ram_iyer

Automatic Salesforce User Login through a .Net application

I have a business case where there is a .Net web application that opens up Salesforce within the app. How do I ensure that the user is automatically logged in without being asked for a username and password?

Note:
1. The login needs to be seamless, so that even when a new user is set up, he/she does not have to go through the process of password reset. The user should not have to know what his/her username and password is.
2. This Salesforce org already has SSO enabled. However, the users that use the web app are not on the same network. Hence SSO will not work. I would need a parallel authentication mechanism. Is it possible to have 2 parallel external authentication mechanisms? If yes, how? Is there some documentation that I can refer to?
3. I don't want to maintain Salesforce usernames and passwords in the .Net app, since it will be an overhead to sync the passwords every time.
4. I cannot use a single API user that will impersonate all users, because I need to keep a history of which user did what.

What options do I have? And if I am willing to store the passwords in the .Net app, are there easy options to automatically store the user credentials and have the user log in to Salesforce?


Ram

Best Answer chosen by Admin (Salesforce Developers) 
AlwaysConfused

Hi Ram,

I think what this boils down to is trust.

How much can you trust the credentials for the currently logged-in user?

You mention that you plan to embed Salesforce into another app, so if possible why not create a small authentication web service that checks credentials based on users on the trusted network in some way.

The user would then provide their domain login credentials for that trusted network to the app, which would result in some form of token passing and a result that binds directly to a Salesforce credential.

Without being presented with the complete scenario it's difficult to suggest a clear-cut solution, but I guess your main problem is "How can I identify the Salesforce login details for a user without asking them on a non-trusted network".

As far as I can see it's got to be a simple matter of identifying that user some other way, then handing them their auth token that they can then use to carry out their work. Either way you need to ask for something in terms of login details unless the domain / computer they are using is trusted.

All Answers

AlwaysConfused

Sounds like you already have a solution.

Using SSO, you just need to deploy a second SSO authentication provider on the other network.

Out of curiosity, what stops you "hooking on to" the other SSO system on the other network?

You could use either something like BizTalk Server with a secure endpoint that authenticates the remote network's Windows user ID, or plug straight in through a custom web service to your SSO data store.

As soon as you start down either route though, are you not building more security vulnerabilities by increasing your attack surface?

Have you considered something like a Citrix gateway to ensure all users of your CRM solution are using the same internal systems and are authenticated through the same authentication services on a single network?

This approach would require no more development at all as you would effectively reuse what you already have.

ram_iyer

Thanks for your suggestions, Paul. I like the idea of my SSO network authenticating users on the other network. But as you've said, I am not sure how feasible that would be, given the security risks with delegating authentication to the other network.

Salesforce is currently used extensively by a bunch of internal users and we now need to extend it to some external users. Using the same internal system may not be doable, since we are trying to provide Salesforce access to external users that are not employees and would not be within the intranet.

- Ram

Superfell

Have you looked at SAML? You can configure the SAML support to work side by side with the other authentication options.

ram_iyer

Assuming that I am able to have the app authenticate the user, pass a token back, and I get the Salesforce credentials... what's next?

The only option I can think of is to have a web tab within the .Net app that passes the username and password in the URL to log the user in. Is there a cleaner option, where I don't have to expose the username and password in the URL?

 

Regards,

Ram
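
An added example, not part of any post in this thread: one way the token passing discussed above can avoid putting a username and password in a URL is a short-lived, single-use, HMAC-signed token that carries only the Salesforce username. The class name `LoginTokenService`, the token layout and the shared key are assumptions for illustration (it needs .NET 6 or later); how the verified username is then asserted to Salesforce is not shown.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Cryptography;
using System.Text;
// Added illustration: class name, token layout and key handling are assumptions.
public sealed class LoginTokenService
{
    private readonly byte[] _key;            // secret shared by issuer and verifier
    private readonly TimeSpan _lifetime;
    // Replay guard; in-memory only here, a shared store with expiry is needed across servers.
    private readonly HashSet<string> _used = new HashSet<string>();

    public LoginTokenService(byte[] key, TimeSpan lifetime) { _key = key; _lifetime = lifetime; }

    // Call only after the .NET app has authenticated the user by its own means.
    public string Issue(string salesforceUsername, DateTimeOffset now)
    {
        string nonce = Convert.ToBase64String(RandomNumberGenerator.GetBytes(16));
        long expiry = now.Add(_lifetime).ToUnixTimeSeconds();
        byte[] payload = Encoding.UTF8.GetBytes($"{expiry}|{nonce}|{salesforceUsername}");
        return Convert.ToBase64String(payload) + "." + Convert.ToBase64String(Sign(payload));
    }

    // Returns the bound username, or null when the token is forged, expired or already used.
    public string Verify(string token, DateTimeOffset now)
    {
        string[] parts = (token ?? "").Split('.');
        if (parts.Length != 2) return null;
        byte[] payload, mac;
        try { payload = Convert.FromBase64String(parts[0]); mac = Convert.FromBase64String(parts[1]); }
        catch (FormatException) { return null; }
        if (!CryptographicOperations.FixedTimeEquals(mac, Sign(payload))) return null;
        string[] f = Encoding.UTF8.GetString(payload).Split(new[] { '|' }, 3);
        if (f.Length != 3 || long.Parse(f[0]) < now.ToUnixTimeSeconds()) return null;
        lock (_used) { if (!_used.Add(f[1])) return null; }
        return f[2];
    }

    private byte[] Sign(byte[] p) { using (var h = new HMACSHA256(_key)) return h.ComputeHash(p); }

    public static void Main()
    {
        var svc = new LoginTokenService(RandomNumberGenerator.GetBytes(32), TimeSpan.FromSeconds(60));
        var now = DateTimeOffset.UtcNow;
        string t = svc.Issue("jane.doe@example.com", now);   // constructed sample username
        Console.WriteLine(svc.Verify(t, now) ?? "rejected");                // first use
        Console.WriteLine(svc.Verify(t, now) ?? "rejected");                // same token again
        Console.WriteLine(svc.Verify(t + "A", now) ?? "rejected");          // altered token
    }
}
```

Because the token names the individual user, the per-user history asked for in the original question is preserved, and a token captured from a URL or log is useless once it has been redeemed or has expired.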

AlwaysConfused

Once you have the details, why not just find the fields on the actual login page, then programmatically execute the login button click event?

It won't exactly be an easy task, but at least you won't be giving any information to the user.

ram_iyer

Thanks Paul. I think I've got a lead on what I need to research on.

 

- Ram

KMeinhold

Hello Ram,

 

Here is a SAML resource

 

Best Regards,

 

See what Ping Identity Customers are saying about PingFederate!

 

Kyle Meinhold  |  Sales Associate
PingIdentity  |   www.pingidentity.com
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 
O: 720.317.2083  
Email: kmeinhold@pingidentity.com

 

John Smith 169

I want to impersonate a user in Salesforce. Can it succeed via SAML? How do I (admin) log in to Salesforce and get another user's credentials?