Looking for SSO authentication so your employees, partners or customers can log in to your community? Okta is your friend then. Okta runs in the cloud on a secure, reliable and extensively audited platform that integrates deeply with on-premises applications, directories and identity management systems. To keep it simple, we will focus only on setting up the SSO authentication flow for Salesforce (SF) communities using Okta.

Before we dig further, make sure you have an Okta account set up from here. Your Okta user must have Administrator access, so that it can add users, add apps, manage users and add assignments.

All Set? Fasten up your seat belt now! 

Here are the steps: 

  1. Log in to your Okta account. After login, click the Admin tab in the top right corner.
  2. Click Add Application on the Dashboard.
  3. Search for the salesforce.com application in the search bar and click the Add button.
  4. On the General Settings tab for the Salesforce app, select Salesforce Community User from the User Profile & Type dropdown and keep the rest as is.
  5. Configuring SAML 2.0
    • You can optionally configure SAML 2.0 settings to allow Community users to log in to Salesforce automatically.
    • After clicking SAML 2.0, click the View Setup Instructions button and follow the SAML setup instructions. Set the Login URL to the Community Login URL for your community; you can find this on the Salesforce Single Sign-On Settings page under Endpoints.
  6. After clicking Enable API Integration, enter your Salesforce credentials, i.e. username and password + security token.

    Once successfully connected, click To App under Provisioning and grant permission to Create User, Update User, Deactivate Users, Sync Password, etc.

    Note: As part of provisioning, for each new Community user Okta creates a new contact in Salesforce and associates it with the account you specify in the Account ID (required) field. This new contact contains the user's name and email address. The contact is necessary because Community users in Salesforce must be associated with a contact. Keep the rest of the settings as is.
  7. Go to the Assignments tab and add the users who should have access to the app.

    Alright! You are all set on the Okta side. Hold your horses, though: there is something required on the Salesforce side as well.
    Salesforce SAML 2.0 Configuration: you will need the Issuer value, the Okta Identity Provider Certificate, the Identity Provider Login URL and the Identity Provider Logout URL. You get all of these by logging in to your Okta account, opening the Sign On tab of the Salesforce app and clicking the View Setup Instructions button.

    1. From Setup, enter Single Sign-On Settings in the Quick Find box, then select Single Sign-On Settings.
    2. Check the SAML Enabled checkbox.
    3. The configuration page asks you to set a Name and an API Name.
    4. Copy and paste the Issuer value from the Okta setup instructions into the Issuer field.
    5. Download your Okta Identity Provider Certificate, then upload it in the Identity Provider Certificate field.
    6. For SAML Identity Type, select Assertion contains the User's Salesforce username.
    7. For SAML Identity Location, select Identity is in the NameIdentifier element of the Subject statement.
    8. Copy and paste the Identity Provider Login URL from the Okta setup instructions into Identity Provider Login URL.
    9. Copy and paste the Identity Provider Logout URL from the Okta setup instructions into Identity Provider Logout URL.
    10. For Entity ID,
      a. If you have a custom domain set up, use https://<customDomain>.my.salesforce.com
      b. If you do not have a custom domain set up, use https://saml.salesforce.com
    11. For Service Provider Initiated Request Binding, select HTTP POST.
    12. Click Save.
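To make the Salesforce-side settings above less of a black box, here is an added example (not code from the original post, Okta or Salesforce) that mirrors what a SAML 2.0 service provider enforces with exactly those fields: the assertion's Issuer must equal the configured Issuer value (step 4), the Audience must equal the Entity ID (step 10), the identity is read from the NameID of the Subject (steps 6 and 7), and the assertion must fall inside its NotBefore/NotOnOrAfter window. The Okta issuer, username and My Domain in the sample are constructed placeholders, and the sample response is unsigned: verifying the XML signature against the uploaded Okta Identity Provider Certificate (step 5) is the other half of the check and needs an XML-DSig library, so it is left out here.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
import xml.etree.ElementTree as ET

# SAML 2.0 namespaces used in a Response and its Assertion
NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}


@dataclass(frozen=True)
class SsoSettings:
    """The two Single Sign-On Settings values a service provider compares against."""
    issuer: str     # "Issuer" field in Salesforce, copied from the Okta setup instructions
    entity_id: str  # "Entity ID" field, e.g. https://<customDomain>.my.salesforce.com


def parse_saml_time(value):
    """SAML timestamps are UTC xs:dateTime values such as 2024-01-01T12:00:00Z."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def check_response(xml_text, settings, now):
    """Return (True, username) if the assertion satisfies the configured settings,
    otherwise (False, reason). Signature verification is deliberately not done here."""
    root = ET.fromstring(xml_text)
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return False, "no Assertion element"

    # Issuer must match the value pasted into the Issuer field (step 4)
    issuer = assertion.findtext("saml:Issuer", namespaces=NS)
    if issuer != settings.issuer:
        return False, f"issuer mismatch: {issuer!r}"

    # Validity window: reject not-yet-valid or expired (replayed) assertions
    conditions = assertion.find("saml:Conditions", NS)
    if conditions is None:
        return False, "no Conditions element"
    not_before = parse_saml_time(conditions.get("NotBefore"))
    not_on_or_after = parse_saml_time(conditions.get("NotOnOrAfter"))
    if not (not_before <= now < not_on_or_after):
        return False, "assertion outside its validity window"

    # Audience must equal the configured Entity ID (step 10)
    audiences = [a.text for a in conditions.findall(
        "saml:AudienceRestriction/saml:Audience", NS)]
    if settings.entity_id not in audiences:
        return False, f"audience mismatch: {audiences}"

    # Identity is the Salesforce username in Subject/NameID (steps 6 and 7)
    name_id = assertion.findtext("saml:Subject/saml:NameID", namespaces=NS)
    if not name_id:
        return False, "no NameID in Subject"
    return True, name_id


# Constructed, unsigned sample response; issuer, username and domain are placeholders.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_r1" Version="2.0" IssueInstant="2024-01-01T12:00:00Z">
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-01-01T12:00:00Z">
    <saml:Issuer>http://www.okta.com/exkPLACEHOLDER</saml:Issuer>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">jane.doe@example.com.community</saml:NameID>
    </saml:Subject>
    <saml:Conditions NotBefore="2024-01-01T11:55:00Z" NotOnOrAfter="2024-01-01T12:05:00Z">
      <saml:AudienceRestriction>
        <saml:Audience>https://example.my.salesforce.com</saml:Audience>
      </saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""

# Constructed settings matching the sample (placeholder issuer and My Domain)
SAMPLE_SETTINGS = SsoSettings(
    issuer="http://www.okta.com/exkPLACEHOLDER",
    entity_id="https://example.my.salesforce.com",
)


def demo(now_text="2024-01-01T12:00:00Z"):
    """Run the checker over the constructed sample at the given UTC time."""
    return check_response(SAMPLE_RESPONSE, SAMPLE_SETTINGS, parse_saml_time(now_text))


if __name__ == "__main__":
    print(demo())
    print(demo("2024-01-01T12:10:00Z"))
```

Run it as is and the first call accepts the assertion and returns the username that Salesforce would look up; the second call, ten minutes later, rejects the same assertion as expired. Changing either `SAMPLE_SETTINGS` value shows why a mistyped Issuer or the wrong Entity ID choice in step 10 produces a failed login rather than a partial one.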

Bingo! You are all done. Log in to Okta and get yourself authenticated to your SF community in just a click.

#HappyCoding 
