Set up SSO with Salesforce (Service Initiated)

This article describes how to set up Salesforce as an Identity Provider in a service initiated flow; this means users can log in directly to Pricefx using Salesforce credentials without running  the Salesforce app. If you want to run Pricefx as an app in Salesforce, follow the guide at Create and Configure an App in Salesforce Classic.

Read the Configure SAML in Pricefx section first. Salesforce documentation can be found here: Salesforce as a SAML Identity Provider

In this section:

Create Connected Application

  1. Log in to Salesforce as administrator.

  2. Go to Build > Create > Apps and click 'New'.

  3. Fill in the following fields in the Basic Information section:

    1. Connected App Name – The unique name of your application, e.g., Quote Configurator.

    2. API Name – Application name used by the API (cannot contain spaces or special characters), so e.g., Quote_Configurator.

    3. Contact Email – support@pricefx.com

  4. Check the Enable OAuth Settings box and:

    1. Enter the Callback URL: https://<cluster name>.pricefx.com/sdk/callback.html (it can be different, please ask the Pricefx support).

    2. Add 'Full access (full)' as the Selected OAuth Scope.

  5. In the Web App Settings section: 

    1. Check the Enable SAML box.

    2. Enter the Entity Id: https://<cluster name>.pricefx.com/pricefx/<partition name>/saml/consume/<SAML Configuration Name> (customize for your partition. You can omit SAML Configuration Name, in that case Configuration Name "DEFAULT" will be used).

    3. Enter the ACS URL: https://<cluster name>.pricefx.com/pricefx/<partition name>/saml/consume/<SAML Configuration Name> (customize for your partition. You can omit SAML Configuration Name, in that case Configuration Name "DEFAULT" will be used).

    4. If you want all users to use the same RelayState parameter, append ?RelayState=<relay state name> (use your relay state name as the value, e.g. ?RelayState=quoteConfigurator) to the end of both URLs above. If you don't specify it in the URLs, you need to provide the RelayState parameter in the signon URL that will be given to the end users.

    5. Leave the default settings for the other options.

  6. Save the settings.

  7. Go to Apps > Connected Apps > Manage Connected Apps and find your new application in the list.

  8. Click Edit and set OAuth Policies to 'Admin approved users are pre-authorized'.

  9. Click Save and in the list of applications click your application's name.

  10. In the Profiles section, click Manage Profiles and add all profiles which will use this application and click Save.

Configure SAML SSO in Pricefx

Take the following steps:

  1. In Salesforce, go to Setup > Identity > Identity Provider and click Download Certificate to get the public certificate of the Identity Provider.

  2. In Pricefx, go to Configuration > System Configuration > External Systems > SAML Configuration and create a new configuration ("DEFAULT" or any other name).

  3. In this new SAML configuration in Pricefx make the following settings:

    1. Select 'email' in NameID Mapping.

    2. Enter the 'IdP Initiated Login URL' of the SAML SSO page of the Identity Provider. This can be found in Salesforce > Setup > Settings > Identity > Single Sign-On Settings if SSO is enabled.

    3. Paste the previously downloaded public certificate into the IdP Certificate field. Use the following commands to convert the certificate file from .crt to .pem format.

      Mac

      openssl x509 -in SelfSignedCert_13Jul2017.crt -outform PEM -out o.pem cat o.pem

      Windows

      type SelfSignedCert_13Jul2017.cr
    4. Add a new relay state:

      • Set relayStateName to "quoteConfigurator" (or any other name).

      • Set relayStateURL to where the canvas app is located. The pattern will be as follows: https://<cluster name>.pricefx.com/app/?partition=<partition name>&applicationEnvironment=standalone&confName=<config name>

  4. Click Save.

  5. Once all this is configured, you can provide this specific URL to the users to log in: 
    https://<cluster name>.pricefx.com/pricefx/<partition name>/saml/signon 
    If you did not set up the RelayState parameter in the web app settings, append ?RelayState=<relay state name> (use your relay state name as the value, e.g. ?RelayState=quoteConfigurator) to the end of both URLs above. Only then the SSO login will work. If you go to the regular Pricefx home page URL, e.g. https://<cluster name>.pricefx.com, there will still be the Pricefx login screen.
    Note that this sign-on link is different for each partition.

Found an issue in documentation? Write to us.

 
Pricefx version 13.1