Configuring Tenfold to use Salesforce as an identity provider
Overview: This article provides a walkthrough for configuring Salesforce as an identity provider for Tenfold.
1. From Setup, enter Identity Provider in the Quick Find box, select Identity Provider, and configure a Domain name. Enter a sub-domain name, and check its availability. If the name is available, then click “Register Domain”. Test the domain and deploy to users.
2. Download the certificate and metadata file after enabling Identity provider.
3. Enter “App Manager” in the Quick Find box. Click “App Manager” > “New Connected App”.
4. Create a new connected app and provide the details in Basic information and Web App settings.
- Name the connected app as Tenfold.
- Enable SAML.
- Enter the ACS URL and Entity ID.
ACS URL: https://dashboard.tenfold.com/corporate-login/callback
Entity ID: sso.tenfold.com
- Set Subject Type to Username and Name ID Format to “urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress”.
- Select your IDP Certificate from dropdown options.
- Click the Save button.
- Click “Manage profile” and select all the profiles for which you want to grant access to use SSO.
5. Enter “Single Sign on Settings” in the Quick Find box. Click the “SAML enabled” check box to enable SAML settings.
6. In the Tenfold dashboard, navigate to the Single Sign-On feature. Set the domain to the value you want your users to enter when logging in to Tenfold, and upload the metadata XML file from step #2. Click Save, and your organisation is ready to use Salesforce SSO to authenticate your Tenfold account.
7. On the Tenfold login page, navigate to the “corporate login” tab and enter the domain name that you configured in Tenfold’s SSO features tab in step #6. Enter your Salesforce login credentials for the first time, and you will then be directed to the Tenfold Dashboard.
8. You are ready to use Salesforce to authenticate to Tenfold. The GIF below demonstrates the login flow using Salesforce.
If you have multiple Tenfold organizations connected to a single Identity Provider, you will need to enable the ‘Multi-Tenant’ preference so that Tenfold can properly identify which organization a user belongs to during login. Tenfold accomplishes this by reading a specific Attribute (field) from the SAML payload and directing users to the applicable Tenfold environment based on the Value that Attribute holds for the user.
- Identify an Attribute (field) within Salesforce, or create a new one, that can be used to group users based on the related Tenfold environment.
- Enable the ‘Multi-tenant’ setting on the ‘Single Sign-On’ feature. Select ‘Custom Field’ in the dropdown to use a Custom Field, or select ‘Standard Field’ to automatically pull in all Standard fields on the User object from Salesforce to use for grouping.
- Configure the Attribute and Value to relate users to the associated Tenfold environment you are updating. The Attribute is set first, and should follow the same syntax as Salesforce. This same Attribute can, and often should, be used for any additional Tenfold environments you have. Value is set later, and should be unique to this Tenfold environment.
- Follow steps 2-3 in any additional Tenfold environments you may have, bearing in mind that although ‘Attribute’ can be shared across multiple Tenfold environments the ‘Value’ must always be unique to that Tenfold environment.
If you encounter issues authenticating users into the proper Tenfold environments after configuring the ‘Multi-Tenant’ settings, inspect the SAML payload that Salesforce sends to Tenfold during a login attempt using a SAML decoding tool. The payload will indicate both the ‘Attribute’ being pushed to Tenfold and the ‘Value’, such as:
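
As an added example (not Tenfold's or Salesforce's code), the Python below decodes a captured SAMLResponse locally, so the assertion never has to be pasted into a third-party site, and lists why a response would not map to the expected environment. The field name `Tenfold_Env__c`, the value `emea` and the sample response are constructed for illustration; the ACS URL and Entity ID are the ones from step 4.

```python
import base64
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
ACS_URL = "https://dashboard.tenfold.com/corporate-login/callback"  # from step 4
ENTITY_ID = "sso.tenfold.com"                                       # from step 4

def summarize(b64_response):
    """Decode a base64 SAMLResponse (HTTP-POST binding). Does not verify signatures."""
    raw = base64.b64decode("".join(b64_response.split()), validate=True)
    if b"<!DOCTYPE" in raw or b"<!ENTITY" in raw:
        raise ValueError("DTD or entity declaration in SAML payload")
    root = ET.fromstring(raw)
    name_id = root.find(".//saml:Subject/saml:NameID", NS)
    audience = root.find(".//saml:Audience", NS)
    attrs = {a.get("Name"): [v.text or "" for v in a.findall("saml:AttributeValue", NS)]
             for a in root.iterfind(".//saml:Attribute", NS)}
    return {"destination": root.get("Destination"),
            "audience": getattr(audience, "text", None),
            "name_id": getattr(name_id, "text", None),
            "name_id_format": None if name_id is None else name_id.get("Format"),
            "attributes": attrs}

def tenant_problems(summary, attribute, value):
    """Reasons this response would not map to the expected Tenfold environment."""
    problems = []
    if summary["destination"] != ACS_URL:
        problems.append("Destination is not the Tenfold ACS URL")
    if summary["audience"] != ENTITY_ID:
        problems.append("Audience is not the Tenfold Entity ID")
    sent = summary["attributes"]
    if attribute not in sent:  # names are compared exactly, as configured
        near = [n for n in sent if (n or "").lower() == attribute.lower()]
        hint = f"case differs from {near[0]!r}" if near else f"sent: {sorted(sent)}"
        problems.append(f"Attribute {attribute!r} not sent ({hint})")
    elif value not in sent[attribute]:
        problems.append(f"{attribute!r} is {sent[attribute]}, expected {value!r}")
    return problems

# Constructed sample; "Tenfold_Env__c" and "emea" are hypothetical field/value names.
SAMPLE_XML = f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
  Destination="{ACS_URL}"><saml:Assertion><saml:Subject>
  <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">user@example.com</saml:NameID>
  </saml:Subject><saml:Conditions><saml:AudienceRestriction>
  <saml:Audience>{ENTITY_ID}</saml:Audience></saml:AudienceRestriction></saml:Conditions>
  <saml:AttributeStatement><saml:Attribute Name="Tenfold_Env__c">
  <saml:AttributeValue>emea</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement></saml:Assertion></samlp:Response>"""
SAMPLE_B64 = base64.b64encode(SAMPLE_XML.encode()).decode()
```

Call `summarize()` on the `SAMLResponse` form field captured from the browser's POST to the ACS URL, then pass the result to `tenant_problems()` with the Attribute and Value configured for that Tenfold environment; an empty list means the payload matches.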