DNN SAML Single Sign-On (SSO) with Salesforce as IDP

• After successful license activation, the plugin dashboard will open as shown below.

• In the plugin dashboard, click on the Service Provider Metadata button from the top menu. This will open the Service Provider Metadata page.
• Select the required NameID Format from the dropdown (for example, Email Address or Unspecified) based on your Identity Provider configuration, and click on the Save button to update the settings.
• The NameID Format defines which user identifier (such as email or username) will be sent during the SAML login process.

• Scroll down to the Share SAML Metadata section.

You can obtain the SAML SP metadata using either of the two methods described below to configure it on your Identity Provider end.

A] Using SAML metadata URL or metadata file

• On this page, you can find the Metadata URL as well as the option to download the SAML metadata XML file.
• Copy the Metadata URL or download the metadata file to configure the same on your Identity Provider end.
• You may refer to the screenshot below:

B] Uploading Metadata Manually

• On this page, you can manually copy the service provider metadata such as SP Entity ID, ACS URL, SP Logout Url and share it with your Identity Provider for configuration.
• You may refer to the screenshot below:

Steps to Configure Salesforce IdP

• Log into your Salesforce account as admin.

• Switch to Salesforce Lightning mode from profile menu and then go to the Setup page by clicking on setup button.

• From the left pane, select Settings Tab and click on Identity Provider.

• Click on Enable Identity Provider.

• In the Service Provider section, click on the link to create the Service Provider using Connected Apps.

• Enter Connected App Name, API Name and Contact Email.

• Under the Web App Settings, check the Enable SAML checkbox and enter the following values, which you will get from Step 2B.

• Click on Save to save the configuration.

• Now from the left pane, under Platform Tools section select Connected Apps.

• Then select Manage Connected Apps and click on the app you just created.

• In the Profiles section click Manage Profiles button.

• Assign the Profiles you want to give access to log in through this app.

• Under SAML Login Information, click on Download Metadata.

• Keep this metadata handy for configuring the Service Provider.
• Also keep the SP-Initiated Redirect Endpoint handy from the SAML Login Information section. This endpoint will be required as the IdP SSO URL while manually configuring the Salesforce Identity Provider metadata in the DNN SAML SSO plugin.

• Click on the Add new IDP button to configure a new Identity Provider.

• Under the Plugin Settings tab, select Salesforce as your identity provider from the list shown.

• After selecting your IdP from the list, the Identity Provider Settings page will open. Here, you can either click on the Upload IdP Metadata button to configure the Identity Provider automatically using metadata, or manually enter the required Identity Provider details under the Identity Provider Settings.

There are two ways detailed below with which you can configure your SAML Identity Provider metadata in the plugin.

A] Upload metadata using the Upload IDP Metadata button:

• Click Choose File to upload the metadata XML file using the Upload XML File option, then click Upload. Alternatively, provide the metadata URL in the Enter metadata URL section and click Fetch Metadata to retrieve the Identity Provider configuration automatically.
• You may refer to the screenshot below:

B] Configure the identity provider metadata manually:

• Alternatively, under the Identity Provider Settings tab, you can manually fill in the mandatory fields like IDP Name, IDP Entity ID and Single Sign-On URL and click Save Settings.

• After uploading the metadata details, navigate back to the Dashboard. Hover over the Select Actions dropdown next to the configured Identity Provider and click Test Configuration.

• On successful configuration, you will get attributes name and attribute values in the test configuration window.

Attribute Mapping

• After testing the configuration, Map your application attributes with the Identity Provider (IdP) attributes.

• From the Select Actions dropdown, choose Edit Configuration to open the Attribute Mapping settings.
• Map the required IdP attributes (such as Username, Email, Firstname, and Lastname) received in the SAML Response to their corresponding fields.

• Once the attributes are mapped, click Save to apply changes.

Default Role Mapping

• Navigate to the Default Role Mapping section and select the role you want to assign to users after successful SSO login from the Default Role dropdown.
• Choose the appropriate role (for example, Registered Users, Subscribers, or Administrators) and click on the Save button to apply the changes.

Advance IDP Settings

If you want to configure additional advanced settings, scroll up and click on the Advance IdP Settings button from the top menu.

Custom Attribute Mapping

• If you want to pass additional attributes from your IdP, enter the Attribute Name and corresponding Attribute Value under Custom Attribute Mapping.
• From the Attribute Value dropdown, select one of the attributes received in the Test Configuration results, for example: NameID.
• These attributes correspond to the values sent by your Identity Provider (IdP).

• In the Attribute Name field, enter the name of the DNN user attribute, it will get mapped to IDP attributes value during the SSO login.
• You can add multiple mappings if your application requires multiple attributes by clicking on the + button.
• After defining all the required mappings, click on Save Attribute Mapping to store the configuration.

• The plugin will translate the incoming SAML attributes from your Identity Provider (IdP) into the custom attribute names configured here for your DNN site.

Advance Role Mapping

• In the Advance Role Mapping section , enter the Group Attribute Name exactly as configured in your Identity Provider to fetch the user group information.
• Enter the Role Name received from the Identity Provider and map it to the appropriate Role Vaue field. In the Role Value field, enter the roles defined in your DNN site.
• For example: Map the IdP group Group1 or Group10 received under the UserGroups attribute to the corresponding role configured in your DNN site.
• After adding the required mappings, click on Save Role Mapping to save the configuration successfully.

Domain Restriction

• This feature can be used to restrict user access to the site based on the domain of their mapped “Email“ Attribute.
• In the Email Attribute field, enter the attribute name that contains the user's email address as received from your Identity Provider (IdP).

• In the Domain Name field, enter the domain(s) you want to allow or restrict, separated by commas if adding multiple domains.
• Enable the Restrict toggle based on your requirement to configure blacklist or whitelist access.
• After completing the configuration, click on Save to save the settings successfully.

Redirections After SSO and SLO

• In the Login Redirection section, enter the endpoint URL where users should be redirected after a successful SSO login.
• In the Logout Redirection section, specify the endpoint URL where users should be redirected after a successful logout (SLO), and click Save to update the configuration.

Modify SAML Request

• In the Modify SAML Request section, enter the required Parameter Name and Parameter Value, click the + button to add the parameter, and then click Save to apply the changes.

Additional Settings

• Enable Auto Register User to automatically create a new user account in DNN if the user does not already exist during SSO login.
• Enable Override Email Attribute to update the user’s email address in DNN with the email attribute received from the Identity Provider (IdP).
• Enable Find User By Email to allow the plugin to identify and match existing users in DNN using their email address.
• Enable Multiportal SSO if you want to allow Single Sign-On across multiple DNN portals using the same Identity Provider (IdP), then click Save to update the settings.

• Hover over the Select Actions dropdown next to the configured Identity Provider and click Copy SSO Link.
• Use this SSO link to initiate Single Sign-On (SSO) for users logging into your DNN portal.

• User gets logged in to the DNN site by entering the credentials of Salesforce.