SSO Login into Salesforce from Node via samlp SAML IdP

October 4, 2019 § Leave a comment

 

Documenting this in a blog post because it drove us crazy trying to figure out exactly what was involved, even though it was actually easy to implement once we understood all the terminology.

In order for our previously-authenticated users to automatically log into Salesforce, we needed to:

  1. Create a “/sso-url” on our node server for our web app to access
  2. When our web app GETs that URL, create and a return a SAML Identity Provider (IdP) using samlp
  3. That IdP is interpreted by the web browser a redirect to the Salesforce URL (returned by the function assigned to `getPostURL`)
  4. Salesforce just needs to have the IdP certificate and Entity ID in its SSO Settings

Below are additional details on why we needed this.

Our Use Case

  1. Our customers are already logged into a node-powered React application
    1. Using our personal authentication
    2. If using e.g., Okta, there’s better out-of-the-box options
  2. We want them to access a protected Knowledge Base located inside Salesforce
  3. This requires using the SAML 2.0 SSO Flow
  4. Do NOT use a “Connected App”
    1. That is the reverse-flow where YOUR app wants to use Salesforce to do the authentication
  5. We did this using the samlp node library for creating and hosting your own Identity Provider
    1. Beware of packages which are only intended for creating a Service Provider to work with other people’s Identity Providers
    2. Including one which had an “Identity Provider” constructor for *storing* the IdP credentials, but didn’t actually implement one

Shout Outs

Some incredibly helpful tools that helped us figure this out:

  1. ngrok which made it easy to  create a public callback URL for the node server running locally on our laptop
  2. Axiom SAML tester, the first thing we actually got running
    1. https://medium.com/@devendargona/salesforce-sso-just-in-time-provisioning-for-saml-with-axiom-27d3f07ce608
  3. Chrome dev tools, including a nifty features that replays a web request as a node ‘fetch’ API call (or curl)
  4. https://samltest.id/ for seeing what went in each direction

Useful Documentation

 

Tagged: , , ,

Leave a Reply

Please log in using one of these methods to post your comment:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

What’s this?

You are currently reading SSO Login into Salesforce from Node via samlp SAML IdP at iHack, therefore iBlog.

meta

%d bloggers like this: