
Prerequisites:
- For each OpenSSO user that needs to access Salesforce.com, choose a user profile attribute to map to a Salesforce.com user. We will call this the "federationID". Note that this value must be unique for each user. As an example we will use the OpenSSO email profile attribute (mail). Also note that, for obvious security reasons, the chosen profile attribute must be changeable by authorized administrators only, i.e. it should not be changeable by the user, since whoever controls it controls which Salesforce.com account the user is logged into. Please refer to the OpenSSO Delegated Admin feature to set up appropriate privileges.
- Decide the exact SAML attribute name the IDP will populate the "federationID" with.
- Set up the OpenSSO IDP with XML signing turned on. Note the provider id of the IDP configuration. In my setup it is:
http://sa.idp.com:8080/sa
- Export the OpenSSO (IDP) public key to a file.
For example, if your OpenSSO IDP uses the out-of-the-box test certificate, execute the following in a terminal on the box hosting the OpenSSO server, where the directory given to cd is the base bootstrap directory you specified during OpenSSO installation:
$ cd
$ keytool -export -keystore keystore.jks -alias test -file cert.cer
- Login to
http://www.saleforce.com
as the admin user.
- Navigate to Setup->Security Controls->SingleSignOn Settings. Enable SAML and fill in the dialog presented.
- Select version 2.0.
- Import the IDP certificate. In my setup I entered the cert.cer file saved in the Prerequisites steps above.
- Enter the fields that tell Salesforce.com how the authenticated user is identified in the SAML assertion from the IDP. In my example I specified the mail SAML attribute. Note that this must match exactly the OpenSSO setup described in the "OpenSSO end" steps below.
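As an added example (not code from the original post), here are the checks a relying party such as Salesforce.com performs before trusting the federationID carried in an assertion from the IDP set up above; the IDP provider id and the mail attribute come from this page, while the user directory, the sample assertion and the function name are constructed assumptions, and signature verification itself is left to an XML-DSig library.

```python
# Added example, not from the original post: the checks a SAML 2.0 service
# provider (standing in for Salesforce.com) makes before trusting the
# "federationID" carried in an assertion from the OpenSSO IDP described above.
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion", "ds": "http://www.w3.org/2000/09/xmldsig#"}
IDP_ENTITY_ID = "http://sa.idp.com:8080/sa"   # IDP provider id from the page
FEDERATION_ATTR = "mail"                      # SAML attribute carrying the federationID
# Constructed local directory keyed by federationID, so each value maps to one user.
USERS = {"alice@example.com": "alice", "bob@example.com": "bob"}
# Constructed assertion; the signature value is a placeholder, not a real XML-DSig.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
  xmlns:ds="http://www.w3.org/2000/09/xmldsig#" ID="_c1" Version="2.0">
  <saml:Issuer>http://sa.idp.com:8080/sa</saml:Issuer>
  <ds:Signature><ds:SignatureValue>PLACEHOLDER</ds:SignatureValue></ds:Signature>
  <saml:Conditions NotOnOrAfter="2030-01-01T00:00:00Z"/>
  <saml:AttributeStatement>
    <saml:Attribute Name="mail"><saml:AttributeValue>alice@example.com</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

def local_user_for_assertion(assertion_xml, now=None):
    """Local username for a signed, unexpired assertion from our IDP, else ValueError.
    Only signature *presence* is checked; real XML-DSig verification needs a library."""
    now = now or datetime.now(timezone.utc)
    a = ET.fromstring(assertion_xml)
    if a.tag != "{%s}Assertion" % NS["saml"]:
        raise ValueError("root element is not a saml:Assertion")
    issuer = a.findtext("saml:Issuer", default="", namespaces=NS).strip()
    if issuer != IDP_ENTITY_ID:               # reject assertions from any other IDP
        raise ValueError("unexpected issuer %r" % issuer)
    if a.find("ds:Signature", NS) is None:    # the page requires XML signing on the IDP
        raise ValueError("assertion is not signed")
    cond = a.find("saml:Conditions", NS)
    expiry = cond.get("NotOnOrAfter") if cond is not None else None
    if expiry is None or now >= datetime.fromisoformat(expiry.replace("Z", "+00:00")):
        raise ValueError("assertion expired or has no NotOnOrAfter")
    values = [v.text.strip()
              for attr in a.findall("saml:AttributeStatement/saml:Attribute", NS)
              if attr.get("Name") == FEDERATION_ATTR
              for v in attr.findall("saml:AttributeValue", NS) if v.text]
    if len(values) != 1:                      # exactly one federationID per assertion
        raise ValueError("expected one %s value, got %r" % (FEDERATION_ATTR, values))
    if values[0] not in USERS:
        raise ValueError("no local user for federationID %r" % values[0])
    return USERS[values[0]]

if __name__ == "__main__":
    print(local_user_for_assertion(SAMPLE_ASSERTION))  # alice
```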
More details at the original post, courtesy of: http://blogs.sun.com/rangal/entry/saml2_salesforce_com