Reputation: 73
We want to do SSO with Salesforce.com. From their documentation, we found this option 'Delegated authentication' to suit our needs. Basically when given a user name and password, Salesforce.com would initiate a web service call to the original organization to get it validated.
We are thinking of implementing this the following way: our users would log into our system with user id and password, and we would get them authenticated. Then when they have to access Salesforce.com, we would supply the username and the cookie (that we got from the authentication) to Salesforce.com, which would then pass these in the web service call to our organization, and we would be able to validate the user using this cookie.
Has anyone tried/heard of this approach? Are there any known limitations? Any help would be appreciated.
Upvotes: 4
Views: 869
Reputation: 444
One way to do it is by using the SAML2 Web Browser SSO profile, which is supported by Salesforce. You need to configure SAML2 SSO in the Salesforce admin settings. Here is a brief overview: https://help.salesforce.com/apex/HTViewHelpDoc?id=sso_saml.htm&language=th
The flow for an end-user looks like this:
Upvotes: 2
Reputation: 19040
This is a common approach when using delegated auth; the main issue is that if your DA listener only accepts the authentication cookie, then logging into Salesforce from applications other than the web site is not possible (e.g. mobile apps, data loader, etc.). You can write your DA listener to accept either an auth cookie or a password and work that way, or you can look into the newer SAML-based SSO features, which many apps now support.
Upvotes: 3