GUIDE – APRIL 2019
PRINTED 7 AUGUST 2019
INTEGRATING SALESFORCE WITH VMWARE IDENTITY MANAGER: VMWARE WORKSPACE ONE OPERATIONAL TUTORIAL
VMware Workspace ONE
Table of Contents
Overview
– Introduction
– Audience
Integrating Salesforce with VMware Identity Manager
– Introduction
– Prerequisites
– Configuring the Salesforce Developer Environment
– Logging In to the VMware Identity Manager Console
– Downloading the VMware Identity Manager SAML Metadata
– Configuring SSO in Salesforce
– Adding Salesforce to the Workspace ONE Application Catalog
– Testing Salesforce SSO through Workspace ONE Catalog
Summary and Additional Resources
– Conclusion
– Additional Resources
– About the Author
– Feedback
Integrating Salesforce: VMware Workspace ONE Operational Tutorial
Overview
Introduction
VMware provides this operational tutorial to help you with your VMware Workspace ONE® environment. In this tutorial, you configure VMware Identity Manager as a third-party identity provider in Salesforce to enable single sign-on (SSO) access to Salesforce. Then, you add Salesforce as a SAML application in VMware Identity Manager to be launched from the Workspace ONE app catalog.
Audience
This operational tutorial is intended for IT professionals and Workspace ONE administrators of existing production environments. Familiarity with networking and storage in a virtual environment is assumed, including Active Directory, identity management, and directory services. Knowledge of additional technologies such as VMware Identity Manager™ and VMware Workspace ONE® UEM is also helpful.
Integrating Salesforce with VMware Identity Manager
Introduction
This tutorial helps you to integrate Salesforce with VMware Identity Manager to enable single sign-on access to Salesforce. Procedures include:
– Creating a Salesforce Developer environment
– Configuring SAML SSO settings in Salesforce
– Adding Salesforce to the Workspace ONE app catalog and configuring Salesforce SSO settings in the VMware Identity Manager console
– Providing users with SSO access to Salesforce
The steps are sequential and build upon one another, so make sure that you complete each step before going to the next step.
Prerequisites
Before you can perform the procedures in this tutorial, you must satisfy the following requirements. For more information, see the VMware Identity Manager Documentation.
Check whether you have the following components installed and configured:
– VMware Identity Manager tenant with administrator access
– Salesforce environment – you can use an existing environment or follow steps in this tutorial to create a new Salesforce development environment
Configuring the Salesforce Developer Environment
In this activity, create a Salesforce developer account and configure the Salesforce domain.
If you have an existing Salesforce environment and want to use that for the exercises, skip to the next chapter: Configuring SSO Settings in Salesforce.
1. Create Salesforce Developer Account
   1. To create a Salesforce developer account, navigate to https://developer.salesforce.com/signup.
   2. Enter the required information and click Sign me up. After you create the account, you will receive an email to verify the email account and set your Salesforce password.
   3. When the account has been created successfully, you are logged in to the Salesforce console.
2. Navigate to My Domain
   1. Enter My Domain in the search box.
   2. Click My Domain.
   3. Enter a name for your domain; it must be unique. In this exercise, the domain is called vmwareeuc.
   4. Click Check Availability. If your domain is available, you will see a green Available message.
   5. Click Register Domain.
It takes approximately two minutes for the domain to register. You will receive an email when it is ready for testing.
3. Deploy the Domain
Perform the following steps to make the domain publicly available.
   1. Refresh your screen until you see confirmation that your Domain is Ready for Testing, which means the domain name is registered (vmwareeuc-dev-ed.my.salesforce.com).
   2. Click Log in.
   3. Click Deploy to Users.
4. Confirm the Domain is Deployed
Confirm that the domain has been deployed. You have completed the first configuration step in your Salesforce development environment.
Logging In to the VMware Identity Manager Console
To perform most of the steps in this exercise, you must first log in to the VMware Identity Manager console.
1. Launch Google Chrome (If Needed)
If Google Chrome is not already open, launch Google Chrome by double-clicking the icon from the desktop.
2. Open a New Browser Tab
Click the Tab space to open a new tab.
3. Navigate to Your VMware Identity Manager Tenant
Paste or enter the Tenant URL into the navigation bar and press Enter to continue.
4. Log In to Your VMware Identity Manager Tenant
   1. Enter the Username, for example, Administrator.
   2. Enter the Password, for example, VMware1!.
   3. Click Sign In.
5. Navigate to the Administrator Console (If Necessary)
If you see the User Portal as shown in the screenshot, navigate to the Administrator Console.
   1. Click the user drop-down icon.
   2. Select Administration Console.
This opens the Administration Console in a separate tab in your browser.
Downloading the VMware Identity Manager SAML Metadata
In this activity, you retrieve the SAML metadata and SAML signing certificate associated with VMware Identity Manager. Salesforce requires both of these SAML components for the SSO configuration and to set up VMware Identity Manager as its identity provider (IdP).
The SAML metadata describes the capabilities and requirements of the VMware Identity Manager, and resides as an XML file on the VMware Identity Manager tenant.
1. Navigate to Settings
In the VMware Identity Manager administration console:
   1. Click Catalog.
   2. Click Settings.
2. Download the Identity Provider (IdP) SAML Metadata
   1. Click SAML Metadata.
   2. Right-click Identity Provider (IdP) metadata and save locally as vidm-idp.xml.
Configuring SSO in Salesforce
In this activity, you configure Salesforce for SSO by defining VMware Identity Manager as the SAML identity provider for the application. Then, you download the SAML metadata for the Salesforce SSO configuration. You will use the file in a later activity to configure the Salesforce app in VMware Identity Manager.
If SAML is already enabled in your environment, skip to the next exercise.
1. Navigate to Single Sign-On Settings
In the Salesforce environment:
   1. Enter Single Sign-On in the search text box.
   2. Select Single Sign-On Settings.
   3. Click Edit.
2. Enable SAML Settings
   1. Select the SAML Enabled check box.
   2. Click Save.
3. Configure SAML Single Sign-On Settings
Click New from Metadata File.
4. Upload SAML Metadata File
Upload the IdP metadata file.
   1. Click Choose File and select the file previously downloaded from VMware Identity Manager. For example, vidm-idp.xml.
   2. Click Create.
5. Configure SSO Settings
   1. Enter a Name, for example, ws1. The profile Name is defined based on your VMware Identity Manager tenant URL; you can change this Name.
   2. The API Name by default uses the same profile name. For example, ws1. You can also change the API name, however this name must be unique across all Salesforce data.
   3. Add your registered Salesforce Domain URL to Entity ID. For example, https://vmwareeuc-dev-ed.my.salesforce.com.
   4. For SAML Identity Type, ensure Assertion contains the User's salesforce username is selected.
   5. For SAML Identity Location, ensure Identity is in the NameIdentifier element of the Subject statement is selected.
   6. Enter your Identity Manager logout URL to the Identity Provider Single Logout URL. For example, https://ws1.vidmpreview.com/SAAS/auth/logout.
   7. For Single Logout Request Binding, select HTTP POST.
   8. Click Save.
6. Download Salesforce SSO Metadata
Click Download Metadata.
An XML file with the following format will be downloaded: SAMLSP-XXXXXXXXXXX.xml.
Adding Salesforce to the Workspace ONE Application Catalog
In this activity, you add Salesforce as an application to the Workspace ONE catalog for seamless access. This enables the end user to authenticate directly into the Workspace ONE app catalog and perform an IdP-initiated login to the Salesforce instance federated with VMware Identity Manager.
1. Create New SaaS Application
In the VMware Identity Manager administration console:
   1. Click Catalog.
   2. Click New.
2. Select Salesforce Template
   1. Enter Salesforce in the text box.
   2. Select the Salesforce template.
   3. Click Next.
3. Configure URL/XML Settings
   1. Select URL/XML.
   2. Copy and paste the content of the Salesforce XML metadata file that you previously downloaded from Salesforce into the URL/XML text box.
   3. Click Next.
4. Configure Access Policies for the Application
For this exercise, use the default_access_policy_set.
Click Next.
5. Save the Application Configuration
Salesforce is now configured as an application on the Workspace ONE Catalog.
Click Save & Assign to configure the groups of users that will have permission to this application on the Catalog.
6. Assign Users to Salesforce
   1. Enter ALL USERS in the search box and select All Users.
   2. Select Automatic for Deployment Type.
   3. Click Save.
7. Complete Salesforce Configuration
The following steps complete the Salesforce configuration.
   1. Click Catalog.
   2. Select the Salesforce application.
   3. Click Edit.
8. Configure Username Settings
The following configuration ensures that the VMware Identity Manager service sends SAML assertions with subject statements that the application service provider recognizes. For Salesforce, the user e-mail address is used.
   1. Click Configuration.
   2. Select Email Address as the Username Format.
   3. Enter ${user.email} as the Username Value.
   4. Click Summary.
9. Save the Configuration
Click Save.
This concludes the configuration of the Salesforce Application, which now is available for All Users through the Workspace ONE App Catalog.
Testing Salesforce SSO through Workspace ONE Catalog
In this activity, you test SSO to Salesforce through the Workspace ONE catalog.
Before you log in to Salesforce using the Workspace ONE Catalog, make sure that the email address for the user account in Salesforce matches the email address for the user in VMware Identity Manager.
Note: The user account in VMware Identity Manager can be either a local account or Active Directory. However, it is important that the email addresses match between the accounts.
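When the SSO test fails, the cause is usually a mismatch between the assertion and the settings above. The following troubleshooting check is an added example, not part of the VMware guide: it reads an assertion captured during the test and reports where it departs from the tutorial's settings (NameID in the Subject, an email-format value, Audience equal to the Salesforce Entity ID, a matching Salesforce user). The sample assertion, the user jane.doe@example.com, the function name, and the assumption that the Email Address username format is sent as the SAML 1.1 emailAddress NameID format are illustrative.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"

# Constructed, unsigned assertion fragment; the user is a placeholder.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">Jane.Doe@example.com</saml:NameID>
  </saml:Subject>
  <saml:Conditions><saml:AudienceRestriction>
    <saml:Audience>https://vmwareeuc-dev-ed.my.salesforce.com</saml:Audience>
  </saml:AudienceRestriction></saml:Conditions>
</saml:Assertion>"""


def check_assertion(xml_text, entity_id, salesforce_usernames):
    """List the ways an assertion departs from the tutorial's SSO settings."""
    # Content inspection only: the XML signature is NOT verified here.
    root = ET.fromstring(xml_text)
    name_id = root.find(".//saml:Subject/saml:NameID", NS)
    if name_id is None or not (name_id.text or "").strip():
        return ["Subject has no NameID"]
    value = name_id.text.strip()
    problems = []
    if name_id.get("Format") != EMAIL_FORMAT:
        problems.append(f"NameID Format is {name_id.get('Format')}, expected emailAddress")
    audiences = [a.text.strip() for a in root.iterfind(".//saml:Audience", NS) if a.text]
    if entity_id not in audiences:
        problems.append(f"Audience {audiences} does not include Entity ID {entity_id}")
    if value not in salesforce_usernames:
        # Report case-only differences separately so they are easy to spot.
        if value.lower() in {u.lower() for u in salesforce_usernames}:
            problems.append(f"NameID {value} differs from a Salesforce username only by case")
        else:
            problems.append(f"NameID {value} has no matching Salesforce username")
    return problems


if __name__ == "__main__":
    entity = "https://vmwareeuc-dev-ed.my.salesforce.com"
    # Constructed user list standing in for an export of Salesforce usernames.
    for line in check_assertion(SAMPLE_ASSERTION, entity, {"jane.doe@example.com"}):
        print(line)
```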
1. Log In to Workspace ONE
From your web browser open a New Incognito Window and navigate to the Workspace ONE portal.
   1. Enter the Username for the account you have in VMware Identity Manager (not the email address).
   2. Enter the Password.
   3. Click Sign in.
2. Open the Salesforce Application
Now, test authenticating into Salesforce through the Workspace ONE catalog.
Click Open and you should be redirected directly to Salesforce through SSO.
3. Confirm Successful SSO Access to Salesforce
Upon successful authentication with VMware Identity Manager, you are granted access to Salesforce through the Workspace ONE catalog.
Summary and Additional Resources
Conclusion
This tutorial provided steps to create and configure a Salesforce developer environment, and integrate Salesforce with VMware Identity Manager to enable single sign-on access to Salesforce.
Additional Resources
For more information about Workspace ONE, you can explore the following resources:
– VMware Workspace ONE Activity Path
– VMware Workspace ONE product page
– VMware Workspace ONE Documentation
– VMware Identity Manager product page
– VMware Identity Manager Documentation
– VMware Workspace ONE UEM powered by AirWatch product page
– VMware Workspace ONE UEM Documentation
– VMware Workspace ONE free trial
– VMware Workspace ONE and VMware Horizon Reference Architecture
– VMware End-User-Computing Blogs
– Workspace ONE UEM Hands-On Lab
About the Author
This tutorial was written by:
Andreano Lanusse, End-User-Computing Staff Architect, Technical Marketing, VMware.
Feedback
The purpose of this tutorial is to assist you. Your feedback is valuable. To comment on this tutorial, contact VMware End-User-Computing Technical Marketing at [email protected].
VMware, Inc. 3401 Hillview Avenue Palo Alto CA 94304 USA Tel 877-486-9273 Fax 650-427-5001
www.vmware.com
Copyright © 2019 VMware, Inc. All rights reserved. This product is protected by U.S. and international
copyright and intellectual property laws. VMware products are covered by one or more patents listed at
http://www.vmware.com/go/patents. VMware is a registered trademark or trademark of VMware, Inc. in
the United States and/or other jurisdictions. All other marks and names mentioned herein may be
trademarks of their respective companies.