GUIDE – APRIL 2019 PRINTED 7 AUGUST 2019 INTEGRATING SALESFORCE WITH VMWARE IDENTITY MANAGER: VMWARE WORKSPACE ONE OPERATIONAL TUTORIAL VMware Workspace ONE

Table of Contents

Overview

– Introduction

– Audience

Integrating Salesforce with VMware Identity Manager

– Introduction

– Prerequisites

– Configuring the Salesforce Developer Environment

– Logging In to the VMware Identity Manager Console

– Downloading the VMware Identity Manager SAML Metadata

– Configuring SSO in Salesforce

– Adding Salesforce to the Workspace ONE Application Catalog

– Testing Salesforce SSO through Workspace ONE Catalog

Summary and Additional Resources

– Conclusion

– Additional Resources

– About the Author

– Feedback

Integrating Salesforce: VMware Workspace ONE Operational Tutorial

Overview

Introduction

VMware provides this operational tutorial to help you with your VMware Workspace ONE® environment. In this tutorial, you configure VMware Identity Manager as a third-party identity provider in Salesforce to enable single sign-on (SSO) access to Salesforce. Then, you add Salesforce as a SAML application in VMware Identity Manager to be launched from the Workspace ONE app catalog.

Audience

This operational tutorial is intended for IT professionals and Workspace ONE administrators of existing production environments. Familiarity with networking and storage in a virtual environment is assumed, including Active Directory, identity management, and directory services. Knowledge of additional technologies such as VMware Identity Manager™ and VMware Workspace ONE® UEM is also helpful.

Integrating Salesforce with VMware Identity Manager

Introduction

This tutorial helps you to integrate Salesforce to VMware Identity Manager to enable single sign-on access to Salesforce. Procedures include:

  • Creating a Salesforce Developer environment
  • Configuring SAML SSO settings in Salesforce
  • Adding Salesforce to the Workspace ONE app catalog and configuring Salesforce SSO settings in the VMware Identity Manager console
  • Providing users with SSO access to Salesforce

The steps are sequential and build upon one another, so make sure that you complete each step before going to the next step.

Prerequisites

Before you can perform the procedures in this tutorial, you must satisfy the following requirements. For more information, see the VMware Identity Manager Documentation.

Check whether you have the following components installed and configured:

  • VMware Identity Manager tenant with administrator access
  • Salesforce environment – you can use an existing environment or follow steps in this tutorial to create a new Salesforce development environment

Configuring the Salesforce Developer Environment

In this activity, create a Salesforce developer account and configure the Salesforce domain.

If you have an existing Salesforce environment and want to use that for the exercises, skip to the next chapter: Configuring SSO Settings in Salesforce.

1. Create Salesforce Developer Account

  1. To create a Salesforce developer account, navigate to https://developer.salesforce.com/signup.
  2. Enter the required information and click Sign me up. After you create the account, you will receive an email to verify the email account and set your Salesforce password.
  3. When the account has been created successfully, you are logged in to the Salesforce console.

2. Navigate to My Domain

  1. Enter My Domain in the search box.
  2. Click My Domain.
  3. Enter a name for your domain (it must be unique). In this exercise, the domain is called vmwareeuc.
  4. Click Check Availability. If your domain is available, you will see a green Available message.
  5. Click Register Domain.

It takes approximately two minutes for the domain to register. You will receive an email when it is ready for testing.

3. Deploy the Domain

Perform the following steps to make the domain publicly available.

  1. Refresh your screen until you see confirmation that your Domain is Ready for Testing, which means the domain name is registered (vmwareeuc-dev-ed.my.salesforce.com).
  2. Click Log in.
  3. Click Deploy to Users.

4. Confirm the Domain is Deployed

Confirm that the domain has been deployed. You have completed the first configuration step in your Salesforce development environment.

Logging In to the VMware Identity Manager Console

To perform most of the steps in this exercise, you must first log in to the VMware Identity Manager console.

1. Launch Google Chrome (If Needed)

If Google Chrome is not already open, launch Google Chrome by double-clicking the icon from the desktop.

2. Open a New Browser Tab

Click the Tab space to open a new tab.

3. Navigate to Your VMware Identity Manager Tenant

Paste or enter the Tenant URL into the navigation bar and press Enter to continue.

4. Log In to Your VMware Identity Manager Tenant

  1. Enter the Username, for example, Administrator.
  2. Enter the Password, for example, VMware1!.
  3. Click Sign In.

5. Navigate to the Administrator Console (If Necessary)

If you see the User Portal as shown in the screenshot, navigate to the Administrator Console.

  1. Click the user drop-down icon.
  2. Select Administration Console.

This opens the Administration Console in a separate tab in your browser.

Downloading the VMware Identity Manager SAML Metadata

In this activity, you retrieve the SAML metadata and SAML signing certificate associated with VMware Identity Manager. Salesforce requires both of these SAML components for the SSO configuration and to set up VMware Identity Manager as its identity provider (IdP).

The SAML metadata describes the capabilities and requirements of the VMware Identity Manager, and resides as an XML file on the VMware Identity Manager tenant.

1. Navigate to Settings

In the VMware Identity Manager administration console:

  1. Click Catalog.
  2. Click Settings.

2. Download the Identity Provider (IdP) SAML Metadata

  1. Click SAML Metadata.
  2. Right-click Identity Provider (IdP) metadata and save locally as vidm-idp.xml.

Configuring SSO in Salesforce

In this activity, you configure Salesforce for SSO by defining VMware Identity Manager as the SAML identity provider for the application. Then, you download the SAML metadata for the Salesforce SSO configuration. You will use the file in a later activity to configure the Salesforce app in VMware Identity Manager.

If SAML is already enabled in your environment, skip to the next exercise.

1. Navigate to Single Sign-On Settings

In the Salesforce environment:

  1. Enter Single Sign-On in the search text box.
  2. Select Single Sign-On Settings.
  3. Click Edit.

2. Enable SAML Settings

  1. Select the SAML Enabled check box.
  2. Click Save.

3. Configure SAML Single Sign-On Settings

Click New from Metadata File.

4. Upload SAML Metadata File

Upload the IdP metadata file.

  1. Click Choose File and select the file previously downloaded from VMware Identity Manager. For example, vidm-idp.xml.
  2. Click Create.

5. Configure SSO Settings

  1. Enter a Name, for example, ws1. The profile Name is defined based on your VMware Identity Manager tenant URL; you can change this Name.
  2. The API Name by default uses the same profile name. For example, ws1. You can also change the API name; however, this name must be unique across all Salesforce data.
  3. Add your registered Salesforce Domain URL to Entity ID. For example, https://vmwareeuc-dev-ed.my.salesforce.com.
  4. For SAML Identity Type, ensure "Assertion contains the User's salesforce username" is selected.
  5. For SAML Identity Location, ensure "Identity is in the NameIdentifier element of the Subject statement" is selected.
  6. Enter your Identity Manager logout URL to the Identity Provider Single Logout URL. For example, https://ws1.vidmpreview.com/SAAS/auth/logout.
  7. For Single Logout Request Binding, select HTTP POST.
  8. Click Save.

6. Download Salesforce SSO Metadata

Click Download Metadata.

An XML file with the following format will be downloaded: SAMLSP-XXXXXXXXXXX.xml.
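A check that can be run on the two metadata files this procedure exchanges (vidm-idp.xml and the SAMLSP-XXXXXXXXXXX.xml file) before uploading or pasting them. It is an added example, not part of the original VMware tutorial. It reports the entityID, the endpoints and the SHA-256 fingerprint of the signing certificate so they can be compared with what each console shows. The embedded XML is constructed sample data; the /example/ paths and the certificate bytes are placeholders.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

MD, DS = "urn:oasis:names:tc:SAML:2.0:metadata", "http://www.w3.org/2000/09/xmldsig#"
BIND = "urn:oasis:names:tc:SAML:2.0:bindings:"
NS = {"md": MD, "ds": DS}
ENDPOINTS = ("SingleSignOnService", "SingleLogoutService", "AssertionConsumerService")

def summarize_metadata(xml_text):
    """Return role, entityID, endpoints and signing-certificate fingerprints."""
    root = ET.fromstring(xml_text)  # only parse files you downloaded from your own tenants
    idp = root.find("md:IDPSSODescriptor", NS)
    role = idp if idp is not None else root.find("md:SPSSODescriptor", NS)
    if role is None:
        raise ValueError("no IdP or SP role descriptor found")
    endpoints = [(name, el.get("Binding", "").rsplit(":", 1)[-1], el.get("Location", ""))
                 for name in ENDPOINTS for el in role.findall("md:" + name, NS)]
    fingerprints = []
    for kd in role.findall("md:KeyDescriptor", NS):
        if kd.get("use", "signing") != "signing":  # a KeyDescriptor without 'use' also signs
            continue
        for cert in kd.findall(".//ds:X509Certificate", NS):
            der = base64.b64decode("".join((cert.text or "").split()))
            if der:
                fingerprints.append(hashlib.sha256(der).hexdigest())
    return {"role": "idp" if idp is not None else "sp", "entity_id": root.get("entityID"),
            "endpoints": endpoints, "signing_sha256": fingerprints}

def review(summary, expected_entity_id=None):
    """List problems to resolve before the file is uploaded or pasted."""
    findings = []
    if expected_entity_id and summary["entity_id"] != expected_entity_id:
        findings.append("entityID is %s, expected %s" % (summary["entity_id"], expected_entity_id))
    for name, _binding, location in summary["endpoints"]:
        if urlparse(location).scheme != "https":
            findings.append("%s is not HTTPS: %s" % (name, location))
    if summary["role"] == "idp" and not summary["signing_sha256"]:
        findings.append("IdP metadata carries no signing certificate")
    return findings

# Constructed, trimmed sample data: placeholder certificate bytes and /example/ paths.
CERT_B64 = base64.b64encode(b"constructed placeholder, not a real certificate").decode()
IDP_SAMPLE = """<md:EntityDescriptor xmlns:md="{md}" xmlns:ds="{ds}"
    entityID="https://ws1.vidmpreview.com/example/idp">
  <md:IDPSSODescriptor>
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>{cert}</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:SingleSignOnService Binding="{b}HTTP-POST" Location="https://ws1.vidmpreview.com/example/sso"/>
    <md:SingleLogoutService Binding="{b}HTTP-POST" Location="https://ws1.vidmpreview.com/SAAS/auth/logout"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>""".format(md=MD, ds=DS, b=BIND, cert=CERT_B64)
SP_SAMPLE = """<md:EntityDescriptor xmlns:md="{md}" entityID="https://vmwareeuc-dev-ed.my.salesforce.com">
  <md:SPSSODescriptor>
    <md:AssertionConsumerService Binding="{b}HTTP-POST" index="0"
        Location="https://vmwareeuc-dev-ed.my.salesforce.com/example/acs"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>""".format(md=MD, b=BIND)

if __name__ == "__main__":
    for xml_text, expected in ((IDP_SAMPLE, None), (SP_SAMPLE, "https://vmwareeuc-dev-ed.my.salesforce.com")):
        summary = summarize_metadata(xml_text)
        print(summary, review(summary, expected) or "no findings")
```

To use it on real files, read each downloaded file's text and pass the Entity ID you entered in Salesforce as `expected_entity_id` for the SAMLSP file.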

Adding Salesforce to the Workspace ONE Application Catalog

In this activity, you add Salesforce as an application to the Workspace ONE catalog for seamless access. This enables the end user to authenticate directly into the Workspace ONE app catalog and perform an IdP-initiated login to the Salesforce instance federated with VMware Identity Manager.

1. Create New SaaS Application

In the VMware Identity Manager administration console:

  1. Click Catalog.
  2. Click New.

2. Select Salesforce Template

  1. Enter Salesforce in the text box.
  2. Select the Salesforce template.
  3. Click Next.

3. Configure URL/XML Settings

  1. Select URL/XML.
  2. Copy and paste the content of the Salesforce XML metadata file that you previously downloaded from Salesforce into the URL/XML text box.
  3. Click Next.

4. Configure Access Policies for the Application

For this exercise, use the default_access_policy_set.

Click Next.

5. Save the Application Configuration

Salesforce is now configured as an application on the Workspace ONE Catalog.

Click Save & Assign to configure the groups of users that will have permission to this application on the Catalog.

6. Assign Users to Salesforce

  1. Enter ALL USERS in the search box and select All Users.
  2. Select Automatic for Deployment Type.
  3. Click Save.

7. Complete Salesforce Configuration

The following steps complete the Salesforce configuration.

  1. Click Catalog.
  2. Select the Salesforce application.
  3. Click Edit.

8. Configure Username Settings

The following configuration ensures that the VMware Identity Manager service sends SAML assertions with subject statements that the application service provider recognizes. For Salesforce, the user e-mail address is used.

  1. Click Configuration.
  2. Select Email Address as the Username Format.
  3. Enter ${user.email} as the Username Value.
  4. Click Summary.

9. Save the Configuration

Click Save.

This concludes the configuration of the Salesforce Application, which now is available for All Users through the Workspace ONE App Catalog.

Testing Salesforce SSO through Workspace ONE Catalog

In this activity, you test SSO to Salesforce through the Workspace ONE catalog.

Before you log in to Salesforce using the Workspace ONE Catalog, make sure that the email address for the user account in Salesforce matches the email address for the user in VMware Identity Manager.

Note: The user account in VMware Identity Manager can be either a local account or Active Directory. However, it is important that the email addresses match between the accounts.

1. Log In to Workspace ONE

From your web browser open a New Incognito Window and navigate to the Workspace ONE portal.

  1. Enter the Username for the account you have in VMware Identity Manager (not the email address).
  2. Enter the Password.
  3. Click Sign in.

2. Open the Salesforce Application

Now, test authenticating into Salesforce through the Workspace ONE catalog.

Click Open and you should be redirected directly to Salesforce through SSO.

3. Confirm Successful SSO Access to Salesforce

Upon successful authentication with VMware Identity Manager, you are granted access to Salesforce through the Workspace ONE catalog.

Summary and Additional Resources

Conclusion

This tutorial provided steps to create and configure a Salesforce developer environment, and integrate Salesforce with VMware Identity Manager to enable single sign-on access to Salesforce.

Additional Resources

For more information about Workspace ONE, you can explore the following resources:

  • VMware Workspace ONE Activity Path
  • VMware Workspace ONE product page
  • VMware Workspace ONE Documentation
  • VMware Identity Manager product page
  • VMware Identity Manager Documentation
  • VMware Workspace ONE UEM powered by AirWatch product page
  • VMware Workspace ONE UEM Documentation
  • VMware Workspace ONE free trial
  • VMware Workspace ONE and VMware Horizon Reference Architecture
  • VMware End-User-Computing Blogs
  • Workspace ONE UEM Hands-On Lab

About the Author

This tutorial was written by:

Andreano Lanusse, End-User-Computing Staff Architect, Technical Marketing, VMware.

Feedback

The purpose of this tutorial is to assist you. Your feedback is valuable. To comment on this tutorial, contact VMware End-User-Computing Technical Marketing at [email protected].

VMware, Inc. 3401 Hillview Avenue Palo Alto CA 94304 USA Tel 877-486-9273 Fax 650-427-5001

www.vmware.com

Copyright © 2019 VMware, Inc. All rights reserved. This product is protected by U.S. and international copyright and intellectual property laws. VMware products are covered by one or more patents listed at http://www.vmware.com/go/patents. VMware is a registered trademark or trademark of VMware, Inc. in the United States and/or other jurisdictions. All other marks and names mentioned herein may be trademarks of their respective companies.