Salesforce: SAML UserIDType is Assertion with Federation ID


Hi. I'm using AM for Salesforce integration. Due to a technical
limitation (see my post http://tinyurl.com/p75hbvw for details), I'm
considering using the SAML user Type "Assertion contains the Federation
ID from the User object". I can't find any documentation or instructions
on how to use this setting. The following is my setup:

Users are stored in eDirectory which has a custom attribute "employeeID"
.. In Salesforce, the username is employeeID@mycompany.com, which is NOT
the email address of the user.
The federationID is the cn of the user.
So for example, for user "John Doe", employeeID is 111, Salesforce
username is "111@mycompany.com", email address is "jdoe@mycompany.com",
cn is "jdoe", so the federation ID is "jdoe".

My configuration is roughly based on the Cool Solutions
article http://tinyurl.com/n2lbdj7 except for the SAML UserID type as
well as attribute mapping and authentication response configuration.

My questions are as follows:

1. In attribute mapping, what is the name of the Remote Attribute in
Salesforce for federation ID? I tried using "Federation ID" and
"FederationIdentifier" (this one is according to the Salesforce SOAP API
Reference Guide).

2. In configuring the authentication response for the Service Provider,
what should be the settings in this case?
I have tried the following:
Checking the persistent, transient and Unspecified checkboxes,
clicked on the radio button beside the "Unspecified" name identifier
format under "default", and select the "Ldap attribute cn[LDAP attribute
profile] beside the "default" that is selected.

The overall configuration above (after doing Identity Server -> Update
all) gave me an error "Error:The request to provide authentication to a
service provider has failed. (300101050-CFA89914371A42D7) "

3. Are there any settings that I missed for using this SAML UserID
Type?

Any help is appreciated.

-Andrew


--
ndrw_cheung
------------------------------------------------------------------------
ndrw_cheung's Profile: https://forums.netiq.com/member.php?userid=5241
View this thread: https://forums.netiq.com/showthread.php?t=47951


Re: Salesforce: SAML UserIDType is Assertion with Federation ID

On 13.06.2013 17:14, ndrw cheung wrote:
>
> Hi. I'm using AM for Salesforce integration.


I assume you have chosen SAML2.0 rather than SAML1.1 (based on some
further details in your posts)

> Due to a technical
> limitation (see my post http://tinyurl.com/p75hbvw for details), I'm
> considering using the SAML user Type "Assertion contains the Federation
> ID from the User object". I can't find any documentation or instructions
> on how to use this setting. The following is my setup:


What option have you chosen for "SAML Identity Location"?

Have you chosen "Identity is in the NameIdentifier element of the
Subject statement" or "Identity is in an Attribute element"?

> Users are stored in eDirectory which has a custom attribute "employeeID"
> .. In Salesforce, the username is employeeID@mycompany.com, which is NOT
> the email address of the user.
> The federationID is the cn of the user.
> So for example, for user "John Doe", employeeID is 111, Salesforce
> username is "111@mycompany.com", email address is "jdoe@mycompany.com",
> cn is "jdoe", so the federation ID is "jdoe".
>
> My configuration is roughly based on the Cool Solutions
> article http://tinyurl.com/n2lbdj7 except for the SAML UserID type as
> well as attribute mapping and authentication response configuration.
>
> My questions are as follows:
>
> 1. In attribute mapping, what is the name of the Remote Attribute in
> Salesforce for federation ID? I tried using "Federation ID" and
> "FederationIdentifier" (this one is according to the Salesforce SOAP API
> Reference Guide).


Try User.FederationIdentifier

This is based on this example:

http://login.salesforce.com/help/doc/en/sso_saml_assertion_examples.htm#saml_assertion_examples_JIT

Why do you need attribute mapping at all? Are you doing provisioning in
addition to Federation?

> 2. In configuring the authentication response for the Service Provider,
> what should be the settings in this case?
> I have tried the following:
> Checking the persistent, transient and Unspecified checkboxes,
> clicked on the radio button beside the "Unspecified" name identifier
> format under "default", and select the "Ldap attribute cn[LDAP attribute
> profile] beside the "default" that is selected.


If you choose "Assertion contains the Federation ID from the User
object" and "Identity is in the NameIdentifier element of the Subject
statement", then you can use either "unspecified" or "email" as the
default and "select Ldap attribute cn[LDAP attribute profile]" as the
value to send.

Don't use persistent or transient (as they auto-generate an ID for you,
rather than allow you to specify the CN as you want).

> The overall configuration above (after doing Identity Server -> Update
> all) gave me an error "Error:The request to provide authentication to a
> service provider has failed. (300101050-CFA89914371A42D7) "


This might be a separate problem, that I would try and solve first.
Often this error is caused by failing to import/assign the right
certificate.

If you get this error after Identity Server -> Update, before you
actually try to federate at all with a user - then it's almost certainly
certificate or metadata related.


--
----------------------------------------------------------------------
Alex McHugh
NetIQ Knowledge Partner http://forums.netiq.com

Please post questions in the forums. No support is provided via email.
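As an added example (not code from this thread, from NetIQ Access Manager or from Salesforce), the following Python builds the Subject NameID, and for the "Identity is in an Attribute element" case a User.FederationIdentifier attribute, the way the reply above recommends, then applies the check an SP configured for "Assertion contains the Federation ID" implies: the value must equal the eDirectory cn, and persistent/transient NameIDs are rejected because the IdP generates those values. The check function and its messages are hypothetical, not Salesforce's actual logic; "jdoe" is the thread's own sample cn.

```python
import xml.etree.ElementTree as ET

NS = "urn:oasis:names:tc:SAML:2.0:assertion"
FMT_UNSPECIFIED = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
FMT_EMAIL = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
FMT_PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
FMT_TRANSIENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient"
ACCEPTED = {FMT_UNSPECIFIED, FMT_EMAIL}  # formats that carry the cn as-is
FED_ATTR = "User.FederationIdentifier"   # remote attribute name from the reply


def q(tag):
    """Qualify a tag name with the SAML 2.0 assertion namespace."""
    return f"{{{NS}}}{tag}"


def build_assertion(nameid_format, nameid_value, fed_attr_value=None):
    """Build the Subject (and, when fed_attr_value is given, a
    User.FederationIdentifier attribute) of a SAML 2.0 assertion."""
    ET.register_namespace("saml", NS)
    root = ET.Element(q("Assertion"), {"Version": "2.0"})
    nameid = ET.SubElement(ET.SubElement(root, q("Subject")), q("NameID"),
                           {"Format": nameid_format})
    nameid.text = nameid_value
    if fed_attr_value is not None:  # "Identity is in an Attribute element"
        attr = ET.SubElement(ET.SubElement(root, q("AttributeStatement")),
                             q("Attribute"), {"Name": FED_ATTR})
        ET.SubElement(attr, q("AttributeValue")).text = fed_attr_value
    return ET.tostring(root, encoding="unicode")


def check_federation_id(assertion_xml, expected_cn, identity_in_attribute=False):
    """Hypothetical SP-side check; returns (ok, reason)."""
    root = ET.fromstring(assertion_xml)
    if identity_in_attribute:
        vals = root.findall(f".//{q('Attribute')}[@Name='{FED_ATTR}']/{q('AttributeValue')}")
        if len(vals) != 1:
            return False, f"expected exactly one {FED_ATTR} value"
        got = vals[0].text
    else:
        nameid = root.find(f".//{q('Subject')}/{q('NameID')}")
        if nameid is None:
            return False, "no Subject/NameID in assertion"
        fmt = nameid.get("Format", FMT_UNSPECIFIED)  # SAML default if absent
        if fmt not in ACCEPTED:
            return False, f"{fmt} is IdP-generated, so it can never be the cn"
        got = nameid.text
    if got != expected_cn:
        return False, f"identity {got!r} does not match Federation ID {expected_cn!r}"
    return True, "Federation ID matches"
```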

Re: Salesforce: SAML UserIDType is Assertion with Federation ID


This is my third attempt at replying as my replies via NNTP seem to have
gone AWOL.

ndrw_cheung;230411 Wrote:
> My questions are as follows:
>
> 1. In attribute mapping, what is the name of the Remote Attribute in
> Salesforce for federation ID? I tried using "Federation ID" and
> "FederationIdentifier" (this one is according to the Salesforce SOAP API
> Reference Guide).
Try User.FederationIdentifier

This is based on this example:

http://tinyurl.com/q5kpnhc

Why do you need attribute mapping at all? Are you doing provisioning in
addition to Federation?

ndrw_cheung;230411 Wrote:
> 2. In configuring the authentication response for the Service Provider,
> what should be the settings in this case?
> I have tried the following:
> Checking the persistent, transient and Unspecified checkboxes,
> clicked on the radio button beside the "Unspecified" name identifier
> format under "default", and select the "Ldap attribute cn[LDAP attribute
> profile] beside the "default" that is selected.


If you choose "Assertion contains the Federation ID from the User
object" and "Identity is in the NameIdentifier element of the Subject
statement", then you can use either "unspecified" or "email" as the
default and "select Ldap attribute cn[LDAP attribute profile]" as the
value to send.

Don't use persistent or transient (as they auto-generate an ID for you,
rather than allow you to specify the CN as you want).

ndrw_cheung;230411 Wrote:
> The overall configuration above (after doing Identity Server -> Update
> all) gave me an error "Error:The request to provide authentication to a
> service provider has failed. (300101050-CFA89914371A42D7) "


This might be a separate problem, that I would try and solve first.
Often this error is caused by failing to import/assign the right
certificate.

If you get this error after Identity Server -> Update, before you
actually try to federate at all with a user - then it's almost certainly
certificate or metadata related.


--
alexmchugh
------------------------------------------------------------------------
alexmchugh's Profile: https://forums.netiq.com/member.php?userid=461
View this thread: https://forums.netiq.com/showthread.php?t=47951
