• vshyam121
  • NEWBIE
  • 0 Points
  • Member since 2008

Hi,
Currently I'm using the web services API to provision Salesforce users. I'm setting the email header to send the new user the temporary password in the following way:

// Ask Salesforce to e-mail the new user when the record is created
EmailHeader emailHeader = new EmailHeader();
emailHeader.setTriggerUserEmail(true);
binding.setHeader("urn:partner.soap.sforce.com", "EmailHeader", emailHeader);
// binding: the logged-in Partner API stub; user: the User sObject being provisioned; sr: the SaveResult(s)
sr = binding.create(user);

For some reason, the first time the new user logs in to salesforce with my SAML-based SSO feature, it says the password is expired and asks the user to set a new password for security reasons with no fields for entering the old password or the security question. What the new user should really be seeing is a prompt to change his password, with fields for the old password, new password, and the security question. Why is this not happening?

I noticed that when I reset the password for the new user using the API, Salesforce said that the password is expired and showed the first case that I talked about. So I'm guessing maybe, when I set the email header, Salesforce also resets the password? But that doesn't make any sense... Anyway, when I take out that chunk of code about the email header, I get the correct prompt to change the password from old to new with the security question. The only problem is that now I won't get the email with the temporary password that I can enter. So it's kind of a circular problem. Any ideas?

Thanks,
Shyam
Hi,
Currently I'm working on provisioning Salesforce users using the Web Services API. I can create the User object just fine, but the email message with the temporary password is not being sent to the new user's email. So when I single sign on with the new user into Salesforce, it's expecting the user to type in the old password, which didn't get emailed.

Also, is there any way to get around this temporary password emailing system that is set up now?

Thanks for any help,
Shyam


Hi,
 
I'm really new to the API and I've been trying my best to go through it to get a better understanding of it. But there's nothing like the opinion of seasoned Salesforce developers... so here goes.

Is there any way to access the SSO settings for an organization through the web services API? Whenever an organization wants to enable SAML-based SSO, the administrator has to go to the SSO settings and set the fields like who the issuer is going to be, whether a username or federation ID will be in the SAML assertion, and also upload a certificate. I want to eliminate this for the administrator if possible through any capabilities in the API. I've been through some of the API and I don't really see any standard objects that help with this. Does this mean I have to create a custom object myself?

This next part is more of a verification than an actual question. I want to have the ability to click on a link in an external application, which would result in the creation of a Salesforce user automatically using whatever email is associated with that user in the external app. This looks possible with the API through the use of calls like create() to make a new User object. Am I on the right track here? Are there any tutorials out there that can maybe help with this part of what I'm trying to do?
 
Thanks in advance.
Hi,
 
How do you post the SAML assertion and the RelayState URL to the recipient URL? I've tried a bunch of methods but none of them seem to work, because I don't even see error messages in the login history. So this means that it's not even getting my assertion properly, never mind checking the validity of it. Right now I'm just trying this:

<form name="acsForm" action="(recipient url that salesforce gives)" method="post">
<!-- attribute values must be quoted; SAMLResponse carries the base64-encoded SAML message -->
<input type="hidden" name="TARGET" value="https://na2.salesforce.com/home/home.jsp" />
<input type="hidden" name="SAMLResponse" value="(assertion that I came up with)" />
<input type="submit" value="Submit" />
</form>

I also tried replacing TARGET with RelayState and replacing SAMLResponse with SAMLart. None of them seem to work. When I use SAMLResponse, I actually get a general error message initially on the screen. When I use SAMLart, I just go to the page where it prompts me for my Salesforce username and password. Both, however, don't show any error messages in the login history. PLEASE HELP ME.
 
 
Thanks in advance.
Hi,
I'm sending some assertions to the recipient URL that Salesforce told me, but it doesn't let me sign on. When I go to the login history, I don't even see any failed attempts. Anything right off the bat that I'm not doing?

Also, are these messages I send to Salesforce supposed to be a SAML response or a SAML assertion? Both ways don't work for me, but I'd just like to know. Is Salesforce expecting the X.509 certificate in the assertion? In the response I know where to put the signature tag and so on, but with a normal assertion, I don't know where to put the certificate.
 
Thanks in advance.
Hi,
Is there any way for the service provider to require a certain authentication policy? The identity provider can send the authentication policy that was used as part of the SAML assertions; Salesforce will then look at this and, if the authentication used by the identity provider was strong enough, let the user sign on.

For example, let's say that a certain account requires two-factor authentication. This can be set in the SSO configuration settings (I don't see this setting anywhere, but for this example's sake, go along with it). The identity provider will do the two-factor authentication and will let Salesforce know in the assertion that two-factor authentication happened. Now Salesforce can check for two-factor authentication and let the user sign on. The details about SAML-supported SSO didn't have anything like this, so I was wondering if this is even possible right now. If something like this is possible or mentioned anywhere else, please let me know.

Thanks in advance.
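The two questions above (how the SAML message is posted to the recipient URL, and whether the service provider can require a minimum authentication strength) in one added example. This is not code from the thread or from Salesforce; it is a small Python model of the SAML 2.0 HTTP-POST binding. The identity-provider side builds a Response and the auto-submitting form (SAMLResponse = base64 of the whole Response, RelayState = the page to land on), and the service-provider side decodes it and runs the checks a relying party performs after verifying the signature: issuer, Recipient, validity window, Audience, and the AuthnContextClassRef ranked against a local policy. The URLs, entity ids, the ranking table and the fixed clock are constructed placeholders; signing and signature verification are left out, so this is not a complete SP.

```python
"""Model of the SAML 2.0 HTTP-POST binding with the service-provider checks,
including an authentication-context (AuthnContextClassRef) policy.
Added example, not Salesforce code. Signatures are omitted."""
import base64
import html
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"samlp": SAMLP, "saml": SAML}

# Constructed placeholders: in a real setup these are the recipient URL, entity id
# and issuer that the service provider's SSO settings page shows or is configured with.
ACS_URL = "https://sp.example.invalid/saml/acs"
SP_ENTITY_ID = "https://sp.example.invalid"
IDP_ISSUER = "https://idp.example.invalid"
DEMO_NOW = datetime(2024, 1, 1, 12, 0, 0, tzinfo=timezone.utc)  # fixed clock for the demo

# Example SP policy: higher rank = stronger authentication. The class URIs are
# standard SAML 2.0 authentication-context classes; the ranking is this example's choice.
AC = "urn:oasis:names:tc:SAML:2.0:ac:classes:"
CONTEXT_RANK = {
    AC + "Password": 1,
    AC + "PasswordProtectedTransport": 1,
    AC + "TimeSyncToken": 2,           # one-time-password token, i.e. a second factor
    AC + "MobileTwoFactorContract": 2,
    AC + "SmartcardPKI": 3,
}


def iso(t):
    return t.strftime("%Y-%m-%dT%H:%M:%SZ")


def build_response(subject, authn_context, now, issuer=IDP_ISSUER, lifetime_s=300):
    """IdP side: an unsigned SAML 2.0 Response wrapping one bearer Assertion.
    A real IdP adds a ds:Signature over the Response and/or Assertion."""
    nb, na = iso(now - timedelta(seconds=30)), iso(now + timedelta(seconds=lifetime_s))
    return f"""<samlp:Response xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}"
  ID="_resp1" Version="2.0" IssueInstant="{iso(now)}" Destination="{ACS_URL}">
  <saml:Issuer>{issuer}</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="{iso(now)}">
    <saml:Issuer>{issuer}</saml:Issuer>
    <saml:Subject>
      <saml:NameID>{subject}</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData Recipient="{ACS_URL}" NotOnOrAfter="{na}"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions NotBefore="{nb}" NotOnOrAfter="{na}">
      <saml:AudienceRestriction><saml:Audience>{SP_ENTITY_ID}</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AuthnStatement AuthnInstant="{iso(now)}">
      <saml:AuthnContext><saml:AuthnContextClassRef>{authn_context}</saml:AuthnContextClassRef></saml:AuthnContext>
    </saml:AuthnStatement>
  </saml:Assertion>
</samlp:Response>"""


def encode_response(response_xml):
    """The SAMLResponse form field: base64 of the whole Response document."""
    return base64.b64encode(response_xml.encode()).decode()


def post_binding_form(response_xml, relay_state):
    """HTTP-POST binding: the browser submits SAMLResponse and RelayState to the
    ACS (recipient) URL. Every attribute value is quoted and HTML-escaped."""
    return (
        f'<form method="post" action="{html.escape(ACS_URL, quote=True)}">\n'
        f'  <input type="hidden" name="SAMLResponse" value="{encode_response(response_xml)}"/>\n'
        f'  <input type="hidden" name="RelayState" value="{html.escape(relay_state, quote=True)}"/>\n'
        f'  <input type="submit" value="Continue"/>\n'
        f"</form>"
    )


def validate_response(saml_response_b64, now, required_rank=1):
    """SP side: checks run after signature verification (not shown here).
    Returns the list of failed checks; an empty list means the login may proceed."""
    failures = []
    root = ET.fromstring(base64.b64decode(saml_response_b64))
    if root.tag != f"{{{SAMLP}}}Response":
        return ["not-a-response"]          # e.g. a bare Assertion was posted instead
    a = root.find("saml:Assertion", NS)
    if a is None:
        return ["no-assertion"]
    if root.findtext("saml:Issuer", default="", namespaces=NS) != IDP_ISSUER:
        failures.append("issuer")          # only the configured IdP may issue logins
    scd = a.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd is None or scd.get("Recipient") != ACS_URL:
        failures.append("recipient")       # assertion must be addressed to this ACS URL
    cond = a.find("saml:Conditions", NS)
    t = iso(now)
    if cond is None or not (cond.get("NotBefore", "") <= t < cond.get("NotOnOrAfter", "")):
        failures.append("time-window")     # replay / stale-assertion protection
    aud = [e.text for e in a.findall("saml:Conditions/saml:AudienceRestriction/saml:Audience", NS)]
    if SP_ENTITY_ID not in aud:
        failures.append("audience")        # assertion must be meant for this SP
    ctx = a.findtext("saml:AuthnStatement/saml:AuthnContext/saml:AuthnContextClassRef",
                     default="", namespaces=NS)
    if CONTEXT_RANK.get(ctx.strip(), 0) < required_rank:
        failures.append("authn-context")   # IdP's method weaker than local policy
    return failures


if __name__ == "__main__":
    xml = build_response("alice@example.invalid", AC + "PasswordProtectedTransport", DEMO_NOW)
    print(post_binding_form(xml, "https://sp.example.invalid/home"))
    b64 = encode_response(xml)
    print("rank-1 policy:", validate_response(b64, DEMO_NOW, 1))  # []
    print("rank-2 policy:", validate_response(b64, DEMO_NOW, 2))  # ['authn-context']
```

Run as a script it prints the form and then shows a password-only login accepted under the rank-1 policy and rejected under the rank-2 one. The AuthnContextClassRef element is how a SAML 2.0 identity provider states which authentication method it used; comparing it against a required minimum on the service-provider side is the mechanism the question is asking about, and the list of failed checks is what a relying party would log so that rejected logins are visible in its login history.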

Hi,
I want to clarify some things about the SAML-supported SSO that Salesforce has. Usually with SAML, the service provider will send an authentication request and then the identity provider will send a response back. With Salesforce, it seems like there are no assertions sent by the service provider. All that happens is the identity provider sends assertions to Salesforce, then it checks the information sent against the configuration settings and decides whether or not to let the user sign on. Is this understanding correct?

Also, is the SSO for users to sign on to their Salesforce accounts alone? Can it be used to sign on to individual applications as well?

Thanks in advance.
 
 
Hi all,
Could someone explain better how SAML assertions fit in with the delegated authentication scheme that Salesforce has? The article I found here (http://wiki.apexdevnet.com/index.php/How_to_Implement_Single_Sign-On_with_Salesforce.com) talks about tokens and how SAML tokens can be used. That is where I get confused. Is the token generator something that we have to implement? How do I know what to put in the SAML assertions?

And also, complete SAML support for SSO is available in the Summer '08 release, and I was wondering if there are any articles like the one above for that.
 
Thanks in advance. 
Does anybody know how the new SAML support for single sign-on works for Salesforce apps? I've seen how SSO can be done with Salesforce's delegated authentication protocol, but I couldn't find anything on the new SAML support that is mentioned as part of the Summer '08 upgrades.

Thanks in advance.