Han Solo

Single Sign On Error

My company wanted to enable SalesForce single sign-on for our organization, accessible through our intranet home page.

We followed the .NET sample codes provided by SalesForce to test the solution out.

 
First, we created an AppExchange Developer Edition account and a system administrator user.

Then, we enabled Single Sign-On for the organization using the Developer Edition account.

Next, we specified the Single Sign-On Gateway URL for this organization as http://www.domain.com/SingleSignOnApp/AuthenticationService.wsdl

We then created a user with a standard profile and specified the permission to use Single Sign On permission for this profile.

In our .NET application, we obtain the Windows login user name from our Windows Network Domain.

Then, we added the domain suffix to match the SalesForce login (e.g. hansolo@abc.com).

Based on the sample code, we then provided an Authentication web service (as specified in the WSDL file above) that we allow the SalesForce server to call and pass back the encrypted token for us to do the verification on our end.

Because we do not want to send the user’s password over the Internet to the SalesForce server, we decided to use the options for creating an encrypted token from the user’s login name, as shown by the SalesForce sample.

We were able to retrieve the username and create the encrypted token successfully. We then posted the username and encrypted token to the SalesForce server at https://www.salesforce.com/login.jsp as specified by the .NET sample app and documentation.

The next screen that we received after the post is the SalesForce login page with the username field pre-populated and an error message requesting that we provide a password to login.

This should happen seamlessly as a result of the Single Sign On feature.

Is anybody else having problems with the Single Sign On feature or experiencing the same problem? If so, how did you fix it? Any suggestion or help is greatly appreciated.

Thanks,

Hanh


Superfell
It sounds like you might have gotten the password form field name wrong. Also, have you set up a profile with SSO enabled? Also, the gateway URL should not be to the WSDL, as you have it, but to the actual web service, the .asmx file.


Han Solo
Simon,
 
Thanks for the quick reply.
 
I had previously set up a user with a standard profile and enabled that profile with SSO permission. I have also changed the Gateway URL to use the sso.asmx service provided at http://domain/SingleSignOnApp/sso.asmx.
 
Here is the HTML for my aspx form file
<%@ Page language="c#" CodeBehind="gotosfdc.aspx.cs" AutoEventWireup="false" Inherits="SingleSignOn.gotosfdc" %>
<HTML>
 <HEAD>
 </HEAD>
 <body onLoad="document.sfdc.submit();">
  <form action="https://www.salesforce.com/login.jsp" METHOD="post" name="sfdc">
   <input type="hidden" name="un" runat="server" id="username">
   <input type="hidden" name="pw" runat="server" id="token">
   <input type="hidden" name="startURL" runat="server" id="startURL">
   <input type="hidden" name="logoutURL" runat="server" id="logoutURL">
   <input type="hidden" name="ssoStartPage" runat="server" id="ssoStartPage">
   <input type="hidden" name="jse" value="0">
   <input type="hidden" name="rememberUn" value="1">
   <script language="Javascript1.2">
    //document.aspPostForm.jse.value = 1;
    document.sfdc.jse.value = 1;
   </script>
  </form>
 </body>
</HTML>
 
The name for the password field is "pw". Its ID is "token." Is this correct?
 
Thanks,
 
Hanh
 
Han Solo

Does anyone else have a suggestion as to why this is not working?

 

Thanks,

Hanh

benjasik
can you try just posting a username/pass through the main login page?  Are you receiving it? 
Han Solo

When the Single Sign On permission is disabled for that particular profile, I can then log in through the SalesForce main login page with a user with that profile. When Single Sign On permission is enabled for the user with that profile, then I cannot log in through the main SalesForce page.

 

Hanh

Superfell
What does the SSO error history in setup show?
Han Solo

There were many entries for 12/1/2006 stating

"org.xml.sax.SAXParseException: White spaces are required between publicId and systemId."

Does anyone know what this means? Could this be the error?

 

Thanks,

 

Hanh

Superfell
It means when we sent the SSO request to your authentication service, it didn't reply with well formed XML. Typically you get this when your service has an exception that's not handled and the web app returns a HTML error page. I would check whatever logging you have for your auth service.
Han Solo

We are using the .NET sample app that SalesForce provided. There was not much modification on our end except specifying the SSO gateway URL to point to the sso.asmx file. Is there any detailed documentation or resources that we can use? Is there a specific developer specializing in SSO who can help us out? We are an enterprise customer and we would like to resolve this matter quickly.

Thanks,

Hanh

Superfell
Hmmm, the sample code is just that, a sample to show what's possible; it's by no means a production-ready solution.
The .NET infrastructure includes a built-in web-based tester. What happens if you exercise the endpoint from that? (From a browser on the server where the code is deployed, point a browser at the .asmx URL, click through to the authenticate method, fill out the form and give it a go.)
If that works, then you might want to modify the code to write exception info to the event log and/or use a web services diagnostics tool (YATT, SOAPScope, tcpTrace) to monitor the request/response and see what's going on there.
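A quick check for the failure Superfell describes, as an added example that is not part of the Salesforce sample app: the listener must answer Salesforce's Authenticate call with a SOAP envelope, and an ASP.NET error page breaks Salesforce's XML parser before the result is ever read, which is what the SAXParseException in the SSO error history records. The response element names and namespace below are assumptions taken from a typical delegated-authentication reply; check them against the AuthenticationService.wsdl you downloaded.

```python
import xml.etree.ElementTree as ET

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
AUTH_NS = "urn:authentication.soap.sforce.com"  # assumed; verify against your WSDL

# Constructed sample: what a healthy listener answers to Salesforce's Authenticate call.
GOOD_RESPONSE = """<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  <soap:Body>
    <AuthenticateResponse xmlns="urn:authentication.soap.sforce.com">
      <Authenticated>true</Authenticated>
    </AuthenticateResponse>
  </soap:Body>
</soap:Envelope>"""

# Constructed sample: an ASP.NET unhandled-exception page. Its HTML DOCTYPE has a
# PUBLIC id but no system id, which an XML parser rejects with the message
# "White spaces are required between publicId and systemId".
ERROR_PAGE = """<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<html><head><title>Runtime Error</title></head>
<body><h1>Server Error in '/SingleSignOnApp' Application.</h1></body></html>"""


def classify_auth_response(body):
    """Return 'soap', 'html-error-page', 'xml-not-soap' or 'malformed-xml'."""
    looks_html = body.lstrip().lower().startswith(("<!doctype html", "<html"))
    try:
        root = ET.fromstring(body)
    except ET.ParseError:
        return "html-error-page" if looks_html else "malformed-xml"
    if root.tag == "{%s}Envelope" % SOAP_NS:
        return "soap"
    return "html-error-page" if looks_html else "xml-not-soap"


def authenticated_result(body):
    """True/False from a SOAP reply, or None when the reply is not usable."""
    if classify_auth_response(body) != "soap":
        return None
    node = ET.fromstring(body).find(".//{%s}Authenticated" % AUTH_NS)
    if node is None or node.text is None:
        return None
    return node.text.strip().lower() == "true"
```

Feed it the raw body captured with the diagnostics tools mentioned above; anything other than "soap" explains a SAXParseException entry on the Salesforce side.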

VijayMoharle
Hi,
   Were you able to integrate Single Sign On? I have been trying but am still facing the same issues as you did before. Please let me know if SSO integration was done successfully at your end.
 
DS_WLI

Hello,

We are experiencing exactly the same problem as mentioned in the thread. Does anybody have an appropriate solution for this or can someone point to any other links which might provide further help?

 

 


GoForceGo
We have a client application that currently relies on knowing the administrator username/password to log in and read/update data in salesforce

When admins change their password or reset the security tokens, this creates big problems.

Are there any recommended best practices to solve this problem ?

I am wondering if any of these can be used (in preferred order)

1. Salesforce acts as the single sign-on authentication authority.

2. A "fake" single sign-on solution where we maintain the username/password for one user who has privileges similar to Admin (SFDC recommends that real admin not be put on Single Sign On). We would implement the Authenticate web service and return true.

3. A real single sign-on solution where both our application and salesforce use a central username/password. I assume this is possible.

4. Salesforce.com periodically polls our application to pull the data, instead of us calling it. How does one implement periodic polling?



DS_WLI
In the code below we found that the parameter passed to the function "VerifyAndDecryptToken" is "password", while as per
the definition of the function "VerifyAndDecryptToken" this function accepts serializedToken as its parameter.


public bool Authenticate(string username,
                         string password,
                         string sourceIp,
                         [System.Xml.Serialization.XmlAnyElementAttribute()] System.Xml.XmlElement[] Any)
{
    // Only fully qualified logins (user@domain) are accepted.
    if (username.IndexOf("@") == -1)
        return false;

    // The "password" argument carries whatever the browser posted in the pw field,
    // which for SSO is the encrypted token rather than a password.
    AuthToken t = VerifyAndDecryptToken(password);
    if ((t == null) || (t.Username != username))
        return false;

    // Reject replayed or expired token numbers.
    return usedids.IsNewId(t.TokenNumber, t.Expires);
}


So when SFDC invokes the Authenticate function of the intranet webservice and when data like "password" is passed as argument to
the function "VerifyAndDecryptToken" instead of the actual token we get the following error in the function "VerifyAndDecryptToken"

Error: Server was unable to process request. ---> Invalid character in a Base-64 string.

So please let us know if there are issues within this function, where the token should be passed to the function instead of the password.

Also, is it possible to determine the "Token" data in this function so that it can be passed as an argument to the "VerifyAndDecryptToken" function?

For testing, when we used a hardcoded token value in the "VerifyAndDecryptToken" function, we were able to log in to the account for which SSO is enabled.

We were able to login only when we used a hardcoded token value as mentioned in the below modified function.

internal static AuthToken VerifyAndDecryptToken(string serializedToken)
{
    // Test modification: the incoming value is overridden with a fixed token.
    serializedToken = "cAEAAH390j9AjEKZy+2U8Rd2CpaGxad9mYV2ZN1W83TWZYlphWvKgJaAa+4ju7wBJloBd3bZiQZ+1S9fnrwNBdSYJOopBA+TIDtckBbaDPwD/9nHUuvX3Pq7FEdULjReqY0I+T388d+STQQMXk4Douj/OXoQWv8mBZo73Da6xpsCLWwE3CuSxsXIhBD0lluY1NfjkQ2dL95L8G1eBM1ts3rW5pifJGjsPc2goce+NRzcA5ChBNntOXKAlNW7rFLGFOPPHETRpecflFyrY90GXFeh7dulXqyiKoRDvXe60IZDTaypnlEfiIue/x5MEMnJqK/fOviwUoUm/KBaxxyz4ah5oMXLaTOmT34FpZFChJkeOIXP2T2Wi8LxRtTsfgA+PKhTYUXwPypsjmyJdE5znPCH+OlazR/e2Lsgr1OksIwBgXldU8ua5q+akN4BWvS3Fzwnze6TiqS+XAzEQXDieFMgWsyPMkrhnaJ6EojWanSjqaVbANA0NnJF+A9yxDChpSGuUTqxiumKP0UK4GH3vIB8j5KtTs3l9cimTT10dGUla3JYBobAC6S1KpvWVA5xvTE88a/Fzzvcu8C3z2tREeE33tSWbG+zyUR148OutBob0GXpLeTTIaUz+i/I7v8YxOoHnuCMtaChOkbYIUqCK+Hu1P0=";
    // unpack the string into the data & sig
    byte[] data, sig;
    if (!UnpackSerializedString(serializedToken, out data, out sig))
        return null;
    // verify the signature
    if (!GetSigningRsa().VerifyData(data, new SHA1CryptoServiceProvider(), sig))
        return null;
    // decrypt the data
    byte[] token = Decrypt(GetEncRsa(), data);
    AuthToken t = DeserializeToken(token);

    return t;
    //if (!t.Expired)
    //    return t;
    //return null;
}

Can anybody help us resolve this issue?
 
Also can anybody let us know whether the code provided by SFDC in  [Salesforce.com_Delegated_Authentication.zip] is a production ready solution or there is some additional coding required to be done in the code provided.
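The same Authenticate / VerifyAndDecryptToken flow in Python, as an added example rather than code from the Salesforce sample: the intranet page issues a signed token that the browser posts in the pw field, Salesforce hands that value back in the password argument, and the listener verifies it, which is why the sample passes password into VerifyAndDecryptToken. It substitutes an HMAC over a constructed secret for the sample's RSA sign-then-encrypt step (the token here is signed but not encrypted), keeps the username, expiry and single-use checks that a hardcoded token skips, and returns None for a plain password, the case that produced the Base-64 error above.

```python
import base64, binascii, hashlib, hmac, json, time

# Constructed demo secret; the sample uses RSA signing plus RSA encryption instead.
SECRET = b"demo-only-secret-not-for-production"
TOKEN_TTL = 300  # seconds a token stays valid (the sample's Expires field)

def create_token(username, token_number, now=None):
    """Intranet side: build the value gotosfdc.aspx posts in the 'pw' field."""
    now = time.time() if now is None else now
    data = json.dumps({"Username": username, "TokenNumber": token_number,
                       "Expires": now + TOKEN_TTL}).encode()
    sig = hmac.new(SECRET, data, hashlib.sha256).digest()  # 32-byte tag
    return base64.b64encode(data + sig).decode()  # the "serializedToken"

def verify_and_decrypt_token(serialized_token):
    """Counterpart of VerifyAndDecryptToken: the token dict, or None."""
    try:
        raw = base64.b64decode(serialized_token, validate=True)
    except (binascii.Error, ValueError):
        return None  # a plain password ends up here: it is not valid Base-64
    data, sig = raw[:-32], raw[-32:]
    expected = hmac.new(SECRET, data, hashlib.sha256).digest()
    if len(raw) < 32 or not hmac.compare_digest(expected, sig):
        return None  # tampered or forged token
    try:
        t = json.loads(data)
    except ValueError:
        return None
    return t if isinstance(t, dict) else None

class UsedIds:
    """Single-use bookkeeping standing in for the sample's usedids.IsNewId."""
    def __init__(self):
        self.seen = {}  # token_number -> expiry
    def is_new_id(self, token_number, expires, now=None):
        now = time.time() if now is None else now
        self.seen = {k: v for k, v in self.seen.items() if v > now}  # prune
        if expires <= now or token_number in self.seen:
            return False  # expired, or replayed within its lifetime
        self.seen[token_number] = expires
        return True

def authenticate(username, password, used_ids, now=None):
    """Counterpart of Authenticate(): Salesforce passes the token as 'password'."""
    if "@" not in username:
        return False
    t = verify_and_decrypt_token(password)
    if t is None or t.get("Username") != username:
        return False
    return used_ids.is_new_id(t["TokenNumber"], t["Expires"], now)
```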
Superfell
The code provided is labeled as sample code, and is in fact sample code. Somewhere in there is a second page that generates the token and passes it to salesforce, which then passes it back to the service which verifies the token. IIRC, the documentation that goes with the sample code explains this. The sample shows how to use tokens instead of passwords so that your corporate credentials are not passed through salesforce.com.
Superfell
http://wiki.apexdevnet.com/index.php/How_to_Implement_Single_Sign-On_with_Salesforce.com
GoForceGo
Back to my question...any thoughts Simon?


DS_WLI

We are having following issues while implementing Single Sign On

1. When gotosfdc.aspx page is executed we get following javascript error on the following line
 
document.aspPostForm.jse.value = 1;

Error:  document.aspPostForm is undefined

What could be the possible reasons for that? We have used the exact code provided by SFDC and have made no amendments to it.

2. When the gotosfdc.aspx page is executed and the token has to be posted to "https://www.salesforce.com/login.jsp", in that case should the SFDC web service not call the "Authenticate" function of the sso.asmx intranet webservice and, when the token is verified, directly log me into my salesforce.com account?

At present I am just redirected to "https://www.salesforce.com/login.jsp" with the username prefilled. Then I have to enter the password, and then I can see that the SFDC web service calls the "Authenticate" function of the sso.asmx intranet webservice and then logs me into my account.

Can anybody let me know what could be the reason behind this behavior?

I have enabled SSO for the User's profile and also the webservice is also accessible by SFDC.

3. In one of the documents it has been mentioned that

"You can configure the Salesforce delegated authentication authority to allow only tokens or to accept either tokens or passwords. If the authority only accepts tokens, a Salesforce user cannot log in to Salesforce directly, because they cannot create a valid token. However, many companies choose to allow both tokens and passwords. In this environment, a user could still log in to Salesforce through the login page."

So can anybody let me know from where I can configure these settings?

Any help in fixing this issue will be highly appreciated.

You can always contact me on my email-id: darshanps@projectdemo.biz or you can provide me your email-id so that we can contact you regarding this issue.

Thanks

Darshan




rdcpro

I'm sure you have answers by now, but I thought I would answer #1 for others that may be experiencing this problem.  When a form does not have an ID, earlier versions of ASP.NET referred to it by aspPostForm, which is its class name.  Newer versions of .NET generate a unique ID by using the naming containers, I think.  Anyway, it seems like the sample application was written for .NET 1.1, and while the form has a name, there is no id.  Since you don't know what the final ID of the form will be anyway (without looking it up on the server using the ClientId property), and since there should only be one form on the page in the first place, you can refer to the form by:

document.forms[0]

rather than:

document.aspPostForm

So that line in the Sample could be:

document.forms[0].jse.value = 1;

 

Regards,

Mike Sharp

DS_WLI

Thanks for your reply Mark.

Can you please give replies for the remaining questions also, as I still have no answers for those questions.

Regards,

Darshan

Superfell
2. The redirect at https://www.salesforce.com/login.jsp is probably causing problems; try changing it to https://login.salesforce.com instead.

3. The setting is in your DA listener; it's not a salesforce.com setting. It's up to you to write/configure your DA to either support tokens and passwords, or just tokens, or just passwords (or something else entirely).

Remember that the .NET code with the SSO docs is just sample code; it's a starting point to demonstrate some of the things that are possible. It's not even close to being a production-quality implementation.
CTU007

Normally, should IT do the coding, or a developer? We don't have one.

My IT does not know how to code and we are trying to implement SSO.