Configuring SAML Settings for InsideView in Your CRM

This article explains how to configure SAML settings in your CRM to enable single sign-on for your on-premise CRM system. To learn about configuring SAML settings for custom packages, refer to the article Configuring SAML Settings for Custom Packages on our Knowledge Base. 

For an overview of InsideView security authentication, refer to the article InsideView Security Authentication Overview on our Knowledge Base.

Setting up a relying party in your identity provider is beyond the purview of InsideView. If you have any questions about configuring a relying party, please contact your Administrator or refer to your identity provider's documentation.

Note: The typical reader of this article is an administrator of the on-premises CRM deployment. It may also be useful to the administrator of the InsideView account and to anyone who manages an Identity Provider that supports unsolicited SAML-P or WS-Federation endpoints (for example: Active Directory Federation Service, Windows Azure Active Directory, CA-FederationManager/Citrix OpenCloud/McAfee-CIM/Oracle Federation Identity, etc.).

To configure SAML settings successfully, you must perform the following series of tasks.

Configuring InsideView as a Relying Party in Your STS/IP

You must configure InsideView as a relying party in your Security Token Service (STS) / Identity Provider. To complete the process, perform the following steps:

Step 1: Define your relying party name

You must define your relying party name. This name could be the URL of the service to which you are authenticating. For example, it could be https://my.insideview.com or https://my.insideview.com/test.

Note: Make a note of the assertion names for each of these assertions. Ensure that the assertions in the SAML response are signed and not encrypted, as InsideView does not support encrypted assertion values.

Step 2: Define Attribute Statements

You must define your attribute statements as part of your general sign-on settings. You must define the attributes for user ID, email, first name, last name and your organization ID. For further details, see the Mandatory Details table below.

Step 3: Set up Post-Back URL

Set up your post-back URL/Return URL/Protected Landing Page with the following URL:

https://my.insideview.com/iv/<SSOName>/login.iv

Where SSOName is the name of the SAML configuration you added in InsideView. SSOName may require URL encoding, depending on what you choose to name it. For example, if your STS name is InsideViewADFSTest then your post-back URL will be https://my.insideview.com/iv/InsideViewADFSTest/login.iv.

Now, you’re done with configuring InsideView as a relying party. Next, complete your relying party setup, if any. Once this is done, note the following values from the above configured settings:

  1. Unsolicited URL for user authentication
  2. Your X.509 certificate that will be used to sign SAML response

Note: In order to check whether it is an X.509 DER certificate, you can visit https://www.sslshopper.com/certificate-decoder.html

Mandatory Details Table

Field Name: Description

CRM User ID Mapping: User’s unique User ID in the source CRM/SFA. This ID must be unique across the CRM universe (online and on-premise, sandbox and production). It can be a GUID, DB primary key, etc. If this ID is not guaranteed to be unique, it must be appended with an underscore followed by the crm_org_id.

CRM Org ID Mapping: User’s organization unique ID in the source CRM/SFA. This ID must be unique across the CRM universe (online and on-premise, sandbox and production). It can be a GUID, installation license key, and even a DB primary key.

CRM Email Mapping: User’s Email Address in the source CRM/SFA.

CRM First Name Mapping: First name of the user

CRM Last Name Mapping: Last Name of the user

Note: Your CRM Administrator will need to map all these user attributes to InsideView attributes.
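
A pre-flight check for the requirements above, as an added example that is not InsideView's code: it takes a base64-encoded SAML 2.0 response captured from your IdP and reports an encrypted or unsigned assertion, missing attribute claims, and a user ID that lacks the _crm_org_id suffix. The claim names in MAPPING and the sample response are assumptions constructed for illustration; WS-Federation responses are not covered.

```python
import base64
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
# Assumed claim names; substitute the assertion names you noted in step 1.
MAPPING = {"CRM User ID": "crm_user_id", "CRM Org ID": "crm_org_id",
           "CRM Email": "email", "CRM First Name": "first_name",
           "CRM Last Name": "last_name"}

def preflight(b64_response, mapping=MAPPING, org_suffix=False):
    """List the ways a base64 SAMLResponse misses the requirements above."""
    root = ET.fromstring(base64.b64decode(b64_response))
    problems = []
    if root.find(".//saml:EncryptedAssertion", NS) is not None:
        problems.append("assertion is encrypted")
    assertion = root.find(".//saml:Assertion", NS)
    if assertion is None:
        return problems + ["no plaintext assertion"]
    if assertion.find("ds:Signature", NS) is None:  # presence only, not verified
        problems.append("assertion is not signed")
    claims = {}
    for attr in assertion.iterfind(".//saml:Attribute", NS):
        value = attr.find("saml:AttributeValue", NS)
        claims[attr.get("Name")] = (value.text or "").strip() if value is not None else ""
    for field, name in mapping.items():
        if not claims.get(name):
            problems.append(f"{field}: claim {name!r} missing or empty")
    # A user ID that is not globally unique must end with "_" + crm_org_id.
    uid, org = claims.get(mapping["CRM User ID"], ""), claims.get(mapping["CRM Org ID"], "")
    if org_suffix and org and not uid.endswith("_" + org):
        problems.append("user ID lacks the _<crm_org_id> suffix")
    return problems

def build_sample(claims, signed=True):
    """Constructed test response (not captured from a real IdP)."""
    attrs = "".join(
        f'<saml:Attribute Name="{k}"><saml:AttributeValue>{v}'
        "</saml:AttributeValue></saml:Attribute>" for k, v in claims.items())
    sig = "<ds:Signature/>" if signed else ""
    xml = ('<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
           f'xmlns:saml="{NS["saml"]}" xmlns:ds="{NS["ds"]}"><saml:Assertion>'
           f"{sig}<saml:AttributeStatement>{attrs}</saml:AttributeStatement>"
           "</saml:Assertion></samlp:Response>")
    return base64.b64encode(xml.encode()).decode()

GOOD = build_sample({"crm_user_id": "1042_ORG77", "crm_org_id": "ORG77",
    "email": "pat@example.com", "first_name": "Pat", "last_name": "Lee"})
print(preflight(GOOD, org_suffix=True))  # []
```
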

Adding STS Settings for Single Sign-On

Step 1: Open Admin Page

Open admin. Go to the Single Sign-On Settings page.

Step 2: Add details

Click SingleSignOn Settings. The following page opens:

You must add the STS details to the InsideView admin page (under the single-sign-on tab). To add STS details, click the Add SAML button in the above screen. Ensure the STS details are entered in a single line with no spaces.

Note: Use the above two check-boxes to restrict users of your account from using their credentials to log in or change their passwords. As an account admin, you can use this feature to ensure your users log in via SSO (like Okta). This feature provides foolproof security when an employee leaves a company. An account admin, however, can log in with the credentials even when the check box is selected.

Step 3: Enter the Attribute Statements

In the Add SAML dialog, enter the Attribute Statements you defined previously. All fields require an entry. Details such as first name, last name, email, persistent name identifier (CRM User ID), and CRM Org ID must be configured in claims for federated authentication with SAML. You obtained all of these in the first step. Now, enter those details here.

Step 4: Finish the Configuration

Click Save to finish the configuration.

Note: STS Name, SAML/WS-Fed Unsolicited Endpoint, STS Certificate, User ID, and Email Mapping are mandatory fields. The Org ID, however, is optional. InsideView recommends that email mapping and user ID be the same for ease of use. Also, note that the user ID coming from the STS must belong to the same account where self-serve is configured. If a user is new, the system configures the user in the same account where SAML self-serve is configured. You also need to provide an enterprise-wide unique name for the STS Name. Use the same STS name for your post-back URL. For example, if your STS name is InsideViewADFSTest then your post-back URL will be https://my.insideview.com/iv/InsideViewADFSTest/login.iv.
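
One way to prepare the certificate and post-back URL values locally, as an added example that is not InsideView's code: it accepts a PEM or DER certificate file, checks the outer DER framing, emits the certificate on a single line with no spaces plus a SHA-256 fingerprint, and URL-encodes the STS name into the post-back URL. That the STS Certificate field takes the base64 body is an assumption, and the sample bytes are a constructed placeholder, not a real certificate; the certificate contents are not parsed or validated.

```python
import base64
import hashlib
import re
from urllib.parse import quote

PEM_RE = re.compile(rb"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)

def cert_to_der(data):
    """Return DER bytes from a PEM or DER certificate file, checking the framing."""
    m = PEM_RE.search(data)
    der = base64.b64decode(b"".join(m.group(1).split())) if m else data
    # A DER certificate is one SEQUENCE (tag 0x30) whose length spans the whole file.
    if len(der) < 4 or der[0] != 0x30:
        raise ValueError("not a DER-encoded certificate")
    if der[1] < 0x80:                      # short-form length
        total = 2 + der[1]
    else:                                  # long form: next n bytes hold the length
        n = der[1] & 0x7F
        total = 2 + n + int.from_bytes(der[2:2 + n], "big")
    if total != len(der):
        raise ValueError("DER length does not match the data")
    return der

def sts_fields(cert_bytes, sts_name):
    """Values to paste into the Add SAML dialog and the IdP's return URL."""
    der = cert_to_der(cert_bytes)
    return {
        # Assumption: the STS Certificate field takes the base64 body on one line.
        "certificate": base64.b64encode(der).decode(),
        # Compare with the fingerprint your IdP shows for its signing certificate.
        "sha256": hashlib.sha256(der).hexdigest(),
        "post_back_url": "https://my.insideview.com/iv/%s/login.iv" % quote(sts_name, safe=""),
    }

# Constructed placeholder: valid outer DER framing only, not a real certificate.
SAMPLE_DER = b"\x30\x82\x01\x00" + bytes(256)
SAMPLE_PEM = (b"-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(SAMPLE_DER)
              + b"-----END CERTIFICATE-----\n")

if __name__ == "__main__":
    for key, value in sts_fields(SAMPLE_PEM, "InsideViewADFSTest").items():
        print(key, "=", value)
```
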

Validating and Editing SAML Configuration

After you’re done configuring SAML in your CRM system, you can verify and edit the settings.

Step 1: Sign in to the System

Try signing in to the system from your Single Sign-On web page. Click the following link and enter your credentials:

https://my.insideview.com/iv/launchPad.do?ssoName=

Step 2: Re-edit SAML settings

You will be successfully logged in to your destination URL without being prompted for the password. If the system persists in asking you to enter your password, you will need to edit and reconfigure your SAML settings. To edit your SAML settings, click Edit as illustrated below:

Step 3: Open the Edit Page

On the EDIT SAML page, modify the required details.

Step 4: Save the changes

Click Save. Repeat the steps until you successfully set up Single Sign-On for InsideView in your on-premise CRM application.