There a several unique issues involved with integrating Gigya as an Identity Provider (IdP) using Salesforce as a Service Provider (SP). This document outlines a step-by-step guide for successfully completing such an integration.
Gigya as IdP - Phase 1
Configure SAML IdP Settings
1. Log in to your Gigya Console.
2. Navigate to the Saml Identity Provider tab of the site you would like to use as the IdP.
3. Press the Configure SAML IdP Settings link.
4. Here you will enter the URL's that SAML will use when performing it's functions.
4a. Enter a URI for both a Proxy Page and an Error Page.
4b. To configure the individual Proxy and Error pages see Gigya SAML Proxy Page.
Create your x509 file for upload to Salesforce
5. Navigate back to the SAML Identity Provider page of the Gigya Console (from Step 2, above) .
6. Clicking on Saml IdP Metadata link will bring up the following page.
7. Copy the data from the x509 Certificate section and paste it into your favorite text editor.
8. Append these two lines to the very top and very bottom of the file (see the example in Step 9, below).
9. So that your text file looks similar to this:
10. Save the file as a .pem file with whatever name you like, i.e., gigya-x509-cert.pem
You will need this during the Salesforce setup.
These are the only steps you will be performing on Gigya prior to configuring Salesforce.
Salesforce as SP - Phase 2
You must have a valid account on Salesforce.com.
1. Log in to your Salesforce account and proceed to the Setup area. If prompted, you need the Apps Settings section.
Configuring My Domain
2. You must use a custom Domain Name inside Salesforce for SAML.
2a. To enable a custom Domain Name, navigate to the Domain Management > My Domain page.
2b. Enter your preferred Domain Name in the appropriate field. If you are sure it is correct, press the button to activate it. This may take some time, however, usually occurs within 15 minutes. You will receive an email when the DNS setup is complete.
2c. Once the DNS settings for your custom Domain Name are active, you must log in to your Salesforce account using the new Domain and Deploy the Domain for all users (from the same page you configured the Custom Domain Name).
Configure Remote Site Settings
Do not proceed with this guide until your Custom Domain, from the step above, is setup, active, and deployed.
3. Navigate to the Security Controls > Remote Site Settings page.
4. On this page you need to enter several URL's. The Remote Site Name is not important but should describe the site's purpose and be easily recognizable.
4a. In the Remote Site URL section enter the following URL's (you will need a separate entry for each one):
- The URL of your website that will be performing the login.
- The URL of the Gigya Saml data. https://fidm.<Data-Center-ID>.gigya.com
- The URL of Gigya.
- The URL of the Gigya Socialize API. http(s)://socialize.gigya.com
Configure Single Sign-On Settings
5. Navigate to the Security Controls > Single Sign-On Settings page.
6. First, select the Edit button under Federated authentication, a single sign-on method that uses SAML assertions sent to a Salesforce endpoint.
7. Check the SAML Enabled check box and Save your settings.
8. Once you return to the main page, select the New from Metadata URL button. You will need the Metadata URL from the Gigya SAML IdP Metadata page you copied the x509 data from.
9. Enter the Gigya Metadata URL into the field when prompted.
10. Press Create.
11. You will receive a warning that Gigya has multiple instances of a Single Sign-On Login URL. You can ignore that.
12. You will now need to edit some of this data.
12a. In the Name field, you can call it whatever you like. This name should then propagate to the API Name field. If it doesn't, be sure the API Name matches the Name, note that it can only contain letters, numbers, and under-scores; no spaces.
12b. The Issuer field should be filled out automatically.
12c. The Entity ID should be filled out automatically, if not, it is the URL of your custom Salesforce domain.
12d. Where it says Identity Provider Certificate, you need to upload the .pem file created earlier from Gigya's x509 data. Select the Choose File option and browse to and upload the file.
12e. Request Signing Certificate should be set to Default Certificate.
12f. Assertion Decryption Certificate should have been automatically set to RSA-SHA1.
12g. SAML Identity Type would have been automatically set to Assertion contains User's salesforce.com username. If you want to be able to log in users from your site that do not have a salesforce ID, you must change this to Assertion contains the Federation ID from the User object; and also turn on Just-in-time User Provisioning by ticking the corresponding check box at the bottom of the form and set Just-in-time User Provisioning to Standard.
12h. In the SAML Identity Location section select Identity is in the NameIdentifier of the Subject statement.
12i. In the Service Provider Initiated Request Binding section select HTTP POST.
12j. The Identity Provider Login URL should have been automatically filled in, if not, this is the URL from the SSO Endpoint field of the Gigya SAML IdP Metadata page.
12k. The Identity Provider Logout URL should be empty, enter the URL for the logout page you have set inside your SAML Proxy Page configuration.
An example logout.html page:
12l. The Custom Error URL should be empty, enter the URL for the Error Page URL that you configured in your Gigya SAML IdP Settings above.
13. When you have configured all the available fields press Save.
14. You should see a section now on the bottom of the SAML Single Sign-On Settings page with the new Endpoints for this API.
15. Select Download Metadata and save it to a file. You will need the x509 data from this file in order to configure Gigya's IdP settings.
Enable SSO in Salesforce
16. Navigate to the Domain Management > My Domain page.
17. Under Authentication Configuration, select Edit.
18. Ensure that the check box for your new IdP is checked.
19. Press Save.
Once enabled, you will see an alternative Login option on the main page of your Custom Domain Name URL.
Completing Giyga IdP Setup - Phase 3
1. Return to the Gigya SAML Identity Provider page (from Phase 1 - Step 2).
2. Press the Add button. This will open up the Configurations page for the new IdP.
3. In the Name field enter a friendly name for the IdP.
4. In the Issuer field enter the Entity ID from your Salesforce account, it should be your custom Domain Name URL.
5. In the Session Lifetime (Minutes) enter an integer (1440 is 24 hours).
6. In the Assertion Consumer Service URL enter the Salesforce Login URL, from the Endpoints section of your salesforce configuration.
7. In the Single Logout Service URL, enter the SP's Single Logout URL or leave it blank.
8. In the Single Logout Service Binding select the option for HTTP-POST.
9. In the Name ID select Map profile field.
In the field below, enter: email
10. Leave Profile field type as it is.
11. Select Signed Assertions.
12. In the Attribute Map section you must create and map 8 attributes to support Salesforce Login. Press the Add Attribute button and enter the following Attributes:
data.ProfileID must correspond to the permissions you wish the user to have upon logging into Salesforce. See Salesforce Custom data Attributes for more information.
data.UserName should be the users email address, with a random generated string appended to it, to avoid conflicting with any existing Salesforce users. UserNames on Salesforce are globally unique, so if a user attempts to login with an email that is already associated with an existing account on Salesforce, login will fail.
13. In the x509 Certificate field, open the xml data you downloaded from Salesforce. Copy the string of data from between the <ds:X509Certificate></ds:X509Certificate> tags, not coping the tags themselves, and paste the data into the x509 Certificate field.
14. Press Save Settings.
Finalizing Configuration - Phase 4
For users to be able to login to Salesforce via their Gigya account, you must ensure that all users that use this service have the corresponding custom data fields in their profiles.
Initially you may add the data.ProfileID and data.UserName fields via accounts.setAccountInfo, however, for production, you will need to create a script on the Proxy Page that checks for, and if not present, generates and populates these fields for all users prior to sending them over to Salesforce.com.
For more information see accounts.setAccountInfo JS.