...
Determine which certificate you want to use to enable your org to communicate with the service provider. You can use the default certificate or create your own. See Certificates and Keys.
By default, a Salesforce identity provider uses a self-signed certificate generated with the SHA-256 signature algorithm. If you want to use the default certificate, proceed to step 2.
To create a new self-signed certificate, follow the instructions in Generate a Self-Signed Certificate, then proceed to step 2. These instructions will be using a self-signed certificate.
To create a CA-signed certificate, follow the instructions in Generate a Certificate Signed by a Certificate Authority, then proceed to step 2.
From Setup, in the Quick Find box, enter Identity Provider, then select Identity Provider.
Click Enable Identity Provider.
Select a certificate from the dropdown menu.
Save your changes.
Click Download Certificate. This is typically a .crt file. FlexDeploy will use the certificate to connect to Salesforce.
Copy or make a note of the Salesforce Identity value; this is the Metadata URL (SF_METADATA_URL). FlexDeploy will use this URL to connect to Salesforce.
...
2. Integrate FlexDeploy as a SAML-enabled connected app
Use the New Connected App wizard to define a connected app.
In Lightning Experience, you use the App Manager to create connected apps. From Setup, enter App in the Quick Find box, then select App Manager. Click New Connected App.
In Salesforce Classic, from Setup, enter Apps in the Quick Find box, then select Apps. On that page under Connected Apps, click New.
Configure settings for the connected app.
Under Basic Information
Name your app, e.g. FlexDeploy
Enter your own email address
Under Web App Settings
Select Enable SAML.
For Entity Id, enter https://HOST:PORT/flexdeploy/callback?client_name=SAML2Client
For ACS URL, enter https://HOST:PORT/flexdeploy/callback?client_name=SAML2Client
For Start URL, enter https://HOST:PORT/flexdeploy/callback?client_name=SAML2Client
For Subject Type, select Username.
For Name ID Format, select urn:oasis:names:tc:SAML:2.0:nameid-format:persistent.
For Issuer, keep the default value, your subdomain.
In the field IdP Provider Certificate, keep the default (unselected).
For Verify Request Signatures, keep the default (unselected).
Click Save.
...
Under Profiles or Permission Sets, add the profiles or permission sets of the users who can access this connected app.
...
```shell
# Generate a new RSA key pair for FlexDeploy (the SAML service provider) in a Java keystore
keytool -genkey -alias flexdeploy -keyalg RSA -keystore /u01/flexdeploy/sso/flexdeploy.keystore
```
Import the certificate from step 1 into the keystore (adjust the parameters below as appropriate).
...
4. FlexDeploy Realm Config
Go to Realms and Enable Single Sign-On.
...
Click fdSSO to edit the SSO config. Replace capitalized text with appropriate values. Update values in the configuration file as shown below.
...
FLEXDEPLOY_HOME - Directory on the server where FlexDeploy is installed.
KEYSTORE_PASSWORD - The Java keystore password.
PRIVATE_KEY_PASSWORD - The private key password.
SF_METADATA_URL - The Metadata URL (from Salesforce) of the identity provider metadata (e.g. https://flexagon9-dev-ed.my.salesforce.com/.well-known/samlidp.xml).
FLEXDEPLOY_HOST - FlexDeploy application host.
FLEXDEPLOY_PORT - FlexDeploy application port.
ENTITY_ID - The Entity Id of the connected app (e.g. https://app-poc-e15b5cfc83cc.azurewebsites.net/flexdeploy/callback?client_name=SAML2Client).
PATH_TO_YOUR_KEYSTORE_FILE - The path to the keystore, including the file name and extension.
Example
...
fdSSO realm configuration (SAML 2.0)
...
```
callbackFilter.defaultUrl = /flexdeploy
saml2Config = org.pac4j.saml.config.SAML2Configuration
saml2Config.keystorePath = PATH_TO_YOUR_KEYSTORE_FILE
saml2Config.keystorePassword = KEYSTORE_PASSWORD
saml2Config.privateKeyPassword = PRIVATE_KEY_PASSWORD
saml2Config.identityProviderMetadataPath = SF_METADATA_URL
saml2Config.maximumAuthenticationLifetime = 3600
saml2Config.serviceProviderEntityId = ENTITY_ID
saml2Config.serviceProviderMetadataPath = FLEXDEPLOY_HOME/apache-tomcat-flexdeploy/sso/FlexDeployMetadata.xml
saml2Client = org.pac4j.saml.client.SAML2Client
saml2Client.configuration = $saml2Config
clients.callbackUrl = ${{FD_SERVER_BASE_URL}}/flexdeploy/callback
clients.clients=$saml2Client
isAuthenticatedAdmin = org.pac4j.core.authorization.authorizer.IsAuthenticatedAuthorizer
excludedPathMatcher = org.pac4j.core.matching.matcher.PathMatcher
excludedPathMatcher.excludedPath = /next/#/login
config.authorizers = admin:$isAuthenticatedAdmin
config.matchers = excludedPath:$excludedPathMatcher
ssoFilter = flexagon.fd.ui.security.FlexPac4jFilter
ssoFilter.config = $config
ssoFilter.clients = SAML2Client
ssoFilter.matchers = nocache
ssoFilter.authorizers = admin
logout = io.buji.pac4j.filter.LogoutFilter
logout.config = $config
logout.localLogout = true
logout.centralLogout = false
logout.defaultUrl = ${{FD_SERVER_BASE_URL}}/flexdeploy/next/#/home
```
Configuration Tips
If the Java keystore referenced (line 3) does not exist, it will automatically be created, and a key will be generated and inserted into the keystore using the passwords provided (lines 3 and 4). Property replacement syntax is used within the Realm configuration to retrieve a Credential value; it is replaced at runtime.
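Before wiring SF_METADATA_URL and the connected-app URLs into the realm, it is worth confirming what the IdP metadata actually advertises (issuer, signing certificate, SSO endpoint) and that the Entity Id, ACS URL and clients.callbackUrl agree. The script below is an added example, not part of this guide or of FlexDeploy; it parses a constructed sample shaped like Salesforce's samlidp.xml (example hostname, placeholder certificate body) and cross-checks the SP URLs.

```python
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs, urlsplit

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata", "ds": "http://www.w3.org/2000/09/xmldsig#"}

# Constructed sample shaped like Salesforce's /.well-known/samlidp.xml; the hostname is
# an example and the certificate body is a placeholder, not a real signing certificate.
SAMPLE_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
 xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://example-dev-ed.my.salesforce.com">
 <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
  <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
   <ds:X509Certificate>MIIBhDCCAS4=</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
  <md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</md:NameIDFormat>
  <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
   Location="https://example-dev-ed.my.salesforce.com/idp/endpoint/HttpPost"/>
 </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

def inspect_idp_metadata(xml_text: str) -> dict:
    """Extract what the realm relies on: IdP entityID, signing certs, SSO endpoints."""
    root = ET.fromstring(xml_text)
    idp = root.find("md:IDPSSODescriptor", NS)
    if root.tag != f"{{{NS['md']}}}EntityDescriptor" or idp is None:
        raise ValueError("not SAML IdP metadata (no EntityDescriptor/IDPSSODescriptor)")
    certs = [c.text.strip() for c in idp.findall(
        "md:KeyDescriptor/ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)]
    sso = {s.get("Binding"): s.get("Location") for s in idp.findall("md:SingleSignOnService", NS)}
    if not certs:  # without a published certificate, signed responses cannot be verified
        raise ValueError("IdP metadata publishes no signing certificate")
    if any(urlsplit(u).scheme != "https" for u in sso.values()):
        raise ValueError("IdP SSO endpoint is not served over https")
    return {"entity_id": root.get("entityID"), "signing_certs": certs, "sso": sso,
            "name_id_formats": [n.text for n in idp.findall("md:NameIDFormat", NS)]}

def check_sp_urls(entity_id: str, acs_url: str, callback_url: str) -> list:
    """Report mismatches between the connected app's Entity Id / ACS URL and the
    realm's clients.callbackUrl (pac4j appends ?client_name=SAML2Client to it)."""
    problems = []
    acs, cb = urlsplit(acs_url), urlsplit(callback_url)
    if entity_id != acs_url:
        problems.append("Entity Id and ACS URL differ; this setup uses one value for both")
    if acs.scheme != "https" or cb.scheme != "https":
        problems.append("SAML endpoints must be served over https")
    if (acs.netloc, acs.path) != (cb.netloc, cb.path):
        problems.append("ACS URL host/port/path does not match clients.callbackUrl")
    if parse_qs(acs.query).get("client_name") != ["SAML2Client"]:
        problems.append("ACS URL lacks client_name=SAML2Client")
    return problems
```

To run it against a live org, fetch SF_METADATA_URL and pass the response body to inspect_idp_metadata instead of SAMPLE_METADATA.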
5. Restart FlexDeploy to apply configuration changes
Login to Identity Provider - Salesforce
Go to the Start URL defined by your connected app; it should redirect you to the FlexDeploy new user page if it is your first time logging in.
Done!