Riva CRM Integration - Documentation and Knowledge Base
Knowledgebase
...
toggle

Prepare for the Riva On-Premise SSO Provider for Salesforce

Article ID: 554
Last updated: 12 May, 2016
WARNING: The Riva for Salesforce Single Sign-On connection strategy described in this article is not supported for new Riva On-Premise installations.

New Riva On-Premise installations include a new strategy to provide impersonation access into Salesforce: the Standard Impersonation Model. For instructions on implementing the Standard Impersonation Model, see Prepare Salesforce for Riva and Create and test a Salesforce connection.

For current Riva On-Premise installations that use Salesforce Single Sign-On, administrators are encouraged to upgrade their Riva for Salesforce connection setup to the Standard Impersonation Model. For assistance, contact the Riva Success Team.

The procedures in the following article have been deprecated. The information is being retained for clients who have not yet converted to the new Standard Impersonation Model.

In order for the synchronization engine to fully comply with user data, profile, role and territory security, the Riva Delegated Authentication - Single Sign-on for Salesforce (Riva DA-SSO) must be configured. This additional service allows Salesforce.com to "Impersonate" multiple users from a single account and check the validity of user credentials against a server in your environment that confirms login and password information. After configuring Riva DA-SSO for Salesforce, the Riva server will be able "impersonate" each user's Salesforce account without needing to know each user's password.

Riva provides an On-Premise SSO Provider server for Salesforce that is installed on a public-facing IIS server in the customer's environment. The On-Premise SSO Provider server is required / recommended for:

  • When target email accounts are hosted on Exchange 2003 systems (required to support SSO)
  • When target email accounts are hosted on GroupWise systems (required to support SSO)
  • When customer requires authentication against Active Directory or other supported Directory Services (optional)
  • When the hosted Riva SSO Provider service will not support the customer's environment (as directed by Omni professional services).

To prepare for the deployment of the Riva On-Premise SSO Provider for Salesforce:

Prepare a Windows server to host the Riva SSO Provider server

The Riva DA-SSO Provider server must be installed on a Windows server that meets the following system requirements:

Prepare Salesforce for SSO

These steps will enable Delegated Authentication - Single Sign-On (DA-SSO) feature in a Salesforce organization.  If a company uses multiple Salesforce organizations, these steps must be repeated for each organization.

To prepare and enable a Salesforce organization for DA-SSO:

  1. Activate the “Delegated Authentication Single Sign-On” (DA-SSO) feature.

  2. Configure a “Network Trust” for the On-Premise Riva SSO Provider server.

  3. Configure a "Network Trust" for the Riva server.

  4. Verify the Salesforce "System Administrator" permissions to support administering SSO-enabled target users.

  5. Create SSO-enabled user profile(s) for the Salesforce target users.  Do not add target users at this time.

Configure corporate firewalls to support SSO

  • Prepare corporate firewalls to support communications between the Riva On-Premise server (which hosts the Riva application, CRM Monitor, and CRM Agent service) and the Riva On-Premise SSO Provider server.

  • Ensure that corporate firewalls safeguarding the Riva On-Premise SSO Provider server are configured with the applicable Salesforce.com Whitelist IP address range.

Salesforce.com Whitelist IP Address Range

To reduce the exposure of the single sign-on provider to the internet, consider white listing the specified ranges of IP addresses *OWNED* by Salesforce.com. It is not leased or shared in any way with any other organizations.

Salesforce.com has an IP address block allocated directly to salesforce.com by the American Registry for Internet Numbers (ARIN).

To provide continuity of service if you utilize IP address security filters, whitelist or otherwise add salesforce.com's IP address space to your list of trusted addresses.

The IP address spaces are as follows:

204.14.232.0/23 East Coast Data Center (set one)
204.14.237.0/24 East Coast Data Center (set two)
96.43.144.0/22  MidWest Data Centers
96.43.148.0/22  MidWest Data Centers
204.14.234.0/23 West Coast Data Center (set one)
204.14.238.0/23 West Coast Data Center (set two)
202.129.242.0/23 Singapore Data Center
182.50.76.0/22  Japan Data Center

To clarify, the "0/25" that you see in the ranges refers to an abbreviated form of Classless Inter-domain routing (CIDR) notation. In essence, this notation is a network number followed by a "/" and a number , the latter number indicates the number of 1's (starting a the left most bit i.e MSB - most significant bit) in the subnet mask i.e the number of bits relevant to a network portion of the IP address. So "/25" means 25 bits constitute the subnet mask of 255.255.255.128, and really 25 bits reserved for network address which is identified by performing bitwise "AND" to the full network number.

For example 204.14.232.0/25 means 2 possible networks in the form of 204.14.232.0 and 204.14.232.128 each having possible 126 hosts i.e total 252 hosts or IP addresses per specified range.

Schedule the Server Installation Appointment

To schedule the installation of the Riva On-Premise SSO Provider server, contact the Riva Success Team.

Article ID: 554
Last updated: 12 May, 2016
Revision: 4
Views: 5398
Also listed in

Prev
Next
« Set up using On-Premise SSO Provider
How to Request Salesforce "Delegated Authentication" Single... »

rss