Hi, currently I'm using the web services API to provision Salesforce users. I'm setting the email header to send the new user the temporary password in the following way:
EmailHeader emailHeader = new EmailHeader(); emailHeader.setTriggerUserEmail(true); binding.setHeader("urn:partner.soap.sforce.com", "EmailHeader", emailHeader); sr = binding.create(user);
For some reason, the first time the new user logs in to salesforce with my SAML-based SSO feature, it says the password is expired and asks the user to set a new password for security reasons with no fields for entering the old password or the security question. What the new user should really be seeing is a prompt to change his password, with fields for the old password, new password, and the security question. Why is this not happening?
I noticed that when I reset the password for the new user using the API, salesforce said that the password is expired and showed the first case that I talked about. So I'm guessing maybe, when I set the email header, salesforce also resets the password? But that doesn't make any sense...Anyway, when I take out that chunk of code about the email header, I get the correct prompt to change the password from old to new with the security question. Only problem is now I won't get the email with the temporary password that I can enter. So it's kind of a circular problem. Any ideas?
Hi, currently I'm working on provisioning salesforce users using the Web Services API. I can create the User object just fine, but the email message with the temporary password is not being sent to the new user's email. So when I single sign on with the new user into Salesforce, it's expecting the user to type in the old password which didn't get emailed.
Also, is there any way to get around this temporary password emailing system that is set up now.
I'm really new to the api and i've been trying my best to go through it to get a better understanding of it. But there's nothing like the opinion of seasoned salesforce developers...so here goes.
Is there any way to access the SSO settings for an organization through the web services api? Whenever an organization wants enable Saml-based SSO, the administrator has to go to the SSO settings and set the fields like who the issuer is going to be, whether a username or federation id will be in the SAML assertion, and also upload a certificate. I want to eliminate this for the administrator if possible through any capabilities in the api. I've been through some of the api and I don't really see any standard objects that help with this. Does this mean I have to create a custom object myself?
This next part is more of a verification than an actual question. I want to have the ability to click on a link in an external application, which would result in the creation of salesforce user automatically using the whatever email that is associated with that user in the external app. This looks possible with the api through the use of calls like create() to make a new User object. Am I on the right track here? Are there any tutorials out there that can maybe help with this part of what i'm trying to do?
how do you post the saml assertion and the relaystate url to the recipient url? I've tried a bunch of methods but none of them seem to work because I don't even see error messages in the login history. So this means that it's not even getting my assertion properly never mind check the validity of it. Right now i'm just trying this:
<form name = "acsForm" action ="(recipient url that salesforce gives)" method = "post">
<input type = "hidden" name = "SAMLResponse" value = "(assertion that I came up with)" />
<input type = "submit" value = "Submit" />
</form>
I also tried replacing TARGET with RelayState and replacing SAMLResponse with SAMLart. None of them seem to work. When I use SAMLResponse, I actually get a general error message initially in the screen. When I use SAMLart, I just go to the page where it prompts me for my salesforce username and password. Both however, don't show any error messages in the login history. PLEASE HELP ME.
I'm sending some assertions to the recipient url that salesforce told me but it doesn't let me sign on. When I go to the login history, I don't even see any failed attempts. Anything right off the bat that I'm not doing?
Also, are these messages I send to salesforce supposed to be a saml response or a saml assertion. Both ways don't work for me but I'd just like to know. Is Salesforce expecting the x509 certificate in the assertion? In the response I know where to put in the signature tag and so on, but with a normal assertion, I don't know where to put in the certificate.
could someone explain better how SAML assertions fit in with the delegated authentication scheme that Salesforce has? The article I found here (http://wiki.apexdevnet.com/index.php/How_to_Implement_Single_Sign-On_with_Salesforce.com) talks about tokens and how SAML tokens can be used. That is where I get confused. Is the token generator something that we have to implement? How do I know what to put in the SAML assertions?
And also, complete SAML support for SSO is available for the summer 08 release and I was wondering if there any articles like the one above for that.
Does anybody know how the new saml support for single sign on works for salesforce apps? I've seen how SSO can be done with salesforce's delegated authentication protocol but I couldn't find anything on the new saml support that is mentioned as part of the summer 08 upgrades.
Hi, currently I'm working on provisioning salesforce users using the Web Services API. I can create the User object just fine, but the email message with the temporary password is not being sent to the new user's email. So when I single sign on with the new user into Salesforce, it's expecting the user to type in the old password which didn't get emailed.
Also, is there any way to get around this temporary password emailing system that is set up now.
how do you post the saml assertion and the relaystate url to the recipient url? I've tried a bunch of methods but none of them seem to work because I don't even see error messages in the login history. So this means that it's not even getting my assertion properly never mind check the validity of it. Right now i'm just trying this:
<form name = "acsForm" action ="(recipient url that salesforce gives)" method = "post">
<input type = "hidden" name = "SAMLResponse" value = "(assertion that I came up with)" />
<input type = "submit" value = "Submit" />
</form>
I also tried replacing TARGET with RelayState and replacing SAMLResponse with SAMLart. None of them seem to work. When I use SAMLResponse, I actually get a general error message initially in the screen. When I use SAMLart, I just go to the page where it prompts me for my salesforce username and password. Both however, don't show any error messages in the login history. PLEASE HELP ME.
could someone explain better how SAML assertions fit in with the delegated authentication scheme that Salesforce has? The article I found here (http://wiki.apexdevnet.com/index.php/How_to_Implement_Single_Sign-On_with_Salesforce.com) talks about tokens and how SAML tokens can be used. That is where I get confused. Is the token generator something that we have to implement? How do I know what to put in the SAML assertions?
And also, complete SAML support for SSO is available for the summer 08 release and I was wondering if there any articles like the one above for that.
