Marcel dos Santos
Log into Salesforce Communities from External Application
I have a web application where users log in using their login and password.
I'm creating a Salesforce Community for those users, for them to ask questions, read articles, start discussions, etc.
I have a scheduled process now that synchronizes the users I have in my application to Salesforce. I'm extending that process to create contacts and community users, so my users won't have to manually register into the community.
In the next step, I'm going to add a link to my application where the users can click and be logged into the community, in a new window. As the users are already logged into my application, I don't want them to provide their login again to communities. How can I achieve that?
I read a lot of Salesforce documentation on logging in using SAML and OAuth and couldn't find anything that suits my needs. OAuth is all about authenticating the user and giving me an access token, so my application can perform actions in the community on behalf of my user. I don't want that. I only want to log in the user.
A solution could be to use SAML for single sign-on, but then I would need to manage my users in an SSO provider and I don't want to do that. Is there any way to log my users into the communities using only their email or Salesforce Id, without requiring them to provide credentials? Can I provide some secret or key from my application and log in any user I want?
I found something close to that with the OAuth 2.0 JWT Bearer Token Flow, but even then I would need the user's first authentication to get an authorization token.
Thank you
So, you will need to implement SSO via either SAML or OpenID Connect (http://openid.net/connect/) (see also this article (https://developer.salesforce.com/page/Inside_OpenID_Connect_on_Force.com)). The latter is probably more straightforward if you're wanting to build something yourself or use an open source library (http://openid.net/developers/libraries/#connect). Once you have enabled your web application as an OpenID Connect identity provider (effectively the equivalent of Google), you would configure an Authentication Provider (https://help.salesforce.com/HTViewHelpDoc?id=sso_provider_openid_connect.htm&language=en_US%22) in your community with the OpenID Connect URLs.
An alternative would be to flip the whole system around and have users login to the Salesforce Community, making it the OpenID Connect provider and your web application the OpenID Connect consumer.
All Answers
In case anyone has the same problem, the solution I adopted was to set my application as the Identity Provider.
I've created an SSO configuration in Salesforce with login and logout URLs pointing to my application and provided a SAML response to Salesforce with the user identity. The response is signed and the public key is entered in the SSO configuration.
I went through the related technical documents but still not clear how to implement this.
Could you give some detailed descriptions on how to send the SAML response to Salesforce? Define a text field with the content of the SAML in a form, or some other way? And I also have no idea how to generate the content of the XML, by hand or using some utilities? How do you sign the response, and the public key you used is the one generated in Salesforce, right?
Thanks in advance.
I have the same scenario as Marcel's. I'm not clear how to enable our web application as an OpenID Connect identity provider.
Thanks.
I actually didn't use any framework to generate the SAML response to Salesforce. What I did was get the description from SAML 2.0 from Wikipedia and edit it with my company information.
Once you generate the XML, you can validate it in Salesforce on Security Controls > Single Sign-On Settings > SAML Assertion Validator.
I didn't use OpenID and used Java XML encryption to sign the XML assertion: https://docs.oracle.com/javase/7/docs/technotes/guides/security/xmldsig/XMLDigitalSignature.html.
Here is an example of a SAML Assertion I used to log into a community:
If you need to test your SAML Assertions or view other examples, this site has very useful tools:
https://www.onelogin.com
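An added example of the signing step Marcel describes with the Java XML Digital Signature API (this is not code from the thread): it puts an enveloped RSA-SHA256 signature on the saml:Assertion of an already-built SAML Response and embeds the signing certificate in ds:KeyInfo. File names, the keystore alias "idp" and the IDP_KEYSTORE_PASSWORD variable are placeholders.

```java
import java.io.FileInputStream;
import java.security.*;
import java.security.cert.X509Certificate;
import java.util.Collections;
import javax.xml.crypto.dsig.*;
import javax.xml.crypto.dsig.dom.DOMSignContext;
import javax.xml.crypto.dsig.keyinfo.*;
import javax.xml.crypto.dsig.spec.*;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.transform.TransformerFactory;
import javax.xml.transform.dom.DOMSource;
import javax.xml.transform.stream.StreamResult;
import org.w3c.dom.Document;
import org.w3c.dom.Element;

public class SamlAssertionSigner {
    static final String SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion";

    // Signs the first <saml:Assertion> in doc; the cert lets Salesforce match the uploaded one.
    public static void signAssertion(Document doc, PrivateKey key, X509Certificate cert) throws Exception {
        Element assertion = (Element) doc.getElementsByTagNameNS(SAML_NS, "Assertion").item(0);
        assertion.setIdAttribute("ID", true); // makes the "#<ID>" Reference URI resolvable
        XMLSignatureFactory fac = XMLSignatureFactory.getInstance("DOM");
        Reference ref = fac.newReference("#" + assertion.getAttribute("ID"),
                fac.newDigestMethod(DigestMethod.SHA256, null),
                Collections.singletonList(fac.newTransform(Transform.ENVELOPED, (TransformParameterSpec) null)),
                null, null);
        SignedInfo si = fac.newSignedInfo(
                fac.newCanonicalizationMethod(CanonicalizationMethod.EXCLUSIVE, (C14NMethodParameterSpec) null),
                fac.newSignatureMethod("http://www.w3.org/2001/04/xmldsig-more#rsa-sha256", null),
                Collections.singletonList(ref));
        KeyInfoFactory kif = fac.getKeyInfoFactory();
        KeyInfo ki = kif.newKeyInfo(Collections.singletonList(kif.newX509Data(Collections.singletonList(cert))));
        // SAML schema order: ds:Signature goes right after saml:Issuer.
        Element issuer = (Element) assertion.getElementsByTagNameNS(SAML_NS, "Issuer").item(0);
        DOMSignContext ctx = new DOMSignContext(key, assertion, issuer.getNextSibling());
        fac.newXMLSignature(si, ki).sign(ctx);
    }

    public static void main(String[] args) throws Exception {
        // Placeholder inputs: unsigned response file, PKCS12 keystore, alias and password variable.
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setNamespaceAware(true);
        Document doc = dbf.newDocumentBuilder().parse(new FileInputStream("unsigned-response.xml"));
        char[] pw = System.getenv("IDP_KEYSTORE_PASSWORD").toCharArray();
        KeyStore ks = KeyStore.getInstance("PKCS12");
        ks.load(new FileInputStream("idp-signing.p12"), pw);
        signAssertion(doc, (PrivateKey) ks.getKey("idp", pw), (X509Certificate) ks.getCertificate("idp"));
        TransformerFactory.newInstance().newTransformer().transform(new DOMSource(doc), new StreamResult(System.out));
    }
}
```

The certificate in that keystore is the one to upload in the Single Sign-On Settings, and the signed output can be checked with the SAML Assertion Validator mentioned above.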
Thanks for taking the time to respond. Much appreciated.
It helps me a lot. I do find some cool stuff from OneLogin.
Thank you so much, buddy!
You described exactly what I am trying to achieve. Another developer is taking care of the SAML response from the external application. I am trying to figure out what I need to do on the Salesforce end and where do I even start (I am a complete newbie for SSO). Would you be able to break down the steps required for the whole process? That would be incredibly helpful!
Thanks in advance!