Unable to implement SSO in Salesforce
I am implementing service provider-initiated SSO for Salesforce, where the service provider will be Salesforce and the identity provider will be lambda code. The lambda code will allow a user in after verifying the user's mobile number. Once the mobile number is verified, a SAMLResponse will be sent by the lambda.
I have configured SSO on Salesforce as below:
I am also able to generate a valid SAML response and have validated it on the Salesforce SAML validator as below:
I have created a login page that will be redirected to from Salesforce.
I have also created an API to get a unique SAML response every time for the given federation ID, as below: https://qodz4saz9a.execute-api.us-west-2.amazonaws.com/v1/generate-saml-response?FederationID=rahul@xyz.com
The URL for the Salesforce login page is https://im--partial.my.salesforce.com/
After all this setup I am able to get redirected to the login page I have created from Salesforce by selecting the "Log In with a Different Account" option and then selecting "Twilio", as below:
Salesforce is redirecting to the login page with a SAMLRequest parameter in the URL, as below:
http://salesforce-sso-page.s3-website-us-west-2.amazonaws.com/?SAMLRequest=fZJRc6IwFIX%2FC .....
I am not sure how to proceed from here and allow login to Salesforce from my login page. Once the user enters a mobile number and OTP, I am redirecting the user to the below URL:
https://im--partial.my.salesforce.com?SAMLResponse=PD94bWwgdmVyc2lvbj0i .....
Here I am using SAMLResponse as a query parameter to pass the base64-encoded SAML response for login to Salesforce. But I am not sure if it is the correct way to authenticate and log in to Salesforce.
After entering the OTP (the test OTP is 1234) I am getting the below error.
I am not using the SAMLRequest generated by Salesforce at all for generating the SAMLResponse for now.
I have gone through many documents but couldn't find a way to pass the SAMLResponse to Salesforce for login. Please let me know if anybody has any idea about it or if I am following the wrong steps.
The SAML response is sent to the service provider in a specific "way"; the protocol refers to this as a binding. In this case the expected binding is HTTP POST. With HTTP POST as your binding, the SAML response must be submitted in the body of an HTTP request sent to the service provider via a POST method. The Login URL listed in the Single Sign-On Settings screen is the endpoint where the SAML response should be POSTed. It might look something like this:
POST / HTTP/1.1
Host: im--partial.my.salesforce.com
Content-Type: application/x-www-form-urlencoded
Content-Length: nnn

SAMLResponse=response
Do you need to worry about the SAML request? It depends on your workflow and desired end-user experience. The considerations that go into this decision deserve their own SO question. Meanwhile, take a look at the SAML Technical Overview for a summary of these workflows.
Last but not least, this whole sequence of authentication via your mobile number is supported by Salesforce out of the box on some Salesforce products.
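The HTTP-POST binding described in the answer above, as an added example that is not part of the original question or answer: a small Node.js module (the kind of code the lambda could return after the OTP check) that renders the self-submitting HTML form the browser uses to POST the SAMLResponse to the Login URL, instead of appending it to the query string. The Login URL `https://example.my.salesforce.com` used in the usage call is a placeholder, the `buildAutoPostForm`, `looksLikeSamlResponse` and `escapeHtmlAttr` names are this example's own, and the SAML document is a constructed stub with no signature, used only to exercise the form builder.

```javascript
// Added example (not from the original question or answer): render the
// self-submitting form that implements the SAML 2.0 HTTP-POST binding.
// The IdP (here, the lambda) returns this page to the browser once the OTP is
// verified; the browser then POSTs SAMLResponse in the request body to the
// Salesforce Login URL taken from Single Sign-On Settings.

// Escape a value for safe inclusion in an HTML attribute so that neither the
// SAML payload nor a caller-supplied RelayState can break out of the form.
function escapeHtmlAttr(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Sanity check before rendering: the value must be well-formed base64 and must
// decode to a SAML <Response> document (prefix-agnostic, e.g. samlp:Response).
function looksLikeSamlResponse(b64) {
  if (typeof b64 !== 'string' || !/^[A-Za-z0-9+/]+={0,2}$/.test(b64)) return false;
  const xml = Buffer.from(b64, 'base64').toString('utf8');
  return /<(\w+:)?Response\b/.test(xml);
}

// Build the auto-post page. loginUrl is the "Login URL" from Single Sign-On
// Settings (must be https); relayState is optional and is echoed back to the SP.
function buildAutoPostForm(loginUrl, samlResponseB64, relayState) {
  if (!/^https:\/\//.test(loginUrl)) throw new Error('Login URL must use https');
  if (!looksLikeSamlResponse(samlResponseB64)) throw new Error('not a base64-encoded SAML Response');
  const relay = relayState === undefined ? '' :
    `\n    <input type="hidden" name="RelayState" value="${escapeHtmlAttr(relayState)}">`;
  return `<!DOCTYPE html>
<html>
<body onload="document.forms[0].submit()">
  <noscript><p>Press the button to continue to Salesforce.</p></noscript>
  <form method="POST" action="${escapeHtmlAttr(loginUrl)}">
    <input type="hidden" name="SAMLResponse" value="${escapeHtmlAttr(samlResponseB64)}">${relay}
    <noscript><input type="submit" value="Continue"></noscript>
  </form>
</body>
</html>`;
}

// Constructed sample: a placeholder Response document with no assertion or
// signature. A real IdP would put its signed response here.
const SAMPLE_XML = '<?xml version="1.0"?><samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="_placeholder"/>';
const SAMPLE_B64 = Buffer.from(SAMPLE_XML, 'utf8').toString('base64');

// Usage: the placeholder Login URL stands in for the real one from SSO Settings.
console.log(buildAutoPostForm('https://example.my.salesforce.com', SAMPLE_B64));
```

The rendered page is what the lambda (or the login page after it fetches the SAMLResponse from the API) should hand to the browser: the `onload` handler submits the form immediately, and the `noscript` button covers browsers with JavaScript disabled. Because the payload travels in the POST body, it is not written into server access logs or browser history the way a `?SAMLResponse=` query parameter is.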