
SSO with SalesForce.com

We want to do SSO with Salesforce.com. From their documentation, we found this option 'Delegated authentication' to suit our needs. Basically when given a user name and password, Salesforce.com would initiate a web service call to the original organization to get it validated.

We are thinking of implementing this the following way - Our users would login into our system with user id and password, we would get them authenticated. Then when they have to access Salesforce.com, we would supply the username and the cookie (that we got from the authentication) to Salesforce.com which would then pass these in the web service call to our organization and we would be able to validate the user using this cookie.

Has anyone tried/heard of this approach? Are there any known limitations? Any help would be appreciated.

This is a common approach when using delegated auth. The main issue is that if your DA listener only accepts the authentication cookie, then logging into Salesforce from applications other than the web site is not possible (e.g. mobile apps, Data Loader, etc.). You can write your DA listener to accept either an auth cookie or a password and work that way, or you can look into the newer SAML based SSO features which many apps now support.
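As an added example (not Salesforce's code and not the answerer's), here is the decision logic for a DA listener that accepts either credential, as the answer suggests. It assumes that the web service call Salesforce makes hands the listener a username, a credential and the end user's source IP, and it leaves out the SOAP transport entirely; the user store, the session tokens, the names and the 15-minute token lifetime are all constructed for the example.

```python
"""Decision logic for a delegated-authentication (DA) listener that accepts
either the user's password or a short-lived session token (the value of the
cookie issued by our own web login) in the password field.

Added example, not Salesforce's or the answerer's code. Assumption: the SOAP
endpoint Salesforce calls gives us (username, credential, source_ip); only
the validation logic is shown here.
"""
import hashlib
import hmac
import os
import secrets
import time
from typing import Dict, Optional, Tuple

PBKDF2_ROUNDS = 100_000
TOKEN_TTL_SECONDS = 15 * 60  # assumption: a session token lives 15 minutes


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted PBKDF2-HMAC-SHA256; returns (salt, digest)."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return salt, digest


# Constructed sample user store: username -> (salt, PBKDF2 digest)
USERS: Dict[str, Tuple[bytes, bytes]] = {
    "joe@acme.com": hash_password("correct horse battery staple"),
    "alice@acme.com": hash_password("tr0ub4dor&3"),
}

# Session tokens minted by our own web login: token -> (username, expiry epoch seconds)
SESSIONS: Dict[str, Tuple[str, float]] = {}


def issue_session_token(username: str, now: Optional[float] = None) -> str:
    """Mint an unguessable token after our own login succeeded; this is the
    cookie value the web tier hands to Salesforce along with the username."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = (username, now + TOKEN_TTL_SECONDS)
    return token


def _check_token(username: str, token: str, now: float) -> bool:
    entry = SESSIONS.get(token)
    if entry is None:
        return False
    owner, expiry = entry
    if now >= expiry:
        SESSIONS.pop(token, None)  # expired: forget it and reject
        return False
    # The token must belong to the very user Salesforce is asking about.
    return hmac.compare_digest(owner.encode("utf-8"), username.encode("utf-8"))


def _check_password(username: str, password: str) -> bool:
    salt, expected = USERS[username]
    _, digest = hash_password(password, salt)
    return hmac.compare_digest(digest, expected)


def authenticate(username: str, credential: str, source_ip: str,
                 now: Optional[float] = None) -> bool:
    """Return True if `credential` is a live session token for `username`
    or that user's password. `source_ip` (the end user's address as reported
    in the call) is available for logging or policy but is not used here."""
    now = time.time() if now is None else now
    if username not in USERS:
        return False
    # Try the cookie/token path first, then fall back to the password path so
    # clients that only know the password (mobile apps, Data Loader) still work.
    if _check_token(username, credential, now):
        return True
    return _check_password(username, credential)
```

The token path and the password path are independent, so a client that never sees the web cookie still authenticates with the password, which is the limitation the answer points out; the token path is what makes the cookie-based flow from the question work.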

One way to do it is by using the SAML2 Web Browser SSO profile which is supported by Salesforce. You need to configure the SAML2 SSO in Salesforce admin settings. Here is the brief overview: https://help.salesforce.com/apex/HTViewHelpDoc?id=sso_saml.htm&language=th

The flow for an end-user looks like this:

  • The user navigates to Salesforce and provides a fully qualified username (e.g. joe@acme.com) in a login form.
  • Salesforce redirects the user and sends a SAML2 authentication request to the identity service (idp.acme.com) responsible for authenticating the user. The SAML2 authentication request is sent as a GET parameter of the HTTP redirect.
  • The identity service authenticates the user (e.g. by presenting a login form and validating username and password).
  • The identity service returns a SAML2 assertion to Salesforce. Actually, the assertion is sent in the HTTP response to the user, and it is automatically POSTed to Salesforce by a JavaScript function that fires when the page loads.
  • Salesforce validates the assertion (digital signature, time validity period, etc.) and lets the user in.
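The last step is where the security of the whole flow rests, so here is an added example (not Salesforce's code and not the answerer's) of the checks a relying party performs on a bearer assertion before trusting it: signature, issuer, validity window, audience, InResponseTo and replay. Real SAML uses XML Signature over the canonicalized assertion; as an assumption to keep this runnable with the standard library only, an HMAC over the exact bytes received stands in for it. The IdP and SP entity IDs, the key and the sample assertion are constructed.

```python
"""Relying-party validation of a SAML2 bearer assertion.

Added example, not Salesforce's or the answerer's code. Assumption: an HMAC
over the received bytes stands in for XML Signature; entity IDs, key and the
sample assertion are constructed.
"""
import hashlib
import hmac
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone
from typing import Set, Tuple

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"saml": SAML_NS}
IDP_ENTITY_ID = "https://idp.acme.com"        # constructed
SP_ENTITY_ID = "https://saml.salesforce.com"   # constructed audience value
KEY = b"constructed-shared-secret"             # stand-in for the IdP signing key

# Constructed sample assertion as it would arrive in the POSTed response.
SAMPLE_ASSERTION = b"""<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_a1" Version="2.0" IssueInstant="2024-01-01T12:00:00Z">
  <saml:Issuer>https://idp.acme.com</saml:Issuer>
  <saml:Subject>
    <saml:NameID>joe@acme.com</saml:NameID>
    <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
      <saml:SubjectConfirmationData InResponseTo="_req-1" NotOnOrAfter="2024-01-01T12:05:00Z"/>
    </saml:SubjectConfirmation>
  </saml:Subject>
  <saml:Conditions NotBefore="2024-01-01T12:00:00Z" NotOnOrAfter="2024-01-01T12:05:00Z">
    <saml:AudienceRestriction>
      <saml:Audience>https://saml.salesforce.com</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
</saml:Assertion>"""


def parse_saml_time(value: str) -> datetime:
    """SAML timestamps are UTC with a trailing Z."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def sign_assertion(xml_bytes: bytes, key: bytes) -> str:
    """Stand-in for the IdP's XML Signature (assumption, see module docstring)."""
    return hmac.new(key, xml_bytes, hashlib.sha256).hexdigest()


def validate_assertion(xml_bytes: bytes, signature: str, key: bytes,
                       outstanding_request_ids: Set[str], seen_assertion_ids: Set[str],
                       now: datetime, clock_skew: timedelta = timedelta(seconds=60)) -> Tuple[bool, str]:
    """Return (accepted, name_id_or_reason)."""
    # 1. Verify the signature over the bytes as received, before trusting any field.
    if not hmac.compare_digest(sign_assertion(xml_bytes, key), signature):
        return False, "signature mismatch"
    root = ET.fromstring(xml_bytes)
    if root.tag != f"{{{SAML_NS}}}Assertion":
        return False, "not a SAML assertion"
    # 2. The issuer must be the IdP configured for this SP.
    if root.findtext("saml:Issuer", namespaces=NS) != IDP_ENTITY_ID:
        return False, "unexpected issuer"
    # 3. Validity window, with a small tolerance for clock drift.
    cond = root.find("saml:Conditions", NS)
    if cond is None or not cond.get("NotBefore") or not cond.get("NotOnOrAfter"):
        return False, "missing validity conditions"
    not_before = parse_saml_time(cond.get("NotBefore"))
    not_on_or_after = parse_saml_time(cond.get("NotOnOrAfter"))
    if now < not_before - clock_skew or now >= not_on_or_after + clock_skew:
        return False, "assertion outside validity window"
    # 4. The audience restriction must name this SP, not some other relying party.
    audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if SP_ENTITY_ID not in audiences:
        return False, "audience mismatch"
    # 5. A bearer assertion must answer an authentication request we actually sent.
    scd = root.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    in_response_to = scd.get("InResponseTo") if scd is not None else None
    if in_response_to not in outstanding_request_ids:
        return False, "InResponseTo does not match an outstanding request"
    # 6. Each assertion ID is accepted exactly once within its validity window.
    assertion_id = root.get("ID")
    if not assertion_id or assertion_id in seen_assertion_ids:
        return False, "replayed or missing assertion ID"
    seen_assertion_ids.add(assertion_id)
    outstanding_request_ids.discard(in_response_to)
    return True, root.findtext("saml:Subject/saml:NameID", namespaces=NS) or ""


def demo() -> dict:
    """Happy path plus the failure modes a validator must catch."""
    sig = sign_assertion(SAMPLE_ASSERTION, KEY)
    now = parse_saml_time("2024-01-01T12:01:00Z")
    seen: Set[str] = set()
    ok = validate_assertion(SAMPLE_ASSERTION, sig, KEY, {"_req-1"}, seen, now)
    replay = validate_assertion(SAMPLE_ASSERTION, sig, KEY, {"_req-1"}, seen, now)
    tampered = SAMPLE_ASSERTION.replace(b"joe@acme.com", b"alice@acme.com")
    forged = validate_assertion(tampered, sig, KEY, {"_req-1"}, set(), now)
    late = validate_assertion(SAMPLE_ASSERTION, sig, KEY, {"_req-1"}, set(),
                              parse_saml_time("2024-01-01T13:00:00Z"))
    unsolicited = validate_assertion(SAMPLE_ASSERTION, sig, KEY, set(), set(), now)
    return {"ok": ok, "replay": replay, "forged": forged, "late": late, "unsolicited": unsolicited}
```

The order matters: the signature is checked over the raw bytes before any field is read, so a changed NameID or a relaxed validity window never reaches the later checks, and the replay cache only needs to remember IDs for as long as the validity window plus skew allows them to be presented.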
