This post is radically different from my previous posts – it’s going to be written in C#!!!
Salesforce lets you hand single sign-on off to an external mechanism, and there are two options. One is SAML, which is nice, but it doesn't work for mobile clients in disconnected mode. The other is delegated authentication: Salesforce calls a web service that you host and that implements a predefined WSDL (Salesforce publishes the delegated authentication WSDL under Setup). The service receives the username, the password and the user's source IP address, and must return true or false. Keep in mind what this means: Salesforce forwards the user's cleartext password to your endpoint, so that endpoint must be reachable only over HTTPS and should accept calls only from Salesforce.
So, let's get down to business:
- Configure delegated authentication
  - Have delegated authentication enabled for your org. For some reason it is off by default, and you need to ask your Salesforce contacts to turn the feature on.
  - Log in to Salesforce and click the Setup link.
  - Click Security Controls → Single Sign-On Settings.
  - Click Edit and enter your web service URL. Use an https:// URL: the user's password travels in every request.
- Assign users to delegated authentication
  - Log in to Salesforce and click the Setup link.
  - Click Manage Users → Profiles.
  - Select the user profile.
  - Click the Edit button.
  - Make sure the "Is Single Sign-On Enabled" checkbox is checked.
  - Click Save.
And now the code
```csharp
using System;
using System.Configuration;
using System.Diagnostics;
using System.DirectoryServices.Protocols;
using System.Net;
using System.Web.Services;

namespace DelegatedAuthenticationService
{
    /// <summary>
    /// This service is used for delegated security for force.com.
    /// IAuthenticationBinding is the server interface generated from Salesforce's
    /// delegated authentication WSDL (wsdl.exe /serverInterface).
    /// </summary>
    [WebService(Namespace = "urn:authentication.soap.sforce.com", Description = "v1.1.3")]
    [WebServiceBinding(ConformsTo = WsiProfiles.BasicProfile1_1)]
    [System.ComponentModel.ToolboxItem(false)]
    public class DelegatedSecurityService : System.Web.Services.WebService, IAuthenticationBinding
    {
        private const string ERROR = "ERROR";

        // Directory host and optional port, e.g. "ldap.example.com:636", taken from web.config
        private static readonly string LdapServer = ConfigurationManager.AppSettings["LdapServer"];

        [WebMethod]
        public bool Authenticate(string username, string password, string sourceIp, System.Xml.XmlElement[] Any)
        {
            // A simple bind with an empty password is an anonymous bind (RFC 4513) and
            // succeeds on most directories, so it must never count as a valid login.
            if (string.IsNullOrEmpty(username) || string.IsNullOrEmpty(password))
            {
                audit(username, "FAIL", "empty username or password");
                return false;
            }

            try
            {
                // Run the business logic: bind to the directory with the user's own credentials.
                // For Active Directory, username should be a UPN (user@domain) or DOMAIN\user.
                using (LdapConnection connection = new LdapConnection(LdapServer))
                {
                    connection.AuthType = AuthType.Basic;
                    connection.SessionOptions.SecureSocketLayer = true;   // LDAPS: never send the password in clear
                    connection.Timeout = TimeSpan.FromSeconds(3);        // stay inside Salesforce's wait limit
                    connection.Bind(new NetworkCredential(username, password));
                }
                audit(username, "SUCCESS", "source IP " + sourceIp);
                return true;
            }
            catch (Exception e)
            {
                // Connection can not be created - password is incorrect (or the directory is down).
                // Either way, fail closed.
                log(ERROR, "Failed to get LDAP connection. Error message is : " + e.Message);
                audit(username, "FAIL", e.Message);
                return false;
            }
        }

        // Minimal logging; the password must never appear in either log.
        private static void log(string level, string message)
        {
            Trace.WriteLine(DateTime.UtcNow.ToString("o") + " " + level + " " + message);
        }

        private static void audit(string username, string result, string detail)
        {
            Trace.WriteLine(DateTime.UtcNow.ToString("o") + " AUDIT user=" + username + " result=" + result + " " + detail);
        }
    }
}
```
It's important to note that Salesforce limits how long it waits for the service: the entire request/response, network time included, must complete in under about 5 seconds, otherwise the user gets a failed-login message. So give the directory lookup a timeout well inside that limit and return false when it fires, rather than letting Salesforce time out on you.
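The service receives every Salesforce user's cleartext password, so it needs guarding beyond the credential check itself. The following is an added example and not code from the original post: a small gate that refuses plain-HTTP requests, pins the client certificate that Salesforce presents (this assumes you have configured Salesforce to send its client certificate and stored that certificate's thumbprint in config; the `SalesforceCertThumbprint` and `LdapServer` setting names are placeholders), and runs the directory bind under a time budget so that a hung directory returns false before Salesforce's own ~5 second limit. It also assumes IIS is set to accept client certificates on the site and that the service runs on .NET 4 or later (for `Task`); the `SalesforceGate` and `GuardedSecurityService` names are mine.

```csharp
using System;
using System.Configuration;
using System.DirectoryServices.Protocols;
using System.Net;
using System.Security.Cryptography.X509Certificates;
using System.Threading.Tasks;
using System.Web;
using System.Web.Services;

namespace DelegatedAuthenticationService
{
    /// <summary>Checks that run before any credential check: TLS, caller identity, time budget.</summary>
    public static class SalesforceGate
    {
        // Thumbprint of the pinned Salesforce client certificate (placeholder key; set it in web.config)
        private static readonly string ExpectedThumbprint =
            ConfigurationManager.AppSettings["SalesforceCertThumbprint"];

        // Salesforce gives up after roughly 5 s end to end, so leave headroom for the network
        private static readonly TimeSpan Budget = TimeSpan.FromSeconds(4);

        /// <summary>Returns the credential check's result, or false (with a reason) if any gate fails.</summary>
        public static bool Run(HttpRequest request, Func<bool> credentialCheck, out string reason)
        {
            // 1. The password is in the SOAP body: never answer over plain HTTP.
            if (!request.IsSecureConnection)
            {
                reason = "request not over TLS";
                return false;
            }

            // 2. Only Salesforce may talk to this endpoint: require its pinned client certificate.
            HttpClientCertificate cc = request.ClientCertificate;
            if (!cc.IsPresent || !cc.IsValid)
            {
                reason = "missing or invalid client certificate";
                return false;
            }
            string thumbprint = new X509Certificate2(cc.Certificate).Thumbprint;
            if (!string.Equals(thumbprint, ExpectedThumbprint, StringComparison.OrdinalIgnoreCase))
            {
                reason = "unexpected client certificate " + thumbprint;
                return false;
            }

            // 3. Bound the credential check so a hung directory fails closed before Salesforce times out.
            //    The task keeps running after a timeout, so the LDAP connection should carry its own timeout too.
            Task<bool> check = Task.Factory.StartNew(credentialCheck);
            try
            {
                if (!check.Wait(Budget))
                {
                    reason = "credential check exceeded " + Budget.TotalSeconds + "s";
                    return false;
                }
            }
            catch (AggregateException e)
            {
                reason = "credential check failed: " + e.InnerException.Message;
                return false;
            }
            reason = check.Result ? "ok" : "bad credentials";
            return check.Result;
        }
    }

    /// <summary>The same web method as the post's service, with the gate in front of the directory bind.</summary>
    [WebService(Namespace = "urn:authentication.soap.sforce.com")]
    [WebServiceBinding(ConformsTo = WsiProfiles.BasicProfile1_1)]
    public class GuardedSecurityService : System.Web.Services.WebService
    {
        private static readonly string LdapServer = ConfigurationManager.AppSettings["LdapServer"];

        [WebMethod]
        public bool Authenticate(string username, string password, string sourceIp, System.Xml.XmlElement[] Any)
        {
            string reason;
            bool ok = SalesforceGate.Run(Context.Request, () => BindToDirectory(username, password), out reason);
            System.Diagnostics.Trace.WriteLine("AUDIT user=" + username + " ip=" + sourceIp
                + " result=" + (ok ? "SUCCESS" : "FAIL") + " " + reason);
            return ok;
        }

        // The LDAP bind the post's service is built around. Empty passwords are rejected up front,
        // because a simple bind with an empty password is an anonymous bind and would succeed.
        private static bool BindToDirectory(string username, string password)
        {
            if (string.IsNullOrEmpty(username) || string.IsNullOrEmpty(password)) return false;
            using (LdapConnection c = new LdapConnection(LdapServer))
            {
                c.AuthType = AuthType.Basic;
                c.SessionOptions.SecureSocketLayer = true;
                c.Timeout = TimeSpan.FromSeconds(3);
                c.Bind(new NetworkCredential(username, password));   // throws LdapException on bad credentials
            }
            return true;
        }
    }
}
```

The thumbprint comparison is a pin on one specific certificate, so it has to be updated when Salesforce rotates its client certificate; the reason string is for your audit log only and is never returned to Salesforce, which only ever sees true or false.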
Good luck!