This article describes setting up single sign-on (SSO) with Salesforce. This feature must be enabled in your account by a MetaLocator support technician in order to function as shown in this article.
Step 1. Create a SalesForce Connected App for MetaLocator
Within Salesforce, create a new Connected App called "MetaLocator", with the following options:
Start URL:
https://admin.metalocator.com/plugins/user/oneloginsaml/oneloginsaml.php?sso&id=<youruserid>
Replace <youruserid> in the URL with the MetaLocator Owner user's User ID. Your user ID is a numerical value which can be found as shown below:
ACS URL: https://admin.metalocator.com/plugins/user/oneloginsaml/oneloginsaml.php?acs&id=<youruserid>
Entity Id:
metalocator-saml
Issuer:
https://<your salesforce url>.my.salesforce.com (change to your actual Salesforce URL, this should match the setting in MetaLocator for EntityID)
Name ID Format:
urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified
IdP Certificate:
Default IdP Certificate
Enable Single Layout
Check the box to enable Single Logout
Provide the Logout URL in this format https://admin.metalocator.com/plugins/user/oneloginsaml/oneloginsaml.php?sls&id=<youruserid>
Choose HTTP Redirect as the Logout Binding
Step 2. Configure the MetaLocator Account
Login as the Account Owner and go to My User Profile
Scroll down and expand Show Advanced Options, then update the following options according to your Salesforce settings.
Provide the URL for your Salesforce instance. It will be listed as the "Issuer" in the SAML Service Provider Settings for the Connected App created above.
2. Provide the SSO IDP URL as shown below. This is the same URL as the SP-Initiated Redirect Endpoint in the SAML Login Information for the Connected App created above.
3. Provide the IdP Certificate. This can be downloaded from the SAML Service Provider Settings.
4. Provide your SSO Domain.
Set this to the domain associated with your email address, e.g. customer.com. This ensures that the anonymous link on our login form knows which SSO to invoke based on an incoming email. If this domain is not provided, users will not be able to use the SSO link on the MetaLocator login screen.
Step 3. Testing the Connected App
Add MetaLocator to the Salesforce App Launcher by configuring the Connected App to show as shown below.
From the SalesForce main menu, choose App Launcher, then MetaLocator. You should be immediately signed in to MetaLocator.
Users that do not exist in MetaLocator will be created on the fly based on the email address coming from Salesforce. The accounts will be created as "blocked" accounts with no access to any MetaLocator features. The requesting user will receive an email that their account is pending review and the account owner will receive an email notification that an account is pending review as shown below:
Click the link provided and login as the account owner. Click the username to edit the user. Choose an appropriate user type:
Click Save, then enable the user as shown below. This triggers an email notification to the new SSO user indicating that their login has been enabled.
The email notification is shown below.
When the user logs in, they will now see the resources available to them, based on the type of user chosen above.