venkatacc

SSO Implementation for portal user

Hi, I'm very new to SSO implementation. Can anyone help me in finding a solution for the questions listed below?

1) Can I support multiple federated IDPs for customer portal users? If yes, then what certificates are required in the SAML-enabled window on Salesforce?
   i. It seems that the answer is yes, but no one is confirming this, especially the question around the certificates to be uploaded in the SAML configuration window in Salesforce.

2) Can I support SAML and non-SAML (non-SSO) enabled users together for my customer portal? It seems the answer is yes, with the assumption that if a user does not have the Federation ID text box filled in then he is a normal user, else he is an SSO user with that federated ID. But we haven't read any documentation on this.

3) Are there any tools in the market which do automatic user provisioning for SSO SAML users? (I.e. I get a valid SAML assertion from an IDP but the user is a new user, i.e. not configured in Salesforce yet. Can I set up something which will automatically create that portal user in Salesforce?)

4) When an SSO user is marked Inactive, how do I stop the user from logging into the portal?
   i. Again this seems an obvious thing, but we need confirmation for a SAML request (especially IDP-initiated).
chuckmortimore

1) Currently we only support a single federation configuration per Salesforce org.

2) Yes - SAML is optional (although there are ways to force everyone to use SAML if you want).

3) Ping Identity currently supports this. In the Summer 11 Release we'll be supporting provisioning platform/crm/chatter users directly over SAML. Provisioning of Portal users over SAML is tentatively planned for the Winter release.

4) Marking a user as inactive will prevent them from logging in. Obviously you might want to inactivate them at your IDP as well to prevent them seeing an error message on the Salesforce side.

techy2day

Hi Chuck,

Could you help me with a couple of my queries below on the same SSO for Customer Portal lines?

1. In our customer portal, we have used a custom VF page as our logged-in home page, i.e. as soon as a user logs into our portal (from our portal Site home), we land him on a custom VF page with a redirection from the SiteLoginController class.

Now, with our SSO setup for the same customer portal, how do we land the user on the same custom VF page? With our implementation (configuration) until now we go to the default home provided by Salesforce, i.e. https://cs9.salesforce.com/home/home.jsp.

I checked using the RelayState parameter but it did not work for me. I used the RelayState parameter like below:

https://localhost:9031/idp/startSSO.ping?PartnerSpId=localhost:TEST:EntityId&RelayState=https%3A%2F%2Fmycustomerportal.research.cs9.force.com%2Fmysite%2Fmypage

(My customer portal landing page is https://mycustomerportal.research.cs9.force.com/mysite/mypage. I have changed the names as per the security guidelines of the project.)

2) Secondly, how do I implement LOGOUT?

I added a SAML attribute for logout named logoutURL with a value. But it does not pick up that value.

Basically, our requirement is: can we implement our configuration in a way that we redirect the user to wherever the IDP partner wants to redirect to on clicking logout?

Any inputs from you would be very helpful.

Thanks a lot,

--Shiva
chuckmortimore

Check out the section called "Enabling Single Sign-On for Sites" in Help and Training. You basically need to include 3 attributes in an Attribute Statement:

  • organization_id
  • portal_id
  • siteurl

https://help.salesforce.com/apex/HTViewHelpDoc?id=sso_sites.htm&language=en

On logout, the URL parameter should work. Try and get SSO into your Site working first using the instructions above, and then if logout doesn't start working post back here.
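The following is an added example, not code from Salesforce or from anyone in this thread. It shows, on the service-provider side, what the three-attribute Attribute Statement Chuck describes looks like in SAML 2.0 XML, how to pull those attributes back out of an incoming assertion and check that all three are present, and, for the RelayState question raised above, how to accept a post-login redirect target only when it stays on the site's own https origin (an unchecked RelayState is a classic open-redirect sink). The organization and portal IDs and the assertion ID are constructed placeholders, the attribute names are the ones named in the thread, and the code assumes the assertion's XML signature and audience have already been verified by the SAML library before these checks run.

```python
"""Build, parse and sanity-check the Attribute Statement used for Salesforce
Sites SSO (organization_id, portal_id, siteurl), plus a RelayState guard.

Added example, not Salesforce's or the forum posters' code. Sample IDs and
the assertion ID below are constructed placeholders. Signature and audience
validation are assumed to have happened upstream and are not shown here.
"""
from typing import Dict, List, Optional
from urllib.parse import urlsplit
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
SAML = "{%s}" % NS["saml"]
ET.register_namespace("saml", NS["saml"])

# Attribute names required by Salesforce Sites SSO, as named in the thread.
REQUIRED_ATTRS = ("organization_id", "portal_id", "siteurl")

# Constructed sample values; the IDs are placeholders, not real Salesforce IDs.
SAMPLE_ATTRS = {
    "organization_id": "00DPLACEHOLDER0001",
    "portal_id": "060PLACEHOLDER0001",
    "siteurl": "https://mycustomerportal.research.cs9.force.com/mysite",
}


def build_attribute_statement(attrs: Dict[str, str]) -> ET.Element:
    """Return a <saml:AttributeStatement> with one <saml:Attribute> per key."""
    stmt = ET.Element(SAML + "AttributeStatement")
    for name, value in attrs.items():
        attr = ET.SubElement(stmt, SAML + "Attribute", {"Name": name})
        ET.SubElement(attr, SAML + "AttributeValue").text = value
    return stmt


def build_sample_assertion(attrs: Dict[str, str]) -> str:
    """Wrap the statement in a minimal <saml:Assertion> and serialise it (demo only)."""
    assertion = ET.Element(SAML + "Assertion", {"Version": "2.0", "ID": "_constructed-demo-id"})
    assertion.append(build_attribute_statement(attrs))
    return ET.tostring(assertion, encoding="unicode")


SAMPLE_ASSERTION = build_sample_assertion(SAMPLE_ATTRS)


def extract_attributes(assertion_xml: str) -> Dict[str, str]:
    """Parse an assertion and return {attribute name: first value} for every attribute."""
    root = ET.fromstring(assertion_xml)
    found: Dict[str, str] = {}
    for attr in root.iter(SAML + "Attribute"):
        name = attr.get("Name")
        value_el = attr.find("saml:AttributeValue", NS)
        if name and value_el is not None and name not in found:
            found[name] = (value_el.text or "").strip()
    return found


def check_site_attributes(attrs: Dict[str, str]) -> List[str]:
    """Return a list of problems; an empty list means the assertion carries what Sites SSO needs."""
    problems = [f"missing attribute: {n}" for n in REQUIRED_ATTRS if not attrs.get(n)]
    site = attrs.get("siteurl", "")
    parts = urlsplit(site)
    if site and (parts.scheme != "https" or not parts.netloc):
        problems.append("siteurl must be an absolute https URL")
    return problems


def safe_relay_target(relay_state: str, siteurl: str) -> Optional[str]:
    """Accept RelayState only when it is an https URL on the site's own host; otherwise None.

    Scheme-relative ("//host/...") and foreign-host values are rejected so the
    login flow cannot be turned into an open redirect.
    """
    site = urlsplit(siteurl)
    target = urlsplit(relay_state)
    if target.scheme != "https" or target.netloc.lower() != site.netloc.lower():
        return None
    return relay_state


if __name__ == "__main__":
    parsed = extract_attributes(SAMPLE_ASSERTION)
    print(parsed, check_site_attributes(parsed))
    print(safe_relay_target(SAMPLE_ATTRS["siteurl"] + "/mypage", SAMPLE_ATTRS["siteurl"]))
```

`safe_relay_target` is deliberately strict about the host; if the portal legitimately spans several hosts, extend the comparison to an explicit allow-list rather than loosening it to a suffix match.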

techy2day

Wow... fantastic. The information helped me a lot, Chuck, and I was able to get both login and logout working for my customer portal.

Thanks a lot for your invaluable help.

--Shiva.

Shah_Darshan

Hello,

Could you please help me here?

My Salesforce one-org-to-another-org SSO is working. I have done these things using the Salesforce GUI (I mean I didn't write any code).

I need to do SSO with the Partner Portal. Could you please tell me where to set orgId and portalId? I am totally stuck here.

chuckmortimore

Are you trying to use the Salesforce SAML IDP to go from a Salesforce Org into a Partner Portal? If so, that doesn't work today. You'll want to look at Social Sign-On using the Salesforce Auth Provider for that use-case.

Shah_Darshan

Hello Chuck,

This was only for testing.

What we exactly need is:

We have a scenario where we want to log in to an Identity Provider (any third-party web application which is not Salesforce). There would be a link, and on clicking it the user should be navigated to the Service Provider (this is the Partner Portal in SFDC) without logging in (using SSO).

Now, once we are in the partner portal, there would be some links that in turn should navigate to a web page (not Salesforce) without logging in again (using SSO).

What should our approach be? How can we achieve this? We have to demo this scenario to our client.

- Darshan

chuckmortimore

There are two basic approaches you could take to this:

1) Protect both the Salesforce Partner Portal and the third-party application with the same single sign-on framework. Each gets its identity from your IDP.

2) Protect the Salesforce Partner Portal with your IDP, and have Salesforce act as an IDP to the third-party application.

The right approach would depend on a variety of criteria such as usage patterns, what IDP you have, how quickly you can deploy SAML connections in your environment vs. Salesforce, etc.

Shah_Darshan

Thank you Chuck.

I'll try to do that.

Is it possible to go from a third-party application directly to the Salesforce Partner Portal using SSO?

Any suggestion?

chuckmortimore

It's possible using Single Sign-On, assuming the third party has the ability to generate the SSO message and that's allowed by the org.

Kalyani.S

Hey Chuck,

We are facing the same problem as Darshan described.

As you said, it is possible to go to the partner portal from a 3rd-party app using SSO.

Firstly I am trying to do SSO from one Salesforce instance to another Salesforce instance (it is working correctly).

Now I need to go to a portal user from another Salesforce instance using SSO.

I checked on Google; I need to set the Portal ID and Org ID in the SAML assertion. I am not getting where to set this value (actually I didn't get where to find the SAML assertion).

Could you please help me, Chuck?

Regards,

Kalyani

chuckmortimore

You can't currently do this. It will likely be supported in our Winter release, but that's not yet committed.

You may want to look at Auth Providers, which can do this today.

http://wiki.developerforce.com/page/Webinar:Social_Sign-On_with_Authentication_Providers_(2012-Apr)

See the example from FinancialForce on how they do this, about two-thirds of the way through.