Jason L.ax300

SSO question using an iframe

I've read through the SSO doc provided by Salesforce ( http://blogs.salesforce.com/support/files/self_service_portal_with_sso.doc )

We are planning to use an iframe within our secure application to expose the self-serve portal.  The document shows that you simply pass the self-service users' credentials via a querystring; however, there is no ability to retrieve the users' self-service password through Salesforce.  The only option is to generate a password and send it to the user.

So basically this Word doc makes it look like you don't need to access the API to do this type of integration.  From what I understand, I will actually have to do some type of integration and it's not as simple as this doc suggests.

Has anyone tried the approach in this document?

I don't believe that the white paper makes it look like you don't need the api. If you look at the second page there is a section there called "key functions and objects". You are going to need to use these to create users automatically.

I can't imagine the Salesforce.com API would have anything to get other users' passwords. This would be a large security risk and give admin users complete access to all passwords. Most of the time passwords are stored with one-way encryption (MD5) anyway.

From what I understand, from looking at the white paper and the PHP example instructions, the users will no longer directly log into salesforce.com at all so the password is not needed. They only need to log into your secured portal. You create one "common password" for all existing users and use the "common password" when creating new users. Instead of setting this password manually for your already existing users, you may want to use the api to set them all.

In the instructions for the PHP Toolkit (https://sourceforge.net/project/showfiles.php?group_id=96634&package_id=188531), it says, "Since the Self-Service User will never know his or her password, we recommend that a common Self-Service Password. This should be used in creating and authenticating a Self-Service user." This is why step 1) in the white paper is crucial. The user is no longer being authenticated through salesforce. You're essentially logging in for them.

Now that you have a "common password" you just need to know the user's username to log into Salesforce.com for the user. This could be done by mapping in a database as the white paper suggests in "2)".

So the steps to log into salesforce are: (api use optional)
1) user logs into portal and is authenticated through your portal login
2) at some point (usually in the login script but doesn't have to be) Log user into salesforce
    a) query database on username to get salesforce username
    b) use toolkit or url (https://<instance>.salesforce.com/sserv/login.jsp?orgId=<org_id>&un=<user>&pw=<password>) to log user in using salesforce username and "common password" (you don't necessarily need the api for this; however, it will require server side programming unless you want to expose your "common password").

Creating a user:
1) If you want this to be automatic you will need to use the api; otherwise, do it manually.

It is not completely straightforward and simple. It may be if you're a developer that has done it before.

Message Edited by bjohnson on 02-13-2008 01:50 PM

Just a little more on the example...

In the example, the user logs into the website, they authenticate and log in to salesforce for them using the URL https://<instance>.salesforce.com/sserv/login.jsp?orgId=<org_id>&un=<user>&pw=<password> using the PHP utility fopen. The fopen utility will open a web page for reading, i.e. make an http request and capture the response. They parse the response for the url, which contains the session information for salesforce. They then store the URL as a $_SESSION variable (just a global variable storing the user's session info for that particular session that can be obtained across the web application).

Now that they have the session url they use it like this:

// they check for login

  <IFRAME src="<?php echo htmlspecialchars($SSU_URL, ENT_QUOTES); ?>" width="600" height="600"></IFRAME>

Once you have the url you can use the IFrame or redirect to it if you want.

Message Edited by bjohnson on 02-15-2008 01:15 PM
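
The server-side flow described in the two replies above, as an added example (not code from the thread, the white paper or the PHP toolkit). It keeps the "common password" on the server and checks the returned URL before it is embedded. The function names, the user map, the placeholder instance and org id, and the format of the login response are assumptions made for illustration; the HTTP fetch is injected so the block runs offline.

```php
<?php
// Added example; not from the thread, the white paper or the PHP toolkit.
// The user map, response body and all literal values are constructed.
const SF_INSTANCE = 'instance-placeholder';   // stands in for <instance>
const SF_ORG_ID   = 'org-id-placeholder';     // stands in for <org_id>

// Step 2b: build the login URL on the server; http_build_query() URL-encodes
// the values, and the result is never written into a page sent to the browser.
function build_login_url(string $sfUser, string $commonPw): string
{
    $query = http_build_query(['orgId' => SF_ORG_ID, 'un' => $sfUser, 'pw' => $commonPw]);
    return 'https://' . SF_INSTANCE . '.salesforce.com/sserv/login.jsp?' . $query;
}

// Take the first absolute URL from the login response (format assumed) and keep
// it only if it is HTTPS on a salesforce.com host and has no "pw" parameter.
function extract_session_url(string $body): ?string
{
    if (!preg_match('~https://[^\s"\'<>]+~i', $body, $m)) {
        return null;
    }
    $url = html_entity_decode($m[0], ENT_QUOTES);
    $host = strtolower((string) parse_url($url, PHP_URL_HOST));
    parse_str((string) parse_url($url, PHP_URL_QUERY), $params);
    $trusted = preg_match('~(^|\.)salesforce\.com$~', $host) === 1;
    return ($trusted && !isset($params['pw'])) ? $url : null;
}

// Steps 2a + 2b; $fetch performs the HTTP request (fopen() in the example the
// thread describes) and is injected here so the block runs offline.
function salesforce_session_url(string $portalUser, array $userMap, string $commonPw, callable $fetch): ?string
{
    if (!isset($userMap[$portalUser])) {
        return null;                       // no mapped Self-Service user
    }
    return extract_session_url($fetch(build_login_url($userMap[$portalUser], $commonPw)));
}

// Constructed stand-ins for the database lookup and the HTTP response.
$userMap = ['alice' => 'alice@customer.example'];
$fakeFetch = fn(string $url): string =>
    '<a href="https://instance-placeholder.salesforce.com/constructed/path?sid=CONSTRUCTED">x</a>';

$ssuUrl = salesforce_session_url('alice', $userMap, 'constructed-common-pw', $fakeFetch);
if ($ssuUrl !== null) {
    // Only the validated session URL, HTML-escaped, reaches the client.
    echo '<iframe src="' . htmlspecialchars($ssuUrl, ENT_QUOTES) . '" width="600" height="600"></iframe>', "\n";
}
```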

I have a problem trying to log in to SF with IE.

In some IE, SF appears in the top frame, escaping from the iframe, and asks me to enter the correct login.

I'm always aiming to https://www.salesforce.com/login.jsp?org_id=pimapmpum&pw=<% =spw %>&un=<% =slogin %>.

As I say, usually it works and I can work with SF inside an IFRAME. I solved the problem by allowing third-party cookie handling, but I would prefer to use a better solution... by software if it's possible.

Any idea?