This post is radically different from my previous posts – it’s going to be written in C#!!!
Salesforce allows users to use a delegated authentication mechanism for SSO. One option is SAML, which is nice, but it doesn’t work on mobile devices in disconnected mode. The other is delegated authentication. In this mode, Salesforce calls a web service that implements a predefined WSDL. The parameters the web service receives are the username, password and source IP address, and the service must return a true/false value.
So, let’s get down to business:
- Configure Delegated Authentication
  - Open your Salesforce account for delegated authentication. For some reason, this is not enabled by default, and you need to ask your SF guys to enable this feature.
  - Log in to Salesforce, and click the Setup link
  - Click Security Controls → Single Sign-On Settings
  - Click Edit, and enter your Web Service URL
- Assign users to Delegated Authentication
  - Log in to Salesforce, and click the Setup link
  - Click Manage Users → Profiles
  - Select the user profile
  - Click the Edit button
  - Make sure the “Is Single Sign-On Enabled” checkbox is checked
  - Click Save
And now the code:

```csharp
using System;
using System.Collections.Generic;
using System.Configuration;
using System.DirectoryServices;
using System.DirectoryServices.Protocols;
using System.IO;
using System.Linq;
using System.Net;
using System.Security.Cryptography.X509Certificates;
using System.Threading;
using System.Web;
using System.Web.Services;

namespace DelegatedAuthenticationService
{
    // Server-side interface generated from Salesforce's delegated authentication
    // WSDL (e.g. with "wsdl.exe /serverInterface AuthenticationService.wsdl").
    // Shown here as a stub so that the file compiles on its own.
    public interface IAuthenticationBinding
    {
        bool Authenticate(string username, string password, string sourceIp, System.Xml.XmlElement[] Any);
    }

    /// <summary>
    /// This service is used for delegated security for force.com
    /// </summary>
    [WebService(Namespace = "urn:authentication.soap.sforce.com", Description = "v1.1.3")]
    [WebServiceBinding(ConformsTo = WsiProfiles.BasicProfile1_1)]
    [System.ComponentModel.ToolboxItem(false)]
    public class DelegatedSecurityService : System.Web.Services.WebService, IAuthenticationBinding
    {
        const string ERROR = "ERROR";

        [WebMethod]
        public bool Authenticate(string username, string password, string sourceIp, System.Xml.XmlElement[] Any)
        {
            try
            {
                // Run the business logic (e.g. an LDAP bind with the supplied credentials).
                // NOTE: as written, this placeholder accepts every username/password;
                // replace it with real credential validation before deploying.
                return true;
            }
            catch (Exception e)
            {
                // Connection can not be created - password is incorrect; fail closed.
                log(ERROR, "Failed to get LDAP connection. Error message is : " + e.Message);
                audit(username, "FAIL", e.Message);
                return false;
            }
        }

        // Minimal placeholders for the logging helpers the original omits.
        static void log(string level, string message)
        {
            System.Diagnostics.Trace.WriteLine(level + ": " + message);
        }

        static void audit(string username, string result, string detail)
        {
            System.Diagnostics.Trace.WriteLine("AUDIT user=" + username + " result=" + result + " detail=" + detail);
        }
    }
}
```
It’s important to note that Salesforce limits how long it will wait for the service: the entire request/response (including network time) must take less than about 5 seconds, otherwise users will get a failed-to-login message.
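As an added example (not the post’s code), here is one way to fill in the “business logic” placeholder so that the service fails closed, never forwards empty credentials, and stays inside the time limit just described. LdapHost, LdapUpnSuffix and AllowedSourcePrefixes are assumed placeholder values for a hypothetical directory; the bind uses System.DirectoryServices.Protocols, which the post’s usings already pull in.

```csharp
using System;
using System.Diagnostics;
using System.DirectoryServices.Protocols;
using System.Linq;
using System.Net;
// Added example, not the post's code. LdapHost, LdapUpnSuffix and
// AllowedSourcePrefixes are placeholder values for a hypothetical directory.
public static class DelegatedAuthLogic
{
    const string LdapHost = "ldap.example.internal";
    const string LdapUpnSuffix = "@example.internal";
    static readonly string[] AllowedSourcePrefixes = { "10.0.", "192.168.1." };
    public static bool Authenticate(string username, string password, string sourceIp)
    {
        var clock = Stopwatch.StartNew();
        // Reject empty credentials before they reach the directory: several LDAP
        // servers treat an empty password as an anonymous bind that "succeeds".
        if (string.IsNullOrWhiteSpace(username) || string.IsNullOrWhiteSpace(password))
            return Audit(username, sourceIp, "FAIL", "empty credential", false);
        // sourceIp is the end user's address as seen by Salesforce; only known networks may log in.
        if (sourceIp == null || !AllowedSourcePrefixes.Any(p => sourceIp.StartsWith(p, StringComparison.Ordinal)))
            return Audit(username, sourceIp, "FAIL", "source ip not allowed", false);
        try
        {
            // Simple bind over LDAPS as the user. Salesforce abandons the call after ~5 s
            // (including network time), so the directory timeout is kept well below that.
            using (var conn = new LdapConnection(new LdapDirectoryIdentifier(LdapHost, 636)))
            {
                conn.SessionOptions.SecureSocketLayer = true;
                conn.AuthType = AuthType.Basic;
                conn.Timeout = TimeSpan.FromSeconds(3);
                conn.Credential = new NetworkCredential(username + LdapUpnSuffix, password);
                conn.Bind(); // throws LdapException for invalid credentials or timeout
            }
            return Audit(username, sourceIp, "OK", "bind took " + clock.ElapsedMilliseconds + " ms", true);
        }
        catch (Exception e)
        {
            // Any failure (bad password, directory down, timeout) denies the login: fail closed.
            return Audit(username, sourceIp, "FAIL", e.Message, false);
        }
    }
    // Writes one audit line and passes the decision through; the password is never logged.
    static bool Audit(string user, string ip, string result, string detail, bool decision)
    {
        Trace.WriteLine(DateTime.UtcNow.ToString("o") + " user=" + user + " ip=" + ip + " result=" + result + " detail=" + detail);
        return decision;
    }
}
```

The source-IP check is a plain prefix match for illustration; in a real deployment the allow-list would come from configuration and the ~5 s budget should also be measured end to end, since Salesforce counts network time too.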
Good luck!
Hi, I just started coding delegated authentication in Salesforce, and now I’m facing a problem. Any help will be appreciated. These are the steps I followed:
1- Ask Salesforce to enable delegated authentication: done
2- Code a web service based on the instructions at https://help.salesforce.com/apex/HTViewHelpDoc?id=sso_delauthentication_configuring.htm&language=nl : done
3- Configure Salesforce to support delegated authentication and single sign-on
3.1- Configure the profile to enable single sign-on: done
3.2- Configure the sign-on gateway URL with my service (http://service.xzy.mysalesforce.asmx): done
4- Run tests posting data to Salesforce based on the instructions (sample implementations) at https://developer.salesforce.com/page/How_to_Implement_Single_Sign-On_with_Force.com : done
Results:
1- The default login page from Salesforce is still working; this seems good and shows that the asmx is fine.
2- Problem: the sample application posts data to https://www.salesforce.com/login.jsp (just like the sample) with all fields, token, user etc., and here nothing happens. I’m stuck on the login page without any errors, messages or redirects.
Am I missing something in the process? I didn’t configure SSL for the asmx; is that a problem?
Thanks in advance
1. Not sure it means the asmx is fine.
2. Do you see any calls to the asmx (log file?)
3. Inside Salesforce, you have a log that shows the errors in the “Setup | Manage Users | Single Sign-On Error History” page of Salesforce.
4. You must have a signed SSL certificate for your server.
Thanks for the reply
🙂
I assume that my asmx is fine because I can log in to SF using the default login page, and if I turn off my asmx the default login page stops working, so I think the asmx is not the problem.
About the logs, yes I see the logs, but only if I use the default login page in SF. Again, I trust the asmx: if I mess up the asmx and use the login page, I can see the errors there.
But when I use the sample redirect code provided here https://developer.salesforce.com/page/How_to_Implement_Single_Sign-On_with_Force.com (ok, pointing to my login page), this is where I’m stuck: nothing happens, no login, no error logs inside SF, nothing.
Hi again, forgot to add
When I use the sample and I don’t see any logs, to me it looks like SF is not calling my asmx.
Forgot another thing, about SSL: is this required? Maybe this is where my problem is.
Salesforce won’t call your service without SSL…
Doesn’t it give you anything in the Salesforce logs?
Hi,
thank you for your help,
No, I don’t have any log when I try by posting data to the login page; I only have logs when I use the default Salesforce login page and something goes wrong. But for sure I’m not using SSL, and since this is mandatory I will put my asmx on it.
The confusing thing here is:
why, when I try to log in from “https://mycompany.force.com/store/501/o/”, does it work even with my asmx not under SSL, and when I try to post to https://www.salesforce.com/login.jsp it doesn’t work?
Whatever, I will try SSL
🙂
Hi,
let me ask this (SSL is not my problem :-( )
In the sample I found at Salesforce the form posts data to “https://www.salesforce.com/login.jsp”, and in my application my form posts data to https://mycompany.force.com/folder2/login
Could this be the cause of my issues?
regards
I don’t understand. Why does your web service have a web UI? The only thing you need to do is provide a web service, not an actual login page.
Hi,
this is my intranet link to the login page.
Here I found a sample:
“https://developer.salesforce.com/page/How_to_Implement_Single_Sign-On_with_Force.com” – there is a sample implementations area; if you look at it you will find a page “gotosfdc.aspx” that demonstrates an intranet link as a sample for the SSO. In the sample the form posts to https://www.salesforce.com/login.jsp, and in my case I need to post to https://mycompany.force.com/folder2/login; from there Salesforce will make the call back to the asmx.
The asmx is fine; my goal here is my intranet link to the login page.
Sorry – but I’m not familiar with the token method. Do you really need it?
Yep,
because I need to authenticate from my intranet – I need a link just like the sample.
🙂
But it’s ok, thanks for your time and patience