Tuesday Sep 23, 2008

Salesforce.com "Summer 08" has SAML 1.1 support


Kudos to Salesforce.com on SAML1.1 support with the Summer 08 release. This Release note covers it nicely:

...Unlike with delegated authentication, customers do not have to deploy Salesforce-specific software to use SAML. Also, SAML never sends passwords to Salesforce, so it is inherently more secure than other authentication mechanisms....


Wanted to try it out with OpenSSO for a while and finally got a window thanks to the successful OpenSSO code freeze on its way towards Open Express Build 6 / OpenSSO Enterprise 8 (Congrats team!).

Except for the initial learning curve and my rustiness on SAML 1.1, it worked quite nicely! It shouldn't take you more than 15 minutes:

Configuring OpenSSO End (Identity Provider) :
  • Obtain OpenSSO.war, deploy it and configure it. If you want a quicker install, but with some risk since it is new: you can try OpenSSO QuickSetup using Java web start. I chose sa.idp.com as my hostname.
  • Login to the OpenSSO instance as amadmin.
  • Navigate to Federation -> SAML1.1 configuration
  • Register Salesforce.com as a "Destination site". I named it SFDC. Make sure the "POST profile" is chosen. Your config should look something like this :


  • Export the source site certificate (the public key Salesforce.com will use to verify the signature on OpenSSO's assertions). OpenSSO provides a keystore with a test certificate in it under the alias "test"; fine for this walkthrough, but replace it with your own key pair before a real deployment, since the test key pair is the same in every OpenSSO download.
    cd <basedir>/<deployuri>
    # writes the DER-encoded certificate only (never the private key) to cert.cer
    keytool -export -keystore keystore.jks -alias test -file cert.cer


Configuring Salesforce.com end (Service Provider) :
  • Get a Salesforce.com account here.
  • Login to the SFDC portal and navigate to Setup (right at the top)->Security Controls->Single Sign-On Settings
  • Enter all the mandatory fields, and import the OpenSSO certificate exported earlier. My setup looks as follows :



    Note that I chose "Federated ID" for my name identifier to directly map the authenticated user in OpenSSO to the Salesforce.com user. Alternatively I could have configured OpenSSO to send the Salesforce.com user id either as part of the Subject or in an attribute statement.
    Save your settings - a "Recipient URL" will be shown on the screen. Select and copy this string - it will be needed in the last step.
  • Navigate to Security->Manage Users->Users - select a user and enter "Edit" mode. Enter the following string in the "Federated NameID" field : id=amadmin,ou=user,dc=opensso,dc=java,dc=net Again this is a shortcut - in a real deployment I would have created a new user in OpenSSO and used that DN here.
    One last step - thanks to the choice I made with respect to the name identifier. Log back in to the OpenSSO instance, and navigate to the SFDC SAML 1.1 config. Paste the "Recipient URL" in the "POST URL" field. This is the URL the signed response is posted to, and it is also the Recipient value Salesforce.com checks in that response, so a typo here fails the sign-on rather than silently weakening it.
    That's it - to test your setup, enter the following URL in a browser :
    http://sa.idp.com:8080/sa/SAMLPOSTProfileServlet?TARGET=http://salesforce.com Login as amadmin into OpenSSO if prompted - you should be automatically single signed on to the SFDC portal page.
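    To make the above steps concrete, here is the exchange they configure, as an added example that is not code from this post, from OpenSSO or from Salesforce.com: the identity provider side builds and signs a SAML 1.1 Response for TARGET, the browser carries it in a self-posting form to the Recipient URL, and the service provider side performs the checks that give the "Recipient URL", certificate and "Federated NameID" steps their meaning (recipient match, signature, validity window, audience, one-time use, federated-ID lookup). The hostname sa.idp.com and the amadmin DN come from the post; the Recipient URL, audience, Salesforce username and clock are constructed for the demo. The RSA XML-Signature of the real POST profile is replaced by an HMAC over the canonicalized Assertion so the example runs on the Python standard library alone; the message layout follows SAML 1.1.

```python
"""SAML 1.1 browser/POST profile reduced to its security checks.
Added example (not OpenSSO or Salesforce.com code). HMAC stands in for the
RSA XML-Signature; hostnames, URLs, user mapping and clock are constructed.
"""
import base64
import datetime as dt
import hashlib
import hmac
import uuid
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:1.0:protocol"
SAML = "urn:oasis:names:tc:SAML:1.0:assertion"
ET.register_namespace("samlp", SAMLP)
ET.register_namespace("saml", SAML)

IDP_ISSUER = "sa.idp.com"                                     # source site, as in the post
RECIPIENT_URL = "https://login.salesforce.com/?saml=EXAMPLE"  # hypothetical "Recipient URL" pasted into "POST URL"
SP_AUDIENCE = "https://saml.salesforce.com"                   # hypothetical audience value
ASSERTION_TTL = dt.timedelta(minutes=5)
SKEW = dt.timedelta(seconds=30)
SIGNING_KEY = b"stand-in for the private key behind cert.cer"  # constructed; a real IdP uses its RSA key
DEMO_CLOCK = dt.datetime(2008, 9, 23, 12, 0, tzinfo=dt.timezone.utc)

# Federated NameID -> Salesforce.com user, as typed into "Federated NameID" (constructed mapping).
FEDERATED_IDS = {"id=amadmin,ou=user,dc=opensso,dc=java,dc=net": "admin@example.com"}
_seen_assertion_ids = set()  # SP-side replay cache

def _ts(t):
    return t.strftime("%Y-%m-%dT%H:%M:%SZ")

def _parse_ts(s):
    return dt.datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=dt.timezone.utc)

def _canonical_assertion(response_xml):
    """C14N bytes of the Assertion element: what gets signed and verified."""
    assertion = ET.fromstring(response_xml).find(f"{{{SAML}}}Assertion")
    if assertion is None:
        raise ValueError("no Assertion in Response")
    assertion.tail = None  # whitespace after the element is not part of the signed data
    return ET.canonicalize(ET.tostring(assertion, encoding="unicode")).encode()

def _sign(data):
    return hmac.new(SIGNING_KEY, data, hashlib.sha256).hexdigest()

# ---- IdP side: what SAMLPOSTProfileServlet produces for a TARGET -------------
def build_post_form(name_id, target, now=None):
    """Fields of the self-posting form the browser submits to the Recipient URL."""
    now = now or DEMO_CLOCK
    unsigned = f"""<samlp:Response xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" ResponseID="_{uuid.uuid4().hex}"
    IssueInstant="{_ts(now)}" Recipient="{RECIPIENT_URL}">
  <samlp:Status><samlp:StatusCode Value="samlp:Success"/></samlp:Status>
  <saml:Assertion AssertionID="_{uuid.uuid4().hex}" Issuer="{IDP_ISSUER}" IssueInstant="{_ts(now)}">
    <saml:Conditions NotBefore="{_ts(now - SKEW)}" NotOnOrAfter="{_ts(now + ASSERTION_TTL)}">
      <saml:AudienceRestrictionCondition><saml:Audience>{SP_AUDIENCE}</saml:Audience></saml:AudienceRestrictionCondition>
    </saml:Conditions>
    <saml:AuthenticationStatement AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:password"
        AuthenticationInstant="{_ts(now)}">
      <saml:Subject><saml:NameIdentifier>{name_id}</saml:NameIdentifier></saml:Subject>
    </saml:AuthenticationStatement>
  </saml:Assertion>
</samlp:Response>"""
    # Detached signature over the canonical Assertion, carried beside it in the Response.
    signed = unsigned.replace("</samlp:Response>",
                              f"  <Signature>{_sign(_canonical_assertion(unsigned))}</Signature>\n</samlp:Response>")
    return {"SAMLResponse": base64.b64encode(signed.encode()).decode(), "TARGET": target}

def forge(form, old, new):
    """What a user in the browser can do: edit the posted response without the signing key."""
    xml_text = base64.b64decode(form["SAMLResponse"]).decode().replace(old, new)
    return {"SAMLResponse": base64.b64encode(xml_text.encode()).decode(), "TARGET": form["TARGET"]}

# ---- SP side: what the Recipient URL must check before creating a session ----
def consume_post(form, now=None):
    """Validate the posted Response and map its NameIdentifier to a local user; raise on any failure."""
    now = now or DEMO_CLOCK
    xml_text = base64.b64decode(form["SAMLResponse"]).decode()
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{SAMLP}}}Response":
        raise ValueError("not a SAML 1.1 Response")
    # 1. Recipient must be this SP's own consumer URL (the value pasted into "POST URL"):
    #    a response minted for some other site is refused even if it is correctly signed.
    if root.get("Recipient") != RECIPIENT_URL:
        raise ValueError("Recipient mismatch")
    # 2. Signature over the canonical Assertion, checked before anything inside it is trusted.
    if not hmac.compare_digest(root.findtext("Signature") or "", _sign(_canonical_assertion(xml_text))):
        raise ValueError("bad signature")
    assertion = root.find(f"{{{SAML}}}Assertion")
    if assertion.get("Issuer") != IDP_ISSUER:
        raise ValueError("unexpected issuer")
    # 3. Validity window and audience restriction.
    cond = assertion.find(f"{{{SAML}}}Conditions")
    if not (_parse_ts(cond.get("NotBefore")) <= now < _parse_ts(cond.get("NotOnOrAfter"))):
        raise ValueError("assertion outside its validity window")
    if SP_AUDIENCE not in [a.text for a in cond.iter(f"{{{SAML}}}Audience")]:
        raise ValueError("audience mismatch")
    # 4. One-time use: the same AssertionID is never accepted twice.
    aid = assertion.get("AssertionID")
    if aid in _seen_assertion_ids:
        raise ValueError("replayed assertion")
    _seen_assertion_ids.add(aid)
    # 5. Federated NameID -> user; an unknown ID is rejected, not auto-provisioned.
    name_id = assertion.findtext(f".//{{{SAML}}}NameIdentifier")
    user = FEDERATED_IDS.get(name_id)
    if user is None:
        raise ValueError(f"no user with Federated ID {name_id!r}")
    return user, form["TARGET"]

if __name__ == "__main__":
    form = build_post_form("id=amadmin,ou=user,dc=opensso,dc=java,dc=net", "http://salesforce.com")
    print(consume_post(form))  # ('admin@example.com', 'http://salesforce.com')
```

    The ordering of the checks is the point: Recipient and signature are verified before any field of the Assertion is read, the clock and audience limit how long and where a captured response is useful, and the replay cache means even a response stolen inside its five-minute window works once. The "Federated ID" choice shows up as the last step: the NameIdentifier is only a lookup key, so a DN with no matching Salesforce.com user yields a rejection rather than a fresh account.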

    A leading On-Demand/SaaS provider supporting an open-standards-based mechanism for single sign-on is indeed a significant step in accelerating the adoption of these standards over costly and often kludgy proprietary mechanisms. Hoping for SAML 2.0, single logout, authorization, attributes and other protocols in the future.
  • About

    rajeev