Salesforce SSO - unique usernames needed between Sandbox and environment?

garryshape
Our team is trying Salesforce and we have a sandbox and a production Salesforce.
To use SSO (Okta), are we able to use the same SSO login for both environments? Or can we only use, say, our email attribute in one or the other (Sandbox or Production)? My understanding is Sandbox only allows you a login that is unique across both environments. And if that’s the case, what’s the usual workaround? Don’t want to reinvent the wheel.
You should be able to have the same Users on both. You need to have your Admin profile non-single-sign-on enabled in production as well as sandbox. This will allow you to debug and fix your SSO if needed.

Author

Commented:
I think the issue is that the user's email, which is unique, cannot be in both environments?
Nakul Vachhrajani, Technical Architect, Capgemini India
Commented:
Salesforce requires you to have a globally unique username. If I am not mistaken, Sandbox usernames have the SandboxName appended to them (e.g. if the username is "abc@xyz.com" in production, it would be "abc@xyz.com.sandboxName" in the Sandbox).

However, you should be able to use the e-mail address for both your production and sandbox environments. The same goes for your Federation Id (for SAML), because the domain user is the same.

The only difference would be that when setting up federation, Sandboxes will have a partner URL of https://test.salesforce.com and not https://login.salesforce.com. Similarly, the SSO request should be sent to the appropriate URL depending upon which one you want to connect to.

Author

Commented:
Ok, thanks, I will try. So how would you do it in Okta, if you know, to set up the app to tell it what username format to use so their email matches the modified email on the target site?
Nakul Vachhrajani, Technical Architect, Capgemini India
Commented:
I have used Microsoft AD with Salesforce for SAML 2.0 authentication, so I could help you with Microsoft ADFS, but I have never used Okta - sorry about that. But, if I had to guess, you would need to do the following high-level steps:
1. Exchange certificates (or somehow build a trust relationship) between the identity provider (Okta/ADFS) and Salesforce (both production & sandbox orgs). When doing so, specify the appropriate URL.
2. Take the Federation Id of a domain user from the identity provider (Okta/ADFS) and add it to the appropriate field in both orgs.
3. Generate an assertion request (SAML 2.0) for the respective application (Production/Sandbox).
4. Test the authentication by copying and pasting the SAML 2.0 assertion from the identity provider into Salesforce and use the "SAML Assertion Validator" mechanism to confirm successful login.

From an identity provider's perspective, it's as if you are setting up a 2nd application to authenticate to - it doesn't care if one is a production Salesforce and the other is a Sandbox or any other application (like Office 365 or a home-grown product).

If I go by my 10-minute glance at https://saml-doc.okta.com/SAML_Docs/How-to-Configure-SAML-2.0-in-Salesforce.html, all you need to do is make sure to specify the appropriate URLs in step #8 (general SAML configuration) and step #5 (SP-initiated login). The rest of the process remains the same.
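The two points this answer and the earlier one make (usernames differ per org because the sandbox name gets appended, while the Federation Id and the per-environment login URL are what the SAML flow actually keys on) are easy to get wrong in a mapping rule, so here is an added worked example. It is not code from the thread, Okta or Salesforce: it derives the per-org username and a stable Federation Id from one IdP identity, builds a constructed, unsigned minimal SAML Response for each environment, and checks that a response carries the expected Federation Id and was addressed to the login URL of the org it is being tested against. The sandbox name "devsb" and the e-mail addresses are assumptions. In a real deployment the signature on the assertion must be verified before any of these fields are trusted, and untrusted XML should be parsed with a hardened parser (for example defusedxml) rather than plain ElementTree.

```python
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
SAMLP_NS = "urn:oasis:names:tc:SAML:2.0:protocol"

# Login endpoints named in the thread. The sandbox name "devsb" is an assumption.
ENVIRONMENTS = {
    "production": {"login_url": "https://login.salesforce.com", "sandbox_name": None},
    "sandbox": {"login_url": "https://test.salesforce.com", "sandbox_name": "devsb"},
}


def salesforce_username(email: str, env: str) -> str:
    """Username Salesforce expects in each org: sandboxes get '.<sandboxName>' appended,
    which is why the username alone cannot be the attribute shared across both orgs."""
    suffix = ENVIRONMENTS[env]["sandbox_name"]
    return email if suffix is None else f"{email}.{suffix}"


def federation_id(email: str) -> str:
    """Federation Id is environment-independent: the same value is written into the
    Federation ID field of the user in both orgs. Normalising case avoids mismatches
    when the IdP and Salesforce disagree on capitalisation."""
    return email.strip().lower()


def build_response(fed_id: str, env: str) -> str:
    """Constructed minimal (unsigned) SAML Response, just enough for check_response().
    A real response also carries Issuer, Conditions/Audience, timestamps and a Signature."""
    login_url = ENVIRONMENTS[env]["login_url"]
    return f"""<samlp:Response xmlns:samlp="{SAMLP_NS}" xmlns:saml="{SAML_NS}"
    Destination="{login_url}" ID="_resp1" Version="2.0">
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:Subject><saml:NameID>{fed_id}</saml:NameID></saml:Subject>
  </saml:Assertion>
</samlp:Response>"""


def check_response(xml_text: str, env: str, expected_fed_id: str) -> list[str]:
    """Return the problems found (an empty list means the response fits this org):
    - Destination must be the login URL of the environment under test
      (a sandbox response posted to production, or vice versa, is rejected);
    - NameID must equal the Federation Id provisioned for the user."""
    problems = []
    root = ET.fromstring(xml_text)
    dest = root.get("Destination", "")
    if not dest.startswith(ENVIRONMENTS[env]["login_url"]):
        problems.append(f"Destination {dest!r} is not the {env} login URL")
    name_id = root.findtext(f".//{{{SAML_NS}}}NameID")
    if name_id != expected_fed_id:
        problems.append(f"NameID {name_id!r} does not match Federation Id {expected_fed_id!r}")
    return problems


if __name__ == "__main__":
    email = "abc@xyz.com"  # constructed sample user
    fid = federation_id(email)
    for env in ENVIRONMENTS:
        print(f"{env:10s} username={salesforce_username(email, env)}  federation_id={fid}")
        print("  same-env response:", check_response(build_response(fid, env), env, fid) or "OK")
    # A sandbox response presented to production fails on Destination, not on identity.
    print("sandbox -> production:", check_response(build_response(fid, "sandbox"), "production", fid))
```

Running it shows the username differing between the orgs while the Federation Id stays identical, and a sandbox-addressed response being rejected by the production check purely on its Destination, which is the behaviour the "use the appropriate URL" advice above is about.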

Author

Commented:
I have it working with email. But I guess it’s best to change the login, if possible, to a different attribute? Could I use just username or employee number to map to the user's Okta login?
