With the August ’19 new feature release, Salesforce began to support Identity Provider-initiated single sign-on for Social Studio. While Service Provider-initiated single sign-on is not yet supported, it is possible for Social Studio users who have a Salesforce account to log into Social Studio using their Salesforce credentials after they complete a one-time setup.
This post provides step-by-step instructions for setting up single sign-on (SSO) from Salesforce to Social Studio (formerly Radian6) where Salesforce is the identity provider.
Prerequisites
- Social Studio account with system administrator access.
- Salesforce org with identity features (developer or enterprise and up) with system administrator access. Sign up for a free developer edition org here.
Step 1: Set up My Domain in Salesforce
The My Domain feature creates a custom subdomain for your org and is required to use Salesforce as an identity provider. Go to Setup -> My Domain, enter a name for your subdomain and click “Check Availability”. Once you get a confirmation that the subdomain is available, click “Register Domain”. Salesforce will send you an email when the custom domain has been registered.
Click the link in the email and log in using your new domain. Navigate back to the My Domain page in setup. Click the “Deploy to Users” button.
Step 2: Enable Salesforce as an Identity Provider
You’ll need a self-signed or commercially signed certificate in order to enable Salesforce as an identity provider. If you don’t already have a certificate in the Salesforce org, you can quickly create one by going to Setup -> Security -> Certificate and Key Management. Click the “Create Self-Signed Certificate” button. Enter a descriptive name for the label and the unique name will be populated automatically. Click the “Save” button.
Now we can enable the Salesforce org to be an identity provider. Go to Setup -> Identity -> Identity Provider. Click “Enable Identity Provider”. Select the certificate you just created, or an existing one.
Step 3: Configure Single Sign-on Settings in Social Studio
Download the Certificate from Salesforce
First, download the certificate you used when enabling Salesforce as an identity provider by navigating to Setup -> Security -> Certificate and Key Management. Click the name of the certificate and then the “Download Certificate” button.
Update SSO Settings in Social Studio
Log into Social Studio and navigate to Admin -> Single Sign On.
Enter the following values on the page:
- Name: descriptive name for the SSO connection, such as “Salesforce”
- Entity ID/Issuer URL: this should be your custom Salesforce domain: https://<custom-domain>.my.salesforce.com (may also look like this if you are using a developer edition org: https://<custom-domain>.dev-ed.my.salesforce.com)
- Identity Provider Certificate: (upload the certificate file you just downloaded)
Click “Apply Changes”.
You will need the information on this page in the next step.
Step 4: Create a Connected App in Salesforce
The connected app is going to store information about Social Studio and is also going to be used to create the tile in the App Launcher so that users can quickly launch Social Studio from Salesforce.
Navigate to App Manager in Setup and click “New Connected App” in the top right of the page. Use the following values:
- Connected App Name: Social Studio
- API Name: Social_Studio
- Contact Email: (any email address)
- Logo Image URL: (click “Upload logo image” and upload an image file that is 125×125 pixels – this will appear in the app launcher tile)
- Enable SAML: true
- Entity Id: https://socialstudio.radian6.com
- ACS URL: (copy value from the Single Sign On page in Social Studio)
- Subject Type: Federation ID
- Name ID Format: urn:oasis:names:tc:SAML:2.0:nameid-format:transient
- Issuer: this should be your custom Salesforce domain: https://<custom-domain>.my.salesforce.com (may also look like this if you are using a developer edition org: https://<custom-domain>.dev-ed.my.salesforce.com)
- IdP Certificate: (keep default value)
Click the “Save” button.
Next we need to give users access to the connected app. Navigate to Manage Connected Apps. Click the “Social Studio” app to open the detail page of the connected app. Click Manage Profiles and add the System Administrator profile.
Finally, we need to set the Start URL for the connected app. Copy the IdP-initiated login URL in the SAML Login Information section of the connected app detail page. Click the “Edit Policies” button. Paste the IdP-initiated URL into the Start URL field and click the “Save” button.
Step 5: Test the Single Sign-on Flow
In the Admin -> Users page in Social Studio, create a new user to test the SSO authentication flow. Enter values for the following fields: Display Name, Username, Email Address and User Role. Set SSO User to “Active” and copy the user’s email address to the Federation ID field.
Navigate to the user record in the Salesforce org that you are going to use to test single sign-on. This user should be a system administrator, because that is the only profile we granted access to in the connected app. Click the “Edit” button and enter the value of the Email Address you used when creating the new user in Social Studio into the “Federation ID” field. Save the user record.
Open the App Launcher. You should see a tile for your Social Studio app. Click the tile; Social Studio should open and you should be logged in automatically.
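If the login fails, comparing the fields of the SAML response against the values entered in Steps 3 to 5 usually pinpoints the mismatch. The following is an added example, not part of the original post or of any Salesforce tooling: it decodes a base64 SAMLResponse and reports which configured value differs. The custom domain, ACS URL and test user are constructed placeholders, and the sample response is constructed and unsigned.

```python
import base64
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "samlp": "urn:oasis:names:tc:SAML:2.0:protocol"}

# Values configured in Steps 3-5. Domain, ACS URL and user are constructed placeholders.
EXPECTED = {
    "issuer": "https://example-domain.my.salesforce.com",
    "audience": "https://socialstudio.radian6.com",
    "nameid_format": "urn:oasis:names:tc:SAML:2.0:nameid-format:transient",
    "recipient": "https://acs.example.invalid/placeholder",
    "federation_id": "test.user@example.com",
}

def build_sample(issuer, audience):
    """Constructed, unsigned SAML Response for illustration, base64-encoded."""
    xml = f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}">
<saml:Assertion><saml:Issuer>{issuer}</saml:Issuer>
<saml:Subject>
<saml:NameID Format="{EXPECTED['nameid_format']}">{EXPECTED['federation_id']}</saml:NameID>
<saml:SubjectConfirmation><saml:SubjectConfirmationData Recipient="{EXPECTED['recipient']}"/></saml:SubjectConfirmation>
</saml:Subject>
<saml:Conditions><saml:AudienceRestriction><saml:Audience>{audience}</saml:Audience></saml:AudienceRestriction></saml:Conditions>
</saml:Assertion></samlp:Response>"""
    return base64.b64encode(xml.encode()).decode()

def check_response(b64_response, expected=EXPECTED):
    """Return a list of mismatches between the assertion and the configured values."""
    root = ET.fromstring(base64.b64decode(b64_response))
    a = root.find("saml:Assertion", NS)
    if a is None:
        return ["no Assertion element (encrypted or malformed response)"]
    name_id = a.find("saml:Subject/saml:NameID", NS)
    conf = a.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    seen = {
        "issuer": (a.findtext("saml:Issuer", "", NS) or "").strip(),
        "audience": (a.findtext(".//saml:Audience", "", NS) or "").strip(),
        "nameid_format": name_id.get("Format", "") if name_id is not None else "",
        "federation_id": (name_id.text or "").strip() if name_id is not None else "",
        "recipient": conf.get("Recipient", "") if conf is not None else "",
    }
    return [f"{k}: expected {expected[k]!r}, got {seen[k]!r}"
            for k in expected if seen[k] != expected[k]]

if __name__ == "__main__":
    good = build_sample(EXPECTED["issuer"], EXPECTED["audience"])
    print(check_response(good) or "all configured values match")
```

This checks configuration consistency only; it does not verify the assertion's signature against the certificate chosen in Step 2. For a response captured from a real login, parse it with a hardened XML parser rather than the standard-library one used here on constructed input.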
Resources
- Salesforce documentation: App Launcher
- Salesforce documentation: Single Sign On for Social Studio