Single Sign-On with Two Factor Authentication in Salesforce (End to End).

Daham Positha Pathiraja
4 min read · May 15, 2019

Terminology

My Domain

My Domain is an identity feature in Salesforce that adds a subdomain to your Salesforce org. It provides a friendly domain name that is easy for users to remember and also lets you customize your login page separately.

Identity Provider

Figure 1: Identity Provider

An Identity Provider is a system that stores and verifies user identities (e.g. passwords, biometric information, keys and other factual data) and can be used to federate access to various IT resources.

Connected App

A connected app provides interfaces (APIs) for an application to communicate with Salesforce. In this scenario our application (the Service Provider, in Salesforce terminology) needs to communicate with the Identity Provider, which is again Salesforce itself. To do that, a connected app is created which exposes all the required endpoints of the IDP, together with unique identifiers that identify the specific IDP in the required domain.

How Does Single Sign-On Work with SAML?

For simplicity, I will describe the Salesforce Single Sign-On process (SAML) with the help of the following diagram.

Figure 2: SP-initiated Single Sign-On (SAML)

  1. The user requests a specific resource (e.g. accesses some URL) from the BFF (Backend for Front-end), i.e. the Service Provider.
  2. The BFF generates a SAML request and redirects the browser to the Salesforce IDP Single Sign-On URL endpoint, with the SAML request embedded in it.
  3. The browser follows the redirect to the Salesforce IDP through the URL exposed via the connected app.
  4. Unless the user is already authenticated, the IDP prompts the user with a login page where they enter their credentials (i.e. username and password).
  5. If the user's identity can be resolved, the IDP returns a SAML response containing the user data to the browser.
  6. The browser sends the SAML response containing the user information to the Service Provider's ACS (Assertion Consumer Service) URL.

Finally, the ACS verifies the SAML response and decides whether the user can be logged in.
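The following is an added example (not code from the original post or from Salesforce) that shows the two ends of the exchange above in code: step 2, where the BFF builds the SAML AuthnRequest and encodes it into the IDP's redirect URL (HTTP-Redirect binding: raw DEFLATE, base64, URL-encode), and the final step, where the ACS checks the response before logging the user in. The endpoint URLs and entity IDs are assumed placeholder values; in a real deployment they come from the My Domain, connected app and SSO settings described later in this post, and the Issuer check corresponds to the Issuer/Entity ID values entered there. The sample SAML response is constructed for the example. Signature verification is deliberately left out: a real ACS must verify the XML-DSig signature against the IDP certificate (for example with xmlsec or a library built on it) before trusting any of the fields checked here.

```python
"""SP-initiated SAML flow: build the AuthnRequest for the HTTP-Redirect binding
and validate the conditions of the SAML Response delivered to the ACS.
Added example; all URLs and entity IDs below are assumed placeholders."""
import base64
import uuid
import zlib
import xml.etree.ElementTree as ET
from datetime import datetime, timezone
from urllib.parse import urlencode, urlparse, parse_qs

# Assumed values: replace with your My Domain / connected-app settings.
IDP_SSO_URL = "https://example-mydomain.my.salesforce.com/idp/endpoint/HttpRedirect"
IDP_ENTITY_ID = "https://example-mydomain.my.salesforce.com"  # "Issuer" in SSO settings
SP_ENTITY_ID = "https://bff.example.com/saml/metadata"       # Service Provider entity ID
SP_ACS_URL = "https://bff.example.com/saml/acs"              # ACS URL of the connected app

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"


def parse_time(iso):
    """Parse a SAML UTC timestamp such as 2019-05-15T10:00:00Z."""
    return datetime.strptime(iso, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def build_authn_request(request_id=None, now=None):
    """Step 2: the BFF builds an AuthnRequest and encodes it for the
    HTTP-Redirect binding. Returns (request_id, redirect_url). The request_id
    must be stored server-side so the ACS can match InResponseTo later."""
    request_id = request_id or "_" + uuid.uuid4().hex
    now = now or datetime.now(timezone.utc)
    xml = (
        '<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
        'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" '
        f'ID="{request_id}" Version="2.0" IssueInstant="{now.strftime("%Y-%m-%dT%H:%M:%SZ")}" '
        f'Destination="{IDP_SSO_URL}" AssertionConsumerServiceURL="{SP_ACS_URL}" '
        'ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST">'
        f'<saml:Issuer>{SP_ENTITY_ID}</saml:Issuer></samlp:AuthnRequest>'
    )
    # Raw DEFLATE (no zlib header, wbits=-15), then base64, then URL-encode.
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)
    deflated = comp.compress(xml.encode()) + comp.flush()
    encoded = base64.b64encode(deflated).decode()
    return request_id, IDP_SSO_URL + "?" + urlencode({"SAMLRequest": encoded})


def decode_redirect_request(url):
    """Inverse of build_authn_request, as the IDP sees the request."""
    query = parse_qs(urlparse(url).query)
    return zlib.decompress(base64.b64decode(query["SAMLRequest"][0]), -15).decode()


def validate_response(response_xml, expected_request_id, now=None):
    """Final step: the ACS checks the response. Returns (True, name_id) or
    (False, reason). Run this only AFTER the XML signature has been verified."""
    now = now or datetime.now(timezone.utc)
    root = ET.fromstring(response_xml)
    if root.get("Destination") != SP_ACS_URL:
        return False, "destination mismatch"
    if root.get("InResponseTo") != expected_request_id:
        return False, "InResponseTo does not match a request we issued"
    status = root.find("samlp:Status/samlp:StatusCode", NS)
    if status is None or status.get("Value") != SUCCESS:
        return False, "status is not Success"
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return False, "no assertion"
    if assertion.findtext("saml:Issuer", namespaces=NS) != IDP_ENTITY_ID:
        return False, "unexpected issuer"
    cond = assertion.find("saml:Conditions", NS)
    if cond is None:
        return False, "no conditions"
    if not (parse_time(cond.get("NotBefore")) <= now < parse_time(cond.get("NotOnOrAfter"))):
        return False, "assertion outside its validity window"
    if cond.findtext("saml:AudienceRestriction/saml:Audience", namespaces=NS) != SP_ENTITY_ID:
        return False, "audience mismatch"
    return True, assertion.findtext("saml:Subject/saml:NameID", namespaces=NS)


# Constructed sample response for the example (unsigned, see lead-in).
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_resp1" Version="2.0"
  IssueInstant="2019-05-15T10:00:05Z" Destination="https://bff.example.com/saml/acs"
  InResponseTo="_req1">
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2019-05-15T10:00:05Z">
    <saml:Issuer>https://example-mydomain.my.salesforce.com</saml:Issuer>
    <saml:Subject><saml:NameID>alice@example.com</saml:NameID></saml:Subject>
    <saml:Conditions NotBefore="2019-05-15T10:00:00Z" NotOnOrAfter="2019-05-15T10:05:00Z">
      <saml:AudienceRestriction><saml:Audience>https://bff.example.com/saml/metadata</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""

if __name__ == "__main__":
    req_id, url = build_authn_request(request_id="_req1")
    print("redirect to:", url[:80] + "...")
    print(validate_response(SAMPLE_RESPONSE, req_id, now=parse_time("2019-05-15T10:01:00Z")))
```

The checks on InResponseTo, the validity window and the Audience are what stop a captured response from being replayed against a different request, at a later time, or at a different service provider; each check is only meaningful once the signature has established that Salesforce actually issued the assertion.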

Setting Up My Domain

Figure 3: After My Domain is set

As shown in the diagram above, we set up My Domain by providing a custom name that uniquely identifies your subdomain. During configuration you can also check whether the name you want is still available.

Identity Provider

Figure 4: Identity Provider configurations

When you go to the Identity Provider section, you can see it is configured as the issuer associated with the domain name you set as My Domain. If the identity provider configuration is OK, you are then given the option to create connected apps for the applications (Service Providers) that will connect to this IDP.

Creating a Connected App

Figure 5: Creating a Connected App

When the connected app is created we have to enter a set of values.

  • Start URL — The start url part of the application.
  • Entity Id — The unique identifier of the Identity Provider.
  • Issuer — The URL of the Identity Provider.
  • ACS URL — The URL of the Assertion Consumer Service of the Service Provider.

Figure 6: Connected App after configuration

Once the configuration is done, you can see that various SAML login details, such as the SP-Initiated Redirect Endpoint and the Metadata Discovery Endpoint, have been configured.

Single Sign-On Configurations

Figure 7: Single Sign-On Configurations

Finally, go to the SAML Single Sign-On Settings section to enter your SSO configuration. Here we should pay special attention to the following fields:

  • Issuer — This is the entity ID for the identity provider.
  • Entity ID — base domain (https://saml.salesforce.com) or the custom domain.

Now Let's Introduce Two-Factor Authentication

Create a new Permission Set

Figure 8: Creating new permission set

Go to the Permission Sets section in Setup. Create a new permission set named "Two Factor Authentication Required" (any name is valid).

Assign the Relevant System Permission for the Permission Set

Figure 9: Search Two Factor Authentication for User Interface Login

Assign the permission Two Factor Authentication for User Interface Logins.

Figure 10: Search Two Factor Authentication for User Interface Login

Tick the specific option in the list of permissions.

Add Assignments

Figure 11: Adding Assignments

Now you can make the necessary assignments. Go to Add Assignments and start adding users to the permission set you created.

Figure 12: Assign Users

Now Let's Connect a User via Salesforce Authenticator

Add the user to the Two-Factor Authentication Required permission set.

Figure 13: Assigning a user for Two Factor Authentication

Then follow the steps below to use Salesforce Authenticator as the second factor.

Figure 14: Salesforce Authenticator Establishment Process
