
SSO with SalesForce.com

We want to do SSO with Salesforce.com. From their documentation, we found that the option 'Delegated authentication' suits our needs. Basically, when given a user name and password, Salesforce.com would initiate a web service call to the original organization to get it validated.

We are thinking of implementing this the following way: our users would log in to our system with user id and password, and we would get them authenticated. Then, when they have to access Salesforce.com, we would supply the username and the cookie (that we got from the authentication) to Salesforce.com, which would then pass these in the web service call to our organization, and we would be able to validate the user using this cookie.

Has anyone tried/heard of this approach? Are there any known limitations? Any help would be appreciated.

This is a common approach when using delegated auth. The main issue is that if your DA listener only accepts the authentication cookie, then logging into Salesforce from applications other than the web site is not possible (e.g. mobile apps, Data Loader, etc.). You can write your DA listener to accept either an auth cookie or a password and work that way, or you can look into the newer SAML-based SSO features which many apps now support.
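
The "accept either" listener the answer above describes, as an added example that is not code from the original poster or from Salesforce. It assumes the SOAP shape of the delegated authentication call (an `Authenticate` element carrying `username`, `password` and `sourceIp`, answered by `AuthenticateResult`/`Authenticated`, in the `urn:authentication.soap.sforce.com` namespace); check those names against the WSDL you download from your org before relying on them. The user table, session store and token prefix are constructed for the example.

```python
import hashlib
import hmac
import secrets
import time
import xml.etree.ElementTree as ET

# Constructed sample data. Passwords are stored as PBKDF2 hashes; sessions are
# opaque tokens the web app hands out after it has authenticated the user itself.
PBKDF2_ITERS = 100_000
SALT = b"constructed-per-user-salt"
USERS = {"joe@acme.com": hashlib.pbkdf2_hmac("sha256", b"correct horse", SALT, PBKDF2_ITERS)}
SESSIONS = {}            # token -> (username, expiry in epoch seconds)
TOKEN_PREFIX = "sso-"    # marks a value as a session token rather than a password
TOKEN_TTL = 300          # keep short: Salesforce relays the token in the password field


def issue_session_token(username, now=None):
    """The web app calls this at login; the token is what we later hand to Salesforce."""
    token = TOKEN_PREFIX + secrets.token_urlsafe(32)
    SESSIONS[token] = (username, (now if now is not None else time.time()) + TOKEN_TTL)
    return token


def check_password(username, password):
    """Password path: mobile apps, Data Loader and API clients log in with the real password."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, PBKDF2_ITERS)
    # Hash before the lookup so unknown users cost the same time as known ones.
    stored = USERS.get(username)
    return stored is not None and hmac.compare_digest(stored, candidate)


def check_session_token(username, token, now=None):
    """Token path: the user arrives from a web session we have already authenticated."""
    entry = SESSIONS.get(token)
    if entry is None:
        return False
    owner, expiry = entry
    now = now if now is not None else time.time()
    # The token must belong to the username Salesforce is asking about and be unexpired.
    # A listener that skips the owner check lets any valid session impersonate any user.
    return hmac.compare_digest(owner.encode(), username.encode()) and now < expiry


def authenticate(username, secret, now=None):
    """Accept either form: a session token from the web site or a password from other clients."""
    if secret.startswith(TOKEN_PREFIX):
        return check_session_token(username, secret, now)
    return check_password(username, secret)


def handle_authenticate_request(soap_body, now=None):
    """Parse the Authenticate call from Salesforce and build the reply. Returns (ok, reply_xml)."""
    root = ET.fromstring(soap_body)

    def text(tag):
        el = root.find(f".//{{*}}{tag}")      # namespace-agnostic lookup
        return (el.text or "") if el is not None else ""

    ok = authenticate(text("username"), text("password"), now)
    reply = (
        '<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">'
        '<soapenv:Body><AuthenticateResult xmlns="urn:authentication.soap.sforce.com">'
        f'<Authenticated>{"true" if ok else "false"}</Authenticated>'
        '</AuthenticateResult></soapenv:Body></soapenv:Envelope>')
    return ok, reply


def sample_request(username, password):
    """Constructed Authenticate envelope in the assumed shape of the Salesforce call."""
    return (
        '<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">'
        '<soapenv:Body><Authenticate xmlns="urn:authentication.soap.sforce.com">'
        f'<username>{username}</username><password>{password}</password>'
        '<sourceIp>203.0.113.7</sourceIp></Authenticate></soapenv:Body></soapenv:Envelope>')


if __name__ == "__main__":
    tok = issue_session_token("joe@acme.com")
    print(handle_authenticate_request(sample_request("joe@acme.com", tok))[0])          # token path
    print(handle_authenticate_request(sample_request("joe@acme.com", "correct horse"))[0])  # password path
```

The token is bound to the user it was issued for and expires after a few minutes, because from Salesforce's point of view it is just a password: anything that can replay the `Authenticate` call within the lifetime of the token can log in as that user.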

One way to do it is by using the SAML2 Web Browser SSO profile, which is supported by Salesforce. You need to configure SAML2 SSO in the Salesforce admin settings. Here is a brief overview: https://help.salesforce.com/apex/HTViewHelpDoc?id=sso_saml.htm&language=th

The flow for an end-user looks like this:

  • user navigates to Salesforce and provides a fully qualified username (e.g. joe@acme.com) in a login form.
  • Salesforce redirects the user and sends a SAML2 authentication request to the identity service (idp.acme.com) responsible for authenticating the user. The SAML2 authentication request is sent as a GET parameter of the HTTP redirect.
  • identity service authenticates the user (e.g. by presenting a login form and validating username and password)
  • identity service returns a SAML2 assertion to Salesforce. Actually, the assertion is sent in the HTTP response to the user, and it is automatically POSTed to Salesforce by a JavaScript function fired when the page loads.
  • Salesforce validates the assertion (digital signature, time validity period, etc.) and lets the user in.
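
The five steps above played end to end, as an added example that is not code from the answer or from Salesforce: the SP side (Salesforce's role) builds an AuthnRequest and sends it by the HTTP-Redirect binding, the IdP side (idp.acme.com's role) answers with a Response by the HTTP-POST binding, and the SP then checks Destination, InResponseTo, issuer, validity window, audience and bearer confirmation before accepting the NameID. The entity IDs, URLs and user are constructed. The one check not implemented is the XML-DSig signature itself, which needs an XML-DSig library (signxml or python3-saml, for instance); the `<ds:Signature/>` element emitted here is a placeholder that marks where the real signature goes, and the validator only refuses an assertion that lacks one.

```python
import base64
import calendar
import re
import secrets
import time
import urllib.parse
import xml.etree.ElementTree as ET
import zlib

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
DS = "http://www.w3.org/2000/09/xmldsig#"
NS = {"samlp": SAMLP, "saml": SAML, "ds": DS}
# Constructed identifiers; the real values come from the org's SSO settings page.
SP_ENTITY, ACS_URL = "https://saml.salesforce.com", "https://login.salesforce.com/acs"
IDP_ENTITY, IDP_SSO_URL = "https://idp.acme.com", "https://idp.acme.com/sso"
CLOCK_SKEW = 120            # seconds of drift tolerated between SP and IdP clocks
ASSERTION_LIFETIME = 300    # seconds
TIME_FMT = "%Y-%m-%dT%H:%M:%SZ"


def iso(t):
    return time.strftime(TIME_FMT, time.gmtime(t))


def parse_iso(s):
    return calendar.timegm(time.strptime(s, TIME_FMT))


def sp_build_redirect(now):
    """Step 2: the SP builds an AuthnRequest and encodes it for the HTTP-Redirect binding."""
    req_id = "_" + secrets.token_hex(16)
    xml = (f'<samlp:AuthnRequest xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" ID="{req_id}" '
           f'Version="2.0" IssueInstant="{iso(now)}" Destination="{IDP_SSO_URL}" '
           f'AssertionConsumerServiceURL="{ACS_URL}"><saml:Issuer>{SP_ENTITY}</saml:Issuer>'
           f'</samlp:AuthnRequest>')
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)          # raw DEFLATE, no zlib header
    deflated = comp.compress(xml.encode()) + comp.flush()
    query = urllib.parse.urlencode({"SAMLRequest": base64.b64encode(deflated).decode()})
    return req_id, f"{IDP_SSO_URL}?{query}"                # SP remembers req_id for step 5


def idp_handle(redirect_url, authenticated_user, now):
    """Steps 3-4: the IdP decodes the request and, for a user it has authenticated,
    returns a Response inside the auto-submitting form of the HTTP-POST binding."""
    query = urllib.parse.parse_qs(urllib.parse.urlsplit(redirect_url).query)
    req = ET.fromstring(zlib.decompress(base64.b64decode(query["SAMLRequest"][0]), -15))
    if req.get("Destination") != IDP_SSO_URL:
        raise ValueError("AuthnRequest not addressed to this IdP")
    req_id, resp_id, asrt_id = req.get("ID"), "_" + secrets.token_hex(16), "_" + secrets.token_hex(16)
    expiry = iso(now + ASSERTION_LIFETIME)
    response = (
        f'<samlp:Response xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" xmlns:ds="{DS}" ID="{resp_id}" '
        f'Version="2.0" IssueInstant="{iso(now)}" Destination="{ACS_URL}" InResponseTo="{req_id}">'
        f'<saml:Issuer>{IDP_ENTITY}</saml:Issuer><samlp:Status>'
        f'<samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>'
        f'<saml:Assertion ID="{asrt_id}" Version="2.0" IssueInstant="{iso(now)}">'
        f'<saml:Issuer>{IDP_ENTITY}</saml:Issuer>'
        f'<ds:Signature/>'   # placeholder: a real IdP puts the enveloped XML-DSig here
        f'<saml:Subject><saml:NameID>{authenticated_user}</saml:NameID>'
        f'<saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">'
        f'<saml:SubjectConfirmationData Recipient="{ACS_URL}" InResponseTo="{req_id}" '
        f'NotOnOrAfter="{expiry}"/></saml:SubjectConfirmation></saml:Subject>'
        f'<saml:Conditions NotBefore="{iso(now)}" NotOnOrAfter="{expiry}"><saml:AudienceRestriction>'
        f'<saml:Audience>{SP_ENTITY}</saml:Audience></saml:AudienceRestriction></saml:Conditions>'
        f'</saml:Assertion></samlp:Response>')
    b64 = base64.b64encode(response.encode()).decode()
    return ('<html><body onload="document.forms[0].submit()">'
            f'<form method="post" action="{ACS_URL}">'
            f'<input type="hidden" name="SAMLResponse" value="{b64}"/></form></body></html>')


def sp_consume_post(form_html, expected_request_id, now):
    """Step 5: the SP validates the POSTed Response and returns the NameID, or raises."""
    b64 = re.search(r'name="SAMLResponse" value="([^"]+)"', form_html).group(1)
    resp = ET.fromstring(base64.b64decode(b64))

    def one(el, path):
        found = el.find(path, NS)
        if found is None:
            raise ValueError(f"missing {path}")
        return found

    if resp.get("Destination") != ACS_URL:
        raise ValueError("Destination is not our ACS URL")
    if resp.get("InResponseTo") != expected_request_id:
        raise ValueError("InResponseTo does not match a request we issued")
    if not one(resp, "samlp:Status/samlp:StatusCode").get("Value", "").endswith(":Success"):
        raise ValueError("non-success status")
    asrt = one(resp, "saml:Assertion")
    if one(asrt, "saml:Issuer").text != IDP_ENTITY:
        raise ValueError("assertion from an unexpected issuer")
    if asrt.find("ds:Signature", NS) is None:       # real SP: verify XML-DSig with the IdP cert here
        raise ValueError("unsigned assertion")
    cond = one(asrt, "saml:Conditions")
    if now < parse_iso(cond.get("NotBefore")) - CLOCK_SKEW:
        raise ValueError("assertion not yet valid")
    if now >= parse_iso(cond.get("NotOnOrAfter")) + CLOCK_SKEW:
        raise ValueError("assertion expired")
    if one(cond, "saml:AudienceRestriction/saml:Audience").text != SP_ENTITY:
        raise ValueError("assertion issued for another audience")
    scd = one(asrt, "saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData")
    if scd.get("Recipient") != ACS_URL or scd.get("InResponseTo") != expected_request_id:
        raise ValueError("bearer confirmation does not match this SP and request")
    if now >= parse_iso(scd.get("NotOnOrAfter")) + CLOCK_SKEW:
        raise ValueError("bearer confirmation expired")
    return one(asrt, "saml:Subject/saml:NameID").text


def run_flow(user="joe@acme.com", now=None, sp_now=None):
    """Whole exchange; sp_now lets the SP's clock differ from the IdP's for testing."""
    now = int(time.time()) if now is None else now
    req_id, url = sp_build_redirect(now)
    return sp_consume_post(idp_handle(url, user, now), req_id, now if sp_now is None else sp_now)
```

The SP-side checks are the ones that make a stolen or replayed assertion useless: InResponseTo ties the Response to a request this SP actually issued, Recipient and Audience stop an assertion minted for one SP from being presented to another, and the short validity window bounds replay. None of them matter if the signature is not verified first, so in a real SP the XML-DSig check comes before everything else in `sp_consume_post`.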
