certi_vimal

SSO Implementation from App A to Salesforce and Salesforce to App B

Hi,


We are looking for a SAML SSO solution for allowing User to login to Salesforce from web portal and from Salesforce to login to another web application.


Steps involved:


1. User logs into corporate web portal by providing his/her corporate credentials.

2. By clicking on a link provided on website, user must be able to login to Salesforce.com.

3. When the user clicks on a custom link provided on Salesforce, the user must be able to log in to another web application.


Design proposal:


For step #2, assume Federated Authentication (SAML) is implemented by providing the federated ID and a token (generated by one of the applications within our environment) in the SAML assertion. While Salesforce uses the federated ID for user authentication into Salesforce, the token is retrieved from the SAML assertion and passed to the client's authentication services for authenticating the user into the 3rd application.


Questions:


1. Can we include a token (generated by one of the applications within our environment) along with the federated ID in the SAML assertion? If yes, can we retrieve this token from the assertion and store it in Salesforce for use when logging in to another application?

2. Can Salesforce act as a service provider (SP) and also as an Identity Provider (IdP)?


Please advise.

 


Thanks,


Vimal

jonglee

Let me try to answer step by step what I see would happen

 

1. User logs into corporate web portal by providing his/her corporate credentials.

2. By clicking on a link provided on website, user must be able to login to Salesforce.com.

 

[jlee]: this basically does what we call IdP-initiated Single Sign-On, where the 3rd-party website generates a SAML assertion which contains a mapping to an SFDC user and SSOs onto the SFDC site. Here SFDC serves as a service provider.

 

3. When the user clicks on a custom link provided on Salesforce, the user must be able to log in to another web application.

[jlee]: this sounds like another IdP-initiated SSO from SFDC onto another website; we are asking SFDC to generate another SAML assertion and post it to another 3rd-party website. However, the tricky part is that the only user credential we can put in is the SFDC username or federation ID.

 

At this point, we don't support getting a custom token from a SAML attribute and passing it on in another SAML assertion for the callout.

 

Since your use case is a bit specific, I would suggest you talk to Chuck, our product manager who handles identity management.

 

thanks

Jong

 

 

chuckmortimore

1) This isn't supported. If you want to get an assertion from the original IDP, I'd direct the user back to the IDP to get the token in real time.

 

2) Yes - a salesforce org can be both an SP and an IDP. This is probably the easiest way to meet your use case.

certi_vimal

Thanks Jong, Chuck

 

So, could you please advise how we should work around the issue of calling out to an external application from Salesforce? Chuck, you mentioned Salesforce can act as an IdP too, so could you please throw more light on how we can handle this scenario (of calling an external app from Salesforce)?

 

 

Thanks,

 

Vimal

chuckmortimore

There's an IDP built into each salesforce org. If you configure the 'My Domain' feature ( Setup > Company Information > My Domain ) you'll then have a new page called "Identity Provider" under ( Setup > Security > Identity Provider ). Click the button, and with that one click we'll set up and configure a SAML IDP for you. You then can configure the IDP to talk to other websites using SAML.

 

Check the docs for more information. The help link on the Identity Provider page will help.

shruthi Kukunda
Hey Vimal, were you able to find a solution for your scenario? I have to do a similar implementation.