Security in delegated authentication
I am integrating my salesforce.com site with my AD using delegated authentication. I have created the web service and deployed it in the DMZ. I have configured salesforce.com to use my web service for authentication. Everything works fine now. My concern is about the security of the web service itself. How can I restrict the web service so that it can be accessed only by salesforce.com? What are the best practices for implementing security for this web service?
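As an added example for the question above (my own code, not from either post or from the Salesforce sample), the three checks a delegated-authentication endpoint can apply before it ever touches AD: TLS on the connection, caller address inside an allowlist, and the client certificate Salesforce presents when mutual TLS is configured. The class and method names are mine, and the CIDR, certificate subject and LDAP path are placeholders to replace with your own values.

```csharp
using System.DirectoryServices;
using System.Net;
using System.Web;
using System.Web.Services.Protocols;
// Guard helpers for the Authenticate WebMethod. PLACEHOLDER values must be replaced:
// the allowlist with the Salesforce egress ranges for your instance, the subject with
// that of the client certificate Salesforce presents, the LDAP path with your domain.
public static class DelegatedAuthGuard
{
    static readonly string[] AllowedCidrs = { "203.0.113.0/24" };
    const string ExpectedCertSubject = "CN=REPLACE-WITH-SALESFORCE-CLIENT-CERT-SUBJECT";
    const string LdapPath = "LDAP://REPLACE-WITH-DOMAIN-CONTROLLER";
    // True when ip lies inside cidr; compares the first n bits of the address bytes (v4 or v6).
    public static bool InCidr(string ip, string cidr)
    {
        string[] parts = cidr.Split('/');
        byte[] a = IPAddress.Parse(ip).GetAddressBytes();
        byte[] n = IPAddress.Parse(parts[0]).GetAddressBytes();
        int bits = int.Parse(parts[1]);
        if (a.Length != n.Length || bits > a.Length * 8) return false;
        for (int i = 0; i < bits; i++) if (((a[i / 8] ^ n[i / 8]) & (0x80 >> (i % 8))) != 0) return false;
        return true;
    }
    // TLS on the wire, peer address in the allowlist, and a valid client certificate with
    // the expected subject. UserHostAddress is the TCP peer: behind a reverse proxy it is
    // the proxy, so in that layout enforce the allowlist at the proxy or firewall instead.
    public static void RequireSalesforceCaller(HttpRequest req)
    {
        bool ipOk = false;
        foreach (string cidr in AllowedCidrs) ipOk |= InCidr(req.UserHostAddress, cidr);
        HttpClientCertificate cert = req.ClientCertificate;
        bool certOk = cert.IsPresent && cert.IsValid && cert.Subject == ExpectedCertSubject;
        if (!req.IsSecureConnection || !ipOk || !certOk)
            throw new SoapException("Caller is not Salesforce", SoapException.ClientFaultCode);
    }
    // The real password check: bind to AD as the user. A bad password raises, so we return
    // false. A stub that always returns true lets every username in with any password.
    public static bool VerifyAgainstActiveDirectory(string username, string password)
    {
        try
        {
            DirectoryEntry entry = new DirectoryEntry(LdapPath, username, password);
            object forceBind = entry.NativeObject; // the bind is lazy until a property is read
            return true;
        }
        catch (DirectoryServicesCOMException) { return false; }
    }
}
```

In the Authenticate WebMethod, call DelegatedAuthGuard.RequireSalesforceCaller(Context.Request) first and return DelegatedAuthGuard.VerifyAgainstActiveDirectory(username, password) rather than a fixed true.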
Issue in implementing Delegated authentication
I am trying to implement delegated authentication for my salesforce account. I downloaded the sample code and started from it. Below is what I have done so far.
1. I have contacted support and activated delegated authentication for my test site.
2. I created email@example.com (not really the one that I created :-) ) and enabled delegated authentication for the profile.
3. I created a page gotosfdc.aspx (asp.net 2.0) that posts the username and token to the test.salesforce.com site. Please find the code below (I hardcoded the username and password for testing and removed all other logic).
<form name="sfdc" runat="server" id="sfdc" action="test.asp">
<input type="hidden" name="un" runat="server" id="un" value='firstname.lastname@example.org'/>
<input type="hidden" name="pw" runat="server" id="password" value='test'/>
<input type="hidden" name="startURL" runat="server" id="startURL"/>
<input type="hidden" name="logoutURL" runat="server" id="logoutURL"/>
<input type="hidden" name="ssoStartPage" runat="server" id="ssoStartPage"/>
<input type="hidden" name="jse" value="0"/>
<input type="hidden" name="rememberUn" value="1"/>
</form>
<script type="text/javascript">
document.sfdc.jse.value = 1;
document.sfdc.submit();
</script>
4. I created the web service (asp.net 2.0), which returns true when the Authenticate method is called.
/// This is about the simplest implementation of the sforce authentication service you can write.
/// It simply tries to connect to your Active Directory server using the passed-in credentials.
/// If there's a bad username/password combo it throws an exception and we return false;
/// otherwise the credentials are OK and we return true.
/// Note that DirectoryEntry might not go to AD until we do something that actually requires it;
/// that's why we read a property from the created DirectoryEntry object.
[System.Web.Services.WebService(Namespace = "http://microsoft.com/webservices/")]
public class Service : System.Web.Services.WebService
{
    [System.Web.Services.WebMethod]
    [System.Web.Services.Protocols.SoapDocumentMethod("",
        RequestNamespace = "urn:authentication.soap.sforce.com",
        ResponseElementName = "AuthenticateResult",
        ResponseNamespace = "urn:authentication.soap.sforce.com",
        Use = System.Web.Services.Description.SoapBindingUse.Literal,
        ParameterStyle = System.Web.Services.Protocols.SoapParameterStyle.Wrapped)]
    public bool Authenticate(string username, string password, string sourceIp,
        [System.Xml.Serialization.XmlAnyElementAttribute()] System.Xml.XmlElement Any)
    {
        // Stubbed for testing, as described in step 4: the AD bind from the sample is not
        // performed here, so any password is accepted for any username.
        return true;
    }
}
5. I enabled delegated authentication in the site and provided the proper URL of the web service. The web service is on the internet.
I confirmed that my account is integrated with my web service. When I open test.salesforce.com and log in as email@example.com with any password, I am able to log in to the site. So that part is fine.
Now let me describe my issue.
When I open the gotosfdc.aspx page, it opens the login page of the test.salesforce.com site. It does not automatically log in the user. No request is received by my web service.
Can anyone let me know what could be the issue?
Thanks in advance