Last updated on February 15, 2024
Overview
The purpose of this document is to introduce Rublon Authentication (Rublon Access Gateway) into the Salesforce authentication process and enable Two-Factor Authentication for Salesforce users. To achieve this, you need to create a Rublon Access Gateway application, register a domain, configure Single Sign-On, and enable SAML authentication in Salesforce. All required steps are described in this document.
Supported Authentication Methods
Installation
Download the Rublon Access Gateway metadata
- Sign in to your Rublon Access Gateway instance using the administrator password.
- Open the Applications tab.
- Click the Download XML metadata button at the bottom of the page to get your metadata.
- You can also download the certificate which Rublon Access Gateway will use to sign and encrypt SAML messages.
- If your application does not support XML importing, you can also manually copy the metadata values.
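An added example, not part of Rublon's documentation: a Python check to run on the downloaded metadata before importing it or copying values by hand. It extracts the entity ID, the HTTP POST sign-on and logout URLs, and the SHA-256 fingerprint of the signing certificate, which you can compare with the certificate downloaded separately. The function name, the result keys and the sample hosts are assumptions.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
BINDINGS = "urn:oasis:names:tc:SAML:2.0:bindings:"
HTTP_POST = BINDINGS + "HTTP-POST"

# Constructed sample: host names, entity ID and certificate bytes are placeholders.
SAMPLE_CERT = b"constructed placeholder bytes, not a real certificate"
SAMPLE_METADATA = f"""<md:EntityDescriptor xmlns:md="{NS['md']}"
    xmlns:ds="{NS['ds']}" entityID="https://rag.example.test/idp/metadata">
 <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
  <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data><ds:X509Certificate>
   {base64.b64encode(SAMPLE_CERT).decode()}
  </ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
  <md:SingleLogoutService Binding="{HTTP_POST}" Location="https://rag.example.test/idp/slo"/>
  <md:SingleSignOnService Binding="{BINDINGS}HTTP-Redirect" Location="https://rag.example.test/idp/sso-redirect"/>
  <md:SingleSignOnService Binding="{HTTP_POST}" Location="https://rag.example.test/idp/sso"/>
 </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

def salesforce_sso_values(metadata_xml):
    """Return the values to enter in Salesforce, or raise ValueError."""
    if "<!DOCTYPE" in metadata_xml:  # metadata has no need for a DTD; refuse it
        raise ValueError("metadata must not contain a DOCTYPE")
    root = ET.fromstring(metadata_xml)
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("no IDPSSODescriptor: not identity provider metadata")
    def post_location(tag):  # endpoint that uses the HTTP POST binding
        for el in idp.findall(f"md:{tag}", NS):
            if el.get("Binding") == HTTP_POST:
                return el.get("Location")
        raise ValueError(f"{tag} has no HTTP POST endpoint")
    out = {"issuer": root.get("entityID"),
           "login_url": post_location("SingleSignOnService"),
           "logout_url": post_location("SingleLogoutService")}
    for name in ("login_url", "logout_url"):
        if not (out[name] or "").startswith("https://"):
            raise ValueError(f"{name} is not an HTTPS URL")
    # A KeyDescriptor without a use attribute serves signing and encryption.
    certs = [kd.findtext(".//ds:X509Certificate", default="", namespaces=NS)
             for kd in idp.findall("md:KeyDescriptor", NS) if kd.get("use") in (None, "signing")]
    if not certs or not certs[0].strip():
        raise ValueError("no signing certificate in metadata")
    out["cert_sha256"] = hashlib.sha256(base64.b64decode("".join(certs[0].split()))).hexdigest()
    return out
```

The `logout_url` value is the one that goes into Identity Provider Single Logout URL when you copy the settings manually.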
Salesforce Configuration
- Sign in to Salesforce as an administrator.
- Select the cog icon in the top right corner. Select Setup from the menu.
Domain registration
You have to configure your Salesforce domain first if you want to use Single Sign-On with Rublon Access Gateway.
If you have not configured a domain yet, please do it by using the Register domain button.
- In the Settings area toggle the Company Settings section, and select My Domain.
After the domain registration is finished, you will receive a confirmation e-mail and you will have to log in again using the registered domain. After a successful login, open the My domain page again, and click the Deploy to Users button.
Enable SAML
- To enable SAML in Salesforce, open Single Sign-On Settings and:
- Select the Edit button,
- Check SAML Enabled,
- Save the changes.
Set up the Rublon Access Gateway integration
Salesforce has an in-built module which handles Single Sign-On using the SAML standard. You can use this feature to integrate your Salesforce instance with Rublon Access Gateway.
- Under the Settings section toggle Identity, and select Single Sign-On Settings.
- Click the New from Metadata File button. Select the XML file with Rublon Access Gateway metadata. Click the Create button.
- You will see a form with Rublon Access Gateway data.
- Change Name and API Name to Rublon.
- Set Service Provider Initiated Request Binding to the preferred value: HTTP POST.
- You can also change Entity ID to the name which will uniquely identify your Salesforce application. This name will be visible in Rublon Access Gateway.
- Copy the Logout URL from the Rublon Access Gateway metadata page to Identity Provider Single Logout URL.
- This feature automatically logs the user out of all applications integrated with Rublon Access Gateway.
- Set Single Logout Request Binding to HTTP POST.
- Save the settings. In case of any errors, please resolve them using the Rublon Access Gateway metadata.
Enable SAML authentication
- Open the My domain page in the Company Settings menu.
- Select the Edit button in the Authentication Configuration section.
- The Rublon option in the Authentication Service area is inactive by default. Activate and Save it to enable the use of Rublon Access Gateway on the Salesforce login page.
- If you leave Login Form unchecked, you won’t be able to log in if something goes wrong. Make sure everything works before you decide to disable this method!
SAML security (optional – recommended)
For better security, you can generate a new CA-signed certificate or use an existing one to sign SAML messages and, optionally, encrypt them.
- Open the Certificate and Key Management page in the Security area of the Settings menu.
- A ready-made self-signed certificate is available, but it’s highly recommended that you create a new one (the best option is a CA-Signed certificate), or import an existing and trusted one.
- If you changed the certificate to be used in Rublon Access Gateway SAML communication, you have to update the SAML Single Sign-On settings: select the new certificate from the Request Signing Certificate list.
To strengthen the security of the SAML communication, you can enable Assertion Decryption Certificate on the Rublon Single Sign-On Settings page. Select the best available certificate for encryption. It can be different from the certificate you have used in Request Signing Certificate.
Add an application to Rublon Access Gateway
- Open the Single Sign-On Settings page.
- Select the Rublon name to open the settings overview page.
- Select the Download Metadata button. An XML file will be downloaded.
- Sign in to your Rublon Access Gateway instance, open the Applications perspective and select the Import application metadata tab.
- Enter the name of your Salesforce instance, select the downloaded XML file and click Upload.
- Your entry will appear on the applications list.
Validate the integration with Salesforce
- Go to your Salesforce domain login website, e.g. my_domain.salesforce.com
- You can either log in to Salesforce using your email address and password, or choose to log in using Rublon.
Provide your login and password
Please fill in with your organization’s account credentials (Active Directory, LDAP).
Choose one of the available authentication methods to complete Rublon second factor authentication
Get access to Salesforce account
Troubleshooting
If you encounter any issues with your Rublon integration, please contact Rublon Support.