swestenzweig (member since 2010)
Hi,

I guess what I'm looking for is a dummy's explanation of what I need for an SSO configuration. I've read the articles on http://wiki.developerforce.com/index.php/How_to_Implement_Single_Sign-On_with_Force.com and http://wiki.developerforce.com/index.php/Single_Sign-On_with_SAML_on_Force.com but still have questions (I'm very new to this).

The process I need to set up is as follows:

A user clicks on a link on a 3rd party website which brings them to my salesforce.com system. It authenticates the user (details are passed in the URL) then returns the user to the 3rd party external site (using a return URL) with some user details from Salesforce as part of the URL string.

My understanding is that SAML authentication on Salesforce.com can be set up for my part of the requirements.

On reading the above articles, they specify "In Salesforce, specify your organization's Single Sign-On Gateway URL by clicking Setup | Security Controls | Single Sign-On settings."

There are also examples detailed on using an identity provider and a service provider. Open source identity providers such as OpenSAML are also detailed.

Questions I have:

If the authentication is to occur on salesforce.com, do I need to set up salesforce.com as the identity provider? (It would seem to me that the 3rd party company who needs authentication from Salesforce would therefore be the service provider.)

Do I need external identity provider software/configurations (such as OpenSAML, for example) or can this be built using existing Salesforce functionality?

Thanks in advance. Any help would be appreciated!

I have configured SSO using SalesForce as an Identity Provider and an external software system acting as a Service Provider. In order to ensure the identity of the external SP, a CA-signed certificate was generated, signed by a CA, and uploaded to SalesForce. For the SalesForce Identity Provider, a CA-signed certificate was generated on SalesForce.com, a CSR exported, signed by a CA, and re-imported back to SalesForce. However, when attempting to assign this CA-signed certificate for use with the SalesForce Identity Provider, it is not available to be used. Further research into the documentation uncovered that CA-signed certificates cannot be used for the SalesForce Identity Provider.

I am perplexed as to why SalesForce does not allow CA-signed certificates to be used for the Identity Provider, permitting only self-signed certificates to be used. This forces any external integrating application acting as an SP to expose a hole in their security to permit self-signed certificates.

Is there reasoning I am not seeing as to why this is still secure? Can an exception be made to use the uploaded CA-signed certificate for the SalesForce IdP? If not, is the ability to use CA-signed certificates planned for a future enhancement?

Thanks in advance!

Is there any way to configure what attribute information SalesForce will provide on the SAML Response assertion? It looks like userId, username, email, and is_portal_user are what's sent by default.

Ideally, I'd like to have a custom field sent as an attribute on the response.

I am attempting to configure single sign-on settings for a Salesforce IdP on an Enterprise Edition instance. I am logged in as a user with the System Administrator profile, but I cannot see the "My Domain" link in the Setup screen (Setup->Company Profile->My Domain).

Has anyone else encountered this problem? I logged a support ticket 10 days ago on this and can't seem to get anywhere...

Does Salesforce support digital signatures on the outbound/inbound web service call to the endpoint? If so, where can this be configured?

Good afternoon. I am working on implementing an SSO solution with SF acting as the IdP. In doing so, I have generated a self-signed certificate (Setup->Security Controls->Certificate and Key Management) and downloaded the resultant .cer file for import into an existing keystore. However, I am receiving an error when I import the cert into my keystore:

keytool error: java.lang.Exception: Public keys in reply and keystore don't match
java.lang.Exception: Public keys in reply and keystore don't match
        at sun.security.tools.KeyTool.establishCertChain(KeyTool.java:2618)
        at sun.security.tools.KeyTool.installReply(KeyTool.java:1870)
        at sun.security.tools.KeyTool.doCommands(KeyTool.java:807)
        at sun.security.tools.KeyTool.run(KeyTool.java:172)
        at sun.security.tools.KeyTool.main(KeyTool.java:166)

I am thinking the alias used on Salesforce.com to generate the cert does not match the alias I am specifying in the keystore. I thought this was the unique name assigned when the self-signed certificate was created on SF, but it does not appear to be the case. Is there any way of telling which alias SF uses when the certificate is generated?

Good afternoon. I am looking at implementing an SSO solution between a 3rd party application and SalesForce.com. One of the "requests" for the SSO solution is that the user log in from SalesForce. For business reasons associated with a federated approach, I have been asked to provide a solution that does not use a federated model. Hence, I am investigating the delegated authentication approach detailed in the SalesForce documentation. In the delegated authentication approach, however, if the user is going to log in using the SalesForce login page, it does not appear that a true single sign-on solution can be attained to the 3rd party application. I'll explain my understanding, but please offer any corrections:

From the Salesforce login page, once a user enters his credentials, SalesForce checks to see if the user is designated for delegated authentication. If so, a web service request including the user's username, password, and source IP is sent to the 3rd party software (which implements the web service) for authentication. After authenticating, the 3rd party software returns only a boolean result to SalesForce. SalesForce then creates a secure session for the user. The problem I see, conceptually, is how the session is persisted on the 3rd party software, as no session information is passed via the web service. As such, any time a user accesses a resource on the 3rd party application, the user would need to re-authenticate, as there is no method of persisting the authenticated session between SalesForce and the 3rd party software.

I realize there is a solution using the 3rd party software login (and forwarding a token back to SalesForce for delegated authentication) and creating a session on the 3rd party application first, but I want to be sure there is no reasonable solution using the SalesForce login first.

Thanks in advance for any insight.

I am trying to use the "Identity Provider" operations in Salesforce to connect to another service provider and am having some issues.  There are Identity Provider Error Log functions provided under the Manage Users menu, but I cannot seem to get these to work.  Is there any way of logging and reviewing the outgoing SAML transaction so that I can verify what is being provided to the remote service provider?

 

There is lots of good information on developer.force.com about SSO and Salesforce as the service provider, but I can't find any information on using Salesforce as the identity provider to another service. I would like to be able to use my Salesforce user and contact objects as my identity store for an outside application. Can it be done? Do I have to roll my own SAML SSO service within Salesforce to get the job done? What kind of license agreement issues would I have to deal with?

Any thoughts?

August 02, 2010