Integrating Salesforce with VMware Identity Manager: VMware Workspace ONE Operational Tutorial

Overview

Introduction

VMware provides this operational tutorial to help you with your VMware Workspace ONE® environment. In this tutorial, you configure VMware Identity Manager as a third-party identity provider in Salesforce to enable single sign-on (SSO) access to Salesforce. Then, you add Salesforce as a SAML application in VMware Identity Manager to be launched from the Workspace ONE app catalog.

Audience

This operational tutorial is intended for IT professionals and Workspace ONE administrators of existing production environments. Familiarity with networking and storage in a virtual environment is assumed, including Active Directory, identity management, and directory services. Knowledge of additional technologies such as VMware Identity Manager™ and VMware Workspace ONE® UEM is also helpful.

Integrating Salesforce with VMware Identity Manager

Introduction

This tutorial helps you to integrate Salesforce with VMware Identity Manager to enable single sign-on access to Salesforce. Procedures include:

  • Creating a Salesforce Developer environment
  • Configuring SAML SSO settings in Salesforce
  • Adding Salesforce to the Workspace ONE app catalog and configuring Salesforce SSO settings in the VMware Identity Manager console
  • Providing users with SSO access to Salesforce

The steps are sequential and build upon one another, so make sure that you complete each step before going to the next step.

Prerequisites

Before you can perform the procedures in this tutorial, you must satisfy the following requirements. For more information, see the VMware Identity Manager Documentation.

Check whether you have the following components installed and configured:

  • VMware Identity Manager tenant with administrator access
  • Salesforce environment – you can use an existing environment or follow steps in this tutorial to create a new Salesforce development environment

Configuring the Salesforce Developer Environment

In this activity, create a Salesforce developer account and configure the Salesforce domain.

If you have an existing Salesforce environment and want to use that for the exercises, skip to the next chapter: Configuring SSO Settings in Salesforce.

1. Create Salesforce Developer Account

  1. To create a Salesforce developer account, navigate to https://developer.salesforce.com/signup.
  2. Enter the required information and click Sign me up. After you create the account, you will receive an email to verify the email account and set your Salesforce password.
  3. When the account has been created successfully, you are logged in to the Salesforce console.

3. Deploy the Domain

Perform the following steps to make the domain publicly available.

  1. Refresh your screen until you see confirmation that your Domain is Ready for Testing, which means the domain name is registered (for example, vmwareeuc-dev-ed.my.salesforce.com).
  2. Click Log in.
  3. Click Deploy to Users.

4. Confirm the Domain is Deployed

Confirm that the domain has been deployed. You have completed the first configuration step in your Salesforce development environment.

Logging In to the VMware Identity Manager Console

To perform most of the steps in this exercise, you must first log in to the VMware Identity Manager console.

1. Launch Google Chrome (If Needed)

If Google Chrome is not already open, launch Google Chrome by double-clicking the icon from the desktop.

2. Open a New Browser Tab

Click the Tab space to open a new tab.

4. Log In to Your VMware Identity Manager Tenant

  1. Enter the Username, for example, Administrator.
  2. Enter the Password, for example, VMware1!.
  3. Click Sign In.

Downloading the VMware Identity Manager SAML Metadata

In this activity, you retrieve the SAML metadata and SAML signing certificate associated with VMware Identity Manager. Salesforce requires both of these SAML components for the SSO configuration and to set up VMware Identity Manager as its identity provider (IdP).

The SAML metadata describes the capabilities and requirements of the VMware Identity Manager, and resides as an XML file on the VMware Identity Manager tenant.

1. Navigate to Settings

In the VMware Identity Manager administration console:

  1. Click Catalog.
  2. Click Settings.


2. Download the Identity Provider (IdP) SAML Metadata

  1. Click SAML Metadata.
  2. Right-click Identity Provider (IdP) metadata and save locally as vidm-idp.xml.

Configuring SSO in Salesforce

In this activity, you configure Salesforce for SSO by defining VMware Identity Manager as the SAML identity provider for the application. Then, you download the SAML metadata for the Salesforce SSO configuration. You will use the file in a later activity to configure the Salesforce app in VMware Identity Manager.

If SAML is already enabled in your environment, skip to the next exercise.

1. Navigate to Single Sign-On Settings

In the Salesforce environment:

  1. Enter Single Sign-On in the search text box.
  2. Select Single Sign-On Settings.
  3. Click Edit.

2. Enable SAML Settings

  1. Select the SAML Enabled check box.
  2. Click Save.

3. Configure SAML Single Sign-On Settings

Click New from Metadata File.

4. Upload SAML Metadata File

Upload the IdP metadata file.

  1. Click Choose File and select the file previously downloaded from VMware Identity Manager. For example, vidm-idp.xml.
  2. Click Create.

5. Configure SSO Settings


  1. Enter a Name, for example, ws1. The profile Name is defined based on your VMware Identity Manager tenant URL; you can change this Name.
  2. By default, the API Name uses the same profile name, for example, ws1. You can also change the API Name; however, this name must be unique across all Salesforce data.
  3. Add your registered Salesforce Domain URL to Entity ID. For example, https://vmwareeuc-dev-ed.my.salesforce.com.
  4. For SAML Identity Type, ensure Assertion contains the User's salesforce username is selected.
  5. For SAML Identity Location, ensure Identity is in the NameIdentifier element of the Subject statement is selected.
  6. Enter your VMware Identity Manager logout URL in the Identity Provider Single Logout URL field. For example, https://ws1.vidmpreview.com/SAAS/auth/logout.
  7. For Single Logout Request Binding, select HTTP POST.
  8. Click Save.

6. Download Salesforce SSO Metadata

Click Download Metadata.

An XML file with the following format will be downloaded: SAMLSP-XXXXXXXXXXX.xml.
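Before either metadata file is pasted into the other side, it is worth confirming what each one actually advertises: the endpoints and signing certificate in the IdP metadata downloaded from VMware Identity Manager earlier (vidm-idp.xml), and the Entity ID and Assertion Consumer Service in the Salesforce SP metadata downloaded here. The following script is an added example written for this tutorial, not a VMware or Salesforce tool. It uses only the Python standard library; the two embedded metadata documents are constructed samples (the certificate is placeholder bytes, not a real X.509 certificate, and the `?so=` organization id is a placeholder), and the endpoint URLs other than the logout URL and domain named on this page are assumptions.

```python
"""Inspect and cross-check the two SAML metadata files used in this tutorial.

Added example; not a VMware or Salesforce tool. It reads the IdP metadata
downloaded from VMware Identity Manager (vidm-idp.xml) and the SP metadata
downloaded from Salesforce (SAMLSP-*.xml), lists the endpoints and signing
certificate fingerprints each side advertises, and flags mismatches against
the Entity ID configured in the Salesforce SSO settings.
Usage: python check_saml_metadata.py vidm-idp.xml SAMLSP-XXXXXXXXXXX.xml https://your-domain.my.salesforce.com
"""
import base64
import hashlib
import sys
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
ENDPOINT_TAGS = ("SingleSignOnService", "SingleLogoutService", "AssertionConsumerService")


def cert_fingerprint(b64_der):
    """Colon-separated SHA-256 fingerprint of a base64-encoded DER certificate."""
    digest = hashlib.sha256(base64.b64decode("".join(b64_der.split()))).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def inspect_metadata(xml_text):
    """Return the entityID plus, per SAML role, its endpoints and signing cert fingerprints."""
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}EntityDescriptor" % NS["md"]:
        raise ValueError("not a SAML EntityDescriptor: %s" % root.tag)
    info = {"entity_id": root.get("entityID"), "roles": {}}
    for role in ("IDPSSODescriptor", "SPSSODescriptor"):
        for desc in root.findall("md:" + role, NS):
            endpoints = {}
            for child in desc:
                tag = child.tag.split("}")[-1]
                if tag in ENDPOINT_TAGS:
                    endpoints.setdefault(tag, []).append((child.get("Binding"), child.get("Location")))
            certs = [cert_fingerprint(c.text)
                     for kd in desc.findall("md:KeyDescriptor", NS)
                     if kd.get("use") in (None, "signing")  # no 'use' attribute means signing and encryption
                     for c in kd.findall(".//ds:X509Certificate", NS)]
            info["roles"][role] = {"endpoints": endpoints, "signing_certs": certs,
                                   "authn_requests_signed": desc.get("AuthnRequestsSigned")}
    return info


def check_pairing(idp_info, sp_info, expected_sp_entity_id):
    """Consistency checks to run before saving either side; an empty list means OK."""
    idp = idp_info["roles"].get("IDPSSODescriptor")
    sp = sp_info["roles"].get("SPSSODescriptor")
    problems = []
    if idp is None:
        problems.append("IdP file has no IDPSSODescriptor")
    if sp is None:
        problems.append("SP file has no SPSSODescriptor")
    if problems:
        return problems
    if sp_info["entity_id"] != expected_sp_entity_id:
        problems.append("SP entityID %r differs from the configured Entity ID %r"
                        % (sp_info["entity_id"], expected_sp_entity_id))
    if not sp["endpoints"].get("AssertionConsumerService"):
        problems.append("SP metadata advertises no AssertionConsumerService")
    if not idp["signing_certs"]:
        problems.append("IdP metadata carries no signing certificate")
    if not idp["endpoints"].get("SingleSignOnService"):
        problems.append("IdP metadata advertises no SingleSignOnService")
    if HTTP_POST not in {b for b, _ in idp["endpoints"].get("SingleLogoutService", [])}:
        problems.append("IdP has no HTTP-POST SingleLogoutService, but the Salesforce SLO binding is HTTP POST")
    return problems


# Constructed sample files; the certificate is placeholder bytes, not a real X.509 certificate.
SAMPLE_CERT = base64.b64encode(b"constructed placeholder, not a certificate").decode()
IDP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
  xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://ws1.vidmpreview.com/SAAS/API/1.0/GET/metadata/idp.xml">
 <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
  <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
   <ds:X509Certificate>%s</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
  <md:SingleLogoutService Binding="%s" Location="https://ws1.vidmpreview.com/SAAS/auth/logout"/>
  <md:SingleSignOnService Binding="%s" Location="https://ws1.vidmpreview.com/SAAS/auth/federation/sso"/>
 </md:IDPSSODescriptor>
</md:EntityDescriptor>""" % (SAMPLE_CERT, HTTP_POST, HTTP_POST)
SP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
  entityID="https://vmwareeuc-dev-ed.my.salesforce.com">
 <md:SPSSODescriptor AuthnRequestsSigned="false" WantAssertionsSigned="true"
   protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
  <md:AssertionConsumerService index="0" Binding="%s"
   Location="https://vmwareeuc-dev-ed.my.salesforce.com?so=00DPLACEHOLDER"/>
 </md:SPSSODescriptor>
</md:EntityDescriptor>""" % HTTP_POST

if __name__ == "__main__":
    if len(sys.argv) == 4:
        idp_xml, sp_xml = (open(p, encoding="utf-8").read() for p in sys.argv[1:3])
        expected = sys.argv[3]
    else:  # no files given: run against the constructed samples
        idp_xml, sp_xml, expected = IDP_METADATA, SP_METADATA, "https://vmwareeuc-dev-ed.my.salesforce.com"
    idp, sp = inspect_metadata(idp_xml), inspect_metadata(sp_xml)
    for label, info in (("IdP", idp), ("SP", sp)):
        print(label, info["entity_id"], info["roles"])
    print("problems:", check_pairing(idp, sp, expected) or "none")
```

The certificate fingerprint is printed so that it can be compared against the signing certificate shown in the VMware Identity Manager console; if the two differ, the wrong metadata file was downloaded. The SLO binding check mirrors the HTTP POST choice made in the Salesforce SSO settings.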

Adding Salesforce to the Workspace ONE Application Catalog

In this activity, you add Salesforce as an application to the Workspace ONE catalog for seamless access. This enables the end user to authenticate directly into the Workspace ONE app catalog and perform an IdP-initiated login to the Salesforce instance federated with VMware Identity Manager.

1. Create New SaaS Application

In the VMware Identity Manager administration console:

  1. Click Catalog.
  2. Click New.

2. Select Salesforce Template

  1. Enter Salesforce in the text box.
  2. Select the Salesforce template.
  3. Click Next.

3. Configure URL/XML Settings

  1. Select URL/XML.
  2. Copy and paste the content of the Salesforce XML metadata file that you previously downloaded from Salesforce into the URL/XML text box.
  3. Click Next.

4. Configure Access Policies for the Application

For this exercise, use the default_access_policy_set.

Click Next.

5. Save the Application Configuration

Salesforce is now configured as an application on the Workspace ONE Catalog.

Click Save & Assign to configure the groups of users that are entitled to this application in the Catalog.

6. Assign Users to Salesforce

  1. Enter ALL USERS in the search box and select All Users.
  2. Select Automatic for Deployment Type.
  3. Click Save.

7. Complete Salesforce Configuration

The following steps complete the Salesforce configuration.

  1. Click Catalog.
  2. Select the Salesforce application.
  3. Click Edit.

8. Configure Username Settings

The following configuration ensures that the VMware Identity Manager service sends SAML assertions with subject statements that the application service provider recognizes. For Salesforce, the user e-mail address is used.

  1. Click Configuration.
  2. Select Email Address as the Username Format.
  3. Enter ${user.email} as the Username Value.
  4. Click Summary.

9. Save the Configuration

Click Save.

This concludes the configuration of the Salesforce application, which is now available to All Users through the Workspace ONE app catalog.

Testing Salesforce SSO through Workspace ONE Catalog

In this activity, you test SSO to Salesforce through the Workspace ONE catalog.

Before you log in to Salesforce using the Workspace ONE Catalog, make sure that the email address for the user account in Salesforce matches the email address for the user in VMware Identity Manager.

Note: The user account in VMware Identity Manager can be either a local account or Active Directory. However, it is important that the email addresses match between the accounts.
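When the e-mail addresses do not match, Salesforce rejects the assertion and the failure is only visible in the SAML response itself. The following script is an added example written for this tutorial, not code from VMware or Salesforce. It takes the decoded (base64 to XML) SAMLResponse or bare Assertion captured in the browser during a failed login and checks the points configured above: the NameID is in emailAddress format and equals the Salesforce username (which this tutorial sets to the user's e-mail), the Audience equals the Salesforce Entity ID, and the validity window has not expired. The embedded assertion and the user jane.doe@example.com are constructed; signature verification is left to Salesforce and is not attempted here.

```python
"""Diagnose why a SAML assertion from VMware Identity Manager might be rejected by Salesforce.

Added example, not code from VMware or Salesforce. Input is the decoded
SAMLResponse (or a bare Assertion) captured from the browser during a
failed login. Only the fields this tutorial configures are checked;
the XML signature is not verified here.
"""
from datetime import datetime, timezone
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "samlp": "urn:oasis:names:tc:SAML:2.0:protocol"}
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"


def parse_saml_time(value):
    """SAML dateTime values are UTC with a trailing Z; return an aware datetime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def diagnose_assertion(xml_text, salesforce_username, salesforce_entity_id, now=None):
    """Return a list of findings; an empty list means the checked fields line up."""
    now = now or datetime.now(timezone.utc)
    root = ET.fromstring(xml_text)
    assertion = root if root.tag == "{%s}Assertion" % NS["saml"] else root.find(".//saml:Assertion", NS)
    if assertion is None:
        return ["no saml:Assertion element found; is this the decoded SAMLResponse?"]
    findings = []
    # Salesforce was told the identity is in the NameIdentifier element of the Subject.
    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    if name_id is None:
        findings.append("Subject has no NameID, but Salesforce expects the identity there")
    else:
        if name_id.get("Format") != EMAIL_FORMAT:
            findings.append("NameID Format is %r, expected emailAddress" % name_id.get("Format"))
        value = (name_id.text or "").strip()
        if value.lower() != salesforce_username.lower():  # e-mail comparison is case-insensitive
            findings.append("NameID %r does not match the Salesforce username %r" % (value, salesforce_username))
    # The Audience must equal the Entity ID entered in the Salesforce SSO settings.
    audiences = [a.text for a in assertion.findall("saml:Conditions/saml:AudienceRestriction/saml:Audience", NS)]
    if salesforce_entity_id not in audiences:
        findings.append("Audience %r does not include the Salesforce Entity ID %r" % (audiences, salesforce_entity_id))
    # Clock skew between the IdP and Salesforce shows up as a window violation.
    conditions = assertion.find("saml:Conditions", NS)
    if conditions is not None:
        not_before, not_on_or_after = conditions.get("NotBefore"), conditions.get("NotOnOrAfter")
        if not_before and now < parse_saml_time(not_before):
            findings.append("assertion not yet valid (NotBefore %s); check clock skew" % not_before)
        if not_on_or_after and now >= parse_saml_time(not_on_or_after):
            findings.append("assertion expired (NotOnOrAfter %s); check clock skew" % not_on_or_after)
    return findings


# Constructed sample assertion; the issuer URL and user are assumptions for this example.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
  ID="_constructed" Version="2.0" IssueInstant="2024-05-01T12:00:00Z">
 <saml:Issuer>https://ws1.vidmpreview.com/SAAS/API/1.0/GET/metadata/idp.xml</saml:Issuer>
 <saml:Subject>
  <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">jane.doe@example.com</saml:NameID>
 </saml:Subject>
 <saml:Conditions NotBefore="2024-05-01T11:59:00Z" NotOnOrAfter="2024-05-01T12:05:00Z">
  <saml:AudienceRestriction>
   <saml:Audience>https://vmwareeuc-dev-ed.my.salesforce.com</saml:Audience>
  </saml:AudienceRestriction>
 </saml:Conditions>
</saml:Assertion>"""

if __name__ == "__main__":
    at = datetime(2024, 5, 1, 12, 0, tzinfo=timezone.utc)  # pretend "now" is inside the window
    for user in ("jane.doe@example.com", "jdoe@example.com"):
        print(user, "->", diagnose_assertion(SAMPLE_ASSERTION, user,
                                             "https://vmwareeuc-dev-ed.my.salesforce.com", now=at) or "OK")
```

Run it against a real capture with the Salesforce username of the test user and the Entity ID from the SSO settings; an empty result narrows the problem to the signature or to Salesforce-side user provisioning.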

1. Log In to Workspace ONE

From your web browser, open a new Incognito window and navigate to the Workspace ONE portal.

  1. Enter the Username for the account you have in VMware Identity Manager (not the email address).
  2. Enter the Password.
  3. Click Sign in.

2. Open the Salesforce Application

Now, test authenticating into Salesforce through the Workspace ONE catalog.

Click Open and you should be redirected directly to Salesforce through SSO.

3. Confirm Successful SSO Access to Salesforce

Upon successful authentication with VMware Identity Manager, you are granted access to Salesforce through the Workspace ONE catalog.

Summary and Additional Resources

Conclusion

This tutorial provided steps to create and configure a Salesforce developer environment, and integrate Salesforce with VMware Identity Manager to enable single sign-on access to Salesforce.


Additional Resources

About the Author

This tutorial was written by:

  • Andreano Lanusse, End-User-Computing Staff Architect, Technical Marketing, VMware.

Feedback

The purpose of this tutorial is to assist you. Your feedback is valuable. To comment on this tutorial, contact VMware End-User-Computing Technical Marketing at euc_tech_content_feedback@vmware.com.