Single Sign On Error
My company wanted to enable SalesForce single sign-on for our organization, accessible through our intranet home page.
We followed the .NET sample code provided by SalesForce to test the solution out.
First, we created an AppExchange Developer Edition account and a system administrator user.
Then, we enabled Single Sign-On for the organization using the Developer Edition account.
Next, we specified the Single Sign-On Gateway URL for this organization as http://www.domain.com/SingleSignOnApp/AuthenticationService.wsdl
We then created a user with a standard profile and specified the permission to use Single Sign On for this profile.
In our .NET application, we obtain the Windows login user name from our Windows Network Domain.
Then, we added the domain suffix to match the SalesForce login (e.g. hansolo@abc.com).
Based on the sample code, we then provided an Authentication web service (as specified in the WSDL file above) that we allow the SalesForce server to call and pass back the encrypted token for us to verify on our end.
Because we do not want to send the user's password over the Internet to the SalesForce server, we decided to use the option of creating an encrypted token from the user's login name, as shown by the SalesForce sample.
We were able to retrieve the username and create the encrypted token successfully. We then posted the username and encrypted token to the SalesForce server at https://www.salesforce.com/login.jsp as specified by the .NET sample app and documentation.
The next screen that we received after the post is the SalesForce login page with the username field pre-populated and an error message requesting that we provide a password to login.
This should happen seamlessly as a result of the Single Sign On feature.
Is anybody else having problems with the Single Sign On feature or experiencing the same problem? If so, how did you fix it? Any suggestion or help is greatly appreciated.
Thanks,
Hanh
<HTML>
<HEAD>
</HEAD>
<!-- Auto-post page: submits the login name ("un") and the encrypted token (in the "pw" field) to the Salesforce login page as soon as it loads. -->
<body onLoad="document.sfdc.submit();">
<form action="https://www.salesforce.com/login.jsp" METHOD="post" name="sfdc">
  <!-- The runat="server" inputs are populated by the ASP.NET code-behind before the page is rendered. -->
  <input type="hidden" name="un" runat="server" id="username">
  <input type="hidden" name="pw" runat="server" id="token">
  <input type="hidden" name="startURL" runat="server" id="startURL">
  <input type="hidden" name="logoutURL" runat="server" id="logoutURL">
  <input type="hidden" name="ssoStartPage" runat="server" id="ssoStartPage">
  <input type="hidden" name="jse" value="0">
  <input type="hidden" name="rememberUn" value="1">
  <script language="Javascript1.2">
  // The sample's document.aspPostForm reference is commented out; the form is addressed by its name instead.
  //document.aspPostForm.jse.value = 1;
  document.sfdc.jse.value = 1;
  </script>
</form>
</body>
</HTML>
Does anyone else have a suggestion as to why this is not working?
Thanks,
Hanh
When the Single Sign On permission is disabled for that particular profile, I can then log in through the SalesForce main login page with a user with that profile. When the Single Sign On permission is enabled for the user with that profile, then I cannot log in through the main SalesForce page.
Hanh
There were many entries for 12/1/2006 stating
"org.xml.sax.SAXParseException: White spaces are required between publicId and systemId."
Does anyone know what this means? Could this be the error?
Thanks,
Hanh
We are using the .NET sample app that SalesForce provided. There was not much modification on our end except specifying the SSO gateway URL to point to the sso.asmx file. Is there any detailed documentation or resources that we can use? Is there a specific developer specializing in SSO who can help us out? We are an enterprise customer and we would like to resolve this matter quickly.
Thanks,
Hanh
The .NET infrastructure includes a built-in web-based tester. What happens if you exercise the endpoint from that? (From a browser on the server where the code is deployed, point the browser at the .asmx URL, click through to the Authenticate method, fill out the form and give it a go.)
If that works, then you might want to modify the code to write exception info to the event log and/or use a web services diagnostics tool (YATT, SOAPScope, tcpTrace) to monitor the request/response and see what's going on there.
Hello,
We are experiencing exactly the same problem as mentioned in the thread. Does anybody have an appropriate solution for this or can someone point to any other links which might provide further help?
When admins change their password or reset the security tokens, this creates big problems.
Are there any recommended best practices to solve this problem?
I am wondering if any of these can be used (in preferred order):
1. Salesforce acts as the single sign-on authentication authority.
2. A "fake" single sign-on solution where we maintain the username/password for one user who has privileges similar to Admin (SFDC recommends that the real admin not be put on Single Sign On). We would implement the Authenticate web service and return true.
3. A real single sign-on solution where both our application and Salesforce use a central username/password. I assume this is possible.
4. Salesforce.com periodically polls our application to pull the data, instead of us calling it. How does one implement periodic polling?
The definition of the function "VerifyAndDecryptToken": this function accepts serializedToken as a parameter.

public bool Authenticate(string username,
                         string password,
                         string sourceIp,
                         [System.Xml.Serialization.XmlAnyElementAttribute()] System.Xml.XmlElement[] Any)
{
    // Reject anything that is not a federated login name of the form user@domain.
    if (username.IndexOf("@") == -1)
        return false;
    // Salesforce passes whatever was posted in the "pw" field; for SSO that is the encrypted token.
    AuthToken t = VerifyAndDecryptToken(password);
    if ((t == null) || (t.Username != username))
        return false;
    // Replay protection: each token number is accepted once, until it expires.
    return usedids.IsNewId(t.TokenNumber, t.Expires);
}

So when SFDC invokes the Authenticate function of the intranet web service, and data like "password" is passed as an argument to the function "VerifyAndDecryptToken" instead of the actual token, we get the following error in the function "VerifyAndDecryptToken":
Error: Server was unable to process request. ---> Invalid character in a Base-64 string.
So please let us know if there are issues within this function where the token should be passed to the function instead of the password?
Also, is it possible to determine the "Token" data in this function so that it can be passed as an argument to the "VerifyAndDecryptToken" function?
As for testing, when we used a hardcoded token value in the "VerifyAndDecryptToken" function we were able to log in to the account for which SSO is enabled.
We were able to log in only when we used a hardcoded token value, as shown in the modified function below.

internal static AuthToken VerifyAndDecryptToken(string serializedToken)
{
    // Test-only modification: the incoming value is overwritten with a known-good token.
    serializedToken = "cAEAAH390j9AjEKZy+2U8Rd2CpaGxad9mYV2ZN1W83TWZYlphWvKgJaAa+4ju7wBJloBd3bZiQZ+1S9fnrwNBdSYJOopBA+TIDtckBbaDPwD/9nHUuvX3Pq7FEdULjReqY0I+T388d+STQQMXk4Douj/OXoQWv8mBZo73Da6xpsCLWwE3CuSxsXIhBD0lluY1NfjkQ2dL95L8G1eBM1ts3rW5pifJGjsPc2goce+NRzcA5ChBNntOXKAlNW7rFLGFOPPHETRpecflFyrY90GXFeh7dulXqyiKoRDvXe60IZDTaypnlEfiIue/x5MEMnJqK/fOviwUoUm/KBaxxyz4ah5oMXLaTOmT34FpZFChJkeOIXP2T2Wi8LxRtTsfgA+PKhTYUXwPypsjmyJdE5znPCH+OlazR/e2Lsgr1OksIwBgXldU8ua5q+akN4BWvS3Fzwnze6TiqS+XAzEQXDieFMgWsyPMkrhnaJ6EojWanSjqaVbANA0NnJF+A9yxDChpSGuUTqxiumKP0UK4GH3vIB8j5KtTs3l9cimTT10dGUla3JYBobAC6S1KpvWVA5xvTE88a/Fzzvcu8C3z2tREeE33tSWbG+zyUR148OutBob0GXpLeTTIaUz+i/I7v8YxOoHnuCMtaChOkbYIUqCK+Hu1P0=";
    // unpack the string into the data & sig
    byte[] data, sig;
    if (!UnpackSerializedString(serializedToken, out data, out sig))
        return null;
    // verify the signature (RSA over the SHA-1 hash of the encrypted data)
    if (!GetSigningRsa().VerifyData(data, new SHA1CryptoServiceProvider(), sig))
        return null;
    // decrypt the data and deserialize the token
    byte[] token = Decrypt(GetEncRsa(), data);
    AuthToken t = DeserializeToken(token);
    return t;
    // Expiry check disabled for this test:
    //if (!t.Expired)
    //    return t;
    //return null;
}

Can anybody help us resolve this issue?
We are having the following issues while implementing Single Sign On:
1. When the gotosfdc.aspx page is executed we get the following JavaScript error on the following line:
document.aspPostForm.jse.value = 1;
Error: document.aspPostForm is undefined
What could be the possible reasons for that? We have used the exact code provided by SFDC and have made no amendments to it.
2. When the gotosfdc.aspx page is executed and the token is posted to "https://www.salesforce.com/login.jsp", should the SFDC web service not call the "Authenticate" function of the sso.asmx intranet web service and, when the token is verified, directly log me into my salesforce.com account?
At present I am just redirected to "https://www.salesforce.com/login.jsp" with the username prefilled. Then I have to enter the password, and then I can see that the SFDC web service calls the "Authenticate" function of the sso.asmx intranet web service and logs me into my account.
Can anybody let me know what could be the reason behind this behavior?
I have enabled SSO for the user's profile, and the web service is also accessible by SFDC.
3. In one of the documents it is mentioned that:
"You can configure the Salesforce delegated authentication authority to allow only tokens or to accept either tokens or passwords. If the authority only accepts tokens, a Salesforce user cannot log in to Salesforce directly, because they cannot create a valid token. However, many companies choose to allow both tokens and passwords. In this environment, a user could still log in to Salesforce through the login page."
So can anybody let me know where I can configure these settings?
Any help in fixing this issue will be highly appreciated.
You can always contact me on my email-id: darshanps@projectdemo.biz or you can provide me your email-id so that we can contact you regarding this issue.
Thanks
Darshan
I'm sure you have answers by now, but I thought I would answer #1 for others that may be experiencing this problem. When a form does not have an ID, earlier versions of ASP.NET referred to it by aspPostForm, which is its class name. Newer versions of .NET generate a unique ID by using the naming containers, I think. Anyway, it seems like the sample application was written for .NET 1.1, and while the form has a name, there is no id. Since you don't know what the final ID of the form will be anyway (without looking it up on the server using the ClientId property), and since there should only be one form on the page in the first place, you can refer to the form by:
document.forms[0]
rather than:
document.aspPostForm
So that line in the Sample could be:
document.forms[0].jse.value = 1;
Regards,
Mike Sharp
Thanks for your reply, Mark.
Can you please also give replies for the remaining questions, as I still have no answers for those?
Regards,
Darshan
3. The setting is in your DA listener; it's not a salesforce.com setting. It's up to you to write/configure your DA to support either tokens and passwords, or just tokens, or just passwords (or something else entirely).
Remember that the .NET code with the SSO docs is just sample code; it's a starting point to demonstrate some of the things that are possible. It's not even close to being a production-quality implementation.
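Tying together the VerifyAndDecryptToken/Authenticate code posted above (where a plain password reaching the unpack step produced the "Invalid character in a Base-64 string" fault) and the point that the tokens-versus-passwords policy lives in the DA listener, here is an added example of the same check, written for this page. It is not the Salesforce .NET sample and not code from anyone in this thread. It is in Go rather than C# so that it runs stand-alone. The names Listener, IssueToken, isNewID and PasswordCheck, the token body layout "user number expiry", the wire layout base64(ciphertext||signature), OAEP for the encryption step, and one process holding both key pairs (as gotosfdc.aspx and sso.asmx do in the sample) are assumptions, since the sample's own layouts are not shown on this page. The SOAP method shape (username, password, sourceIp), the SHA-1/RSA signature over the encrypted data, and the check order (unpack, verify signature, decrypt, compare username, expiry, replay) follow the posted code.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha1"
	"encoding/base64"
	"errors"
	"fmt"
	"strings"
	"sync"
	"sync/atomic"
	"time"
)

// AuthToken carries the fields the sample's Authenticate() checks.
type AuthToken struct {
	Username    string
	TokenNumber uint64
	Expires     time.Time
}

// Listener is a hypothetical DA endpoint; as in the sample, one process issues and verifies tokens.
type Listener struct {
	signKey, encKey *rsa.PrivateKey            // signing pair, encryption pair (assumed: two separate keys)
	PasswordCheck   func(user, pw string) bool // nil = tokens only; set it to also accept passwords
	next            uint64                     // token counter (prefer random nonces in production)
	used            sync.Map                   // replay cache: token number -> expiry (prune expired entries in production)
}

func NewListener(passwordCheck func(user, pw string) bool) (*Listener, error) {
	sk, err1 := rsa.GenerateKey(rand.Reader, 2048)
	ek, err2 := rsa.GenerateKey(rand.Reader, 2048)
	if err1 != nil || err2 != nil {
		return nil, errors.New("key generation failed")
	}
	return &Listener{signKey: sk, encKey: ek, PasswordCheck: passwordCheck}, nil
}

// IssueToken is what the intranet page does before auto-posting to login.jsp: serialize (assumed
// layout "user number expiry"), encrypt, sign the ciphertext with SHA-1/RSA as the sample verifies it, base64 data||sig.
func (l *Listener) IssueToken(username string, ttl time.Duration) (string, error) {
	plain := fmt.Sprintf("%s %d %d", username, atomic.AddUint64(&l.next, 1), time.Now().Add(ttl).Unix())
	data, err1 := rsa.EncryptOAEP(sha1.New(), rand.Reader, &l.encKey.PublicKey, []byte(plain), nil)
	h := sha1.Sum(data)
	sig, err2 := rsa.SignPKCS1v15(rand.Reader, l.signKey, crypto.SHA1, h[:])
	if err1 != nil || err2 != nil {
		return "", errors.New("token creation failed")
	}
	return base64.StdEncoding.EncodeToString(append(data, sig...)), nil
}

// VerifyAndDecryptToken keeps the sample's order: unpack, verify signature, decrypt, deserialize.
func (l *Listener) VerifyAndDecryptToken(serialized string) (*AuthToken, error) {
	raw, err := base64.StdEncoding.DecodeString(serialized)
	k := l.signKey.Size() // a PKCS#1 v1.5 signature is exactly the modulus size
	if err != nil || len(raw) <= k { // a typed password lands here: answer "not a token", never a SOAP fault
		return nil, errors.New("not a token")
	}
	data, sig := raw[:len(raw)-k], raw[len(raw)-k:]
	h := sha1.Sum(data)
	if rsa.VerifyPKCS1v15(&l.signKey.PublicKey, crypto.SHA1, h[:], sig) != nil {
		return nil, errors.New("bad signature")
	}
	plain, err := rsa.DecryptOAEP(sha1.New(), rand.Reader, l.encKey, data, nil)
	t, exp := AuthToken{}, int64(0)
	if _, perr := fmt.Sscanf(string(plain), "%s %d %d", &t.Username, &t.TokenNumber, &exp); err != nil || perr != nil {
		return nil, errors.New("undecryptable or malformed token body")
	}
	t.Expires = time.Unix(exp, 0)
	return &t, nil
}

// isNewID is the replay check the sample delegates to usedids.IsNewId: each token number is accepted once.
func (l *Listener) isNewID(num uint64, exp time.Time) bool {
	_, seen := l.used.LoadOrStore(num, exp) // atomic check-and-record
	return !seen
}

// Authenticate has the shape of the SOAP method Salesforce calls with the posted un/pw fields.
func (l *Listener) Authenticate(username, password, sourceIP string) bool {
	t, err := l.VerifyAndDecryptToken(password)
	switch {
	case !strings.Contains(username, "@"):
		return false
	case err != nil: // not a token: whether a password is acceptable is this listener's decision, not Salesforce's
		return l.PasswordCheck != nil && l.PasswordCheck(username, password)
	case t.Username != username || time.Now().After(t.Expires):
		return false
	}
	return l.isNewID(t.TokenNumber, t.Expires)
}

func main() {
	l, _ := NewListener(nil) // tokens only
	tok, _ := l.IssueToken("hansolo@abc.com", 5*time.Minute)
	fmt.Println(l.Authenticate("hansolo@abc.com", tok, "10.0.0.1"), l.Authenticate("hansolo@abc.com", tok, "10.0.0.1"))
}
```

With `go run` the two printed values are true and then false: the first login consumes the token number and the replay is refused. The "Invalid character in a Base-64 string" fault reported earlier is what happens when a password typed on login.jsp reaches the unpack step unguarded; here that path returns false, or falls through to PasswordCheck when the listener has been configured to accept passwords as well, which is the listener-side choice described in the reply above. SHA-1 appears only because that is what the sample's VerifyData call expects; a new deployment should sign with SHA-256.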
Normally, should IT do the coding, or a developer? We don't have one.
My IT does not know how to code and we are trying to implement SSO.