+ Start a Discussion

Quick question on Delegated Authentication

    We are trying to implement SSO from our Intranet using the SalesForce Delegated authentication model.  We have covered a lot of steps and seems like are close to having this functionality but are running into the following issue -
    When the user clicks on GoTo SalesForce link from our Intranet, we receive the Delegated authentication callback and return true to validate the token.  Next, the users browser displays a blank page with a URL such as the following -
     It appears that the user session is established, because I can manually change this URL to https://na3.salesforce.com/home/home.jsp and the user is logged in.  But I am not sure how to make the browser automatically endup in this URL.
    Thanks for any suggestions,
If you examine the link you'll notice that the retURL param points at na2 instead of na3.  I'm not sure that's really the problem, but it's certainly a little odd.

Hi Vijay,

Even i am trying to implement SSO to access salesforce.com from our intranet.

I have gone through the available documents of salesforce and other stuff online, but not able to proceed in the right direction.

It would be kind of you if you can help in implementing this feature. I am having a developer edition account with salesforce.

It would be very nice of you if you can provide a means of contact to you ?








I need assistance on the below questions. These are not satisfactorily answered in the Single sign-on guide document. This is regarding how to implement Single sign-on feature on Windows Server 2003 IIS 6.0. It will be greatly appreciated if someone can come up with solutions/ suggestions or share their experience.
Questions are presented step-wise:  
1. Contact Salesforce to enable Delegated Authentication
2. Download Delegated Authentication WSDL
Are there any changes require in Delegated Authentication WSDL? If yes, what are they?   
After making changes, where do we need to place this modified WSDL file?
What is automatically generated stub and how it is generated from Delegated Authentication WSDL? What and how to add specific implementation to this stub?
3. Add a link in custom Intranet app and make HTTP POST to the Salesforce login page   


            What is the meaning of each parameter used to make HTTP POST request to Salesforce login page?  
4. In Salesforce, specify Delegated Gateway URL
If I have a virtual directory created for Web service and say, following is the access URL for virtual directory:     
This virtual directory will have all web service files. The Web service which has implemented SSO request and response methods is “sso.asmx”. Can you provide any suggestion on how to deploy web service?   
In this case, what would be the Delegated Gateway URL?
5. Modify User profile to enable “Is Single sign-on enabled?” user permission.
Single sign-on is enabled for the user whose name is same in Salesforce and Active Directory. .That is, user Windows Server name is “Chandrakant.Machhi”.
There is a user in Salesforce with the user name as: “Chandrakant.Machhi@yahoo.co.in”.
Is the above understanding correct? What else changes require in Active Directory?
6. If everything is fine, does Salesforce automatically opens separate browser for the user logged into the system or does it opens in the same browser? 
Chandrakant M 


No, you don't need to make any changes to the WSDL.


to generate the server stub use the .NET wsdl.exe tool with the /serverInterface option. This generates a base class which you then extend with your specific implementation.


the parameters passed in the soap message are username, entered password and source IP address. the WSDL documents the exact structure for the request.


If you're using visual studio, it includes deployment tools, otherwise you would copy the relevant built binaries (the .dll files), and the asmx files to your webservices directory.

typically in the case you mention, the delegated Url would be


Its upto your and your particular implementation to decide how & what to map between active directory and the salesforce.com user.


it doesn't open any browsers, the user opens the browser. 


For Delegated Authentication
1) Contact Salesforce.com to turn on Single Sign-On for your organization. DONE

2) Download the Web Services Description Language (WSDL) file, AuthenticationService.wsdl, that describes
the Single Sign-On service. DONE

3) In Salesforce, specify your organization’s Single Sign-On Gateway URL by clicking
Setup Security Controls Single Sign On Settings. DONE

4) Modify your user profiles to contain the "Uses Single Sign-On" user permission. DONE

5) Build your SSO Web Service. NOT DONE

Please help me in creating PHP webservice using soap library for single sign on Delegated Authentication.
I had soap library uploaded in my folder. My script is given below please correct if there is anything


Soap Client
ini_set("soap.wsdl_cache_enabled", "0");
$client = new nusoap_client(SITE_URL."SFAuthenticationServer.php");
//$client = new nusoap_client(SITE_URL."AuthenticationService.wsdl.xml");
$param = array('username' =>"test@test.com",'password'=>"xxxxxx",'sourceIp'=>$_SERVER['REMOTE_ADDR']);
$ProcessSync = $client->call('Authenticate', $param,'http://www.test.com/');

echo '<pre>';
}catch (Exception $e) {
$Message = $e->getMessage();
throw new Exception($Message);


Soap Server

$server = new soap_server;

function Authenticate($username, $password, $sourceIp) {
return 'true';
} catch (Exception $e) {
$Message = $e->getMessage();
throw new Exception($Message);