Salesforce FederationIdentifier Setup

We have a group who would like to use our internal University IDs to map campus users to Salesforce users for SSO. There are several ways to achieve this with a Shibboleth IdP and Salesforce, but this is the simplest.

Shibboleth IdP Configuration

We already have the University ID attribute defined in our IdP's attribute resolver (IdP v2, and v3 with the legacy resolver configuration), so we just need to add another attribute definition that encodes it as a new NameID.

<!-- Re-encode the existing University ID attribute as a persistent SAML 2 NameID -->
<resolver:AttributeDefinition
  xsi:type="ad:Simple"
  id="suUnivIDNameID"
  sourceAttributeID="suUnivID">

  <!-- suUnivID is resolved from the LDAP data connector -->
  <resolver:Dependency ref="suLDAP" />

  <resolver:AttributeEncoder xsi:type="enc:SAML2StringNameID"
    nameFormat="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"/>

</resolver:AttributeDefinition>

We're not using JIT provisioning for this Salesforce instance, but if we were, we'd have to ensure that the User.FederationIdentifier attribute value matched the NameID value, so we'd need another attribute definition:

<!-- Same source value, encoded both as the NameID and as the
     User.FederationIdentifier attribute Salesforce uses for JIT provisioning,
     so the two can never disagree -->
<resolver:AttributeDefinition
  xsi:type="ad:Simple"
  id="sfdcUnivIDFedID"
  sourceAttributeID="suUnivID">

  <resolver:Dependency ref="suLDAP" />

  <resolver:AttributeEncoder xsi:type="enc:SAML2StringNameID"
    nameFormat="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"/>

  <resolver:AttributeEncoder xsi:type="enc:SAML2String"
    name="User.FederationIdentifier" />

</resolver:AttributeDefinition>

Modify the attribute filter to use the new attribute:

<afp:AttributeFilterPolicy id="Salesforce">
  <!-- Applies only to the Salesforce SP entityID -->
  <afp:PolicyRequirementRule
    xsi:type="basic:AttributeRequesterString"
    value="https://itlab-developer-edition.my.salesforce.com" />

  <!-- Suppress the default transient NameID so the persistent one is used -->
  <afp:AttributeRule attributeID="transientId">
    <afp:DenyValueRule xsi:type="basic:ANY" />
  </afp:AttributeRule>

  <afp:AttributeRule attributeID="suUnivIDNameID">
    <afp:PermitValueRule xsi:type="basic:ANY" />
  </afp:AttributeRule>

</afp:AttributeFilterPolicy>

(If we were using JIT user provisioning, we'd also have to release the sfdcUnivIDFedID attribute, along with the other provisioning attributes.)

Salesforce Configuration

Edit the Single Sign-On Settings (under Security Controls in Administration Setup).

For SAML Identity Type, select "Assertion contains the Federation ID from the User object"; for SAML Identity Location, select "Identity is in the NameIdentifier element of the Subject statement".

Screenshot of Salesforce Single Sign-On Settings

Save the updated configuration, and try logging in via SSO. If your Federation Identifiers and University IDs match, you should be logged in.
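If the login fails, the quickest way to see why is to decode the assertion the IdP actually sent and check it against the two requirements above: a persistent-format NameID, and (when JIT provisioning attributes are released) a User.FederationIdentifier value equal to the NameID. The following check is an added example, not code from the original post; the assertion it parses is a constructed sample, and a real one would be taken from a captured SAML response after its signature had been verified separately.

```python
"""Check a SAML assertion bound for Salesforce: the NameID must be persistent-format
and, if User.FederationIdentifier is released, its value must equal the NameID."""
import xml.etree.ElementTree as ET

NS = {"saml2": "urn:oasis:names:tc:SAML:2.0:assertion"}
PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
TRANSIENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient"
FED_ID_ATTR = "User.FederationIdentifier"

# Constructed sample assertion (not a real capture); Signature, Conditions and
# AudienceRestriction are omitted here and are validated by a separate step.
SAMPLE_ASSERTION = """<saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml2:Subject>
    <saml2:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">12345678</saml2:NameID>
  </saml2:Subject>
  <saml2:AttributeStatement>
    <saml2:Attribute Name="User.FederationIdentifier">
      <saml2:AttributeValue>12345678</saml2:AttributeValue>
    </saml2:Attribute>
  </saml2:AttributeStatement>
</saml2:Assertion>"""


def check_assertion(xml_text, require_fedid=False):
    """Return a list of problems; an empty list means Salesforce can map the user."""
    root = ET.fromstring(xml_text)
    problems = []
    name_id = root.find("saml2:Subject/saml2:NameID", NS)
    value = (name_id.text or "").strip() if name_id is not None else ""
    if not value:
        problems.append("no NameID in Subject (check the suUnivIDNameID permit rule)")
        return problems
    fmt = name_id.get("Format", "")
    if fmt == TRANSIENT:
        problems.append("NameID is transient (check the transientId deny rule)")
    elif fmt != PERSISTENT:
        problems.append("unexpected NameID format: " + fmt)
    # Collect every User.FederationIdentifier value released in the assertion
    fed_values = [
        (v.text or "").strip()
        for attr in root.findall("saml2:AttributeStatement/saml2:Attribute", NS)
        if attr.get("Name") == FED_ID_ATTR
        for v in attr.findall("saml2:AttributeValue", NS)
    ]
    if not fed_values:
        if require_fedid:
            problems.append(FED_ID_ATTR + " not released; JIT provisioning will fail")
    elif fed_values != [value]:
        problems.append(FED_ID_ATTR + " does not match NameID; a JIT-created user could not log in")
    return problems
```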