Overview
This document walks through setting up Single Sign-On (SSO) between Eloqua and Salesforce, using Salesforce as the Identity Provider. It will cover setting up the SSO for the Eloqua platform and SSO for Eloqua Profiler and/or Eloqua Engage embedded with Salesforce. The difference between this type of SSO and Salesforce SSO (IDP and User Provisioning) - Configuration Guide is the referenced type of SSO includes the automatic provisioning of users in Eloqua from Salesforce. If you are new to SSO, it is recommended to follow the guide below and continue creating users as you have been to date.
SSO Setup
In Salesforce:
1. {your name} > Setup
2. Administration Setup > Security Controls > Identity Provider
3. Identity Provider Setup > Download Metadata (NOTE: You must have configured a Salesforce sub domain for your organization before using Salesforce as an Identity Provider.)
Save the metadata file to disk.
In Eloqua:
4. Navigate to Eloqua User Management:
- E9: Setup > Management > User Management
- E10: Setup > Users
5. Single Sign-On > Identity Provider Settings
6. Identity Providers > Upload Identity Provider From Metadata
Enter a name for the identity provider, select the metadata file downloaded from Salesforce.com, and click Save.
SSO is now configured to take the Salesforce.com user’s username and map it to an Eloqua user’s username. However, Salesforce.com usernames must be in the form of an email address, while Eloqua usernames must not contain special characters including the ‘@’ character. In order for SSO to work, we must configure it to take the Salesforce.com user’s email address and map it to an Eloqua user’s email address.
7. Click to edit the Identity Provider you just saved above.
A) Select The user identity is located in an assertion attribute value.
B) Enter “email” in the field The name of the attribute that contains the user identity.
C) For the User Identity Mapping, select Assertion contains the Email Address from the User object.
Click Save.
8. Still in the User Management area, navigate to Single Sign-On > Certificate Setup
A certificate was automatically created from the metadata upload performed in step 6. Click on that service provider certificate.
Click to download the certificate and save to disk.
In Salesforce:
9. {your name} > Setup
10. Administration Setup > Security Controls > Identity Provider > Click to create a new Service Provider
11. Under Service Provider Edit:
A) Enter a name for the service provider.
B) Enter the ACS URL from step 6 (Identity Provider Details in Eloqua) in the field ACS URL.
C) Enter the Service Provider Entity from step 6 in the field Entity Id. Make sure you don’t accidentally enter the Identity Provider Entity.
D) Select Service Provider Certificate and browse to the certificate file you downloaded from Eloqua in step 8.
Click Save.
12. Select which profiles will have access to the service provider (it is easiest to just select all), and click Save.
Users can now log in to the Eloqua platform using their Salesforce credentials. If they are already logged in to Salesforce, it will be seamless. To test, follow the instructions below.
13. Navigate to Login.eloqua.com and click Sign In Using Another Account.
14. Enter your Company name and click Sign In Using Another Account.
15. If you are already authenticated with Salesforce, you will be logged in to Eloqua. If not, you will be redirected to enter your Salesforce user credentials. Once you click Submit, you will be logged in to Eloqua.
Eloqua Profiler with SSO
This section will walk through modifying Eloqua Profiler so it is seamlessly available to Sales users inside Salesforce.com. If you have not yet set up Eloqua Profiler inside Salesforce, visit the Eloqua Engage Resource Center.
In Salesforce
To modify Eloqua Profiler to work with the SSO, follow the steps below.
16. {your name} > Setup
17. Administration Setup > Develop > Pages > Click to edit the page setup for Eloqua Profiler on the Lead object
18. In the Apex code interface, you should see the following code:
<apex:page standardController="Lead">
<apex:iframe src="https://secure.eloqua.com/pp/pp.aspx?emailAddress={!lead.email}"/>
</apex:page>
Replace the URL highlighted in black above, with the following URL:
19. Replace the XXXX in the URL with the prefix of your Eloqua instance. If you do not know what your prefix is, contact Eloqua Support.
20. Replace the YYYY in the URL with the IDP unique ID.
A) To find this ID in Eloqua, navigate back to the Identity Management Provider interface. Right-click on the name of the Identity Provider you set up for Salesforce and click Open Link in New Tab.
B) On the new browser tab, look at the URL and copy the ID after "....Display/". This is the ID to paste into the YYYY of the URL.
21. Repeat steps 18-20 but for the Salesforce page setup with Eloqua Profiler on the Contact object. Instead use the following URL. Note that the URL is the same; we are simply referring to the Salesforce email field on the Contact instead of the Lead.
https://login.eloqua.com/auth/saml2/autologin?LoginPrefix=XXXX&Idp=YYYY&ReturnUrl=apps%2Fprofiler%3FemailAddress%3D{!contact.email}
Eloqua Profiler will now seamlessly appear for any user accessing a Salesforce Lead or Contact.
Eloqua Engage with SSO
This section will walk through modifying Eloqua Engage so it is seamlessly available to Sales users inside Salesforce.com. If you have not yet set up Eloqua Engage inside Salesforce, visit theEloqua Engage Resource Center. There are two ways Engage can be deployed within Salesforce: one, as a top navigational tab; and two, as buttons on the Lead and Contact Page layouts. Most customers will use both, so ensure you follow all the instructions below.
Modify Eloqua Engage Tab
1. {Your name} > Setup
2. Administration Setup > Create > Tabs > Click edit next to the Eloqua Engage tab setup for your Salesforce.
3. Click through the Tab settings until you are on Step 3, where you enter the URL for the button. Here you should see the URL for Engage. Replace the existing URL with the following URL:
https://login.eloqua.com/auth/saml2/autologin?LoginPrefix=XXXX&Idp=YYYY&ReturnUrl=apps%2Fengage
4. Replace the XXXX and YYYY in the URL with the same LoginPrefix and Idp values you used when setting up Profiler in the previous section.
5. Save your changes and refresh the browser. You should now be able to click on the Eloqua Engage tab and be logged in seamlessly to Eloqua Engage. Ensure you are logged in to Salesforce from your dedicated Salesforce domain and not the standard login.salesforce.com.
Modify Eloqua Engage Buttons on Salesforce Lead and Contact Page layouts
There can be multiple Eloqua Engage buttons on the Lead/Contact page layout within Salesforce. The following steps will walk through modifying the two most common buttons.
1. {Your name} > Setup
2. Administration Setup > Customize > Leads > Buttons, Links, and Actions
3. Find one of the buttons you created for Eloqua Engage and click to edit.
4. Replace the existing URL with the following:
https://login.eloqua.com/auth/saml2/autologin?LoginPrefix=XXXX&Idp=XXXX&ReturnUrl=ZZZZ5. Replace the XXXX and YYYY in the URL with the same LoginPrefix and Idp values you used when setting up Profiler in the previous section.
6. As mentioned you most likely have multiple Eloqua Engage buttons on the Lead/Contact objects. Each button will have a different value for "ZZZZ" in the Step 4 URL. Below are the values to enter for ZZZZ for each button on the Lead/Contact objects.
LEAD OBJECT
Send Blank Email To Contacts: apps%2Fengage%23SendBlankEmailToContacts%2F{!lead.email}
Send Template Email To Contacts: apps%2Fengage%23SendBlankEmailToContacts%2F{!lead.email}
CONTACT OBJECT
Send Blank Email To Contacts: apps%2Fengage%23sendTemplateEmailToContacts%2F{!contact.email}
Send Template Email To Contacts: apps%2Fengage%23sendTemplateEmailToContacts%2F{!contact.email}
NOTE: If you are using a custom button that performs another action other than the ones specified above, you need to make sure the ReturnURL specified is URL encoded.
7. Save all the changes to your buttons and test by loading a Lead/Contact. On a Lead/Contact record, clicking these Eloqua Engage buttons should give access to Eloqua Engage seamlessly. Ensure you are logged into Salesforce from your dedicated Salesforce domain and not the standard login.salesforce.com.