Configure single sign-on
This topic describes how to configure Salesforce as an identity provider for single sign-on to AppDirect.
Prerequisites
- AppDirect must enable identifier-first user login in the marketplace.
- You must have a Company Administrator user set up, and have verified that you can access the marketplace with it, to prevent being locked out.
Note: SSO is not enforced for company administrators. This is a preventative measure to ensure that not everyone is locked out of the organization if SSO is misconfigured or broken. Company administrators must log in using their AppDirect credentials.
- Administrators must create Sales Support users for each sales agent in both the AppDirect and Salesforce organizations. Add the AppDirect user permission set to these users.
- Salesforce administrators must manually set the User.AppDirect_Username field to match the username in AppDirect.
Note: AppDirect usernames are case sensitive and the Salesforce email fields are not. You need a custom field to store the exact username from the AppDirect system for use in the SSO process.
Create the Salesforce identity provider
- In Salesforce, click the gear icon and then select Setup.
- Go to Settings > Identity > Identity Provider > Enable Identity Provider.
- Click Create new certificate.
- Add the following values to the fields:
  - Label: AppDirect SSO
  - Unique Name: AppDirect_SSO
  - Type: Self-signed
  - Key Size: 2048
  - Exportable Private Key: True
- Click Save. The Salesforce organization is enabled as an IdP and generates a self-signed certificate.
- Click Download Certificate and then save it somewhere secure. You will need the certificate to upload to AppDirect.
To configure AppDirect single sign-on
- In AppDirect, go to Manage > Account > Company Settings > Company Settings | Single Sign-on.
- Add the following values to the fields:
  - Entity ID: Issued from the Salesforce identity provider created in the prerequisites.
  - Login URL: The value is created when you create the connected app in the next step. For now, add the following placeholder: https://login.salesforce.com
  - Verification Certificate: Upload the self-signed certificate that was generated when you created the Salesforce identity provider in the previous step.
  - Service provider-initiated request binding: HTTP Redirect
  - NameID policy (format): Persistent
  - Sign authentication request: Disabled
  - Automatic user creation: Disabled
  - User account linking by email: Enabled
  - Force re-authentication on session expiration: Enabled
  - Force SSO for end users: Enabled
    Note: To avoid getting locked out of the marketplace, ensure that you have set up a Company Administrator user and have verified that you can log in as that user.
  - Update user roles: Disabled
- Click Save.
- Note the Entity ID and the ACS URLs that were generated under SSO Config > Service Provider Configuration. These values will be added to the Salesforce connected app in the next step.
Configure custom attribute mapping
- In AppDirect, go to Manage > Account > Company Settings > Company Settings | Single Sign-on.
- Click Add Attribute Mapping. The Single Sign-on configuration page opens.
- For the Email Attribute Key, add email as the attribute value.
- Click Save. This explicitly calls out the value in the SAML assertion that Salesforce matches to the AppDirect user email address.
Create a new connected app in Salesforce
- In Salesforce, click the gear icon and then select Setup.
- Go to Platform Tools > Apps > App Manager.
- Click New Connected App. The New Connected App page appears.
- Add the following values to the New Connected App dialog:
  - Connected App Name: AppDirect Single Sign On
  - API Name: AppDirect_Single_Sign_On
  - Contact Email: Salesforce admin user or support department email.
  - Contact Phone: Salesforce admin user or support department phone number.
  - Description: Authentication Setup for AppDirect Single Sign On.
  - Web App Settings, Start URL: N/A
  - Enable SAML: true
  - Entity ID: The Entity ID (issuer) URL listed in the AppDirect SSO configuration under Service Provider Configuration.
  - ACS URL: The ACS URL listed in the AppDirect SSO configuration under Service Provider Configuration.
  - Enable Single Logout: false
  - Subject Type: UserId
    Note: AppDirect saves this unique identifier to the External ID field on the user (only visible via the user API). It is used on subsequent logins for matching. It is recommended to use the user ID.
  - Name ID Format: urn:oasis:names:tc:SAML:2.0:nameid-format:persistent
  - Issuer: The Issuer value is listed on the identity provider setup in the previous step and makes up part of the Salesforce org URL. For example, https://appdirect-qa-dev-ed.my.salesforce.com
  - IdP Certificate: Select the self-signed certificate associated with the identity provider created in the previous step.
  - Verify Request Signatures: false
  - Encrypt SAML Response: false
  - Signing Algorithm for SAML Messages: SHA1
- Click Save.
- Click Manage. Note the IdP-Initiated Login URL in the SAML Login Information section. You will need this URL for the Login URL field on the AppDirect Single Sign-on configuration page.
To provide access to the connected app
- In Salesforce, click the gear icon and then select Setup.
- Go to Administration > Users > Permission Sets.
- From the Permission Sets table, click AppDirect User. The AppDirect User Permission Sets page appears.
- From the Apps section, click Assigned Connected Apps.
- Click Edit.
- Select AppDirect Single Sign On and then click Add to add it to the list of Enabled Connected Apps.
- Click Save.
- Repeat these steps for the AppDirect Admin permission set by clicking AppDirect Admin instead of AppDirect User in the Permission Sets table.
To configure deep link SSO
- In Salesforce, click the gear icon and then select Setup.
- Go to Platform Tools > Custom Code > Custom Settings.
- Click AppDirect Marketplace Settings. The AppDirect Marketplace Settings page appears.
- Click Manage and then click Edit. There should already be a default org level record in this custom setting with the Marketplace Domain and Name listed. Edit this record and set the SSO Enabled field to true.
- Click Save. This adds the SSO URL path elements into the deep link formula fields.
- Select the SSO Enabled checkbox.
- Click Save.
Deep link validation
- Log in to Salesforce as a user that is set up in AppDirect without the Company Admin role (ensure that the User.Email field matches the corresponding UUID for the record in AppDirect).
- Check that the AppDirect user is logged out of AppDirect.
- Go to an account, contact, or opportunity that exists both in AppDirect and Salesforce. The AppDirect_ID_c should match the corresponding UUID for the record in AppDirect.
- Click the AppDirect Link to open the link in a new browser.
You are routed to the record details page in AppDirect.
AppDirect Login
- While signed in to Salesforce, navigate to https://<marketplace>.byappdirect.com/login.
- Enter the AppDirect username and email address for the SSO user.
- Click Next.
The browser redirects you to the default landing page in AppDirect.
- While signed out of Salesforce, navigate to https://<marketplace>.byappdirect.com/login.
- Enter the AppDirect username and email address for the SSO user.
- Click Next. You are redirected to the Salesforce login page for the configured organization.
- Enter the username and password and then click Login.
The browser redirects you to the default landing page in AppDirect.
Just-in-time provisioning
To configure just-in-time provisioning for sales agents, you must add custom attributes to the SAML response and provide a mapping in the AppDirect SSO configuration.
To configure custom attribute mapping
- In Salesforce, click the gear icon and then select Setup.
- Go to Platform Tools > Apps > App Manager.
- From the App Name column, click the arrow in the row for AppDirect Single Sign On and then select Manage.
- From the Custom Attributes section, click New.
- Enter the following values for the new custom attribute:
  - FirstName (required): $User.FirstName
  - LastName (required): $User.LastName
  - Email (required): $User.Email (could be email, personal email, and/or work email depending on client installation)
  - PersonalEmail (optional): $User.Email (could be email, personal email, and/or work email depending on client installation)
  - WorkEmail (optional): $User.Email (could be email, personal email, and/or work email depending on client installation)
  - HomePhone (optional): $User.Phone (could be home and/or work depending on client installation)
  - MobilePhone (optional): $User.Mobile
  - WorkPhone (optional): $User.Phone (could be home and/or work depending on client installation)
  - Country (optional): $User.Country
  - Role (optional): $User.AppDirect_User_Role_c
  - State (optional): $User.State
  - Title (optional): $User.Title
  - BillingDay (optional): No standard field. Create this field for just-in-time provisioning.
AppDirect just-in-time configuration
- In AppDirect, go to Manage > Account > Company Settings | Single Sign-on.
- Enable Automatic User Creation. This automatically creates users in AppDirect on first SSO login.
- Enable Update User Roles. This allows you to manage sales agent user roles from Salesforce.
AppDirect custom attribute mapping
- In AppDirect, go to Manage > Account > Company Settings > Company Settings | Single Sign-on. The Single Sign-On Configuration page opens.
- In the Attribute Mapping pane, click Add Attribute Mapping and create an entry for each of the following:
  - FirstName (required): FirstName
  - LastName (required): LastName
  - Email (required): Email
  - PersonalEmail (optional): PersonalEmail
  - WorkEmail (optional): WorkEmail
  - HomePhone (optional): HomePhone
  - MobilePhone (optional): MobilePhone
  - WorkPhone (optional): WorkPhone
  - Country (optional): Country
  - Role (optional): Role
  - State (optional): State
  - Title (optional): Title
  - BillingDay (optional): BillingDay
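The following is an added example, not AppDirect's or Salesforce's code, showing what the settings on this page amount to at login time: a constructed, unsigned SAML assertion carrying the custom attributes from the tables above is parsed, the persistent NameID format is enforced, the attribute mapping is applied, and the user is matched by the External ID saved at first login, then linked by email (case-insensitively, as Salesforce email fields are), or created when automatic user creation is enabled. The assertion content, the in-memory user list and the function names are assumptions made for the example.

```python
import xml.etree.ElementTree as ET
NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
REQUIRED = {"FirstName", "LastName", "Email"}  # keys from the attribute mapping tables above
OPTIONAL = {"PersonalEmail", "WorkEmail", "HomePhone", "MobilePhone", "WorkPhone",
            "Country", "Role", "State", "Title", "BillingDay"}

# Constructed, unsigned sample: what a service provider reads after verifying the signature.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">005PLACEHOLDERID</saml:NameID>
  </saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="FirstName"><saml:AttributeValue>Ada</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="LastName"><saml:AttributeValue>Lovelace</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="Email"><saml:AttributeValue>Ada.Lovelace@Example.com</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="Role"><saml:AttributeValue>Sales Support</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

def parse_assertion(xml_text):
    """Return (name_id, attributes); reject anything but the persistent NameID format."""
    root = ET.fromstring(xml_text)
    name_id = root.find("saml:Subject/saml:NameID", NS)
    if name_id is None or name_id.get("Format") != PERSISTENT:
        raise ValueError("NameID missing or not in persistent format")
    attrs = {a.get("Name"): (a.findtext("saml:AttributeValue", "", NS) or "").strip()
             for a in root.findall("saml:AttributeStatement/saml:Attribute", NS)}
    return name_id.text.strip(), attrs

def map_attributes(attrs):
    """Required keys must be present and non-empty; keys outside the mapping are dropped."""
    missing = sorted(k for k in REQUIRED if not attrs.get(k))
    if missing:
        raise ValueError("required attributes missing: " + ", ".join(missing))
    return {k: v for k, v in attrs.items() if k in REQUIRED | OPTIONAL}

def provision(xml_text, users):
    """users: constructed AppDirect user list. Match External ID, else link by email, else create."""
    name_id, attrs = parse_assertion(xml_text)
    profile = map_attributes(attrs)
    if any(u.get("ExternalId") == name_id for u in users):
        return "matched_external_id"
    # User account linking by email; Salesforce email fields are not case sensitive.
    match = next((u for u in users if u["Email"].lower() == profile["Email"].lower()), None)
    if match is not None:
        match["ExternalId"] = name_id  # later logins match on this, not on email
        return "linked_by_email"
    users.append({**profile, "ExternalId": name_id})  # Automatic user creation enabled
    return "created"
```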
What's next?
Export products from AppDirect to upload to Salesforce