Integrating SSO in Salesforce’s native/web app

This article explains the data flow between a native/web app and a Federated SSO-enabled Salesforce org, and the configuration the app requires.

Setting up Federated Single Sign-On on Salesforce is beyond the scope of this article. It assumes that your Salesforce org is already SSO enabled.

Salesforce provides the Mobile SDK to develop native apps and several Mobile Packs to develop web apps that interact with Salesforce. These SDKs use the OAuth protocol to authenticate against Salesforce. When Salesforce receives an OAuth token request, it handles the whole sequence: it takes the user to the IDP (Identity Provider) login page, gets the authentication done, authorizes the request and finally returns the user to the native/web app.

So from the app developer’s point of view there is not much to do. Only a single change is needed to make the Mobile Packs work with SSO.

Let us understand the flow among the native/web app, Salesforce and the IDP.

[Image: sso-flow]


  1. The client sends an OAuth token request to Salesforce. The request must go to your custom Salesforce URL (abc-company.my.salesforce.com) rather than to the generic Salesforce URL (login.salesforce.com). It is this URL that lets Salesforce detect the IDP and forward the request to it for authentication. This is the only change the app developer has to make in their code.
  2. Salesforce now checks whether the user is logged in. If not, it forwards the user to the IDP with a SAMLRequest. This happens through the client’s built-in browser component. If the user is already logged in, the flow jumps to step 5.
  3. The Identity Provider reads the SAMLRequest and asks the user to authenticate. The user now enters his/her credentials on the client.
  4. On successful authentication, the Identity Provider makes a POST request to Salesforce with the SAMLResponse. This also happens through the client’s built-in browser component.
  5. After validating the SAMLResponse, Salesforce asks the user to authorize the connected app to issue a token.
  6. The authorization request is processed.
  7. Salesforce now redirects the user back to the client’s callback URL with an access token.

Once the client (native/web app) receives the OAuth token, all subsequent requests to Salesforce carry this token, and Salesforce uses it to process the API calls. As long as the token is valid, Salesforce responds to API calls without asking for authorization again. If Salesforce finds the token expired, the flow above is followed again.
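The developer-side change from step 1, as an added Python example that is not from the article or from the Salesforce SDKs: it builds the OAuth 2.0 authorization request against the My Domain host (refusing the generic login host, which would skip the IDP routing), checks the `state` parameter on the step 7 callback, and prepares the code-for-token exchange. The org name, consumer key and callback URL are placeholders, and no network call is made.

```python
from urllib.parse import urlencode, urlparse, parse_qs
import secrets

# Placeholder values constructed for this example (not a real org or connected app).
MY_DOMAIN = "abc-company.my.salesforce.com"
CLIENT_ID = "CONSUMER_KEY_PLACEHOLDER"
REDIRECT_URI = "myapp://oauth/callback"


def check_login_host(host: str) -> None:
    """Refuse hosts that would bypass the org's My Domain (and therefore its IDP)."""
    host = host.lower()
    if host in ("login.salesforce.com", "test.salesforce.com"):
        raise ValueError("generic login host: SSO routing needs the My Domain URL")
    if not host.endswith(".my.salesforce.com"):
        raise ValueError(f"unexpected login host: {host}")


def build_authorize_url(my_domain: str, client_id: str, redirect_uri: str, state: str) -> str:
    """Step 1: the authorization request goes to the custom My Domain host over HTTPS."""
    check_login_host(my_domain)
    params = {
        "response_type": "code",  # web-server flow; the user-agent flow uses "token"
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "state": state,  # bound to this session so the callback can be verified
    }
    return f"https://{my_domain}/services/oauth2/authorize?{urlencode(params)}"


def parse_callback(callback_url: str, expected_state: str) -> str:
    """Step 7: Salesforce redirects to the callback; verify state before using the code."""
    q = parse_qs(urlparse(callback_url).query)
    if q.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: callback does not belong to this session")
    if "error" in q:
        raise ValueError(f"authorization failed: {q['error'][0]}")
    return q["code"][0]


def token_request(my_domain: str, code: str, client_id: str, redirect_uri: str) -> tuple:
    """Build the code-for-token exchange (endpoint, form body) for the caller to POST."""
    check_login_host(my_domain)
    body = {
        "grant_type": "authorization_code",
        "code": code,
        "client_id": client_id,
        "redirect_uri": redirect_uri,
    }
    return f"https://{my_domain}/services/oauth2/token", body


if __name__ == "__main__":
    session_state = secrets.token_urlsafe(16)
    print(build_authorize_url(MY_DOMAIN, CLIENT_ID, REDIRECT_URI, session_state))
```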


How to create a custom domain in salesforce?

The ‘My Domain’ feature in Salesforce allows you to customize your Salesforce URL. Using this feature you can create a custom domain that represents your company’s brand. This is a one-time process which cannot be reversed, so make sure you create a proper and meaningful custom domain for your organization.

Custom Domain Format:

  • Production Org: http://<brand-name>.my.salesforce.com/
  • Developer Org: https://<brand-name>-dev-ed.my.salesforce.com/

Follow the steps below to set up a custom domain.

Step 1 (Choose Domain Name):

  • Log in to Salesforce as administrator and navigate to Setup => Domain Management => My Domain
  • Enter the custom domain name and check for availability. If it is already registered by someone else, try another custom domain that is available to register.
  • Agree to the Terms and Conditions and click Register

[Image: step1-sf-custom-domain]


Step 2 (Domain Registration Pending):

  • After the above steps, Salesforce processes your domain registration request and sends an email when the custom domain is registered and ready to use

Step 3 (Domain Ready for Testing):

  • After you receive the email, navigate to Setup => Domain Management => My Domain. You will see something like the image below.

[Image: step1-sf-custom-domain]

  • At this stage the custom domain is invisible to users, but it is available for testing.

Step 4 (Domain Deployed to Users):

  • Deploy the domain to users from the ‘My Domain’ page. Once you deploy the domain, all users are redirected to your custom domain and you cannot reverse this change.
  • The image below shows two different sections. The ‘My Domain Settings’ section lets you set the login policy, while ‘Login Page Settings’ lets you customize the login page and add more Authentication Services. Currently ‘Authentication Services’ shows only one value, ‘Login Page’. When you set up Single Sign-On on Salesforce you will see the exact use of this feature.

[Image: step4-sf-custom-domain]
