Skyhigh Security

Integrate Skyhigh CASB for Salesforce with OpenAM

You can route the SAML flow through the Skyhigh CASB proxy for Salesforce while using OpenAM as the identity provider (IdP). The proxy re-signs the SAML assertion, so the Salesforce SP metadata and the OpenAM IdP metadata both have to be edited to carry the proxy certificate and the proxy URLs.

Prerequisites

  1. In Skyhigh CASB, add a Salesforce instance.
  2. Configure SSO between OpenAM and Salesforce without the Skyhigh CASB proxy, and confirm that login works.
  3. Get the metadata files: the IdP metadata from OpenAM and the SP metadata from Salesforce.

Extract SP and IdP Certificates

SP Certificate

  1. In a text editor, open the SP metadata XML file, SP.xml.
  2. Copy the X.509 certificate text (the content of the <ds:X509Certificate> node).
  3. In a new text file, paste the text between the lines "-----BEGIN CERTIFICATE-----" and "-----END CERTIFICATE-----".
  4. Delete all newline characters inside the certificate text so that it is a single line. If the text is still wrapped over several lines, the Skyhigh CASB tenant may not accept the certificate.
  5. Save the file as SP.crt.

IdP Certificate

  1. In a text editor, open the IdP metadata XML file, IDP.xml.
  2. Copy the X.509 certificate text.

IMPORTANT: <KeyDescriptor use="signing"> and <KeyDescriptor use="encryption">. In the IdP metadata file you may find two nodes that contain the same X.509 certificate text: one under <KeyDescriptor use="signing">, the key Salesforce uses to verify the IdP's signature on the SAML response, and one under <KeyDescriptor use="encryption">, the key used to encrypt data sent to the IdP. The proxy only re-signs the assertion, so this procedure replaces only the signing certificate; the encryption certificate stays as it is. Copy the certificate from the signing node only.

  3. In a new text file, paste the text between the lines "-----BEGIN CERTIFICATE-----" and "-----END CERTIFICATE-----".
  4. Delete all newline characters inside the certificate text, exactly as for SP.crt.
  5. Save the file as IDP.crt.

Upload the SP and IdP Certificates to Skyhigh CASB

  1. Log in to Skyhigh CASB.
  2. Go to Service Management and find your instance of Salesforce.
  3. On the Setup tab, under Proxy, enable SAML.
  4. Upload the SP and IdP certificates.
  5. Download the Proxy Server Certificate by clicking Export Proxy Server Certificate. For example, proxy.crt.

Add Custom URLs to Skyhigh CASB Properties

Collect the corresponding URLs from the customer's Salesforce org, substituting its My Domain name and Salesforce instance.

  1. In the following example URLs, the My Domain name is customer--dev (My Domain customer, sandbox dev) and the Salesforce instance is cs20. Replace both with your own values:
    • customer--dev.cs20.my.salesforce.com
    • customer--dev--c.cs20.content.force.com
    • customer--dev--c.cs20.visual.force.com
  2. Go to Service Management and find your instance of Salesforce.
  3. Go to Actions > Add Properties.
  4. Add these URLs as custom domains. Make sure the My Domain name uses exactly the same case as it does in Salesforce.
  5. Click Save.

Modify Metadata

Modify Salesforce SP Metadata

  1. In a text editor, open the SP Metadata XML file, SP.xml.
  2. If you want to enable SP-initiated login, required by some integrations like Salesforce for Outlook, modify the entityID. Replace the URL with the corresponding Skyhigh CASB proxy URL. For example, https://customercrm.customer.shnpoc.net.
  3. Replace the certificate:
    • From the Skyhigh CASB Proxy Server Certificate, proxy.crt, copy the certificate text (excluding "-----BEGIN CERTIFICATE-----" and "-----END CERTIFICATE-----").
    • Replace the X.509 certificate text in SP.xml with the Skyhigh CASB proxy certificate text.
  4. Modify the Location URL. Look for the <md:AssertionConsumerService> node, change its Location URL to the one that goes through the proxy, keep the existing so= parameter, and append the shnsaml parameter:
    https://customer--dev.cs20.my.salesforce.com?so=00Dm00000008dtx -->
    https://<Corresponding SHN URL>?so=00Dm00000008dtx&shnsaml
  For example:
    https://customer--dev.cs20.my.salesforce.com?so=00Dm00000008dtx -->
    https://customercrmdev.customer.shnpoc.net?so=00Dm00000008dtx&shnsaml
  5. Save the file as SP_SHN_modified.xml.

Modify the IdP Metadata

  1. In a text editor, open the IdP metadata XML file, IDP.xml.
  2. Replace the X.509 certificate text in the "signing" <KeyDescriptor> only with the Skyhigh CASB proxy certificate text. Leave the "encryption" <KeyDescriptor> unchanged.
  3. Save the file as IDP_SHN_modified.xml.

Once Salesforce imports this file it accepts SAML responses signed by the Skyhigh CASB proxy rather than by OpenAM directly, so the proxy signing key becomes part of the trust chain for Salesforce login. Check the modified file against the original: only the signing certificate and nothing else should differ.
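The certificate-extraction and metadata-editing steps above (Extract SP and IdP Certificates, Modify Salesforce SP Metadata, Modify the IdP Metadata), as an added Python example that is not Skyhigh, Salesforce or OpenAM code. It pulls the single-line X.509 text out of a metadata file, replaces only the signing certificate with the proxy certificate while leaving the encryption <KeyDescriptor> alone, repoints the Salesforce ACS Location at the proxy with the shnsaml flag, and optionally sets the entityID for SP-initiated login. The metadata documents, the certificates (base64 placeholders, not real X.509 data) and the openam.example.com host are constructed for the example; the proxy host names and the so= value are the ones used on this page.

```python
# Added example: metadata edits for the Skyhigh CASB proxy (not vendor code).
# All certificates below are constructed base64 placeholders, NOT real X.509 DER.
import base64
import re
import textwrap
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit, urlunsplit

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
for _prefix, _uri in NS.items():          # keep md:/ds: prefixes when serialising
    ET.register_namespace(_prefix, _uri)
KD = f"{{{NS['md']}}}KeyDescriptor"
ACS = f"{{{NS['md']}}}AssertionConsumerService"

# --- constructed inputs -------------------------------------------------------
SP_CERT = base64.b64encode(b"constructed Salesforce SP certificate").decode()
IDP_CERT = base64.b64encode(b"constructed OpenAM IdP certificate").decode()
PROXY_CERT_B64 = base64.b64encode(b"constructed Skyhigh proxy certificate").decode()
PROXY_CERT_PEM = ("-----BEGIN CERTIFICATE-----\n"   # proxy.crt as exported: PEM, wrapped lines
                  + "\n".join(textwrap.wrap(PROXY_CERT_B64, 64))
                  + "\n-----END CERTIFICATE-----\n")

SP_XML = f"""<md:EntityDescriptor xmlns:md="{NS['md']}" xmlns:ds="{NS['ds']}"
    entityID="https://customer--dev.cs20.my.salesforce.com">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data><ds:X509Certificate>
        {SP_CERT}
    </ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://customer--dev.cs20.my.salesforce.com?so=00Dm00000008dtx" index="1"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""

# OpenAM IdP metadata: the same cert under use="signing" and use="encryption".
# The openam.example.com host is an assumption for this example.
IDP_XML = f"""<md:EntityDescriptor xmlns:md="{NS['md']}" xmlns:ds="{NS['ds']}"
    entityID="https://openam.example.com/openam">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>{IDP_CERT}</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:KeyDescriptor use="encryption"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>{IDP_CERT}</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

def pem_body(text):
    """Strip PEM armour and every newline: the one-line form the Skyhigh tenant accepts."""
    body = "".join(re.sub(r"-----(BEGIN|END) CERTIFICATE-----", "", text).split())
    base64.b64decode(body, validate=True)       # fail fast on anything but clean base64
    return body

def extract_certs(metadata_xml):
    """Map KeyDescriptor 'use' -> single-line cert text. An absent 'use' means the key
    serves both purposes (SAML metadata spec); it is filed under 'signing' here."""
    certs = {}
    for kd in ET.fromstring(metadata_xml).iter(KD):
        el = kd.find(".//ds:X509Certificate", NS)
        if el is not None and el.text:
            certs[kd.get("use", "signing")] = pem_body(el.text)
    return certs

def replace_signing_cert(metadata_xml, new_cert_b64):
    """Swap the cert in every signing KeyDescriptor; use="encryption" is left untouched."""
    root, hits = ET.fromstring(metadata_xml), 0
    for kd in root.iter(KD):
        if kd.get("use", "signing") != "signing":
            continue
        for el in kd.findall(".//ds:X509Certificate", NS):
            el.text, hits = new_cert_b64, hits + 1
    if not hits:
        raise ValueError("no signing KeyDescriptor found in metadata")
    return ET.tostring(root, encoding="unicode")

def rewrite_acs_locations(sp_xml, proxy_host):
    """Repoint each AssertionConsumerService at the proxy host, keep the query string
    (the so= org id) and append the bare shnsaml flag exactly once."""
    root = ET.fromstring(sp_xml)
    for acs in root.iter(ACS):
        u = urlsplit(acs.get("Location"))
        q = u.query if "shnsaml" in u.query.split("&") else f"{u.query}&shnsaml".lstrip("&")
        acs.set("Location", urlunsplit((u.scheme, proxy_host, u.path, q, u.fragment)))
    return ET.tostring(root, encoding="unicode")

def build_sp_shn_modified(sp_xml, proxy_cert_b64, proxy_host, entity_id=None):
    """SP_SHN_modified.xml: proxy cert, proxy ACS, optional entityID for SP-initiated login."""
    out = rewrite_acs_locations(replace_signing_cert(sp_xml, proxy_cert_b64), proxy_host)
    if entity_id:
        root = ET.fromstring(out)
        root.set("entityID", entity_id)
        out = ET.tostring(root, encoding="unicode")
    return out

def get_entity_id(metadata_xml):
    return ET.fromstring(metadata_xml).get("entityID")

def acs_locations(sp_xml):
    return [a.get("Location") for a in ET.fromstring(sp_xml).iter(ACS)]

if __name__ == "__main__":
    proxy_b64 = pem_body(PROXY_CERT_PEM)
    idp_mod = replace_signing_cert(IDP_XML, proxy_b64)          # -> IDP_SHN_modified.xml
    sp_mod = build_sp_shn_modified(SP_XML, proxy_b64, "customercrmdev.customer.shnpoc.net",
                                   entity_id="https://customercrm.customer.shnpoc.net")
    print(extract_certs(idp_mod))   # signing = proxy cert, encryption = original IdP cert
    print(acs_locations(sp_mod))
```

Run it against the real SP.xml and IDP.xml by reading the files into the two functions; the check worth keeping afterwards is that extract_certs on the modified IdP metadata still returns the original certificate under "encryption" and the proxy certificate only under "signing".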

Upload the Modified Metadata Files into OpenAM and Salesforce

Upload SP_SHN_modified.xml into OpenAM (as the Salesforce SP's metadata) and IDP_SHN_modified.xml into Salesforce (as the IdP metadata for the SSO configuration).

Test

Finally, test both SP-initiated and IdP-initiated logins, and confirm in the browser that the SAML response is posted to the proxy ACS URL (the one carrying the shnsaml parameter) rather than directly to Salesforce.
