
In our web application I want an Identity Provider (IdP) which authenticates users using salesforce.com.

I have completed the Single Sign-On Settings at salesforce.com.

After these settings, Salesforce provides a metadata file.

Please tell me:

  • Is there any other setting I need to make at salesforce.com?
  • What do I need to do next in my Java code to authenticate users?
Muhammad Imran Tariq

1 Answer


If you have Salesforce.com acting as a SAML Service Provider, then you will need to send SAML Assertions from your IdP to Salesforce.com to authenticate users. These are basically signed XML blobs that get passed around in an HTTP Redirect or HTTP POST to authenticate users.

From the Salesforce.com configuration side it's quite simple. Here is a sample of what is required on that side to configure with the OpenSSO solution: https://indirat.wordpress.com/salesforce/

What you enter in that configuration largely depends on what your IdP can do. For example, what version of SAML, what & where the user identifier is in the SAML assertion, and the public verification certificate that matches the key used by your IdP to digitally sign assertions.

How you handle this in "your java code" is a huge question with many answers. You should be using a proven SAML solution as your IdP, rather than trying to implement the SAML specification yourself. There are several open source libraries such as OpenSAML that work nicely in a Java context, but will require significant effort to integrate. Commercial solutions such as those offered by SSO & federation solution vendors (like Ping Identity) make things considerably easier if you have a budget.

Scott T.
  • I am using SAML 2.0. Please tell me how to make a SAML Assertion. What things do I need to make an assertion? i.e. (metadata file, userid etc.) – Muhammad Imran Tariq May 10 '11 at 12:36
  • Again, that's a very complex question with a huge answer. The core SAML 2.0 spec defines exactly what goes in a SAML Assertion (http://docs.oasis-open.org/security/saml/v2.0/saml-core-2.0-os.pdf); you will be using the SSO Profile, which is defined by the SAML 2.0 Profiles spec (http://docs.oasis-open.org/security/saml/v2.0/saml-profiles-2.0-os.pdf). Again, how you form Assertions and Responses depends on what SAML solution you use, or if you build it yourself. For example, with OpenSAML: https://wiki.shibboleth.net/confluence/display/OpenSAML/OSTwoUserManual – Scott T. May 11 '11 at 00:57
  • Thanks for such nice help. I am looking into it. As my task is IdP based, please confirm this flow: "I will parse the metadata file given by Salesforce and create a SAML Assertion to be sent to Salesforce for authentication." Is this what I need to do in order to achieve my task? – Muhammad Imran Tariq May 11 '11 at 03:15
  • Metadata will tell you the initial configuration info (such as any signing certificates, and the URL for the Assertion Consumer Service). You don't need to parse it in your application, you could just manually take what you need from it, as it may not change much. The main bulk of your work will be: 1.) Receive SAML AuthnRequests from SFDC at your configured IdP URL (configured at SFDC SSO config), 2.) Authenticate the user, 3.) Send signed SAML Response with Assertion back to SFDC via HTTP POST/Redirect to the Assertion Consumer Service URL. – Scott T. May 11 '11 at 05:03
  • @Scott Tomilson. Do you know that I am building an IdP like OpenSSO and OneLogin? – Muhammad Imran Tariq May 11 '11 at 07:38
  • Yes. :-) Again, that would involve steps 1-3 I mentioned. – Scott T. May 11 '11 at 08:48
  • The points you mentioned are for SP-initiated authentication. For IdP-initiated, I will not receive any AuthnRequests from SF. The flow will be: 1) User will log in to my application. 2) I will send a Response with Assertion to SF (based on already configured settings). 3) Salesforce will then authenticate and allow access to the resource. Can you post an example Response that will be sent to SF via POST request for authentication? Send it to my email if it's lengthy, m.imran.tariq@gmail.com, or post it here. – Muhammad Imran Tariq May 12 '11 at 03:41
  • There are samples available at this URL: http://indirat.wordpress.com/salesforce/, as well as generic SAML ones here: http://en.wikipedia.org/wiki/SAML_2.0 (but should still apply to SFDC as it is SAML 2.0 conformant). – Scott T. May 12 '11 at 07:08
  • I have created a hard-coded Response to be sent to Salesforce. I validated it through the SF validator and it's OK. Now I want to make this Response by using the OpenSAML libraries. Do you know of any nice help? – Muhammad Imran Tariq May 12 '11 at 12:42
  • The link to the OpenSAML libraries above is a good starting point. – Scott T. May 12 '11 at 13:05
  • @imrantariq I am also implementing the same. Can you share the hard-coded Response which you sent to Salesforce, removing the digest value etc.? I'm stuck very badly. If you have documented the steps to follow, please share them with me. My mail id is rozartharigopla@gmail.com – rozar Jul 17 '12 at 13:33
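As an added illustration (not code from the thread or from OpenSAML, and in Python rather than the Java the thread discusses, so it runs with only the standard library): the Response structure Scott describes for step 2 of the IdP-initiated flow, with Issuer, Status, a bearer Subject whose Recipient is the ACS URL, Conditions restricted to the SP's entity ID, and an AuthnStatement, plus the checks an SP such as the Salesforce validator applies to it. The URLs, entity IDs, user ID and timestamps are constructed placeholders, not real Salesforce values; signing is left to an XML-DSig library such as OpenSAML, which is why the checker reports the sample as unsigned.

```python
import uuid
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone
SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
DS = "http://www.w3.org/2000/09/xmldsig#"
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
PASSWORD_CTX = "urn:oasis:names:tc:SAML:2.0:ac:classes:Password"
for prefix, uri in (("samlp", SAMLP), ("saml", SAML), ("ds", DS)):
    ET.register_namespace(prefix, uri)  # conventional prefixes instead of ns0/ns1 in the output
# Constructed sample values, not real Salesforce settings; NOW is fixed so the checks below are repeatable
NOW = datetime(2011, 5, 12, 3, 41, tzinfo=timezone.utc)
IDP, ACS, SP = "https://idp.example.test", "https://sfdc.example.test/acs", "https://sfdc.example.test"
def _ts(t):  # SAML dateTime values are UTC with a trailing Z
    return t.strftime("%Y-%m-%dT%H:%M:%SZ")

def build_response(issuer, user_id, acs_url, sp_entity_id, now, ttl_minutes=5):
    """Step 2 of the IdP-initiated flow: the (not yet signed) Response carrying one bearer Assertion."""
    expiry = now + timedelta(minutes=ttl_minutes)
    r = ET.Element(f"{{{SAMLP}}}Response", ID="_" + uuid.uuid4().hex, Version="2.0",
                   IssueInstant=_ts(now), Destination=acs_url)
    ET.SubElement(r, f"{{{SAML}}}Issuer").text = issuer
    ET.SubElement(ET.SubElement(r, f"{{{SAMLP}}}Status"), f"{{{SAMLP}}}StatusCode", Value=SUCCESS)
    a = ET.SubElement(r, f"{{{SAML}}}Assertion", ID="_" + uuid.uuid4().hex, Version="2.0", IssueInstant=_ts(now))
    ET.SubElement(a, f"{{{SAML}}}Issuer").text = issuer
    subj = ET.SubElement(a, f"{{{SAML}}}Subject")  # NameID must match the SAML User ID Type chosen at Salesforce
    ET.SubElement(subj, f"{{{SAML}}}NameID", Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified").text = user_id
    sc = ET.SubElement(subj, f"{{{SAML}}}SubjectConfirmation", Method="urn:oasis:names:tc:SAML:2.0:cm:bearer")
    ET.SubElement(sc, f"{{{SAML}}}SubjectConfirmationData", Recipient=acs_url, NotOnOrAfter=_ts(expiry))
    cond = ET.SubElement(a, f"{{{SAML}}}Conditions", NotBefore=_ts(now - timedelta(minutes=1)), NotOnOrAfter=_ts(expiry))
    ET.SubElement(ET.SubElement(cond, f"{{{SAML}}}AudienceRestriction"), f"{{{SAML}}}Audience").text = sp_entity_id
    st = ET.SubElement(a, f"{{{SAML}}}AuthnStatement", AuthnInstant=_ts(now))
    ET.SubElement(ET.SubElement(st, f"{{{SAML}}}AuthnContext"), f"{{{SAML}}}AuthnContextClassRef").text = PASSWORD_CTX
    return ET.tostring(r, encoding="unicode")  # Base64 of this string is the SAMLResponse POST field, once signed

def sp_checks(xml, expected_issuer, acs_url, sp_entity_id, now):
    """Fields an SP such as the Salesforce validator rejects; XML-DSig verification itself needs a real library."""
    r = ET.fromstring(xml)
    a = r.find(f"{{{SAML}}}Assertion")
    scd = a.find(f"{{{SAML}}}Subject/{{{SAML}}}SubjectConfirmation/{{{SAML}}}SubjectConfirmationData")
    cond = a.find(f"{{{SAML}}}Conditions")
    problems = []
    if r.findtext(f"{{{SAML}}}Issuer") != expected_issuer: problems.append("issuer")
    if r.find(f"{{{SAMLP}}}Status/{{{SAMLP}}}StatusCode").get("Value") != SUCCESS: problems.append("status")
    if scd is None or scd.get("Recipient") != acs_url: problems.append("recipient")
    if cond.findtext(f"{{{SAML}}}AudienceRestriction/{{{SAML}}}Audience") != sp_entity_id: problems.append("audience")
    if not cond.get("NotBefore") <= _ts(now) < cond.get("NotOnOrAfter"): problems.append("validity window")
    if a.find(f"{{{SAML}}}AuthnStatement") is None: problems.append("authn statement")
    if r.find(f"{{{DS}}}Signature") is None and a.find(f"{{{DS}}}Signature") is None: problems.append("unsigned")
    return problems
```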