Marcel dos Santos

Log into Salesforce Communities from External Application

I have a web application where users log in using their login and password.
I'm creating a Salesforce Community for those users, for them to ask questions, read articles, start discussions, etc.

I have a scheduled process now that synchronizes the users I have in my application to Salesforce. I'm extending that process to create contacts and community users, so my users won't have to manually register into the community.

In the next step, I'm going to add a link to my application where the users can click and be logged into the community, in a new window. As the users are already logged into my application, I don't want them to provide their login again to communities. How can I achieve that?

I read a lot of Salesforce documentation on logging in using SAML and OAuth and couldn't find anything that suits my needs. OAuth is all about authenticating the user and giving me an access token, so my application can perform actions in the community on behalf of my user. I don't want that. I only want to log the user in.

A solution could be to use SAML for single sign-on, but then I would need to manage my users in an SSO provider and I don't want to do that. Is there any way to log my user into the community using only their email or Salesforce Id, without requiring them to provide credentials? Can I provide some secret or key from my application and log in any user I want?

I found something close to that with OAuth 2.0 JWT Bearer Token Flow, but even then I would need a user first authentication to get an authorization token.

Thank you
Best Answer chosen by Marcel dos Santos
Pat Patterson
You can, in fact, pre-authorize users for JWT Bearer Token flow via connected app configuration, but you'll hit a dead end, since you can't use the resulting token for the 'front door' URL (frontdoor.jsp is not supported for communities (https://help.salesforce.com/apex/HTViewSolution?id=000193348&language=en_US)).

So, you will need to implement SSO via either SAML or OpenID Connect (http://openid.net/connect/) (see also this article (https://developer.salesforce.com/page/Inside_OpenID_Connect_on_Force.com)). The latter is probably more straightforward if you're wanting to build something yourself or use an open source library (http://openid.net/developers/libraries/#connect). Once you have enabled your web application as an OpenID Connect identity provider (effectively the equivalent of Google), you would configure an Authentication Provider (https://help.salesforce.com/HTViewHelpDoc?id=sso_provider_openid_connect.htm&language=en_US) in your community with the OpenID Connect URLs.

An alternative would be to flip the whole system around and have users login to the Salesforce Community, making it the OpenID Connect provider and your web application the OpenID Connect consumer.

All Answers

Marcel dos Santos
Thank you for your help Pat.

In case anyone has the same problem, the solution I adopted was to set my application as the Identity Provider.
I've created an SSO configuration in Salesforce with login and logout URLs pointing to my application and provided a SAML response to Salesforce with the user identity. The response is signed and the public key is entered in the SSO configuration.

 
nick zhang
@marcel, I have the same scenario as yours. We also want to set our business application as the Identity Provider and can log users into salesforce community if they have logged into the application using their username and password.

I went through the related technical documents but still not clear how to implement this.
Could you give some detailed descriptions on how to send the SAML response to Salesforce? Define a text field with the content of the SAML in a form, or some other way? I also have no idea how to generate the content of the XML, by hand or using some utilities. How do you sign the response, and the public key you used is the one generated in Salesforce, right?

Thanks in advance.
 
nick zhang
@Pat, I'm also thinking about using OpenID method. Could you please give some detailed instructions on this?
I have the same scenario as Marcel's. I'm not clear how to enable our web application as an OpenID Connect identity provider.

Thanks.
Marcel dos Santos
Hey Nick.

I actually didn't use any framework to generate the SAML response to Salesforce. What I did was get the description from SAML 2.0 from Wikipedia and edit it with my company information.
Once you generate the XML, you can validate it in Salesforce on Security Controls > Single Sign-On Settings > SAML Assertion Validator.
I didn't use OpenID and used Java XML encryption to sign the XML assertion: https://docs.oracle.com/javase/7/docs/technotes/guides/security/xmldsig/XMLDigitalSignature.html.

Here is an example of a SAML Assertion I used to log into a community:
<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_c4a8d4ac-d662-4a74-ae14-b017dec4658b" IssueInstant="2015-11-13T18:59:09.921Z" Version="2.0">
    <saml:Issuer>http://www.mycompany.com</saml:Issuer>
    <samlp:Status>
        <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
    </samlp:Status>
    <saml:Assertion ID="_506d56ef-2d93-4ac2-8567-4c3851504173" IssueInstant="2015-11-13T18:59:09.945Z" Version="2.0">
        <saml:Issuer>http://www.mycompany.com</saml:Issuer>
        <saml:Subject>
            <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">user@email.com</saml:NameID>
            <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
                <saml:SubjectConfirmationData NotOnOrAfter="2015-11-13T19:09:09.946Z" Recipient="https://sandbox-instance.force.com/community/login?so=00B18110000ADo6"/>
            </saml:SubjectConfirmation>
        </saml:Subject>
        <saml:Conditions NotBefore="2015-11-13T18:58:09.946Z" NotOnOrAfter="2015-11-13T19:09:09.946Z">
            <saml:AudienceRestriction>
                <saml:Audience>https://saml.salesforce.com</saml:Audience>
            </saml:AudienceRestriction>
        </saml:Conditions>
        <saml:AuthnStatement AuthnInstant="2015-11-13T18:59:09.946Z" SessionIndex="_6d411898-6cb2-4cbb-b4ed-13e29628c137">
            <saml:AuthnContext>
                <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified</saml:AuthnContextClassRef>
            </saml:AuthnContext>
        </saml:AuthnStatement>
    </saml:Assertion>
    <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
    <ds:SignedInfo>
        <ds:CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/>
        <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
        <ds:Reference Id="_c4a8d4ac-d662-4a74-ae14-b017dec4658b" URI="">
            <ds:Transforms>
                <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
            </ds:Transforms>
            <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
            <ds:DigestValue>eJ2TFy9Y66slg+3sgege2Kkst1wc=</ds:DigestValue>
        </ds:Reference>
    </ds:SignedInfo>
    <ds:SignatureValue>FJeR+XMXlynFoRx2tdjhfhehm6QglMD1AOadQF9R3smCoSrTwTDTiizj+7NDOWt7k/st3d8LeH1as
    89MGM/EB+qFqUYt5lnbHtj87wrrOpl4KmSXD4A6JFIqkSne4MuRNVwn+9jlsn3Vws0KtI2rS/X+T
    6GvXdKepcJDM1i4YuTE=</ds:SignatureValue>
    <ds:KeyInfo>
        <ds:X509Data>
            <ds:X509Certificate>MIIDmTCCAwKgAwIBAgIJAOxJVCFThXIGMA0GCSqGSIb3DQEBBQUAMIGQMQswCQYDVQQGEwJVUzET
            MBEGA1UECBMKQ2FsaWZvcm5pYTEWMBQGA1UEBxMNU2FuIEZyYW5jaXNjbzEZMBcGA1UEChMQVGhv
            dXNhbmRFeWVzIEluYzERMA8GA1UEAxMIRnJvbnRlbmQxJjAkBgkqhkiG9w0BCQEWF21hcmNlbEB0
            aG91c2FuZGVfm5ZXMuY29tMB4XDTE1MDczMDE4NTfdfwwTE2MDcyOTE4NTUxN1owgZAxCzAJBgNV
            BAYTAlVTMRMwEQYDVQQIEwpDYWxpZm9ybmlhMRYwFAYDVQQHEw1TYW4gRnJhbmNpc2NvMRkwFwYD
            VQQKExBUaG91c2FuZEV5ZXMgSW5jMREwDwYDVQQDEwhGcm9udGVuZDEmMCQGCSqGSIb3DQEJARYX
            bWFyY2VsQHRob3VzYW5kZXllcy5jb20wgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBANK6h/f9
            bbYsb0NsFcy3N2jaAezvcXMhRX29U2pH9tpuhIE1aEeZTTZPjbPrkVimhE1az2yBy7zhcNe+KrpC
            yvfZyLsuE4abfpMGtKvBsXnsHu2323+Im7iEY/y0mCwA8huiJhySDMHzY/gvkUmmET05S1LdVjTE
            uLz/zbw3g2SLAgMBAAGjgfgwgfUwHQYDVR0OBBYEFGNorH93c01uN65RufdR5ml7icBkMIHFBgNV
            HSMEgb0wgbqAFGNorH93c01uN65RufdR5ml7icBkoYGWpIGTMIGQMQswCQYDVQQGEwJVUzETMBEG
            A1UECBMKQ2FsaWZvcm5pYTEWMBQGA1UEBxMNU2FuIEZyYW5jaXNjbzEZMBcGA1UEChMQVGhvdXNh
            bmRFeWVzIEluYzERMA8GA1UEAxMIRnJvbnRlbmQxJjAkBgkqhkiG9w0BCQEWF21hcmNlbEB0aG91
            c2FuZGV5ZXMuY29tggkA7ElUIVOFcgYwDAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQUFAAOBgQA/
            5VVyUclSlUm8tu2cqoWFCkhPdsr8hDc4r69vrlJ/SPYesOJUZRiWI9pf+73BnRaE2PcC4BcrXs/b
            ZwuilqZBFSlGvCXFZcr2afFz+KZ4gspSrFt8lxCxvsLk3MjWyCGin4S4yB4BGw7wrB1x2sdkRaeq
            tpIOAxKsTYtbps2OTg==</ds:X509Certificate>
        </ds:X509Data>
    </ds:KeyInfo>
</ds:Signature>
</samlp:Response>

If you need to test your SAML Assertions or view other examples, this site has very useful tools:
https://www.onelogin.com
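The steps Marcel describes above (build the Response XML, sign it with the JDK's XML Digital Signature API, hand it to the community login URL) as one added, runnable example. This is not Marcel's code and not a Salesforce library: it uses only what ships with the JDK (javax.xml.crypto.dsig), and everything named below is a placeholder that you replace with your own values. Assumptions: the IdP signing key pair lives in a keystore file idp.jks under alias "idp" with password "changeit"; ISSUER is the entity ID you entered in Salesforce's SSO settings; RECIPIENT is the community Login URL (the same URL Marcel used as Recipient, with your own org ID); the user's email is taken from the command line purely for the demo. Two deliberate differences from Marcel's sample: it signs with RSA-SHA256/SHA-256 instead of RSA-SHA1/SHA-1, and it places the Signature between Issuer and Status, where the SAML 2.0 schema puts it, rather than after the Assertion.

```java
import java.io.*;
import java.nio.charset.StandardCharsets;
import java.security.*;
import java.security.cert.X509Certificate;
import java.time.Instant;
import java.util.*;
import javax.xml.crypto.dsig.*;
import javax.xml.crypto.dsig.dom.DOMSignContext;
import javax.xml.crypto.dsig.keyinfo.*;
import javax.xml.crypto.dsig.spec.*;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.transform.TransformerFactory;
import javax.xml.transform.dom.DOMSource;
import javax.xml.transform.stream.StreamResult;
import org.w3c.dom.*;

/** Added example (not Marcel's code): build, sign and POST a SAML 2.0 Response for a Salesforce community. */
public class SamlResponseSigner {
    static final String SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol";
    static final String SAML = "urn:oasis:names:tc:SAML:2.0:assertion";
    static final String RSA_SHA256 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256";
    static final String ISSUER = "https://idp.example.com";   // assumed: the Issuer from your SSO settings
    static final String RECIPIENT = "https://community.example.com/login?so=00D000000000000"; // assumed Login URL
    static final String AUDIENCE = "https://saml.salesforce.com";

    /** Creates a namespaced child element with attribute name/value pairs and appends it to parent. */
    static Element el(Node parent, String ns, String qname, String... attrs) {
        Document d = parent instanceof Document ? (Document) parent : parent.getOwnerDocument();
        Element e = d.createElementNS(ns, qname);
        for (int i = 0; i < attrs.length; i += 2) e.setAttribute(attrs[i], attrs[i + 1]);
        parent.appendChild(e);
        return e;
    }

    /** Unsigned Response with a bearer assertion for the user's email and a short validity window. */
    static Document buildResponse(String email) throws Exception {
        Instant now = Instant.now();
        String notBefore = now.minusSeconds(60).toString(); // tolerate clock skew between IdP and Salesforce
        String notAfter = now.plusSeconds(120).toString();  // short window limits replay of a captured Response
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setNamespaceAware(true);
        Document doc = dbf.newDocumentBuilder().newDocument();
        Element resp = el(doc, SAMLP, "samlp:Response", "ID", "_" + UUID.randomUUID(), "Version", "2.0", "IssueInstant", now.toString());
        resp.setAttributeNS("http://www.w3.org/2000/xmlns/", "xmlns:samlp", SAMLP);
        resp.setAttributeNS("http://www.w3.org/2000/xmlns/", "xmlns:saml", SAML);
        resp.setIdAttribute("ID", true); // lets the signature reference "#<ID>"
        el(resp, SAML, "saml:Issuer").setTextContent(ISSUER);
        el(el(resp, SAMLP, "samlp:Status"), SAMLP, "samlp:StatusCode", "Value", "urn:oasis:names:tc:SAML:2.0:status:Success");
        Element a = el(resp, SAML, "saml:Assertion", "ID", "_" + UUID.randomUUID(), "Version", "2.0", "IssueInstant", now.toString());
        el(a, SAML, "saml:Issuer").setTextContent(ISSUER);
        Element subj = el(a, SAML, "saml:Subject");
        el(subj, SAML, "saml:NameID", "Format", "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress").setTextContent(email);
        Element sc = el(subj, SAML, "saml:SubjectConfirmation", "Method", "urn:oasis:names:tc:SAML:2.0:cm:bearer");
        el(sc, SAML, "saml:SubjectConfirmationData", "NotOnOrAfter", notAfter, "Recipient", RECIPIENT);
        Element cond = el(a, SAML, "saml:Conditions", "NotBefore", notBefore, "NotOnOrAfter", notAfter);
        el(el(cond, SAML, "saml:AudienceRestriction"), SAML, "saml:Audience").setTextContent(AUDIENCE);
        Element as = el(a, SAML, "saml:AuthnStatement", "AuthnInstant", now.toString(), "SessionIndex", "_" + UUID.randomUUID());
        el(el(as, SAML, "saml:AuthnContext"), SAML, "saml:AuthnContextClassRef")
                .setTextContent("urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport");
        return doc;
    }

    /** Enveloped RSA-SHA256 signature over the whole Response, inserted where the SAML schema puts it. */
    static void sign(Document doc, PrivateKey key, X509Certificate cert) throws Exception {
        Element root = doc.getDocumentElement();
        XMLSignatureFactory f = XMLSignatureFactory.getInstance("DOM");
        Reference ref = f.newReference("#" + root.getAttribute("ID"), f.newDigestMethod(DigestMethod.SHA256, null),
                Arrays.asList(f.newTransform(Transform.ENVELOPED, (TransformParameterSpec) null),
                        f.newTransform(CanonicalizationMethod.EXCLUSIVE, (TransformParameterSpec) null)), null, null);
        SignedInfo si = f.newSignedInfo(
                f.newCanonicalizationMethod(CanonicalizationMethod.EXCLUSIVE, (C14NMethodParameterSpec) null),
                f.newSignatureMethod(RSA_SHA256, null), Collections.singletonList(ref));
        KeyInfoFactory kif = f.getKeyInfoFactory();
        KeyInfo ki = kif.newKeyInfo(Collections.singletonList(kif.newX509Data(Collections.singletonList(cert))));
        DOMSignContext ctx = new DOMSignContext(key, root);
        ctx.setDefaultNamespacePrefix("ds");
        // Schema order is Issuer, Signature, Status, Assertion: place the signature before Status.
        ctx.setNextSibling(root.getElementsByTagNameNS(SAMLP, "Status").item(0));
        f.newXMLSignature(si, ki).sign(ctx);
    }

    /** Serializes as-is: re-indenting a signed document invalidates the digest. */
    static String serialize(Document doc) throws Exception {
        ByteArrayOutputStream out = new ByteArrayOutputStream();
        TransformerFactory.newInstance().newTransformer().transform(new DOMSource(doc), new StreamResult(out));
        return out.toString("UTF-8");
    }

    /** HTTP-POST binding: base64 SAMLResponse in a self-submitting form aimed at the community login URL. */
    static String postForm(String xml) {
        String b64 = Base64.getEncoder().encodeToString(xml.getBytes(StandardCharsets.UTF_8));
        return "<form method=\"post\" action=\"" + RECIPIENT + "\"><input type=\"hidden\" name=\"SAMLResponse\" value=\""
                + b64 + "\"/><noscript><input type=\"submit\" value=\"Continue\"/></noscript></form>"
                + "<script>document.forms[0].submit();</script>";
    }

    public static void main(String[] args) throws Exception {
        char[] pw = "changeit".toCharArray(); // assumed: idp.jks holds the IdP key pair under alias "idp"
        KeyStore ks = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream("idp.jks")) { ks.load(in, pw); }
        Document doc = buildResponse(args.length > 0 ? args[0] : "user@example.com");
        sign(doc, (PrivateKey) ks.getKey("idp", pw), (X509Certificate) ks.getCertificate("idp"));
        System.out.println(postForm(serialize(doc)));
    }
}
```

To try it, create the key pair with `keytool -genkeypair -keyalg RSA -keysize 2048 -alias idp -keystore idp.jks -storetype JKS`, export the certificate with `keytool -exportcert -rfc -alias idp -keystore idp.jks -file idp.crt`, and upload idp.crt as the identity provider certificate in the SSO settings; that is the "public key" Marcel refers to, and the private key never leaves your application. The HTML the program prints is what your application serves on the link Marcel describes, and the browser POSTs the SAMLResponse field to the community login URL. When Salesforce rejects the Response, paste the XML into the SAML Assertion Validator Marcel mentions: it reports which of Issuer, Audience, Recipient, the time window and the signature failed, and the first four have to match the SSO settings character for character. Two cautions that the thread's question ("can I provide some secret or key and log in any user I want?") makes explicit: whoever holds idp.jks can log in as any community user, so treat it like a root credential, and the endpoint that emits the Response must take the email from the caller's authenticated session in your application, never from a request parameter as this command-line demo does with args[0].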
 
nick zhang
Hey Marcel,

Thanks for taking the time to respond. Much appreciated.
It helps me a lot. I did find some cool stuff from OneLogin.
Thank you so much, buddy!
Manuela Lorenzi-Kayser 5
Hello Marcel.

You described exactly what I am trying to achieve. Another developer is taking care of the SAML response from the external application. I am trying to figure out what I need to do on the Salesforce end and where do I even start (I am a complete newbie for SSO). Would you be able to break down the steps required for the whole process? That would be incredibly helpful!
Thanks in advance!
Manuela Lorenzi-Kayser 5
In case this might be useful to anyone else, I found these step-by-step instructions: https://developer.salesforce.com/page/Single_Sign-On_with_SAML_on_Force.com.