaining Client ID and Client Secret" section.
Client Secret	Enter the Consumer Secret value that you obtained while performing the steps in the "Obtaining Client ID and Client Secret" section.
Username	Enter the Salesforce administrator's user name.
Password	Enter the Salesforce administrator's password, and then append the security token that you obtained while performing the steps in the "Obtaining Security Token".

Click Test Connectivity. A success message is displayed stating that the connection is successful.
To view predefined attribute mappings between the user account fields defined in Salesforce and the corresponding fields defined in Oracle Identity Cloud Service, click Attribute Mapping, and then click OK.

Note: To add a new attribute for provisioning, click Add Row, specify the attributes in the User and Salesforce Account columns, and then click OK. For example, if you want to add the External ID field, enter $(user.externalId) in the User column, and then select the corresponding field from the drop-down list in the Salesforce Account column.
Specify the provisioning operations that you want to enable for Salesforce:

Note: By default, the Create Account, Update Account, De-activate Account, and Delete Account check boxes are selected.

Create Account: Automatically creates a Salesforce account when Salesforce access is granted to the corresponding user in Oracle Identity Cloud Service.

Note: When a user account is created in Salesforce, then the user cannot be created again with the same user name in Salesforce.

Update Account: Automatically updates a Salesforce account when the corresponding user account is edited in Oracle Identity Cloud Service.

De-activate Account: Automatically deactivates or activates a Salesforce account when Salesforce access is deactivated or activated for the corresponding user in Oracle Identity Cloud Service.

Delete Account: Automatically removes an account from Salesforce when Salesforce access is revoked from the corresponding user in Oracle Identity Cloud Service.

Note: When a user assigned to Salesforce is revoked under the Users tab of Oracle Identity Cloud Service, the user will be deactivated in Salesforce. To re-assign the user, import and manually confirm under Salesforce app in Oracle Identity Cloud Service and then activate the user under the Users tab in Oracle Identity Cloud Service.

Enabling Synchronization

On the Provisioning page, select Enable Synchronization.
From the User Identifier drop-down list, select the Oracle Identity Cloud Service user attribute that you want to match with the corresponding record fetched from Salesforce:

Note: By default, the User Name option is selected from the drop-down list. It is recommended to leave this default attribute for accurate synchronization of user records.

Primary Email Address: Primary email address of the Oracle Identity Cloud Service user.

User Name: User name of the Oracle Identity Cloud Service user.
To match a Salesforce account attribute with the existing Oracle Identity Cloud Service user, select an attribute from the Application Identifier drop-down list.

Note: By default, the name option is selected that represents the user name attribute of the Salesforce account. It is recommended not to change this default option.
From the When exact match is found drop-down list, select one of the following actions to be performed when a matching Oracle Identity Cloud Service user is found for an account:

Link and confirm: Automatically links and confirms the matched account to the corresponding Oracle Identity Cloud Service users based on the defined User Identifier and Application Identifier fields.

Link but do not confirm: Automatically links all the matched accounts to the corresponding Oracle Identity Cloud Service users based on the defined User Identifier and Application Identifier fields. You need to manually confirm the linked accounts.
In the Max. number of creates field, enter a number that is greater than or equal to 10. This value limits the number of accounts to be created during the synchronization run.
In the Max. number of deletes field, enter a number that is greater than or equal to 10. This value limits the number of accounts to be deleted during the synchronization run.

After enabling provisioning and synchronization for Salesforce, you can synchronize the existing account details from Salesforce and link them to the corresponding Oracle Identity Cloud Service users. For more information on performing synchronization tasks, see the Importing User Accounts from a Software as a Service Application section in Administering Oracle Identity Cloud Service.

You can also manage Salesforce accounts through Oracle Identity Cloud Service. For more information on performing provisioning tasks, see the Managing Oracle Identity Cloud Service Users and Managing Oracle Identity Cloud Service Groups sections in Administering Oracle Identity Cloud Service.
Click Finish, and Activate, and then click Activate Application. Oracle Identity Cloud Service displays a confirmation message.

Verifying the Integration

Use this section to verify that SSO works when initiated from Oracle Identity Cloud Service (IdP initiated SSO) and Salesforce (SP initiated SSO).

Verifying Identity Provider Initiated SSO from Oracle Identity Cloud Service

Access the Oracle Identity Cloud Services My Profile console using the URL: https://<IDCS-Service-Instance>.identity.oraclecloud.com/ui/v1/myconsole.
Log in using credentials for a user that is assigned to the Salesforce app. Oracle Identity Cloud Service displays shortcuts to the selected Salesforce apps (Salesforce, Salesforce Application, Salesforce Chatter, Salesforce Work.com) under My Apps.
Click any of the Salesforce apps, and the respective home page of the selected app appears.
To confirm the user that is logged in is the same for both salesforce and Oracle Identity Cloud Service
- For Salesforce or Salesforce Chatter or Salesforce Work.com, in the upper-right corner, hover over and click the View profile icon.
- For Salesforce Application, see the upper-right corner of the Salesforce home page.
Note: When the user accesses Salesforce Work.com for the first time, the WELCOME TO LIGHTNING EXPERIENCE pop-up window appears. Close the pop-up window.

This confirms that SSO that is initiated from Oracle Identity Cloud Service works.

Verifying Service Provider Initiated SSO from Salesforce

Use the URLs in the table to access the Salesforce apps. The log in page appears.

Application names	URL
Salesforce	`https://<Domain_Name>.my.salesforce.com`
Salesforce Application	`https://<Domain_Name>.my.salesforce.com/home/home.jsp`
Salesforce Chatter	`https://<Domain_Name>.my.salesforce.com/_ui/core/chatter/ui/ChatterPage`
Salesforce Work.com	`https://<Domain_Name>.my.salesforce.com/_ui/core/userprofile/UserProfilePage`

Note: This is the domain name that you obtained while performing the steps in the "Setting Up the Domain in Salesforce" section.

Under Or log in using:, click your SSO provider name. You are redirected to the Oracle Identity Cloud Service login page.
Log in using credentials for a user that is assigned to the Salesforce app.
To confirm that the user that is logged in is the same for both salesforce and Oracle Identity Cloud Service perform the following:
- Salesforce or Salesforce Chatter or Salesforce Work.com - In the upper-right corner, hover over and click the View profile icon.
- Salesforce Application - see the upper-right corner of the Salesforce home page.
Note: When the user accesses Salesforce Work.com for the first time, the WELCOME TO LIGHTNING EXPERIENCE pop-up window appears. Close the pop-up window.

This confirms that SSO that is initiated from Salesforce works.

Troubleshooting

Use this section to locate solutions to common integration issues.

Known Issues

Salesforce displays the message, "Single Sign-On Error"

Cause 1: The user account assigned to Salesforce is deactivated in Salesforce under the Salesforce Users tab, and the user attempts to initiate single sign-on.

Solution 1: Ensure that the user account is activated under the Users page in the Salesforce application.

Cause 2: The user name attribute sent by Oracle Identity Cloud Service during SSO doesn't match any existing user in Salesforce.

Solution 2: Ensure that the user that you assign to the Salesforce app has an account in both Oracle Identity Cloud Service and Salesforce with the same user name.

Cause 3: The user account assigned to Salesforce is in Freeze status under the Salesforce Users page, and the user attempts to initiate single sign-on.

Solution 3: Ensure that the user account is in the Unfreeze status under the Users page in the Salesforce application.

Oracle Identity Cloud Service displays the message, "You are not authorized to access the app. Contact your system administrator."

Cause 1: The SAML 2.0 integration and user provisioning between the Oracle Identity Cloud Service Salesforce app and Salesforce is deactivated.

Solution 1:

Access the Oracle Identity Cloud Service administration console, select Applications, and then select Salesforce.
In the App Details section, click Activate, and then click Activate Application. Oracle Identity Cloud Service displays a confirmation message.

Cause 2: The administrator revokes access for the user at the same time that the user tries to access the Salesforce app using Oracle Identity Cloud Service.

Solution 2:

Access the Oracle Identity Cloud Service administration console, select Applications, and then select Salesforce.
Under the Import tab, click Import, and then click Confirm next to the required user. For more information, see the Enabling Provisioning section.

Cause 3: The user account assigned to Salesforce is deactivated in Oracle Identity Cloud Service under the Salesforce application's Users tab, and the user attempts to initiate single sign-on from Salesforce.

Solution 3:

Ensure that the user account is activated under the Users tab of the Salesforce application in Oracle Identity Cloud Service.

Unknown Issues

For unknown issues, contact Oracle Support:

Go to https://support.oracle.com.
Select Cloud Support, and then sign in with your support credentials.
In the Cloud Dashboard, confirm that there are no planned outages in Oracle Identity Cloud Service, and then click Create Service Request.
Select Oracle Identity Cloud Service as the service type.
Complete your service request.