iHack, therefore iBlog

Documenting this in a blog post because it drove us crazy trying to figure out exactly what was involved, even though it was actually easy to implement once we understood all the terminology.

In order for our previously-authenticated users to automatically log into Salesforce, we needed to:

1. Create a “/sso-url” on our node server for our web app to access
2. When our web app GETs that URL, create and a return a SAML Identity Provider (IdP) using samlp
3. That IdP is interpreted by the web browser a redirect to the Salesforce URL (returned by the function assigned to `getPostURL`)
4. Salesforce just needs to have the IdP certificate and Entity ID in its SSO Settings

Below are additional details on why we needed this.

Our Use Case

1. Our customers are already logged into a node-powered React application
   1. Using our personal authentication
   2. If using e.g., Okta, there’s better out-of-the-box options
2. We want them to access a protected Knowledge Base located inside Salesforce
3. This requires using the SAML 2.0 SSO Flow
4. Do NOT use a “Connected App”
   1. That is the reverse-flow where YOUR app wants to use Salesforce to do the authentication
5. We did this using the samlp node library for creating and hosting your own Identity Provider
   1. Beware of packages which are only intended for creating a Service Provider to work with other people’s Identity Providers
   2. Including one which had an “Identity Provider” constructor for *storing* the IdP credentials, but didn’t actually implement one

Shout Outs

Some incredibly helpful tools that helped us figure this out:

1. ngrok which made it easy to  create a public callback URL for the node server running locally on our laptop
2. Axiom SAML tester, the first thing we actually got running
   1. https://medium.com/@devendargona/salesforce-sso-just-in-time-provisioning-for-saml-with-axiom-27d3f07ce608
3. Chrome dev tools, including a nifty features that replays a web request as a node ‘fetch’ API call (or curl)
4. https://samltest.id/ for seeing what went in each direction

Useful Documentation

• https://developer.salesforce.com/index.php?title=Single_Sign-On_for_Desktop_and_Mobile_Applications_using_SAML_and_OAuth&oldid=38890
• SP vs. IdP Initiated SSO | Damien Carru’s Blog: It’s a Federated World
• https://trailhead.salesforce.com/en/content/learn/modules/identity_login/identity_login_sso
• https://stackoverflow.com/questions/12779532/differences-between-sp-initiated-sso-and-idp-initiated-sso
• https://medium.com/@Ratnaparkhi/testing-saml-flow-in-your-node-js-application-1ab82f95b69d
• https://developer.salesforce.com/docs/atlas.en-us.sso.meta/sso/sso_jit_community_requirements.htm

Tagged: identity, salesforce, saml, sso

Leave a Reply Cancel reply

Enter your comment here...

Please log in using one of these methods to post your comment:

Email (required) (Address never made public)

Name (required)

Website

You are commenting using your WordPress.com account. ( Log Out /  Change )

You are commenting using your Facebook account. ( Log Out /  Change )

Cancel

Connecting to %s

Notify me of new comments via email.

Notify me of new posts via email.

Δ