Saleforce.com "Summer 08" has SAML 1.1 support
By rajeev on Sep 23, 2008
Kudos to Salesforce.com on SAML1.1 support with the Summer 08 release. This Release note covers it nicely:
...Unlike with delegated authentication, customers do not have to deploy Salesforce-specific software to use SAML. Also, SAML never sends passwords to Salesforce, so it is inherently more secure than other authentication mechanisms....
Wanted to try it out with OpenSSO for a while and finally got a window thanks to the successful OpenSSO code freeze on its way towards Open Express Build 6 / OpenSSO Enterprise 8 (Congrats team!).
Except for the initial learning curve and my rustiness on SAML1.1, it worked quite nicely! Shouldnt take you any more than 15 minutes:
Configuring OpenSSO End (Identity Provider) :
sa.idp.comas my hostname.
keytool -export -keystore keystore.jks -alias test -file cert.cer
Configuring SalesForce.com end (Service Provider) :
Note that I chose "Federated ID" for my name identifier to directly map the authenticated user in OpenSSO to Salesforce.com user. Alternatively I could have configured OpenSSO to send the Salesforce.com userid either as a part of the Subject or a attribute statement.
Save your settings - a "Recipient URL" will be shown on he screen. Select and copy this string - this will be needed in the last step.
id=amadmin,ou=user,dc=opensso,dc=java,dc=netAgain this is a shortcut - in a real deployment I would have created a new user in opensso and used that dn here.
One last step- thanks to the choice I made with respect to the name identifier. Login back to the OpenSSO instance, and navigate to SFDC SAML1.1 config. Paste the "Recipient URL" in the "POST URL" field.
Thats it - to test your setup : Enter the following URL in a browser :
http://sa.idp.com:8080/sa/SAMLPOSTProfileServlet?TARGET=http://salesforce.com Login as
amadmininto OpenSSO if prompted - you should be automatically single signed on to SFDC portal page.
A leading On-Demand/SaaS provider supporting a open standards based mechanism for single signon is indeed a significant step in accelerating the adoption of these standards over costly and often kludgy proprietary mechanisms. Hoping for SAML2/Logout/AuthZ/Attributes - other protocols in the future.