Wednesday, May 6, 2020

Integration between Salesforce and Quip Where Salesforce Works as Identity Provider (SP-Initiated SAML)


Thought Process behind this implementation


Two days ago I got a requirement to integrate Salesforce and Quip, where Salesforce acts as the Identity Provider (IdP) and Quip acts as the Service Provider (SP).
To achieve this I used a self-signed certificate to sign the SAML assertions that Salesforce issues, and single sign-on is done with Security Assertion Markup Language (SAML 2.0).


Use Case


Once Quip has been set up and connected to Salesforce, users can see all the documents they have created in Quip on the Account layout (Account is used as the example here; the Quip component can be added to other layouts as well).
The problem is that when a user working in Salesforce opens one of those documents in Quip by clicking it, they have to log in to Quip with their credentials every time. Users do not want to log in every time; it is slow and monotonous. So we need an integration between the two systems that lets the Salesforce session sign the user in to Quip.

How the architecture works behind the scenes

  • The user tries to access a service provider (here Quip) that is already defined in Salesforce as a connected app. In the SP-initiated flow of the title, Quip first redirects the browser to Salesforce with a SAML AuthnRequest; in the IdP-initiated flow the user starts from the connected app's Start URL inside Salesforce.
  • Salesforce authenticates the user (if there is no active session yet) and sends a SAML response, signed with the identity provider certificate, through the user's browser to the service provider's Assertion Consumer Service (ACS) URL.
  • The service provider verifies the signature on the response using the certificate it received in the Salesforce IdP metadata, checks that the response is addressed to it (Destination, Audience, validity window), and identifies the user from the NameID in the assertion.
  • If the signature is valid and the NameID matches a Quip user (the email address here), the user is logged in to the service provider.
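The third and fourth bullets are where SP-side mistakes usually happen, so here is an added example (not code from the original post, nor from Quip or Salesforce) of the checks a service provider applies to a SAML Response arriving at its ACS URL. It assumes the XML signature has already been verified against the IdP certificate by an XML-DSig library (for example xmlsec via python3-saml); that step is out of scope here and must never be skipped. The entity IDs, URLs, timestamps and the sample Response are constructed placeholders.

```python
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
BEARER = "urn:oasis:names:tc:SAML:2.0:cm:bearer"
CLOCK_SKEW = timedelta(minutes=3)
# Placeholder identifiers (assumed, not Quip's or any real org's); a real SP takes them from
# its own configuration and from the IdP metadata it was given.
IDP_ENTITY_ID = "https://acme.my.salesforce.com"
SP_ENTITY_ID = "https://sp.example.com/saml/metadata"
ACS_URL = "https://sp.example.com/saml/acs"
NOW_VALID = datetime(2020, 5, 6, 10, 16, 0, tzinfo=timezone.utc)    # inside the sample's window
NOW_EXPIRED = datetime(2020, 5, 6, 10, 30, 0, tzinfo=timezone.utc)  # after its NotOnOrAfter

# Constructed, unsigned sample of an IdP-initiated Response (hence no InResponseTo).
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0"
  IssueInstant="2020-05-06T10:15:30Z" Destination="https://sp.example.com/saml/acs">
  <saml:Issuer>https://acme.my.salesforce.com</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2020-05-06T10:15:30Z">
    <saml:Issuer>https://acme.my.salesforce.com</saml:Issuer>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">alice@example.com</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData Recipient="https://sp.example.com/saml/acs" NotOnOrAfter="2020-05-06T10:20:30Z"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions NotBefore="2020-05-06T10:15:00Z" NotOnOrAfter="2020-05-06T10:20:00Z">
      <saml:AudienceRestriction><saml:Audience>https://sp.example.com/saml/metadata</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""

class SAMLError(Exception):
    pass

def _ts(value):
    # SAML timestamps are UTC; Salesforce emits them with or without fractional seconds.
    fmt = "%Y-%m-%dT%H:%M:%S.%fZ" if "." in value else "%Y-%m-%dT%H:%M:%SZ"
    return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)

def _check_window(not_before, not_on_or_after, now):
    if not_before and _ts(not_before) > now + CLOCK_SKEW:
        raise SAMLError("not yet valid")
    if not_on_or_after and _ts(not_on_or_after) <= now - CLOCK_SKEW:
        raise SAMLError("expired")

def validate_response(xml_text, signature_verified, now=None, expected_request_id=None,
                      acs_url=ACS_URL, sp_entity_id=SP_ENTITY_ID, idp_entity_id=IDP_ENTITY_ID):
    """Return the NameID and its Format once every check passes; raise SAMLError otherwise."""
    if not signature_verified:  # the XML-DSig check happens before this function is called
        raise SAMLError("refusing to process an unverified Response")
    now = now or datetime.now(timezone.utc)
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{NS['samlp']}}}Response":
        raise SAMLError("not a samlp:Response")
    if root.get("Destination") != acs_url:  # a Response minted for another ACS is useless here
        raise SAMLError("Destination mismatch")
    status = root.find("samlp:Status/samlp:StatusCode", NS)
    if status is None or status.get("Value") != SUCCESS:
        raise SAMLError("status is not Success")
    # SP-initiated: InResponseTo must echo the AuthnRequest ID we issued. IdP-initiated: it must be absent.
    if root.get("InResponseTo") != expected_request_id:
        raise SAMLError("InResponseTo mismatch")
    assertions = root.findall("saml:Assertion", NS)
    if len(assertions) != 1:  # rejects both "no plaintext Assertion" and assertion smuggling
        raise SAMLError(f"expected exactly one Assertion, got {len(assertions)}")
    assertion = assertions[0]
    for issuer in (root.findtext("saml:Issuer", "", NS), assertion.findtext("saml:Issuer", "", NS)):
        if issuer.strip() != idp_entity_id:
            raise SAMLError("unexpected Issuer")
    conditions = assertion.find("saml:Conditions", NS)
    if conditions is None:
        raise SAMLError("missing Conditions")
    _check_window(conditions.get("NotBefore"), conditions.get("NotOnOrAfter"), now)
    audiences = [a.text.strip() for a in conditions.findall("saml:AudienceRestriction/saml:Audience", NS) if a.text]
    if sp_entity_id not in audiences:
        raise SAMLError("this SP is not in the Audience")
    subject = assertion.find("saml:Subject", NS)
    name_id = subject.find("saml:NameID", NS) if subject is not None else None
    if name_id is None or not (name_id.text or "").strip():
        raise SAMLError("missing NameID")
    # At least one bearer SubjectConfirmation must be addressed to this ACS and still be valid.
    for sc in subject.findall("saml:SubjectConfirmation", NS):
        data = sc.find("saml:SubjectConfirmationData", NS)
        if (sc.get("Method") == BEARER and data is not None and data.get("Recipient") == acs_url
                and data.get("InResponseTo") == expected_request_id):
            _check_window(None, data.get("NotOnOrAfter"), now)
            break
    else:
        raise SAMLError("no bearer SubjectConfirmation addressed to this ACS")
    return {"name_id": name_id.text.strip(), "format": name_id.get("Format")}
```

The returned NameID is the value the SP then maps to a local account, which is why prerequisite 5 below (Salesforce username or Federation ID matching the Quip email) matters: if the two do not agree, every check above passes and the login still fails.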




Things that need to be checked before starting development

  1. You need to be a Salesforce Admin for your instance.
  2. You need to have a Quip for Salesforce license or be on a Quip for Salesforce Trial.
  3. You need to be a Quip Admin if your Quip Site already exists.
  4. Configure a domain using My Domain and deploy it to all users. For instructions, see Set up a My Domain Name.
  5. Your Salesforce email/username/Federation ID must match the email you use within Quip.
  6. Double-check that the Quip permission sets grant Single Sign-On access to all the necessary users. These are found in Salesforce under the Quip Permission Sets.

Process to Implement:

Download the Quip Metadata File

  1. Open the Quip Admin Console and go to the "Accounts and Access" tab.
  2. Click "For entity ID and destination URL, download Quip's metadata" to download the Quip metadata file. It will look like below:
From metadata.xml we need the Entity ID and the ACS Location URL to configure the Connected App in Salesforce; that is covered in the Salesforce configuration section below.

Once the above steps are completed, you can continue with configuring Salesforce as an Identity Provider.
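Reading the Entity ID and ACS Location out of metadata.xml by hand is easy to get wrong (a trailing slash or the wrong AssertionConsumerService entry will break SSO), so here is an added example, not from the original post or from Quip, that pulls exactly the fields the connected-app form in the Salesforce section asks for and refuses metadata that is not service-provider metadata or whose ACS is not an https HTTP-POST endpoint. The sample metadata, its entityID and URLs are constructed placeholders, not Quip's real values.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
NS = {"md": MD}
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed stand-in for the downloaded metadata.xml; the entityID and URLs are
# placeholders, not Quip's real values. Two ACS endpoints show the isDefault selection.
SAMPLE_SP_METADATA = """<?xml version="1.0" encoding="UTF-8"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://sp.example.com/saml/metadata">
  <md:SPSSODescriptor WantAssertionsSigned="true"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</md:NameIDFormat>
    <md:AssertionConsumerService index="1"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"
        Location="https://sp.example.com/saml/acs-artifact"/>
    <md:AssertionConsumerService index="0" isDefault="true"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://sp.example.com/saml/acs"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
"""
# The same file with a plain-http default ACS, to exercise the check that rejects it.
INSECURE_SP_METADATA = SAMPLE_SP_METADATA.replace(
    'Location="https://sp.example.com/saml/acs"', 'Location="http://sp.example.com/saml/acs"')


def parse_sp_metadata(xml_text):
    """Return the values the Salesforce connected-app form asks for, or raise ValueError."""
    # metadata.xml is an admin download; XML from an untrusted source should go through defusedxml.
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{MD}}}EntityDescriptor":
        raise ValueError("not a SAML EntityDescriptor")
    entity_id = root.get("entityID")
    if not entity_id:
        raise ValueError("entityID missing")
    sp = root.find("md:SPSSODescriptor", NS)
    if sp is None:
        raise ValueError("no SPSSODescriptor: this is not service-provider metadata")
    acs_list = sp.findall("md:AssertionConsumerService", NS)
    if not acs_list:
        raise ValueError("no AssertionConsumerService endpoint")
    # Prefer the endpoint marked isDefault, else the lowest index. Salesforce delivers the
    # Response with HTTP-POST, so the chosen endpoint must use that binding.
    acs = next((a for a in acs_list if a.get("isDefault") == "true"),
               min(acs_list, key=lambda a: int(a.get("index", "0"))))
    if acs.get("Binding") != HTTP_POST:
        raise ValueError(f"default ACS binding is {acs.get('Binding')}, need HTTP-POST")
    location = acs.get("Location", "")
    if urlparse(location).scheme != "https":
        raise ValueError("ACS URL must be https: the signed Response carrying the user's identity is POSTed to it")
    return {
        "entity_id": entity_id,
        "acs_url": location,
        "start_url": location,  # the post uses the same Location for the Start URL field
        "name_id_format": (sp.findtext("md:NameIDFormat", "", NS) or "").strip() or None,
        "want_assertions_signed": sp.get("WantAssertionsSigned", "false").lower() == "true",
    }
```

Copy the returned values into the connected app exactly as they appear: the SP compares the Response's Destination against its ACS URL as a string, so a different scheme, host case or trailing slash is a mismatch.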


Configuration needs to be done in Salesforce:


  1. Click the gear icon in your Salesforce instance and select "Setup". Search for Certificate and Key Management and click "Create Self-Signed Certificate".




[Note: By default, a Salesforce identity provider uses a self-signed certificate generated with the SHA-256 signature algorithm. A self-signed certificate is sufficient here because Quip trusts the exact certificate contained in the Salesforce IdP metadata you upload later, not a CA chain; if your policy requires a CA-signed certificate, that can be used instead. For this POC a self-signed certificate is used. Note the expiry date shown on the certificate: when it is replaced, the Quip SAML configuration must be updated with the new Salesforce metadata, otherwise SSO stops working.]
  • Label: any name (here "QuipTest")
  • Key Size: keep the default of 2048
  • Keep all the other attributes as they are.

Click “Save”.



  2. Once you save it, it will look like below:






  3. On the left-hand side of the screen, in the Quick Find search bar, enter Identity Provider, select Identity Provider, and click Enable Identity Provider.

  4. Select the certificate you just created (in our case QuipTest) and click Save.

  5. Once you click Save, you will see at the bottom of the page "Use Connected Apps to create a Service Provider".



[Note: As a reminder, the Identity Provider (Salesforce) is what the Service Provider (Quip, or any other connected app) authenticates against when users log in.]

  6. Within the Service Provider (connected app) configuration, enter the following:

  • Name: name your Service Provider (e.g. Quipconnect)
  • Contact Email: your contact email
  • Tick the "Enable SAML" checkbox to reveal the parameters below:
  • Entity ID: the entityID from the Quip metadata file (see Download the Quip Metadata File)
  • Start URL: the Location URL from the Quip metadata file (see Download the Quip Metadata File)
  • ACS URL: the Location URL from the Quip metadata file, copied exactly as it appears (see Download the Quip Metadata File)
  • Subject Type: the attribute that is unique in your Salesforce org and matches the user's Quip email (see prerequisite 5 above); it becomes the NameID Quip uses to find the account
  • Name ID Format: urn:oasis:names:tc:SAML:2.0:nameid-format:persistent
  • IdP Certificate: the self-signed certificate you created (in our case "QuipTest")
Keep all the other fields as they are and save.








  7. Make sure your users have been given access to the connected app correctly. Go to the newly created Quip Service Provider (connected app) and assign the profiles or permission sets of the users that exist in both Salesforce and your Quip site.

  8. After the Service Provider section is completed, download the Salesforce IdP metadata from the Identity Provider page; Quip needs it in the next steps.


  9. Then go to the Profile of the user performing the configuration in Salesforce and grant access to the newly created connected app.


  10. Open the Quip Admin Console and go to the "Accounts and Access" tab.

  11. Create a new SAML configuration by naming it and uploading the Salesforce metadata (just downloaded from the Identity Provider page) in the "Upload File" section.

  12. After uploading the correct file you will see a success message:

  13. Enter the email you use to log in to the Quip Admin portal as the initial "Test Email".




  14. You should then see a pop-up window for Salesforce; log in with your Salesforce credentials to complete the authentication.



  15. You will then be prompted to "Configure for Test Users" or "Configure for Entire Company". Test first: pick any users in your Quip site that have Salesforce credentials set up, then click "Enable". Enabling for a subset keeps a misconfiguration (for example a NameID that does not match the Quip email) from locking the entire company out of Quip.




  16. You should then see that the configuration is set to "Enabled" for SAML. You can always open the configuration and "Disable" it to turn SSO off, or switch between "Enable for entire company" and "Enable for Select Users".


[Note: If you want to exempt certain users of your site from SAML, add their domain to the "Exempted Domain" option in the configuration. Enter the domain in the form website.com; do not include the "@" symbol or "www".]

Your setup is ready to use.
