Welcome to another “How I Solved It.” In this series, we do a deep dive into a specific business problem and share how one #AwesomeAdmin chose to solve it. Once you learn how they solved their specific problem, you’ll be inspired to try their solution yourself! Watch how Gorav Seth, Salesforce Platform Manager at Ashoka, enables users to log into a sandbox directly from production, so they can easily test out and validate changes before they are deployed! Read more details in the post below.
Regularly using sandboxes can be difficult for users and even admins. They need to remember to go to a specific URL and use their sandbox username. Admins need to reset user passwords and update email addresses. In order for them to safely make changes, and for users to test these configuration changes prior to production, we need to make it easy, seamless, and secure for them to log in to the correct sandbox.
Building and testing changes in sandboxes is more than a best practice—it’s a fundamental requirement for building and maintaining high quality business-critical applications. Admins know that having users log in directly to a sandbox for testing can be a daunting task due to a number of hurdles, including:
Admins have to choose between taking time and effort to train users to access the sandbox and following clean development processes, resulting in wasted time and potential frustration for end users.
The identity provider is the system that manages identity information and provides authentication services. In our case, we want production to determine if a user has valid credentials, so we need to enable production as the identity provider—which we can easily do with a few clicks!
1. Go to Setup, then Identity Provider, and click Enable Identity Provider.
2. Salesforce automatically creates a certificate when you enable your org as an identity provider. Click Download Certificate to download it.
3. Copy the “Salesforce Identity” SAML Metadata Discovery Endpoint.
Now we need to configure the sandbox to allow users to access the sandbox by verifying their identity against the identity provider we created in Step 1. This is referred to as single sign-on (SSO) as it allows the user to log in to multiple systems (in our case, production and sandbox) using a single identity. Follow these steps:
1. Log in to sandbox.
2. Go to Setup, then Single Sign-On Settings, and click Edit.
3. Check the box for SAML Enabled.
4. Click Save.
5. Click New From Metadata URL in SAML Single Sign-On Settings.
6. Paste the SAML Metadata Discovery Endpoint URL you previously copied from production in Step 1. Then, click Create.
Note: This step fills in a few items automatically, like issuer and Entity ID. You need to fill out a few more items below.
7. In the Identity Provider Certificate field, click Choose File and upload the certificate that you downloaded in Step 1.
8. For SAML Identity Type, choose Assertion contains the User ID from the User object.
Note: This step tells the sandbox how to find the matching user. By selecting User ID, we tell the sandbox to match on the Salesforce UserId, which will be provided by the identity provider from production.
9. Uncheck ‘single logout enabled’ if checked (if enabled this would log users out of production when they log out of the sandbox, and would require additional configuration to enable).
10. Click Save.
11. Copy the Entity ID.
12. Copy the Login URL.
1. In Setup, go to App Manager and select New Connected App. Configure the new connected app as follows:
2. Click Save.
Next, you need to grant access to your connected app. For initial testing, you should only grant access to yourself.
1. Click Manage on the connected app.
2. Add to profiles (manage profiles) or permission sets (manage permission sets) that need access to this connected app.
Now, we need to give users a way to launch the connected app. We’ll make the connected app accessible via App Launcher in production.
1. Copy the IdP-Initiated Login URL from the SAML Login Information section on the connected app.
2. Click Edit Policies on the connected app.
3. In Basic Information, paste the IdP-Initiated Login URL into the Start URL field.
4. Click Save.
Note: Do not right-click and copy the link address. In Lightning, this includes JavaScript redirect language. You need to highlight the actual text of the link on the page and press ctrl+c on your keyboard to copy it.
Now, when you click on the app in App Launcher, it launches the start URL, which kicks off the “identity provider initiated” SSO flow to the specified sandbox!
Now, let’s test to see that the process works.
1. Go to App Launcher in production.
2. Find the name of your connected app and click on it.
3. You’ll be automatically logged in to your sandbox!
The certificate that was created in Step 1 encrypts the connection between production and sandbox, but the assertion—the information that production sends to the sandbox about the specific user—is currently sent in plain text and is not encrypted. Encrypting the assertion is recommended as it increases your security and helps prevent man-in-the-middle attacks.
This step is easy! Read my blog post for details on how to encrypt the assertion.
1. Create a new permission set, give it a name and a description, and click Save.
2. Click Assigned Connected Apps in the permission set, and select the connected app that you created in Step 3.
3. Click Manage Assignments and assign the permission set to users who need to log in to the sandbox.
Now, admins can provide users access to a sandbox with a permission set! Users can simply click on the app in App Launcher and they are magically logged in to the sandbox. This helpful shortcut works for admins, too.
Note:
This is a very real example, and while it has a number of steps, there is a huge payoff. Try this yourself and make it easy for you, and your users, to get the most out of the great development tools Salesforce offers.
Let us know what you thought of this solution, and tell us how you want to use it with #AwesomeAdmins #HowISolvedIt on Twitter.
Welcome to another “How I Solved It.” In this series, we do a deep dive into a specific business problem and share how one Awesome Admin chose to solve it. Once you learn how they solved their specific problem, you’ll be inspired to try their solution yourself! Watch how Kim Strauss built an automation for […]
Welcome to another “How I Solved It.” In this series, we do a deep dive into a specific business problem and share how one Awesome Admin chose to solve it. Once you learn how they solved their specific problem, you’ll be inspired to try their solution yourself! Watch how Erick Mahle improved user navigation within […]
Welcome to another “How I Solved It.” In this series, we do a deep dive into a specific business problem and share how one Awesome Admin chose to solve it. Once you learn how they solved their specific problem, you’ll be inspired to try their solution yourself! Watch how Karri Webster found a way to […]
