Info

SSO integration using SAML requires FlexDeploy to be available at an HTTPS URL.


Download the SHA-2 certificate.

...

Salesforce supports SSO as an identity provider, meaning you can log into an external service provider or relying party (e.g. FlexDeploy) with your Salesforce credentials.

The following documentation is referenced from Salesforce. See Salesforce Single Sign-On documentation for more information.

To set up this SSO configuration, follow these instructions:

1. Enable Salesforce as an identity provider

  1. Determine which certificate you want to use to enable your org to communicate with the service provider. You can use the default certificate or create your own. See Certificates and Keys.

    • By default, a Salesforce identity provider uses a self-signed certificate generated with the SHA-256 signature algorithm. If you want to use the default certificate, proceed to step 2.

    • To create a new self-signed certificate, follow the instructions in Generate a Self-Signed Certificate. These instructions use a self-signed certificate.

    • To create a CA-signed certificate, follow the instructions in Generate a Certificate Signed by a Certificate Authority.

  2. From Setup, in the Quick Find box, enter Identity Provider, then select Identity Provider.

  3. Click Enable Identity Provider.

  4. Select a certificate from the dropdown menu.

  5. Save your changes.

  6. Click Download Certificate. This is typically a .crt file. FlexDeploy will use this certificate to connect to Salesforce.

  7. Copy the Salesforce Identity Provider URL (SF_METADATA_URL), as it will be used to connect to Salesforce.
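To confirm that the certificate downloaded in step 6 is the signing certificate Salesforce publishes at SF_METADATA_URL, here is an added Python check (not part of the original page or of FlexDeploy); the metadata document, the certificate bytes and the domain in it are constructed samples.

```python
"""Compare the signing certificate in the IdP metadata (SF_METADATA_URL document)
with the .crt downloaded from the Salesforce Identity Provider page."""
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

def signing_cert_fingerprints(metadata_xml: str) -> set[str]:
    """SHA-256 fingerprints of every signing certificate in the IdP metadata."""
    root = ET.fromstring(metadata_xml)
    fps = set()
    for kd in root.findall(".//md:IDPSSODescriptor/md:KeyDescriptor", NS):
        # A KeyDescriptor without a 'use' attribute is valid for signing and encryption.
        if kd.get("use", "signing") != "signing":
            continue
        for cert in kd.findall(".//ds:X509Certificate", NS):
            der = base64.b64decode("".join(cert.text.split()))
            fps.add(hashlib.sha256(der).hexdigest())
    return fps

def pem_fingerprint(pem: str) -> str:
    """SHA-256 fingerprint of a PEM-encoded (.crt) certificate."""
    body = "".join(l for l in pem.splitlines() if not l.startswith("-----"))
    return hashlib.sha256(base64.b64decode(body)).hexdigest()

def metadata_matches_downloaded_cert(metadata_xml: str, pem: str) -> bool:
    """True when the downloaded .crt is one of the IdP's published signing certs."""
    return pem_fingerprint(pem) in signing_cert_fingerprints(metadata_xml)

# Constructed stand-in for certificate DER bytes (not a real X.509 certificate).
FAKE_DER = b"constructed-salesforce-idp-signing-cert"
FAKE_B64 = base64.b64encode(FAKE_DER).decode()
SAMPLE_CRT = "-----BEGIN CERTIFICATE-----\n" + FAKE_B64 + "\n-----END CERTIFICATE-----\n"
SAMPLE_METADATA = f"""<md:EntityDescriptor xmlns:md="{NS['md']}" xmlns:ds="{NS['ds']}"
    entityID="https://MYDOMAIN.my.salesforce.com">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>{FAKE_B64}</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""
```

Run it against the real metadata URL and the real .crt before importing the certificate into the keystore; a mismatch usually means the wrong certificate was selected in step 4 or downloaded in step 6.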

...

2. Integrate FlexDeploy as a SAML-enabled connected app

  1. Use the New Connected App wizard to define a connected app.

    • In Lightning Experience, you use the App Manager to create connected apps. From Setup, enter App in the Quick Find box, then select App Manager. Click New Connected App.

    • In Salesforce Classic, from Setup, enter Apps in the Quick Find box, then select Apps. On that page under Connected Apps, click New.

  2. Configure settings for the connected app.

    • Under Basic Information

      1. Name your app (e.g. FlexDeploy).

      2. Enter your own email address.

    • Under Web App Settings

      1. Select Enable SAML.

      2. For Entity Id, enter https://HOST:PORT/flexdeploy/callback?client_name=SAML2Client

      3. For ACS URL, enter https://HOST:PORT/flexdeploy/callback?client_name=SAML2Client

      4. For Start URL, enter https://HOST:PORT/flexdeploy

      5. For Subject Type, select Username.

      6. For Name ID Format, select urn:oasis:names:tc:SAML:2.0:nameid-format:persistent.

      7. For Issuer, keep the default value, which is your subdomain.

      8. For IdP Certificate, keep the default (unselected).

      9. For Verify Request Signatures, keep the default (unselected).

      10. Click Save.

...

  1. Under Profiles or Permission Sets, add the profiles or permission sets of the users who can access this connected app.

3. Import SSO Certificate from Salesforce into FlexDeploy keystore

You can use the same keystore that was created as part of the HTTPS configuration, or create one using the command below. This will also create a PrivateKeyEntry.

Code Block
keytool -genkey -alias flexdeploy -keyalg RSA -keystore /u01/flexdeploy/sso/flexdeploy.keystore

Import the certificate from step 1 into the keystore (adjust the parameters below as appropriate).

Code Block
/u01/java/jdk1.8.0_281/bin/keytool -import -alias salesforce -file /var/tmp/self_signed.cert -keystore /u01/flexdeploy/sso/flexdeploy.keystore

If you did not already create a private key for HTTPS (for example because TLS terminates at a load balancer) or with the -genkey command above, you will need to generate a private key with a password.

Code Block
keytool -genkey -keyalg RSA -alias flexdeployserver -keystore /home/oracle/flexdeploy.keystore -validity 3650 -keysize 2048


...

4. FlexDeploy Realm Config

Go to Realms and Enable Single Sign-On.

...

Click fdSSO to edit the SSO config. Replace the capitalized placeholders with appropriate values. Update the values in the configuration file as shown below.

...

  • FLEXDEPLOY_HOME - Directory on the server where FlexDeploy is installed

  • KEYSTORE_PASSWORD - The Java key store password.

  • PRIVATE_KEY_PASSWORD - The private key password.

  • SF_METADATA_URL - The Metadata URL (from Salesforce) to the identity provider metadata (e.g. https://flexagon9-dev-ed.my.salesforce.com/.well-known/samlidp.xml).

  • FLEXDEPLOY_HOST - FlexDeploy application host

  • FLEXDEPLOY_PORT - FlexDeploy application port

  • ENTITY_ID - The Entity Id found in the connected app (e.g. https://app-poc-e15b5cfc83cc.azurewebsites.net/flexdeploy/callback?client_name=SAML2Client).

  • PATH_TO_YOUR_KEYSTORE_FILE - The path to the keystore, including the file name and extension.

Example

...

fdSSO realm configuration (SAML 2.0)

Info

Change log

  • FlexDeploy 6.0.0.0 - The values for excludedPathMatcher.excludedPath and logout.defaultUrl have changed.

Code Block
callbackFilter.defaultUrl = /flexdeploy
saml2Config = org.pac4j.saml.config.SAML2Configuration
saml2Config.keystorePath = PATH_TO_YOUR_KEYSTORE_FILE
saml2Config.keystorePassword = KEYSTORE_PASSWORD
saml2Config.privateKeyPassword = PRIVATE_KEY_PASSWORD
saml2Config.identityProviderMetadataPath = SF_METADATA_URL
saml2Config.maximumAuthenticationLifetime = 3600
saml2Config.serviceProviderEntityId = ENTITY_ID
saml2Config.serviceProviderMetadataPath = FLEXDEPLOY_HOME/apache-tomcat-flexdeploy/sso/FlexDeployMetadata.xml
saml2Client = org.pac4j.saml.client.SAML2Client
saml2Client.configuration = $saml2Config
clients.callbackUrl = https://FLEXDEPLOY_HOST:FLEXDEPLOY_PORT${{FD_SERVER_BASE_URL}}/flexdeploy/callback
clients.clients=$saml2Client
isAuthenticatedAdmin = org.pac4j.core.authorization.authorizer.IsAuthenticatedAuthorizer
excludedPathMatcher = org.pac4j.core.matching.matcher.PathMatcher
excludedPathMatcher.excludedPath = /next/#/login
config.authorizers = admin:$isAuthenticatedAdmin
config.matchers = excludedPath:$excludedPathMatcher
ssoFilter = flexagon.fd.ui.security.FlexPac4jFilter
ssoFilter.config = $config
ssoFilter.clients = SAML2Client
ssoFilter.matchers = nocache
ssoFilter.authorizers = admin
logout = io.buji.pac4j.filter.LogoutFilter
logout.config = $config
logout.localLogout = true
logout.centralLogout = false
logout.defaultUrl = https://FLEXDEPLOY_HOST:FLEXDEPLOY_PORT${{FD_SERVER_BASE_URL}}/flexdeploy/next/#/home
Info

Configuration Tips

If the Java keystore referenced (line 3) does not exist, it will automatically be created, and a key will be generated and inserted into the keystore using the passwords provided (lines 3 and 4).
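An added sanity check for the edited fdSSO realm (example code, not FlexDeploy's own): it flags unreplaced placeholders, a non-HTTPS callback URL, and an SP entity id that differs from the ACS URL registered in the connected app. The sample realm, host name and credential names in it are constructed.

```python
"""Sanity-check an fdSSO realm configuration before restarting FlexDeploy."""
import re

# Capitalized placeholders from the documentation that must not survive editing.
PLACEHOLDERS = {"PATH_TO_YOUR_KEYSTORE_FILE", "KEYSTORE_PASSWORD", "PRIVATE_KEY_PASSWORD",
                "SF_METADATA_URL", "FLEXDEPLOY_HOST", "FLEXDEPLOY_PORT", "ENTITY_ID",
                "FLEXDEPLOY_HOME"}

def parse_realm(text: str) -> dict[str, str]:
    """Parse 'key = value' lines into a dict, ignoring blanks and comments."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props

def check_realm(text: str) -> list[str]:
    """Return a list of problems; an empty list means the realm passed every check."""
    props = parse_realm(text)
    problems = []
    for key, value in props.items():
        for ph in PLACEHOLDERS:
            # Whole-word match so a credential name like FD_KEYSTORE_PASSWORD is not flagged.
            if re.search(rf"\b{ph}\b", value):
                problems.append(f"{key}: placeholder {ph} not replaced")
    callback = props.get("clients.callbackUrl", "")
    if not callback.startswith("https://"):
        problems.append("clients.callbackUrl must use https (SAML SSO requires an HTTPS URL)")
    if not callback.endswith("/flexdeploy/callback"):
        problems.append("clients.callbackUrl should end with /flexdeploy/callback")
    entity = props.get("saml2Config.serviceProviderEntityId", "")
    if entity != callback + "?client_name=SAML2Client":
        problems.append("serviceProviderEntityId must equal the ACS URL (callbackUrl + ?client_name=SAML2Client)")
    return problems

# Constructed sample realm; the host and the ${{...}} credential names are assumptions.
SAMPLE_REALM = """\
saml2Config.keystorePath = /u01/flexdeploy/sso/flexdeploy.keystore
saml2Config.keystorePassword = ${{FD_KEYSTORE_PASSWORD}}
saml2Config.privateKeyPassword = ${{FD_PRIVATE_KEY_PASSWORD}}
saml2Config.identityProviderMetadataPath = https://flexagon9-dev-ed.my.salesforce.com/.well-known/samlidp.xml
saml2Config.serviceProviderEntityId = https://flexdeploy.example.com:8443/flexdeploy/callback?client_name=SAML2Client
clients.callbackUrl = https://flexdeploy.example.com:8443/flexdeploy/callback
"""
```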

...

Property replacement syntax can be

...

used within the Realm configuration to retrieve a Credential value. It is replaced at runtime.

5. Restart FlexDeploy to apply configuration changes

  1. Log in to the identity provider (Salesforce).

  2. Go to the Start URL defined by your connected app; it should redirect you to the FlexDeploy new user page if it is your first time logging in.

  3. Done!