Salesforce.com "Summer 08" has SAML 1.1 support


Kudos to Salesforce.com on SAML 1.1 support with the Summer 08 release. This release note covers it nicely:

...Unlike with delegated authentication, customers do not have to deploy Salesforce-specific software to use SAML. Also, SAML never sends passwords to Salesforce, so it is inherently more secure than other authentication mechanisms....


I had wanted to try it out with OpenSSO for a while and finally got a window thanks to the successful OpenSSO code freeze on its way towards Open Express Build 6 / OpenSSO Enterprise 8 (congrats, team!).

Except for the initial learning curve and my rustiness on SAML 1.1, it worked quite nicely. It shouldn't take you any more than 15 minutes:

Configuring the OpenSSO end (Identity Provider):
  • Obtain OpenSSO.war, deploy it and configure it. If you want a quicker install, but with some risk since it is new, you can try OpenSSO QuickSetup using Java Web Start. I chose sa.idp.com as my hostname.
  • Log in to the OpenSSO instance as amadmin.
  • Navigate to Federation -> SAML1.1 configuration.
  • Register Salesforce.com as a "Destination site". I named it SFDC. Make sure the "POST profile" is chosen. Your config should look something like this:


  • Export the source site public key. OpenSSO provides a keystore with a test certificate in it (alias "test"); Salesforce will use this certificate to verify the signature on the assertions OpenSSO posts to it.
    cd <basedir>/<deployuri>
    keytool -export -keystore keystore.jks -alias test -file cert.cer


Configuring the Salesforce.com end (Service Provider):
  • Get a Salesforce.com account here.
  • Log in to the SFDC portal and navigate to Setup (right at the top) -> Security Controls -> Single Sign-On Controls.
  • Enter all the mandatory fields, and import the OpenSSO public key exported earlier. My setup looks as follows:



    Note that I chose "Federated ID" for my name identifier to map the authenticated user in OpenSSO directly to the Salesforce.com user. Alternatively I could have configured OpenSSO to send the Salesforce.com user id either as part of the Subject or in an attribute statement.
    Save your settings; a "Recipient URL" will be shown on the screen. Select and copy this string, as it is needed in the last step.
  • Navigate to Security -> Manage Users -> Users, select a user and enter "Edit" mode. Enter the following string in the "Federated NameID" field: id=amadmin,ou=user,dc=opensso,dc=java,dc=net. Again, this is a shortcut; in a real deployment I would have created a new user in OpenSSO and used that DN here.
    One last step, thanks to the choice I made with respect to the name identifier: log back in to the OpenSSO instance and navigate to the SFDC SAML1.1 config. Paste the "Recipient URL" into the "POST URL" field.
    That's it. To test your setup, enter the following URL in a browser:
    http://sa.idp.com:8080/sa/SAMLPOSTProfileServlet?TARGET=http://salesforce.com
    Log in as amadmin to OpenSSO if prompted; you should be automatically single signed on to the SFDC portal page.

A leading On-Demand/SaaS provider supporting an open-standards-based mechanism for single sign-on is indeed a significant step in accelerating the adoption of these standards over costly and often kludgy proprietary mechanisms. Hoping for SAML 2, logout, authorization, attributes and other protocols in the future.

Comments:
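The POST profile set up above ends with the browser posting a base64-encoded SAMLResponse form field to the Recipient URL copied from Salesforce, and the destination site deciding whether to trust it. The following Python is an added example, not code from this post, from OpenSSO or from Salesforce: it constructs a sample SAML 1.1 Response of that shape and applies the checks a destination site performs before logging the user in (SAML version, Recipient, Success status, Conditions validity window, bearer subject confirmation, and mapping the NameIdentifier to a configured Federated ID). RECIPIENT_URL, FEDERATED_IDS, the SAMPLE_* values and the helper names are assumptions made for the example; verification of the XML signature against the certificate exported with keytool is assumed to have happened before these checks and is not implemented here.

```python
import base64
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

# SAML 1.1 namespaces (OASIS SAML 1.1).
NS = {
    "samlp": "urn:oasis:names:tc:SAML:1.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:1.0:assertion",
}
BEARER = "urn:oasis:names:tc:SAML:1.0:cm:bearer"
TS_FMT = "%Y-%m-%dT%H:%M:%SZ"

# Constructed placeholder standing in for the "Recipient URL" shown on the SSO settings page.
RECIPIENT_URL = "https://login.example.invalid/saml/recipient"

# Hypothetical Federated ID table: the "Federated NameID" entered per user -> local account.
FEDERATED_IDS = {
    "id=amadmin,ou=user,dc=opensso,dc=java,dc=net": "amadmin",
}

# Constructed sample values used by sample_post() and at().
SAMPLE_NAME_ID = "id=amadmin,ou=user,dc=opensso,dc=java,dc=net"
SAMPLE_ISSUED = datetime(2008, 11, 21, 12, 0, 0, tzinfo=timezone.utc)


def parse_ts(value):
    """Parse a SAML UTC timestamp such as 2008-11-21T12:00:00Z into an aware datetime."""
    return datetime.strptime(value, TS_FMT).replace(tzinfo=timezone.utc)


def build_sample_response(recipient, name_id, issued, lifetime=timedelta(minutes=5)):
    """Constructed, unsigned SAML 1.1 Response of the kind the POST profile delivers."""
    t0, t1 = issued.strftime(TS_FMT), (issued + lifetime).strftime(TS_FMT)
    return f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
  ResponseID="_constructed-response-1" MajorVersion="1" MinorVersion="1"
  IssueInstant="{t0}" Recipient="{recipient}">
  <samlp:Status><samlp:StatusCode Value="samlp:Success"/></samlp:Status>
  <saml:Assertion AssertionID="_constructed-assertion-1" Issuer="sa.idp.com"
    MajorVersion="1" MinorVersion="1" IssueInstant="{t0}">
    <saml:Conditions NotBefore="{t0}" NotOnOrAfter="{t1}"/>
    <saml:AuthenticationStatement AuthenticationInstant="{t0}"
      AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:password">
      <saml:Subject>
        <saml:NameIdentifier>{name_id}</saml:NameIdentifier>
        <saml:SubjectConfirmation>
          <saml:ConfirmationMethod>{BEARER}</saml:ConfirmationMethod>
        </saml:SubjectConfirmation>
      </saml:Subject>
    </saml:AuthenticationStatement>
  </saml:Assertion>
</samlp:Response>"""


def sample_post(name_id=SAMPLE_NAME_ID, issued=SAMPLE_ISSUED):
    """Base64-encode a constructed Response the way the SAMLResponse form field carries it."""
    return base64.b64encode(build_sample_response(RECIPIENT_URL, name_id, issued).encode()).decode()


def at(seconds):
    """Clock value `seconds` after SAMPLE_ISSUED, for exercising the validity window."""
    return SAMPLE_ISSUED + timedelta(seconds=seconds)


class SamlRejected(ValueError):
    pass


def validate_response(saml_response_b64, expected_recipient, now, skew=timedelta(seconds=30)):
    """Destination-site checks on a posted SAMLResponse; returns the local user or raises.
    Assumes the XML signature was already verified against the IdP's exported certificate."""
    root = ET.fromstring(base64.b64decode(saml_response_b64))
    if root.tag != f"{{{NS['samlp']}}}Response":
        raise SamlRejected("not a SAML 1.x Response")
    if (root.get("MajorVersion"), root.get("MinorVersion")) != ("1", "1"):
        raise SamlRejected("unsupported SAML version")
    # Recipient binds the response to this site's POST endpoint, so a response issued
    # for a different destination site is not accepted here.
    if root.get("Recipient") != expected_recipient:
        raise SamlRejected("Recipient does not match this site's Recipient URL")
    status = root.find("samlp:Status/samlp:StatusCode", NS)
    if status is None or not status.get("Value", "").endswith(":Success"):
        raise SamlRejected("IdP did not report Success")
    assertions = root.findall("saml:Assertion", NS)
    if len(assertions) != 1:
        raise SamlRejected("expected exactly one Assertion")
    cond = assertions[0].find("saml:Conditions", NS)
    if cond is None:
        raise SamlRejected("Assertion has no Conditions")
    # Validity window with a small tolerance for clock skew between IdP and SP.
    if now + skew < parse_ts(cond.get("NotBefore")):
        raise SamlRejected("Assertion not yet valid")
    if now - skew >= parse_ts(cond.get("NotOnOrAfter")):
        raise SamlRejected("Assertion expired")
    authn = assertions[0].find("saml:AuthenticationStatement", NS)
    if authn is None:
        raise SamlRejected("no AuthenticationStatement")
    method = authn.find("saml:Subject/saml:SubjectConfirmation/saml:ConfirmationMethod", NS)
    if method is None or (method.text or "").strip() != BEARER:
        raise SamlRejected("POST profile requires bearer subject confirmation")
    name_id = authn.find("saml:Subject/saml:NameIdentifier", NS)
    key = (name_id.text or "").strip() if name_id is not None else ""
    if key not in FEDERATED_IDS:
        raise SamlRejected("NameIdentifier does not match any user's Federated ID")
    return FEDERATED_IDS[key]


def decide(saml_response_b64, expected_recipient, now):
    """Return ('accept', user) or ('reject', reason) instead of raising."""
    try:
        return ("accept", validate_response(saml_response_b64, expected_recipient, now))
    except SamlRejected as exc:
        return ("reject", str(exc))


if __name__ == "__main__":
    print(decide(sample_post(), RECIPIENT_URL, at(5)))
    print(decide(sample_post(), "https://other.example.invalid/recipient", at(5)))
    print(decide(sample_post(), RECIPIENT_URL, at(600)))
```

The Recipient check is the reason the "Recipient URL" has to be pasted into OpenSSO's "POST URL" field exactly: an assertion posted to a different endpoint than the one it was issued for should be rejected, and the NameIdentifier only unlocks the account whose Federated NameID matches it character for character.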

    Hello, can you explain a little more how to get the Source ID value from Salesforce?

    Posted by Victor on November 21, 2008 at 04:31 PM PST #

    This is great!

    However, the URL at the end is incorrect. It should be:
    http://sa.idp.com:8080/sa/SAMLPOSTProfileServlet?TARGET=https://na1.salesforce.com/home/home.jsp

    If you use the one provided you are redirected to the main SF.com web page, not the user's dashboard.

    I was unable to leave a comment at http://developers.sun.com/identity/reference/techart/salesforce.html with the same info. You should probably let them know to update the document also.

    Keep up the great work!

    Posted by Andrew Latham on May 04, 2009 at 07:11 PM PDT #
