Body
Patron Manager – Admin Guide
Login URLs
Production SSO URL: https://caclive.my.salesforce.com
Production Bypass SSO Login: https://caclive.my.salesforce.com/?login
Sandbox SSO URL: https://caclive--ssotest.my.salesforce.com
Sandbox Bypass SSO Login: https://caclive--ssotest.my.salesforce.com/?login
User Administration handled by
CAC Senior Accountant/Cac Financial Specialist - Kristen Walker
Add users to the system
- Search Active Directory for groups “Access-App_PatronManager”
- The PatronManager/Salesforce Profile is assigned by these groups.
- Add users to an appropriate group.
- Users should only be in one group. If they are in multiple groups, then the least privileged group will apply.
- When the user accesses the system by the SSO URL above, Salesforce will automatically create a user with the following attributes.
First Name
|
Last Name
|
Alias
|
Email
|
UserName
|
Community Nickname
|
Title
|
Department
|
Profile
|
Email Encoding
|
Street
|
Federation ID
|
Remove users from system
- Search Active Directory for groups “Access-App_PatronManager”
- The PatronManager/Salesforce Profile is assigned by these groups.
- Remove users from group.
- Log in to PatronManager as a System Administrator
- Perform PatronManager procedure for removing user – (migrating reports to other users)
- Click on the gear in the upper right and select Setup
In the left column, type “Users” in the Quick Find box.
Select “Users”
Click “Edit” next to the user to be disabled
Uncheck the “Active box in the right column
Click “Save” at the top
Add new profile in PatronManager
If a new Profile is created in PatronManger/Salesforce, Open a ticket with ITS
Provide the exact name of the new profile and short description of profile
ITS Tasks
Create a new Active Directory group following the naming convention
- Access-App_PatronManager_#PROFILE#
- Group Description will be the description provided that identifies what the profile does
In the Azure Enterprise Application “PCT-PatronManager”
- Select “Users and Groups”
- Add the new group “Access-App_PatronManager_#PROFILE#”
- Select “Single sign-on”
- In the Attributes & Claims box, Click Edit
- Click on “User.ProfileID” to edit
- Under Claim Conditions, Add a new line
- User type: Members
- Scoped Groups: Access-App_PatronManager_#PROFILE#
- Source: Attribute
- Value: Type the exact name of the new profile (not the group name)
- Click on the 3 dots on the right to order the list from Most access to least access
- When users log in they are matched to these conditions from top to bottom.
SSO Certificate renewal
The SSO Certificate will expire on 1/19/2025
- ITS will create a new certificate in the Azure Enterprise Application and download the .CER file
- In PatronManager/Salesforce setup, Locate the “Single sign-on Settings”
- Edit the “Azure-PCT-PatronManger” item
- Select the “Choose File” button next to “Identity Provider Certificate”
- Select the .CER File provided by ITS
- Select Open
- Click on Save
- Verify the “Request Signing Certificate” and “Assertion Decryption Certificate” are set to new certificate
Troubleshooting
User not in the Active Directory group: Error--User is not assigned to a role
Bypass SSO
If SSO is suffering an extended outage, certificate has expired, or external user needs access, they can use the bypass SSO URL at the top of this document.
Multi-Factor Authentication
User that are not part of Pennsylvania College of Technology
Salesforce MFA will need setup for any external user.
Set MFA user permission via permission set - https://help.salesforce.com/s/articleView?id=sf.mfa_enable_core.htm&type=5