Configure Identity Provider with Salesforce

The GoodData platform has built-in support for integrating with Salesforce Single Sign-On (SSO). Your users can use their Salesforce logins to interact with your GoodData projects. This article outlines the data that you must gather and the configuration steps required to integrate with Salesforce SSO.

For more information on GoodData SSO and SSO in general, see Single Sign-On Overview and SAML SSO with GoodData.

Steps:

  1. Log in to your Salesforce account, and add a new domain (for more information, see Salesforce user documentation).
  2. Enable Salesforce as Identity Provider (for more information, see Salesforce user documentation).
  3. Download the Identity Provider certificate, note the Issuer value, and save both for later use.
  4. Set up a new connected app:
    1. Select Enable SAML.
    2. Set Entity Id and ACS URL to https://<YOUR_GOODDATA_HOSTNAME>/gdc/account/samllogin.
    3. Select the Identity Provider that you created in Step 2.
  5. Open the connected app details and look for SAML Login Information. Note the IdP-Initiated Login URL and save it for later use.
  6. Set up Connected app access for profile: go to Setup -> Users -> Profiles, click Edit for the selected profile, click Connected apps, and select the app that you created in Step 4.
  7. Send a request to GoodData Support to create an SSO provider. In the request:
    • Specify the scenario that you want to use: Service Provider-initiated (recommended) or Identity Provider-initiated.
    • Include the downloaded IdP certificate (see Step 3), the issuer name (see Step 3), the IdP-Initiated Login URL (see Step 5), and the name of the SSO provider that you want to use.

      Pick the SSO provider name that clearly identifies you. Include your domain name (if you are a white-labeled customer, include your top-level white-label domain name), and optionally include an sf prefix. If you do not provide the SSO provider name, we may use the value of the entityID keyword in the IdP certificate.

      The SSO provider name must be lowercase.

      Examples:
      my.domain.com
      sf-my.domain.au

    GoodData deploys your SSO provider to the production environment. You receive a unique SSO parameter to use in user provisioning.
    This parameter is named SSOProvider and is used in the API for managing users. Usually, it is the same as your SSO provider name.

  8. Provision users with the provided SSOProvider parameter. Use each user's Salesforce username as the login, and enable SSO auth mode for them.

    Only a domain administrator can create a user with the ssoProvider parameter specified or modify the ssoProvider parameter for an existing user.
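
A pre-flight check for the Step 7 request, as an added example (not GoodData or Salesforce code): it validates the ACS URL from Step 4 and the provider-name rules, and computes the certificate's SHA-256 fingerprint so that Support can confirm the file was not altered in transit. The dict keys, the scenario labels, the https requirement on the login URL, and all sample values are assumptions made for this example.

```python
import hashlib
import ssl
from urllib.parse import urlsplit

ACS_PATH = "/gdc/account/samllogin"            # path from Step 4
SCENARIOS = {"sp-initiated", "idp-initiated"}  # labels assumed for this example

def cert_fingerprint(pem):
    """SHA-256 over the DER bytes, colon-separated; ValueError on bad PEM framing."""
    der = ssl.PEM_cert_to_DER_cert(pem.strip())
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))

def preflight(req):
    """Return a list of problems in a draft request; stores cert_sha256 in req."""
    problems = []
    acs = urlsplit(req.get("acs_url", ""))
    if acs.scheme != "https" or not acs.hostname or acs.path != ACS_PATH or acs.query:
        problems.append("acs_url must be https://<host>" + ACS_PATH)
    name, domain = req.get("provider_name", ""), req.get("domain", "").lower()
    if name != name.lower():
        problems.append("provider_name must be lowercase")
    if not domain or domain not in name.lower():
        problems.append("provider_name should include your domain name")
    if req.get("scenario") not in SCENARIOS:
        problems.append("scenario must be one of " + ", ".join(sorted(SCENARIOS)))
    login = urlsplit(req.get("idp_login_url", ""))
    if login.scheme != "https" or not login.hostname:  # assumed policy: https only
        problems.append("idp_login_url must be an https URL")
    if not req.get("issuer"):
        problems.append("issuer is missing")
    try:
        req["cert_sha256"] = cert_fingerprint(req.get("cert_pem", ""))
    except ValueError:
        problems.append("cert_pem is not a PEM-framed certificate")
    return problems

# Constructed sample: placeholder bytes in PEM framing, not a real certificate.
SAMPLE_DER = b"constructed placeholder, not a real certificate"
SAMPLE = {
    "acs_url": "https://analytics.example.com/gdc/account/samllogin",
    "provider_name": "sf-my.domain.au", "domain": "my.domain.au",
    "scenario": "sp-initiated", "issuer": "https://idp.example.com",
    "idp_login_url": "https://idp.example.com/idp/login?app=PLACEHOLDER",
    "cert_pem": ssl.DER_cert_to_PEM_cert(SAMPLE_DER),
}

if __name__ == "__main__":
    print(preflight(SAMPLE) or "ok", SAMPLE.get("cert_sha256"))
```

Run it against the certificate file downloaded in Step 3 and quote the resulting fingerprint in the support request, so the recipient can recompute it on the attachment.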