2

I am trying to implement SAML in my web application as a service provider, and I am using Salesforce as the identity provider.

I tried lots of Google searches and did not find anything helpful. Could anyone help me?

Thanks in advance.

Vikas Kumar
  • You have to tell more about what you have tried or what you have stumbled upon. The sample application from Spring-SAML gives you enough information and it has very good documentation. – kotacc Feb 23 '15 at 13:58

2 Answers

3

First of all, you need to configure your Spring SAML as one of the connected applications in Salesforce and make sure that SAML is enabled for that application. You will also need to provide entity ID and assertion consumer URL, which can both be found in Spring SAML's generated metadata.

Integration of Salesforce with Spring SAML has one specific issue. The SAML Responses are signed both by the certificate included in the IDP's metadata and by an additional certificate (proxy.salesforce.com).

This second certificate needs to be available to Spring SAML. One way to add the certificate is to update the IDP metadata imported to Spring SAML by adding the following element representing the proxy.salesforce.com certificate:

<md:KeyDescriptor use="signing">
   <ds:KeyInfo>
      <ds:X509Data>
           <ds:X509Certificate><!-- base64-encoded proxy.salesforce.com certificate (omitted here) --></ds:X509Certificate>
      </ds:X509Data>
   </ds:KeyInfo>
</md:KeyDescriptor>

You also need to make sure the user you are authenticating with has permission to your connected app (Spring SAML SP), by updating its Permission Set. You will otherwise get back an AuthnFailed status code.

MarcFasel
Vladimír Schäfer
  • We have previously been able to use SalesForce as the IDP without having to change the metadata. It seems like this is a recent change. Any idea why Salesforce is doing this now? And why are they not including the certificate in the metadata themselves? – MarcFasel Dec 14 '16 at 05:03
  • After having to add the second certificate for a while to properly use Salesforce as the IDP we now are able to connect to Salesforce without the second certificate. Seems like Salesforce SSO has changed (again)? – MarcFasel Jan 15 '18 at 04:54
  • @MarcFasel Can you please share some code of how you are connecting to and using Salesforce as IdP? I have tried various library/code from the web but somehow cannot get it working with Salesforce as Idp. My use case is quite simple - User visits my java web app in browsers, clicks on a link to go authenticate with Salesforce, and is redirected back to my app. – sunitkatkar Jan 15 '18 at 18:17
  • Here is a solution that adds the 2nd signature that Salesforce requires to the keystore: https://stackoverflow.com/questions/23059203/http-status-401-authentication-failed-incoming-saml-message-is-invalid-with – MarcFasel Oct 24 '18 at 03:11
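As an added illustration of the metadata edit described in the answer and of the check behind it (this is not code from the answer, from Spring SAML or from Salesforce), the script below lists the signing certificates an IdP metadata document trusts, adds the extra certificate as a signing KeyDescriptor when it is missing, and reports whether the certificate carried in a SAML Response is one the metadata trusts. The metadata, the Response and the certificate strings are constructed placeholders, not real certificates.

```python
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
for prefix, uri in NS.items():       # keep md:/ds: prefixes when re-serialising
    ET.register_namespace(prefix, uri)

def _norm(b64):
    """Base64 certificate text with all whitespace removed, for comparison."""
    return "".join((b64 or "").split())

def signing_certs(metadata_xml):
    """Certificates the IdP metadata declares for signing (a KeyDescriptor
    without a 'use' attribute counts for both signing and encryption)."""
    root = ET.fromstring(metadata_xml)
    certs = []
    for kd in root.iterfind(".//md:IDPSSODescriptor/md:KeyDescriptor", NS):
        if kd.get("use", "signing") == "signing":
            certs += [_norm(c.text) for c in kd.iterfind(".//ds:X509Certificate", NS)]
    return certs

def add_signing_cert(metadata_xml, cert_b64):
    """Metadata with cert_b64 added as a signing KeyDescriptor (the manual edit
    from the answer); returned unchanged if that certificate is already trusted."""
    if _norm(cert_b64) in signing_certs(metadata_xml):
        return metadata_xml
    root = ET.fromstring(metadata_xml)
    idp = root.find(".//md:IDPSSODescriptor", NS)
    kd = ET.Element(f"{{{NS['md']}}}KeyDescriptor", use="signing")
    x509 = ET.SubElement(ET.SubElement(kd, f"{{{NS['ds']}}}KeyInfo"), f"{{{NS['ds']}}}X509Data")
    ET.SubElement(x509, f"{{{NS['ds']}}}X509Certificate").text = _norm(cert_b64)
    idp.insert(0, kd)    # schema order: KeyDescriptor before SingleSignOnService
    return ET.tostring(root, encoding="unicode")

def response_signer_trusted(response_xml, metadata_xml):
    """True if the certificate in the Response's Signature/KeyInfo is one the
    metadata trusts. False is the 'second certificate' symptom: the SP rejects
    the message before checking the signature value. Trust only, no XMLDSig verify."""
    cert = ET.fromstring(response_xml).find(
        "./ds:Signature/ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
    return cert is not None and _norm(cert.text) in signing_certs(metadata_xml)

# Constructed sample inputs: placeholder strings stand in for real base64 certificates.
IDP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
 xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://idp.example.test/sf">
 <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
  <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data><ds:X509Certificate>
   IDPCERT1</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
  <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
   Location="https://idp.example.test/sso"/></md:IDPSSODescriptor></md:EntityDescriptor>"""
PROXY_CERT = "PROXYCERT2"   # plays the role of the proxy.salesforce.com certificate
RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
 xmlns:ds="http://www.w3.org/2000/09/xmldsig#" ID="_r1" Version="2.0"><ds:Signature>
 <ds:KeyInfo><ds:X509Data><ds:X509Certificate>PROXYCERT2</ds:X509Certificate>
 </ds:X509Data></ds:KeyInfo></ds:Signature></samlp:Response>"""
```

Running `response_signer_trusted(RESPONSE, IDP_METADATA)` before and after `add_signing_cert(IDP_METADATA, PROXY_CERT)` shows the rejection and its fix.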
-1

https://developer.salesforce.com/page/Single_Sign-On_with_SAML_on_Force.com

You can visit this website for more dev-related queries. It's purely for developers.

CandleCoder
  • I have configured my Salesforce as an identity provider and I redirect my web app to the Salesforce login page, and when I log in there it does not redirect to my website page; it only logs in inside the Salesforce account. – Vikas Kumar Feb 23 '15 at 11:09
  • I also used the spring-saml extension sample application and configured Salesforce as an IdP, but it gives me this error: Error: Unable to resolve request into a Service Provider – Vikas Kumar Feb 23 '15 at 15:04