Boomi AtomSphere is one of the leading integration platform as a service offerings on the market. Boomi’s offerings can accommodate nonprofits and small businesses on a budget all the way up to large enterprises. This post provides step-by-step instructions for setting up single sign-on (SSO) from Salesforce to Boomi AtomSphere.
Prerequisites
- Boomi AtomSphere account with system administrator access. Sign up for a trial here.
- Salesforce org with identity features (developer or enterprise and up) with system administrator access. Sign up for a free developer edition org here.
Step 1: Set up My Domain in Salesforce
The My Domain feature creates a custom subdomain for your org and is required to use Salesforce as an identity provider. Go to Setup -> My Domain, enter a name for your subdomain and click “Check Availability”. Once you get a confirmation that the subdomain is available, click “Register Domain”. Salesforce will send you an email when the custom domain has been registered.
Click the link in the email and log in using your new domain. Navigate back to the My Domain page in setup. Click the “Deploy to Users” button.
Step 2: Enable Salesforce as an Identity Provider
You’ll need a self-signed or commercially signed certificate in order to enable Salesforce as an identity provider. If you don’t already have a certificate in the Salesforce org, you can quickly create one by going to Setup -> Security -> Certificate and Key Management. Click the “Create Self-Signed Certificate” button. Enter a descriptive name for the label and the unique name will be populated automatically. Click the “Save” button.
Now we can enable the Salesforce org to be an identity provider. Go to Setup -> Identity -> Identity Provider. Click “Enable Identity Provider”. Select the certificate you just created, or an existing one.
Step 3: Enable SSO in Boomi AtomSphere
Log in to Boomi AtomSphere and click on the “Setup” option in the Account drop-down menu. Then click on the “SSO Options” item in the Setup menu. Check the box “Enable SAML Single Sign-On”. Click the “Save” button.
You’ll use the information on this page in the next step.
Step 4: Create a Connected App in Salesforce
The connected app is going to store information about Boomi AtomSphere and is also going to be used to create the tile in App Launcher so that users can quickly launch Boomi AtomSphere from Salesforce.
Navigate to App Manager in Setup and click “New Connected App” in the top right of the page. Use the following values:
- Connected App Name: Boomi AtomSphere
- API Name: Boomi_AtomSphere
- Contact Email: (any email address)
- Logo Image URL: (click “Upload logo image” and upload an image file that is 125×125 pixels – this will appear in the app launcher tile)
- Enable SAML: true
- Entity Id: (enter the value from the “AtomSphere Login URL” field from the previous step)
- ACS URL: (enter the value from the “AtomSphere Login URL” field from the previous step)
- Subject Type: Federation ID
- Name ID Format: urn:oasis:names:tc:SAML:2.0:nameid-format:transient
- Issuer: this should be your custom Salesforce domain: https://<custom-domain>.my.salesforce.com (may also look like this if you are using a developer edition org: https://<custom-domain>.dev-ed.my.salesforce.com)
- IdP Certificate: (keep default value)
Click the “Save” button.
Next we need to give users access to the connected app. Navigate to Manage Connected Apps. Click the “Boomi AtomSphere” app to open the detail page of the connected app. Click Manage Profiles and add the System Administrator profile.
Finally, we need to set the Start URL for the connected app. Copy the IdP-initiated login URL in the SAML Login Information section of the connected app detail page. Click the “Edit Policies” button. Paste the IdP-initiated URL into the Start URL field and click the “Save” button.
Step 5: Configure SSO Settings in Boomi AtomSphere
Download and Convert the Certificate from Salesforce
First, download the certificate you used when enabling Salesforce as an identity provider by navigating to Setup -> Security -> Certificate and Key Management. Click the name of the certificate and then the “Download Certificate” button.
The file downloaded from Salesforce is Base64-encoded (PEM) with a .crt extension, while Boomi AtomSphere accepts binary (DER) files with .cer or .der extensions. You can convert the certificate using a Windows utility, or with the following OpenSSL command in a terminal:
openssl x509 -in certificateName.crt -inform PEM -out certificateName.cer -outform DER
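An added example, not part of the original post: a shell wrapper that runs the same conversion, then confirms the DER file has the same SHA-256 fingerprint as the PEM download and is not within 30 days of expiry before you import it into AtomSphere. The function names and the throwaway `sample-idp` certificate are constructed for illustration; point `convert_and_verify` at the file you downloaded from Salesforce.

```bash
#!/usr/bin/env bash
# Added example: PEM -> DER conversion with an integrity and expiry check.

# fingerprint FILE FORM -> prints the certificate's SHA-256 fingerprint
fingerprint() {
  openssl x509 -in "$1" -inform "$2" -noout -fingerprint -sha256 | cut -d= -f2
}

# convert_and_verify PEM_IN DER_OUT
# Succeeds (and prints the fingerprint) only if the DER output parses, matches
# the PEM input byte-for-byte as a certificate, and is valid for 30+ more days.
convert_and_verify() {
  pem_in=$1; der_out=$2
  openssl x509 -in "$pem_in" -inform PEM -out "$der_out" -outform DER || return 1
  fp_pem=$(fingerprint "$pem_in" PEM)
  fp_der=$(fingerprint "$der_out" DER)
  if [ -z "$fp_pem" ] || [ "$fp_pem" != "$fp_der" ]; then
    echo "fingerprint mismatch between $pem_in and $der_out" >&2
    return 1
  fi
  if ! openssl x509 -in "$der_out" -inform DER -noout \
       -checkend $((30 * 24 * 3600)) >/dev/null; then
    echo "certificate expires within 30 days" >&2
    return 1
  fi
  echo "$fp_der"
}

# make_sample_cert DIR NAME DAYS
# Constructed stand-in for the Salesforce download: a throwaway self-signed cert.
make_sample_cert() {
  openssl req -x509 -newkey rsa:2048 -nodes -days "$3" -subj "/CN=$2" \
    -keyout "$1/$2.key" -out "$1/$2.crt" 2>/dev/null
}

# Demo on the constructed certificate; cleans up after itself.
demo() {
  tmp=$(mktemp -d)
  make_sample_cert "$tmp" sample-idp 365
  convert_and_verify "$tmp/sample-idp.crt" "$tmp/sample-idp.cer"
  rc=$?
  rm -rf "$tmp"
  return $rc
}
demo
```

The printed fingerprint can be compared by eye against the one shown for the same certificate elsewhere, which catches importing the wrong file when an org holds several certificates.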
Update Settings in Boomi AtomSphere
Navigate to the SSO Options page in Boomi AtomSphere Setup and update the following settings:
- Identity Provider Certificate: import the certificate file you just converted to the .cer extension
- Identity Provider Login URL: (enter the value of the “SP-Initiated POST Endpoint” field from the Connected App created in Step 4)
- Federation Id Location: Federation Id is in NameID element of the Subject
Save the updated settings.
Create SSO User
In the Setup -> User Management page in Boomi AtomSphere, create a new user to test the SSO authentication flow. Note the value you enter in the Federation ID field for the user record.
Finally, navigate to the user record in the Salesforce org that you are going to use to test single sign-on. This user should be a system administrator, because that is the only profile we granted access to in the connected app. Click the “Edit” button and enter the value you used when creating the new user in Boomi AtomSphere into the “Federation ID” field. Save the user record.
Step 6: Test the Connected App from App Launcher
Open the App Launcher. You should see a tile for your Boomi AtomSphere connected app. Click the tile and Boomi AtomSphere should open and you should be logged in automatically. If you click on Setup – User Information you will see that you are logged in as the user you created while configuring Boomi AtomSphere SSO settings.
Resources
- Boomi AtomSphere documentation: Single sign-on with SAML
- Salesforce documentation: App Launcher
- Tutorial: convert .crt file to .cer file using Windows