+ Start a Discussion

Single Sign On to Salesforce.com with OAuth 2.0 Tokens

Currently we are not using OAuth with our apps but we are working on making the shift, we have direct login and capture the user/pass that was entered and store those. We then turn around and use this for a feature that allows the user to open a record within Salesforce.com, we pass the user/pass in to the login endpoint along with a starting URL to the specific record, this works great and is a well liked feature as it is a simple SSO from the App to Salesforce.com where the user can see all data that may not be visible within the app.


Moving to OAuth 2.0 and using the standard webflow, we no longer can capture the user/pass, which is actually a good thing as far as security is concerned. We would however like to keep this functionality, is there anyway of SSO'ing into Salesforce.com by passing along one of the OAuth tokens or some kind of sesson id?


I have just answered your StackOverflow question with the following answer. Keeping both channels up to date:


So I think you are saying your application uses the SFDC username and password to just authenticate to retrieve a record from SFDC to display in your app?

IF this is correct - which I think it is - then you could just use the standard Salesforce Single Sign On system to authenticate. There is a guide here which outlines the process of setting up a SAML SSO system with Pat Patterson writing an interesting feature on how the security system works here. He has also written a great blog post on DeveloperForce here about the nitty details of OAuth in general for Force.com and not just the SAML setup. I have used the OAuth system in an iPad app against SFDC and it works quickly and easily. I can't see why your system should be unable to use the protocol as you desire.


Paul, I have a question on SSO Implementation using SAML2.0 and OAuth 2.0.  We alreay have a web based client implementation using Ping Federate as IDP and Salesforce as SP.  All we are trying to do is to extend the salesforce functionality as an App onto IPad.  So from a mobile client persepective, we would like our app to do something like Chatter App on IPad/IPhone.  My question is, can the SAML handshake happen automatically once we call the same URL from our app that redirects to IDP, or do we need to implement any logic such as framing SAML assertions on the IPad App.  I do understand the flow of OAuth after the SAML assertion is done.  OAuth seems pretty straight forward using Mobile SDK REST Api.  I am just stuck with the SAML - SSO flow on the mobile app.




Have a look through this article and let me know if it solves your problem - I think it shows that you might not need to write your own app possibly - just specify your own connection.






Thank you for getting back to me Paul.  Yes I did try to understand this article before, but when I started visting the discussion boards to dig deeper just to understand the implementation challenges, I visited the below question posted in 2008, that has more than 200 conversations with a bunch of code to frame the SAML assertions.  Here is the link for your reference (page 2, post by shanuman on 12-19-08 at 4:39AM  to be specific).




So my question is, do I need to implement any such logic in Objective-C on the IPad App to redirect the SAML Response from IDP(Ping.Fed) to SP(Salesforce), OR, is this done automatically since we already implemented SSO (Salesforce->Setup->Security->SSO Settings->enable SAML) and configured IDP to do its job for web based desktop clients. 


Now, if we dont need to do any such implementation, what was the implementation in the 2008 post for.  My guess is that they are coding to create a SAML Response and an assertion that gets pushed to Salesforce.  In our case, since the client is providing us with Ping Federate (IDP), we don't have to worry about the implementation part.  Am I correct?


I am afraid the simple answer from my side is I don't know. My advice would be to either reach out to simon fell (@superfell) who might know the answer or to try it without and then see what failure you get (if any) to help you move towards a solution.


Let me know what solution you find, I would test it myself but don't have mac access at the moment so am unable to :-(