+ Start a Discussion
chadlikestorockchadlikestorock 

iPad Application SSO Approach to Salesforce APIs

Our client is looking to roll out 1100 iPad devices that will communicate with both internal web services and salesforce.com web services outside the corporate firewall with these additional specifications:

1. The salesforce service must be able to identify the end user to achieve data security requirements
2. It is desired to only require the user to enter/manage one set of credentials (EnterpriseWindows Active Directory)
3. It is desired to not require the user to go through the activation email process to confirm their identity
4. Current security requirements dictate that access to salesforce be restricted from any unknown/outside IP.

Delivering all of these requirements does not seem plausible given my understanding of the Salesforce API constraints. Any other folks out there have similar authentication challenges for enterprise customers?

BrendanOCBrendanOC

If the iPad devices will only be connected to trusted corporate networks, its quite simple.  If the iPads need to connect to Salesforce outside of a trusted corporate network, that's a different story.

 

Meeting items 1 and 2 are definitely achievable through the use of SAML or Delegate Authentication.  For simplicity and supportability, SAML is fantastic.

 

For 3 and 4, it depends heavily on the use case.  If users will be required to only access Salesforce from the corporate network or VPN, you can solve 3 and 4 with IP Range Restrictions.  This will only allow login to Salesforce.com through the specified IP Range Whitelist.  If a user is connecting from a Whitelisted IP address, the system will not prompt for Identity Confirmation.

 

If users need to access Salesforce from anywhere (customer's location, airport, coffee shop, etc.) and *NOT* be required to VPN, number 4 isn't feasible for obvious reasons.

 

Hope that helps!

 

chadlikestorockchadlikestorock

Thanks for your reply!

 

It is my understanding the salesforce web services API does not currently support SAML (UI only) although they are working on it.  Is that correct?

BrendanOCBrendanOC

You are correct that API Login does not support SSO/SAML, but there may be ways around it.  If the goal is to use an application like Chatter for iPad, you can get around that with OAuth.   If you aren't using a pure API client, you can get around API Login through the UI.  Logging in via the browser will grant the user a Session Id.  That Session Id can be used to make API calls to the Web Services API.  A lot of AJAX code works this way.  It uses the browser's Session Id to craft a POST request to the API in the background.

 


Can you give some additional details around your use case?

 

Hope that helps!

MeetaGulatiMeetaGulati

Please pardon if my question is amatuerish ... I know Salesforce but am new to Xcode development.... I have a  use-case where we created an Ipad app that authenticates with OAuth.... I need to have it working with SSO when we enable it ... So the question is what should I need to build in the App so if I give the Entity Id for SSO ... it would authorize with Single Sigh on ....

 

Should it work if I change the SFDCOAuthLoginHost


BrendanOC wrote:

You are correct that API Login does not support SSO/SAML, but there may be ways around it.  If the goal is to use an application like Chatter for iPad, you can get around that with OAuth.   If you aren't using a pure API client, you can get around API Login through the UI.  Logging in via the browser will grant the user a Session Id.  That Session Id can be used to make API calls to the Web Services API.  A lot of AJAX code works this way.  It uses the browser's Session Id to craft a POST request to the API in the background.

 


Can you give some additional details around your use case?

 

Hope that helps!



to the entity ID in my Ipad App ?