Patron Manager - End User Guide

Patron Manager – Admin Guide

Login URLs

Production SSO URL: https://caclive.my.salesforce.com

Production Bypass SSO Login: https://caclive.my.salesforce.com/?login

Sandbox SSO URL: https://caclive--ssotest.my.salesforce.com

Sandbox Bypass SSO Login: https://caclive--ssotest.my.salesforce.com/?login

User Administration handled by 

CAC Senior Accountant/CAC Financial Specialist - Kristen Walker

Add users to the system

  • Search Active Directory for groups “Access-App_PatronManager”
  • The PatronManager/Salesforce Profile is assigned by these groups.
  • Add users to an appropriate group.
  • Users should only be in one group. If they are in multiple groups, then the least privileged group will apply.
  • When the user accesses the system by the SSO URL above, Salesforce will automatically create a user with the following attributes.
    • First Name
    • Last Name
    • Alias
    • Email
    • UserName
    • Community Nickname
    • Title
    • Department
    • Profile
    • Email Encoding
    • Street
    • Federation ID

 

Remove users from system

  • Search Active Directory for groups “Access-App_PatronManager”
  • The PatronManager/Salesforce Profile is assigned by these groups.
  • Remove users from group.
  • Log in to PatronManager as a System Administrator
  • Perform PatronManager procedure for removing user – (migrating reports to other users)
  • Click on the gear in the upper right and select Setup

                Gear > Setup Menu

 

  • In the left column, type “Users” in the Quick Find box.
  • Select “Users”
  • Click “Edit” next to the user to be disabled
  • Uncheck the “Active” box in the right column
  • Click “Save” at the top

Save User after unchecking Active box
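
To check the one-group rule from “Add users to the system” and to catch accounts that were disabled in Active Directory but never taken out of a group as “Remove users from system” requires, a PowerShell audit such as the following can be run. This is an added example, not part of the original guide or an ITS script; it assumes the RSAT ActiveDirectory module and treats a disabled AD account with a remaining membership as an unfinished removal.

```powershell
# Added example, not part of the original guide.
# Assumes the RSAT ActiveDirectory module and read access to the domain.
Import-Module ActiveDirectory

# Group name prefix taken from this guide (Access-App_PatronManager_#PROFILE#).
$prefix = 'Access-App_PatronManager'
$groups = @(Get-ADGroup -Filter "Name -like '$prefix*'")
if ($groups.Count -eq 0) { throw "No groups found matching '$prefix*'" }

# One row per (user, group) pair; -Recursive expands nested groups.
$memberships = foreach ($group in $groups) {
    Get-ADGroupMember -Identity $group -Recursive |
        Where-Object { $_.objectClass -eq 'user' } |
        ForEach-Object {
            [pscustomobject]@{
                DistinguishedName = $_.distinguishedName
                GroupName         = $group.Name
            }
        }
}

# Collapse to one row per user and look up whether the AD account is enabled.
$report = $memberships | Group-Object -Property DistinguishedName | ForEach-Object {
    $names = @($_.Group.GroupName | Sort-Object -Unique)
    $user  = Get-ADUser -Identity $_.Name
    [pscustomobject]@{
        User       = $user.SamAccountName
        Enabled    = $user.Enabled
        GroupCount = $names.Count
        Groups     = $names -join '; '
    }
}

# Findings: more than one PatronManager group, or a disabled account
# that still holds a group membership (assumed to mean unfinished removal).
$report |
    Where-Object { $_.GroupCount -gt 1 -or -not $_.Enabled } |
    Sort-Object User |
    Format-Table -AutoSize
```

An empty table means every member is in exactly one group and has an enabled AD account; the Salesforce “Active” checkbox still has to be reviewed in Setup, since this script only reads Active Directory.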

 

Add new profile in PatronManager

If a new Profile is created in PatronManager/Salesforce, open a ticket with ITS.

Provide the exact name of the new profile and a short description of the profile.

ITS Tasks

Create a new Active Directory group following the naming convention

  • Access-App_PatronManager_#PROFILE#
  • Group Description will be the description provided that identifies what the profile does

In the Azure Enterprise Application “PCT-PatronManager”

  • Select “Users and Groups”
    • Add the new group “Access-App_PatronManager_#PROFILE#”
  • Select “Single sign-on”
    • In the Attributes & Claims box, Click Edit
    • Click on “User.ProfileID” to edit
    • Under Claim Conditions, Add a new line
    • User type: Members
    • Scoped Groups: Access-App_PatronManager_#PROFILE#
    • Source: Attribute
    • Value: Type the exact name of the new profile (not the group name)
    • Click on the 3 dots on the right to order the list from most access to least access
      • When users log in, they are matched to these conditions from top to bottom.

SSO Certificate renewal

The SSO Certificate will expire on 1/19/2025

  • ITS will create a new certificate in the Azure Enterprise Application and download the .CER file
  • In PatronManager/Salesforce setup, locate the “Single sign-on Settings”
  • Edit the “Azure-PCT-PatronManger” item
  • Select the “Choose File” button next to “Identity Provider Certificate”
  • Select the .CER file provided by ITS
  • Select Open
  • Click on Save
  • Verify the “Request Signing Certificate” and “Assertion Decryption Certificate” are set to the new certificate

 

Troubleshooting

                User not in the Active Directory group: Error--User is not assigned to a role

User is not assigned a role error

 

Bypass SSO

If SSO is suffering an extended outage, the certificate has expired, or an external user needs access, they can use the bypass SSO URL at the top of this document.

 

Multi-Factor Authentication

Users who are not part of Pennsylvania College of Technology

Salesforce MFA will need to be set up for any external user.

Set MFA user permission via permission set - https://help.salesforce.com/s/articleView?id=sf.mfa_enable_core.htm&type=5