Introduction

Jitterbit supports single sign-on (SSO) for Salesforce using SAML 2.0. This page shows how to enable Salesforce as an Identity Provider and obtain the Identity Provider and Service Provider metadata needed for Setting Up SSO in Jitterbit. After SSO is configured in both Salesforce and Jitterbit, members of your Jitterbit org will be able to use their Salesforce credentials to log in to Jitterbit.

TIP: For additional options, see the Salesforce documentation on Setting up Salesforce as a SAML Identity Provider and Defining Service Providers as SAML-Enabled Connected Apps.

Demonstration

Video: https://www.youtube.com/embed/5x5fNHC5IJI

Obtain Salesforce Identity Provider Metadata

The steps below show how to make sure you have Salesforce enabled as an Identity Provider, and download the Identity Provider metadata that will be needed for Setting Up SSO in Jitterbit.

  1. Log in to your Salesforce instance as a Salesforce Admin.

    CAUTION: In order to set up SSO in Jitterbit, your Salesforce username must match your Harmony email address. This applies to the members of your org as well, unless they are configured to bypass SSO. See additional requirements in Setting Up SSO in Jitterbit.
  2. Navigate to Setup > Settings > Identity > Identity Provider.
  3. In the section Identity Provider Setup, click the button Download Metadata to obtain the Identity Provider metadata. This option will be available only if you have a domain configured and enabled.

    • If you do not have a domain configured, click the link to Configure a Domain Name and follow the steps to set up a domain and deploy it to users. This automatically enables the Identity Provider. Then download the metadata as described.

    • If you have a domain configured but disabled as an Identity Provider, click the button Enable Identity Provider, then download the metadata as described.

    Identity Provider Setup
     

    TIP: After making changes in Identity Provider Setup, you may need to refresh the page.

    NOTE: If you receive an error of "No valid signing cert found" when testing SSO using SAML, you may be able to resolve it by checking that you have a KeyDescriptor tag and sub-tag with use="signing" specified in your identity provider metadata, similar to this example:

    <?xml version="1.0" encoding="UTF-8"?><md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" entityID="https://example.my.salesforce.com" validUntil="2028-04-30T17:39:13.559Z" xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
      <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
        <md:KeyDescriptor use="signing">
          <ds:KeyInfo>
            <ds:X509Data>
              <ds:X509Certificate>MIIErDCCA5SgAwIBA...
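
The check described in the note above can be run against the downloaded Identity Provider metadata before it is pasted into Jitterbit. The following Python sketch is an added example, not code from Jitterbit or Salesforce; the function names and the sample metadata (with a placeholder certificate value) are constructed for illustration, and the check is structural only, not a certificate validation.

```python
import base64
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

def signing_cert_problems(metadata_xml):
    """Return a list of problems; an empty list means a signing cert was found."""
    # Metadata downloaded from your own org is assumed trusted here; use a
    # hardened parser such as defusedxml for XML from untrusted sources.
    root = ET.fromstring(metadata_xml)
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        return ["no md:IDPSSODescriptor element"]
    signing = [k for k in idp.findall("md:KeyDescriptor", NS)
               if k.get("use") == "signing"]
    if not signing:
        return ['no md:KeyDescriptor with use="signing"']
    problems = []
    for key in signing:
        cert = key.find("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
        text = "".join((cert.text or "").split()) if cert is not None else ""
        if not text:
            problems.append("signing KeyDescriptor has an empty or missing ds:X509Certificate")
            continue
        try:
            der = base64.b64decode(text, validate=True)
        except ValueError:  # binascii.Error is a ValueError subclass
            problems.append("ds:X509Certificate is not valid base64")
            continue
        if not der.startswith(b"\x30"):  # DER certificates begin with a SEQUENCE tag
            problems.append("ds:X509Certificate does not decode to DER")
    return problems

def sample_metadata(key_attrs, cert="MIIBAA=="):
    """Constructed metadata; the certificate is a 4-byte placeholder, not a real one."""
    return (f'<md:EntityDescriptor xmlns:md="{NS["md"]}" xmlns:ds="{NS["ds"]}" '
            'entityID="https://example.my.salesforce.com"><md:IDPSSODescriptor '
            'protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">'
            f'<md:KeyDescriptor{key_attrs}><ds:KeyInfo><ds:X509Data>'
            f'<ds:X509Certificate>{cert}</ds:X509Certificate></ds:X509Data>'
            '</ds:KeyInfo></md:KeyDescriptor></md:IDPSSODescriptor>'
            '</md:EntityDescriptor>')

if __name__ == "__main__":
    print(signing_cert_problems(sample_metadata(' use="signing"')))
    print(signing_cert_problems(sample_metadata("")))
```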

Set Up Harmony Clients as Service Providers in Salesforce

Now that Salesforce is configured as an Identity Provider, you need to configure each Harmony client as a Service Provider within Salesforce.

  1. On the same screen, in the section Service Providers, click the link to create via Connected Apps. Or, navigate to Setup > Platform Tools > Apps > App Manager and click the button to create a New Connected App in the top right.

  2. You will need to create a Connected App for each Harmony client:

    • WMC: This selection applies to the Harmony Portal (including Cloud Studio, API Manager, Citizen Integrator, Management Console).

      NOTE: Although the user interface refers to WMC, the former name for the Management Console, when you select WMC as the Harmony client, this configuration applies to all of the web-based products accessible via the Harmony Portal, including the Cloud Studio, API Manager, Citizen Integrator, and Management Console.
    • Studio: This selection applies to Design Studio versions 8.24 and later.

    For each Connected App:

    1. Under Basic Information, provide a Connected App Name (for example, Harmony Portal or Design Studio) and populate other required fields.
    2. Under Web App Settings, check the box for Enable SAML. This will open additional fields Entity Id and ACS URL, which you will need later to construct the Service Provider metadata when Setting Up SSO in Jitterbit.

      • Entity Id: The Entity Id is constructed manually but must be unique per Harmony client. As a recommendation, look in your downloaded XML metadata file from the Identity Provider and find the entityID listed. This should be the same as your Salesforce domain (https://yourdomain.my.salesforce.com/). To create a unique Entity Id per client, you can simply append "/wmc" or "/studio" to the default ID. For example:

        • WMC: https://yourdomain.my.salesforce.com/wmc

        • Studio: https://yourdomain.my.salesforce.com/studio

      • ACS URL: The ACS URL is also referred to as the Redirect URL in WMC, or as the Location within the Service Provider metadata. This value is also unique and depends on the Harmony client and your region (see Finding My Region):

        • WMC: 

          • NA: https://na-east.jitterbit.com/jitterbit-cloud-mgmt-console/saml

          • EMEA: https://emea-west.jitterbit.com/jitterbit-cloud-mgmt-console/saml

          • APAC: https://apac-southeast.jitterbit.com/jitterbit-cloud-mgmt-console/saml

        • Studio:

          • NA: https://na-east.jitterbit.com/jitterbit-cloud-mgmt-console/login/studio/callback

          • EMEA: https://emea-west.jitterbit.com/jitterbit-cloud-mgmt-console/login/studio/callback

          • APAC: https://apac-southeast.jitterbit.com/jitterbit-cloud-mgmt-console/login/studio/callback

      WMC – Web App Settings

      Studio – Web App Settings

  3. Fill out any other optional fields you wish, and click Save to create each of your Connected Apps.

Manage Profiles for Your Salesforce Connected Apps

Now that each Harmony client is configured as a Service Provider via Connected Apps, you should assign profiles to those apps so that users have the appropriate permissions to connect.

  1. On the resulting screen after creating your app, click the Manage button. Or return to this screen from Setup > Platform Tools > Apps > Connected Apps > Manage Connected Apps and click on the app you just created.
  2. You will need to assign profiles for each Connected App. For each:
    1. Under the Profiles section, click Manage Profiles.
    2. On the next page, Application Profile Assignment, select the checkbox for System Administrator to provide access to the Service Provider, as well as any profiles associated with the users you want to be able to connect using SSO through Jitterbit.

      WARNING: Profiles associated with the users you want to be able to use SSO must be assigned to each app, or these users will not be able to log in to Jitterbit using SSO.
    3. When all desired profiles have been assigned, click Save.
  3. You should now see your Harmony clients under Manage Connected Apps. Do not be alarmed if you do not see the apps from the Identity Provider page listed under Service Providers. The apps are configured and ready to use with Jitterbit. See Setting Up SSO in Jitterbit for configuring the rest of the setup.

Construct Service Provider Metadata

This portion of the procedure is not configured from within the Salesforce UI but is provided for reference in Jitterbit. You will need to provide the Service Provider metadata as input while Setting Up SSO in Jitterbit.

WMC

This section shows how to construct the XML metadata for the Harmony Portal, to be entered for the WMC client.

NOTE: Although the user interface refers to WMC, the former name for the Management Console, when you select WMC as the Harmony client, this configuration applies to all of the web-based products accessible via the Harmony Portal, including the Cloud Studio, API Manager, Citizen Integrator, and Management Console.

You will need to create the metadata manually, replacing information specific to the Identity Provider.

In the sample provided below, replace the [entityid] with the Salesforce Entity Id and replace the Location with the Management Console URL for your specific region (see Finding My Region):

  • NA: https://na-east.jitterbit.com/jitterbit-cloud-mgmt-console/saml

  • EMEA: https://emea-west.jitterbit.com/jitterbit-cloud-mgmt-console/saml

  • APAC: https://apac-southeast.jitterbit.com/jitterbit-cloud-mgmt-console/saml

<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="[entityid]">
    <md:SPSSODescriptor
        protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
        <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
        <md:AssertionConsumerService index="1" isDefault="true"
            Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
            Location="https://na-east.jitterbit.com/jitterbit-cloud-mgmt-console/saml"/>
    </md:SPSSODescriptor>
</md:EntityDescriptor>

Studio

This section shows how to construct the XML metadata for Design Studio, to be entered for the Studio client. You will need to create the metadata manually, replacing information specific to the Identity Provider.

In the sample provided below, replace the [entityid] with the Salesforce Entity Id and replace the Location with the Management Console URL for your specific region (see Finding My Region):

  • NA: https://na-east.jitterbit.com/jitterbit-cloud-mgmt-console/login/studio/callback

  • EMEA: https://emea-west.jitterbit.com/jitterbit-cloud-mgmt-console/login/studio/callback

  • APAC: https://apac-southeast.jitterbit.com/jitterbit-cloud-mgmt-console/login/studio/callback

<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="[entityid]">
    <md:SPSSODescriptor
        protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
        <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
        <md:AssertionConsumerService index="1" isDefault="true"
            Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
            Location="https://na-east.jitterbit.com/jitterbit-cloud-mgmt-console/login/studio/callback"/>
    </md:SPSSODescriptor>
</md:EntityDescriptor>
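
Because both samples are edited by hand, it is easy to leave the [entityid] placeholder or the sample's NA Location in place. The following Python sketch is an added example, not code from Jitterbit; it checks hand-edited Service Provider metadata against the ACS URLs listed on this page. The function names are hypothetical, and the sample input is constructed from the WMC template using the page's example Entity Id.

```python
import xml.etree.ElementTree as ET

MD = "{urn:oasis:names:tc:SAML:2.0:metadata}"
HOSTS = {"NA": "na-east", "EMEA": "emea-west", "APAC": "apac-southeast"}
PATHS = {"wmc": "/jitterbit-cloud-mgmt-console/saml",
         "studio": "/jitterbit-cloud-mgmt-console/login/studio/callback"}
POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
EMAIL = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"

def expected_acs(client, region):
    """ACS URL listed on this page for a Harmony client and region."""
    return f"https://{HOSTS[region]}.jitterbit.com{PATHS[client]}"

def sp_metadata_problems(xml_text, client, region):
    """Return the problems found in hand-edited Service Provider metadata."""
    root = ET.fromstring(xml_text)
    problems = []
    entity_id = root.get("entityID", "")
    if "[" in entity_id or not entity_id.startswith("https://"):
        problems.append(f"entityID not filled in: {entity_id!r}")
    sp = root.find(f"{MD}SPSSODescriptor")
    if sp is None:
        return problems + ["no md:SPSSODescriptor element"]
    if sp.findtext(f"{MD}NameIDFormat", "").strip() != EMAIL:
        problems.append("NameIDFormat is not emailAddress")
    acs = sp.find(f"{MD}AssertionConsumerService")
    if acs is None:
        return problems + ["no md:AssertionConsumerService element"]
    if acs.get("Binding") != POST:
        problems.append("Binding is not HTTP-POST")
    want = expected_acs(client, region)
    if acs.get("Location") != want:
        problems.append(f"Location is {acs.get('Location')!r}, expected {want!r}")
    return problems

# Constructed input: the page's WMC sample with only the entityID replaced.
SAMPLE = f"""<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://yourdomain.my.salesforce.com/wmc">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:NameIDFormat>{EMAIL}</md:NameIDFormat>
    <md:AssertionConsumerService index="1" isDefault="true" Binding="{POST}"
        Location="https://na-east.jitterbit.com/jitterbit-cloud-mgmt-console/saml"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""

if __name__ == "__main__":
    print(sp_metadata_problems(SAMPLE, "wmc", "NA"))    # sample matches NA
    print(sp_metadata_problems(SAMPLE, "wmc", "EMEA"))  # NA Location left in place
```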