Okta SSO Setup between Salesforce and Pricefx
Salesforce itself can be used as an identity provider: when you create Connected Application it works as an IdP (with the SAML Initiation Method set to 'Identity Provider initiated').
But it is also possible to use Okta in this role. To do that, you switch the method to 'Service Provider initiated' and set up Okta and Pricefx as described below.
Set up SSO between Pricefx Unity and Okta
In Okta
Access Okta Admin, switch to Classic UI (on the top-left of the screen).
Click 'Add Applications'.
Search the keyword "salesforce", choose "Salesforce.com".
Go to the Sign On tab and click 'Edit'.
Fill in the 'Login URL' field (according to the setup in Pricefx SAML configuration):
This URL is equivalent to ACS URL defined in the canvas app settings (this is where you set the URL to consume):Go to the Assignments tab, click Assign > Assign to People and select people you want to assign.
Click 'Save'.
Make sure the account in Pricefx (email mapping) and Okta are the same.
In Pricefx
In the SAML Configuration section fill in the following fields:
NameID Mapping – Select 'email'.
SAML IdP Provider URL – Get it from Okta:
Go to the Sign On tab and click 'View Setup Instructions'.
Find "Identity Provider Login URL", then copy and paste the value.
IdP certificate (X.509, Base64) – Copy and paste the following (PEM Text format):
-----BEGIN CERTIFICATE----- MIIDpDCCAoygAwIBAgIGAW0aCD81MA0GCSqGSIb3DQEBCwUAMIGSMQswCQYDVQQGEwJVUzETMBEG A1UECAwKQ2FsaWZvcm5pYTEWMBQGA1UEBwwNU2FuIEZyYW5jaXNjbzENMAsGA1UECgwET2t0YTEU MBIGA1UECwwLU1NPUHJvdmlkZXIxEzARBgNVBAMMCmRldi02NDU1MzQxHDAaBgkqhkiG9w0BCQEW DWluZm9Ab2t0YS5jb20wHhcNMTkwOTEwMDcxNTUxWhcNMjkwOTEwMDcxNjUxWjCBkjELMAkGA1UE BhMCVVMxEzARBgNVBAgMCkNhbGlmb3JuaWExFjAUBgNVBAcMDVNhbiBGcmFuY2lzY28xDTALBgNV BAoMBE9rdGExFDASBgNVBAsMC1NTT1Byb3ZpZGVyMRMwEQYDVQQDDApkZXYtNjQ1NTM0MRwwGgYJ KoZIhvcNAQkBFg1pbmZvQG9rdGEuY29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA pANm/L3S+IuZ6GlTRlhvdN4UDn8AraoXx3OU6wCgqbnPc8aJ3hsnskrkKVCBeth1583U+WZn5Hi/ 1XMuSEgeFScZrFUbn2AU2utlTV121aKiaNct7+boHZWjjRZs71RzH3wDHN/nxcPw8iI18fnq35eN B3hoV1LLRZBumjKH7RxgIHz9e2cWmUW7o0q8HI+/xLDf2BcqaRo8IJUWakV2ukoJaqDRkohd+rDG TpwY6q12UQeipZcSws4dQnAgaYoNry/ZeGA3lE+T+vE36jILrB5hde5S+ahv13jfypvS4KW0Hct1 QhzHdpzbBZt3GcCBfDLclHBMi8ihSl7Vy51auQIDAQABMA0GCSqGSIb3DQEBCwUAA4IBAQAMPPOD 1UV2db17cNgDVLtfWi91ksgLSM0oav/7C2akL9XiMARnxv65tVON1MWt2CNfnz8grkDDaCglw0a1 NxoNj3yLmldZinEs07IGL6E451PipuQ82OLRtuVuUaa2Wf9mx+eoUlm4DjmJ1uMbhv4vPipnEAoG 5ajfymjtHKCOJIpfTCQnnsEUnNPAIdhniFGt8paBMge7qVB1X9JKexRhAfzBIr0lcmpY95K4wugi nWuSHjqyDZHft8/6Xy4TzGWzpAhyGTA1l+3fnqcaOFr/pRg1QA+YGna5jPIH+L7nLLBMzHDESBiC sIKf5ZmayxKoJGydR8m6aJD1KCMdYtSu -----END CERTIFICATE-----
Click Save.
Set up SSO between Okta and Salesforce
In Okta, add a "Salesforce.com" application (as described in detail above).
Go to the General tab.
Custom Domain:
Make sure that the Custom Domain field matches the name of the custom domain you have created.
If your domain is pricefx-unity-dev-ed.my.salesforce.com, enter pricefx-unity-dev-ed.
Go to the Sign On tab and click 'View Setup Instructions'.
Add a new "SAML Single Sign-On Settings" in Salesforce as described at https://saml-doc.okta.com/SAML_Docs/How-to-Configure-SAML-2.0-in-Salesforce.html.
Make sure the Login URL has the below type:
Go to the Assignments tab, click Assign > Assign to People and select people you want to assign.
Make sure the accounts in Salesforce and Okta are the same.
Modify Connected App Setting
In Salesforce, scroll down to the Canvas App Settings tab and fill in these fields:
Canvas App URL – Change to saml/signon type: https://xxx.pricefx.eu/pricefx/<Partition>/saml/signon/<SAMLConfigurationName>?RelayState=<Relay State Name>
SAML Initiation Method – Select 'Service Provider Initiated'.
Configure Okta for iFrame
By default, Okta does not allow logins from iFrames. You can override this as follows:
In Okta, go to Settings > Customization.
Make sure Allow iFrame Embedding is selected.
References
Found an issue in documentation? Write to us.
Pricefx version 13.1