Salesforce SSO (IDP and User Provisioning) - Configuration Guide

Overview

This document provides a step-by-step walk through for configuring Salesforce.com as the Identity Provider for Eloqua. Configuration is required for both Eloqua and Salesforce, which can only be done using Administrator level access to both systems.

Deployment Wizard

Login to Eloqua as an Administrator and navigate to Setup> Management> User Management (for Eloqua 9) and Setup> Users for Eloqua 10. Click on the Single Sign-On drop down and select Salesforce.com Identity Provider Settings. This will start the four-step configuration wizard for deploying Salesforce as the Identity Provider for your instance of Eloqua.

1.     Salesforce Domain: 

Login to Salesforce.com and navigate to Administration Setup> Security Controls> Identity Provider. Click Configure a Domain Name and complete the process for creating a Salesforce.com domain for your organization (this is a one-time process and will not be required if you have already configured the Domain Name). It is important to educate your Salesforce users to start using this new Salesforce login URL specific to your organization to take advantage of the SSO capabilities.

2.    Create a SAML-enabled Web App in Salesforce

1. In Eloqua, from the Service Provider tab, follow the instructions to download the Eloqua certificate using the link provided in the step.
2. In Salesforce, navigate to App Setup> Create> Apps.
3. Scroll to the bottom of the Salesforce window and in the Connected Apps section, click New.
4. Scroll to the App Settings section and select Enable SAML.
5. The information required to fill out the fields for the new app are provided in Step 2 of the deployment wizard in Eloqua.
   
   
6. Also in the App Settings section in Salesforce, check the Service Provider Certificate box and upload the Eloqua certificate downloaded from Step 2 of the wizard by clicking Browse and navigating to the location where your certificate was saved.
7. Click Save.
   
   

3.     Associate a Profile with your App

1. In Salesforce, navigate to Administration Setup> Manage Apps> Connected Apps.
2. Select the app that you created in section 2 above.
3. In the Profiles section, select Manage Profiles.
4. Select the appropriate profile(s) for the user(s) who should have access to this application.
5. Click Save.
   
   

4.     Metadata:

1. In Salesforce, navigate to Administration Setup> Security Controls> Identity Provider.
2. Navigate to Identity Provider Setup> Download Metadata and save to a location of your choosing.
   
3. Switch back to Eloqua and in Step 3 of the Deployment Wizard upload the Metadata file from Salesforce by selecting the XML file you downloaded in step b) and clicking Upload.
4. Click Next Step in the lower-right corner of the window.
   
   

5.     User Mapping:

1. Select which Salesforce user Eloqua will use to authenticate with Salesforce. This is typically the same user configured for your standard Eloqua-Salesforce Integration. It is important that this user has access to the User Entity and Profile Entity in Salesforce.
2. Click the Test button to verify that this user can authenticate with Salesforce, access the User entity and access the Profile entity.
   
3. Click Save once all three validations are successful.
   
4. Check Enable Single Sign on using Salesforce.
   
5. Under Eloqua Security Mapping, specify a Salesforce User Profile and check the box to grant users with that Salesforce User Profile access to Eloqua.
   
6. In order to specify what level of access a Salesforce user has in Eloqua, you must map Salesforce User Profiles to a corresponding Eloqua Security Group.  Under Eloqua Security Groups, select the Eloqua Security Group(s) the corresponding Salesforce User Profile will have access to. Click Add.  One Salesforce User Profile can be granted access to many Eloqua Security Groups. In the example below, Users with the Salesforce Profile selected above (Authenticated Website) will be assigned to both the Customer Administrator and Active Users – Sales security groups.
   
7. Click Save.
   
   

6.  Test Single Sign-on Configuration

• Navigate to the URL for the login page that corresponds to your instance of Eloqua.  The URLs are: secure.eloqua.com, www02.secure.eloqua.com and secure.p03.eloqua.com for Instance (POD) 1, 2 and 3, respectively.
• Enter your company name.
  
• Click Sign in using Another Account.
• If you are already authenticated with Salesforce, you will be logged in to Eloqua.  If not, you will be redirected to enter your Salesforce user credentials.  Once you click Log in to Salesforce, you will be logged in to Eloqua.
• To verify that a user was created in Eloqua for this account, navigate to Seutp> Management> User Management (in Eloqua 9) or Setup> Users (in Eloqua 10) and search for the user using the Email address registered with Salesforce.

Mapping Existing Eloqua Users to Salesforce Users

This section explains how to map existing Eloqua users to their corresponding Salesforce User in order for them to be managed by Salesforce.

Single User

1. Login to Eloqua and navigate to the User Management area (in Eloqua 9, Setup> Management> User Management; in Eloqua 10, Setup> Users).
2. Select the specific user you wish to map and scroll down to the Salesforce Details section.
   

  3. Enter in the 18 digit Salesforce User ID for this user and click Link To Salesforce.

Bulk Users

1. Login to Eloqua and navigate to the User Management area (in Eloqua 9, Setup> Management> User Management; in Eloqua 10, Setup> Users).
2. Export a list of all Eloqua users by clicking Users> Download Users> Export> Export to CSV or Export to Excel.
3. Open the file on your computer and find the CRMUsername Column.
4. Populate this column with the 18 digit Salesforce user IDs for each user.
5. Save your changes and update the users in Eloqua by navigating to User Management> Users> Upload Users and completing the wizard.
6. To complete the mapping, you must contact the Eloqua Product Support in order to bulk link the Eloqua users to their corresponding Salesforce users.

Frequently Asked Questions

How frequently will field changes to the Salesforce User update in Eloqua?

User fields are updated every time the user accesses Eloqua. This includes a user in Salesforce rendering Eloqua Profiler.

What happens if users don’t login to Salesforce using the new Salesforce domain I configured?
Full access to Salesforce and SSO access to the application will still work.

What happens when a user is deactivated or deleted in Salesforce?
When a user's identity is managed by Salesforce, access to Eloqua is completely dependant on the user having access to Salesforce. If the user's access to Salesforce is disabled, they will no longer have access to Eloqua.

Can I have a hybrid of some users logging in with an Eloqua user name and password and some users managed by Salesforce as the Identity Provider?
Yes. For example, you may have partners that do not have access to your Salesforce instance but need access to Eloqua. Once you configure Salesforce as the Identity Provider, you can still continue to create regular Eloqua users that login with an Eloqua username and password.

What authenticaton method is Eloqua using to allow Salesforce to be the Identity Provider for Eloqua?

Eloqua uses industry standard SAML token authentication in order to allow users to access Eloqua using their Salesforce credentials.

Why don’t I see all Salesforce users in Eloqua?
Users will be created in Eloqua, linked to their Salesforce user the first time they access Eloqua. The mapping between Salesforce User Profiles and Eloqua Security Groups allows for the user to automatically be created in Eloqua and assigned the correct security permissions. If a user never accesses Eloqua from Salesforce (includes loading Eloqua Profiler) then they will never appear as a user in Eloqua.

Is there a limit on the number of users configured using Salesforce as the Identity Provider?
There is no hard limit as to how many users can be configured. If the number of configured users exceeds the number you have purchased, your Account Manager will contact you. Total users includes both Sales and Marketing users.