nishant

SAML SSO startURL and logoutURL not working

Hello,

I've developed an application to implement SSO using SAML assertion. Earlier I used to post the startURL and logoutURL along with the SAML assertion to the Salesforce login page, and after validation of the assertion I was redirected to the start page I had posted. Also, when I logged out I was redirected to the logout URL I had posted while logging in. But it has stopped working for me now. Now even though I post these URLs I'm still redirected to the Salesforce default start page and logout page. This feature is working for SSO using delegated authentication. Can someone please clarify if there have been changes with respect to support for these features for SAML assertion based SSO?

Thanks
Nishant


mettis_software

Has anyone found a solution to this?  I am having the same problem. According to this document:

 

   https://na6.salesforce.com/help/doc/en/sso_saml.htm#customizing_saml_start_logout

 

logoutURL, ssoStartPage, startURL are supported by SAML.

 

Thanks
<david />

dkraun

Any update on this?  I am using federated authentication with SAML 2.0, and I am confused about the lack of the startURL attribute.  According to the docs, SAML 1.1 supports startURL, but in 2.0 the landing page is "the page the user attempted to access before they were authenticated."  Unfortunately, in the federated model where we just send a SAML assertion without having received a request from Salesforce, there is no "page the user attempted to access."

 

It seems like I am missing something at a fundamental level (or maybe Salesforce is). How would I go about sending a SAML 2.0 assertion that says "take me to /apex/MyPage"?

 

Thanks.

 

David

Martin_Deloitte

Hi,

 

I'm using OpenSSO with Salesforce.com and it is working fine for now.

But recently we had the request to be able to redirect users to a specific landing page when they were connecting to Salesforce using OpenSSO, and to another page when connecting from the usual login page (login.salesforce.com).

 

I would like to use StartUrl parameter that I would add to the SAML assertion but do not know how to do it.

 

Does anyone have a good howto or trick for that?

 

Thanks a lot already,

Martin.

guitarmanvt

I was able to configure SAML 2.0 properly. However, at some point, my installation lost the ability to edit the Login URL and Logout URL. I seem to recall some magic javascripty thing that showed those fields when I selected "2.0" from the version dropdown. But now it's not doing that. So, I'm stuck with the URLs I entered.

 

The documentation says that you can edit these URLs, IIUC. (I'm NOT talking about passing them in the assertion.) But I can't find these fields anywhere. They should be under Settings > Security > Single Sign On > Edit, but they're gone now.

 

It looks like others are having this same difficulty, too.

guitarmanvt

OK, so I think I've found the problem. (And it looks like a bug. I'll try to figure out how to report it after I post this.)

 

That dropdown does indeed have this javascript onchange event:

    if (document.getElementById('saml_un_location0').checked && document.getElementById('saml_version').options[2].selected) {
        document.getElementById('saml2_settings_attributes_edit').style.display = 'block';
        document.getElementById('saml_settings_attributes_edit').style.display = 'none';
    } else if (document.getElementById('saml_un_location0').checked && document.getElementById('saml_version').options[1].selected) {
        document.getElementById('saml2_settings_attributes_edit').style.display = 'none';
        document.getElementById('saml_settings_attributes_edit').style.display = 'block';
    }
    if (document.getElementById('saml_version').options[2].selected)
        document.getElementById('saml_settings_login_edit').style.display = 'inline';
    else
        document.getElementById('saml_settings_login_edit').style.display = 'none';

Unfortunately, in my dev account at least, the "saml_settings_login_edit" element is missing. But this proves that the dropdown should be showing more input boxes for version "2.0".

 

Until this bug gets fixed, you may not be able to configure SAML 2.0 properly.
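
What the handler quoted in the post above does when the saml_settings_login_edit element is absent, as an added example (not code from the original post or from Salesforce). The DOM stub and the makeDocument, onVersionChange and simulate names are constructed for illustration, and treating option index 2 as "2.0" is an assumption based on the post.

```javascript
// Constructed stand-in for the settings page DOM (hypothetical harness).
function makeDocument(ids) {
  const elements = {};
  for (const id of ids) {
    elements[id] = { checked: true, style: { display: 'none' }, options: [] };
  }
  // Like the real DOM API, return null for an id that is not on the page.
  return { getElementById: (id) => elements[id] || null, elements };
}

// Same logic as the quoted onchange handler, with the lookups factored out.
function onVersionChange(document) {
  const el = (id) => document.getElementById(id);
  const version = el('saml_version').options;
  const inAttribute = el('saml_un_location0').checked;
  if (inAttribute && version[2].selected) {
    el('saml2_settings_attributes_edit').style.display = 'block';
    el('saml_settings_attributes_edit').style.display = 'none';
  } else if (inAttribute && version[1].selected) {
    el('saml2_settings_attributes_edit').style.display = 'none';
    el('saml_settings_attributes_edit').style.display = 'block';
  }
  // Throws TypeError when the element is absent: null has no .style.
  el('saml_settings_login_edit').style.display = version[2].selected ? 'inline' : 'none';
}

function simulate(withLoginElement) {
  const ids = ['saml_un_location0', 'saml_version',
               'saml2_settings_attributes_edit', 'saml_settings_attributes_edit'];
  if (withLoginElement) ids.push('saml_settings_login_edit');
  const doc = makeDocument(ids);
  // Assumption: option index 2 is the "2.0" entry, and it is selected.
  doc.elements['saml_version'].options = [{}, { selected: false }, { selected: true }];
  let error = null;
  try { onVersionChange(doc); } catch (e) { error = e; }
  const login = doc.elements['saml_settings_login_edit'];
  return {
    error: error ? error.name : null,
    saml2Attributes: doc.elements['saml2_settings_attributes_edit'].style.display,
    loginFields: login ? login.style.display : 'missing',
  };
}

console.log(simulate(false)); // element missing, as described for the dev account
console.log(simulate(true));  // element present
```

With the element missing, the attribute section still toggles, but the handler then stops on a TypeError and the login and logout URL fields never appear. That error is visible in the browser's developer console.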