Enable Riva Delegated Authentication/Single Sign-on/Impersonation for Salesforce.com

Article ID: 286

Last updated: 15 Mar, 2016

WARNING: The Riva for Salesforce Single Sign-On connection strategy described in this article is not supported for new Riva On-Premise installations.

New Riva On-Premise installations include a new strategy to provide impersonation access into Salesforce: the Standard Impersonation Model. For instructions on implementing the Standard Impersonation Model, see Prepare Salesforce for Riva and Create and test a Salesforce connection.

For current Riva On-Premise installations that use Salesforce Single Sign-On, administrators are encouraged to upgrade their Riva for Salesforce connection setup to the Standard Impersonation Model. For assistance, contact the Riva Success Team.

The procedures in the following article have been deprecated. The information is being retained for clients who have not yet converted to the new Standard Impersonation Model.

Background

It is a best practice for customers who evaluate Riva Integration Server for Salesforce and Exchange to configure Riva to use a personal Salesforce connection and an individual CRM synchronization policy for each Salesforce user account being used during the testing. For testing for up to five Salesforce accounts, this is a workable solution. To support more than five Salesforce accounts, we recommend implementing Riva Delegated Authentication, Single Sign-on and User Impersonation (Riva DA-SSO for Salesforce). This will allow a single Riva policy to synchronize multiple Salesforce accounts.

Riva DA-SSO for Salesforce:

Riva Integration Server includes a free Riva Delegated Authentication and Single Sign-On for Salesforce service. The delegated authentication and Single Sign-on process mean users don't have to remember a separate Salesforce password. After implementing Riva DA-SSO, Salesforce accepts the user's ActiveDirectory/Exchange password. Users therefore only have one password to remember, their AD/Exchange password - the primary reason for delegated authentication and single sign-on in an enterprise implementation.

DA-SSO workflow is as follows:

Salesforce.com user attempts a login --> Salesforce sends the user credentials to the SSO Provider --> The SSO Provider connects to the authentication provider (SMTP/HTTPS) to test the user credentials (located on your internal server or as a service provided by Omni) --> SSO Provider responds to SFDC true/false.

The main benefit for end users after Salesforce SSO has been implemented is they only need to remember one password. Their Active Directory/Exchange password is used to access Salesforce.

The main administrative objective in implementing SSO is to allow for Riva to be able to impersonate users and thereby synchronize multiple Salesforce accounts from a single instance of Riva.

Planning for Riva DA-SSO for Salesforce

The customer needs to decide the authentication method and target against which the SSO provider will relay authentication attempts. The authentication attempt will be based on the email address associated with the Salesforce.com (SFDC) username matching the email address in Active Directory UPN (eg. user@domain.com).

Most companies will use their Exchange SMTP service or an Active Directory integrated authentication IIS website as the authentication provider. Both of these use the current users' Active Directory credentials.

The customer needs to decide where Riva SSO will be hosted:

Riva DA-SSO for Salesforce as a Service is provided free of charge with your Riva licence purchase. It runs in the same Amazon cloud environment as Riva Live.
or Riva DA-SSO On Premise can be configured on a system in the customer's environment,

Implementing Riva DA-SSO for Salesforce On-Premise (Installed at customer location)

STEP 1 - The first step in the process is for the customer to send a request to Salesforce to implement SSO against their account. This process is completed by submitting the request from the Salesforce admin account management interface. This should be done immediately because it might take Salesforce a couple of days to service this request. The customer also has to prepare their environment for Salesforce.com SSO.

STEP 2 - The customer must contact Omni technical support to schedule implementation of Riva SSO for their Riva Integration Server. Let us know when Salesforce has completed your request for SSO to be enabled and we will schedule a technician to work with you to install and configure the SSO piece. We recommend planning on approximately two hours for installing, configuring and testing.

STEP 3 - An Omni technician will implement Riva SSO Provider and reconfigure the Riva Salesforce Connection and Policy to properly use SSO.

There is an additional fee to install and configure Riva DA-SSO On Premise.

Implementing Riva DA-SSO for Salesforce as a Service (Hosted by Omni)

STEP 3 - An Omni technician will work with you to confirm the Riva DA-SSO Provider is properly configured against your Riva Salesforce Connection and that the Sync Policies work properly with the new Riva DA-SSO-enabled connection.

The first one hour of implementing Riva DA-SSO as a Service are included in the purchase price of your Riva licences.

Report an issue

Article ID: 286

Last updated: 15 Mar, 2016

Revision: 2

Also read

Preparing for Salesforce.com Delegated Authentication Single Sign-on (DA-SSO) for Impersonation

Enable Salesforce Trusted Network Access for the Riva Server

How to Request Salesforce "Delegated Authentication" Single Sign-On Feature Activation

« Archive: Older SSO Articles

Preparing for Salesforce.com Delegated Authentication Single... »