Integrate Salesforce with Zero Trust Network Access

In this topic, you will find general instructions on how to integrate Salesforce with Portnox™ Zero Trust Network Access using the conditional access method.

Create a Portnox Cloud application configuration

In this step, you will create a configuration in Portnox Cloud that will contain all the information necessary to integrate with Salesforce.

  1. In a new tab of your browser, open your Portnox Cloud account by accessing the following URL: https://clear.portnox.com/

    From now on, we will call this tab the Portnox tab.

  2. In the Cloud portal top menu, click on the Zero Trust Resources option.

  3. On the Resources screen, click on the Create resource button.

    1. In the What type of resource is this? section, select the SSO web resource option.
    2. In the Authentication protocol section, select the SAML option.
    3. Click on the Next button.

  4. Optional: If you have more than one SAML identity provider configured, select the identity provider in the Select an identity provider to use for this resource section.
  5. In the Resource details section, enter a Resource name and optionally a Description.

    In this example, we used the name Salesforce for the new application configuration but you can use any name you like.

  6. Keep this browser tab open. You will need it later.

Open your Salesforce SSO settings

In this section, you will access your Salesforce administrative interface and find the single sign-on (SSO) settings.

  1. In another tab of your browser, open your Salesforce dashboard by accessing the following URL: https://your_tenant.my.salesforce.com/, substituting your_tenant with your Salesforce tenant name.

    From now on, we will call this tab the Salesforce tab.

  2. Click on the  ⚙  icon in the top-right corner next to your Salesforce profile picture, and then click on the Open Advanced Setup button below.

    Advanced setup options will open in a new browser tab.

  3. In the left-hand side menu, scroll down to the SETTINGS section, and then select the Identity > Single Sign-On Settings option.

  4. In the Single Sign-On Settings pane, in the SAML Single Sign-On Settings section, click on the New from Metadata File button.

    Note: You can also click on the New option and configure the data manually.

Copy configuration values from the Portnox tab to the Salesforce tab

In this section, you will copy the values displayed by Portnox Cloud and paste them in the relevant fields in the Salesforce SSO setup section.

  1. In the Portnox tab, in the Service details section, click on the Download metadata XML file link to download the metadata.xml file that contains all configuration values.

  2. In the Salesforce tab, click on the Browse button, select the metadata.xml file that you just downloaded from Portnox Cloud, and then click on the Create button.

  3. Change the value of the Name field so that it clearly identifies the login method.
    Note: This text will be displayed on the button on your instance’s login page as Login with name, where name is the content of this field.

    In this example, we used the name Portnox Conditional Access but you can use any name you like.

  4. Click on the Save button below to save the configuration in Salesforce and show data that you will need to copy to the Portnox tab.

Copy configuration values from the Salesforce tab to the Portnox tab

In this section, you will copy the values displayed in your Salesforce SSO setup section, and paste them in the relevant fields in Portnox Cloud.

  1. In the Salesforce tab, select the value of the Entity ID field and use the operating system shortcut to copy it to the clipboard.

  2. In the Portnox tab, in the Resource properties section, click on the empty field under the Entity ID / Service Provider Entity URL heading and paste the value copied from Salesforce.

  3. In the Salesforce tab, select the value of the Login URL field and use the operating system shortcut to copy it to the clipboard.

    Note: For new Salesforce tenants, the Entity ID and the Login URL may be the same but for older tenants, they may be different. Make sure to copy the correct values even if in this example the values look the same.
  4. In the Portnox tab, in the Resource properties section, click on the empty field under the Assertion Consumer Service (ACS) URL / Reply URL heading and paste the value copied from Salesforce.

  5. In the Salesforce tab, select the value of the Logout URL field and use the operating system shortcut to copy it to the clipboard.

  6. In the Portnox tab, in the Resource properties section, click on the OPTIONAL SETTINGS heading to show additional fields, then click on the empty field under the Allowed Logout URIs (Optional) heading and paste the value copied from Salesforce.

Finalize the configuration

In this section, you will finalize the configuration in Portnox Cloud and Salesforce.

  1. Finalize the configuration in the Portnox tab.
    1. Optional: In the Policy enforcement section, in the Device risk assessment section, change the setting to Override with custom policy and then select a risk assessment policy if you want to assess risk with this application using a custom risk assessment policy, and in the Access control section, change the setting to Override with custom policy and then select an access control policy if you want to control access to this application using a custom access control policy.
    2. Scroll all the way down to the end of the page, and then click on the Save and Close button.

  2. Finalize the configuration in the Salesforce tab.
    1. Click on the Back to Single Sign-On Settings link under the pane heading.

    2. Click on the Edit button.

    3. In the Federated Single Sign-On Using SAML section, activate the SAML Enabled checkbox, and then click on the Save button.

    4. In the left-hand side menu, scroll down to the SETTINGS section, and then select the Company Settings > My Domain option.

    5. In the My Domain Settings pane, scroll down to the Authentication Configuration section, and then click on the Edit button.

    6. Activate the checkbox representing the Authentication Service that you just created, and then click on the Save button.

      Important: Initially, for testing, we recommend that you do not turn off the default Login Form authentication service. After you test that Portnox Zero Trust Network Access is working correctly, you can turn off the default service, which will require all your Salesforce users to log in using Zero Trust Network Access.

Result: You have configured Salesforce to be accessible using Portnox Zero Trust Network Access.