Logging in to Salesforce using Gigya as the IdP requires that every account which attempts to login to Salesforce contain certain attributes mapped to Salesforce fields.
Several of these can be mapped using standard Gigya Profile attributes.
data.ProfileID must correspond to the permissions you wish the user to have upon logging into Salesforce. See Salesforce Custom data Attributes for more information.
data.UserName should be the users email address, with a random generated string appended to it, to avoid conflicting with any existing Salesforce users. UserNames on Salesforce are globally unique, so if a user attempts to login with an email that is already associated with an existing account on Salesforce, login will fail.
The last two must use custom data attributes.
data.UserName needs to be in the form of an email address. If you are using only company owned employee email addresses you may be able to map the Salesforce User.UserName field directly from the Gigya email field, as is done for several of the other attributes.
If you are allowing users to use their own, personal email addresses, this will cause a lot of login attempts to fail. Salesforce UserNames are globally unique, that means that any individual email address can only be associated to a single salesforce account. If any of your users already have their email addresss associated with another account on Salesforce.com, their login will fail with a User Already Exists error.
To avoid this, best practice is to create a custom data field and use a modified version of the users email address as the string. You can see in the user data below that for this example I appended the random string '+sf2.01293013900123' to an existing email address, before the @ symbol. You could use the same string for all email addresses, reminiscent of a salt, or you can generate a random string for every user.
The data.ProfileID is a custom attribute that holds the permissions that you want the individual user to gain upon logging into Salesforce. This may be the same for many different users.
This attribute holds the data that tells Salesforce what permissions to allow the individual user to have upon login. Depending upon your account type within Salesforce, the number of different types of users may be limited. Be sure that you are setting user permissions to a profile that has available users.
In order to determine what string to place in this field for a particular user, navigate to the Manage Users > Profiles page of your Salesforce account's Setup section.
You will see a list of all possible profiles for your account. Select the profile you want the user to have the permissions for and open the page for that Profile. In the URL of the page that opens you will see a string that defines that Profile type. Copy that string and use it as the data for the data.ProfileID attribute.
See the video below for clarification.
Trouble viewing the above video? See here.
Download link: salesforce-02.mp4
If you are using the newer SalesForce Portal, the URL of the Profile may be different. If this is the case, you want to pull the ProfileID from the address attribute of the URI.
In this example the ProfileID is 00e46000001P6PF (%2F and %3F are URL Encoded entities).
Response of accounts.getAccountInfo for an account with data.ProfileID and data.UserName set:
Configuring Custom Data For Users
You will need to set these custom data fields for every user prior to their attempt to login to Salesforce. Best practice is to set up a script within the SAML Proxy Page you configured within Gigya's Configure SAML IdP Settings page. This should call accounts.setAccountInfo after determining which permissions the user is entitled, and after setting the salt for the UserName field but before sending the response to Salesforce.com.
For more information on setting custom data see accounts.setAccountInfo JS.