This article explains the data flow between a native/web app and a Federated SSO-enabled Salesforce org, and the configuration the app requires.
Setting up Federated Single Sign-On on Salesforce is beyond the scope of this article; it assumes that your Salesforce org is already SSO enabled.
Salesforce provides the Mobile SDK for building native apps and several Mobile Packs for building web apps that interact with Salesforce. These SDKs use the OAuth protocol to authenticate against Salesforce. When Salesforce receives an OAuth token request, it handles the whole round trip: it sends the user to the IdP (Identity Provider) login page, waits for authentication to complete, authorizes the request and finally returns the user to the native/web app.
So from the app developer's point of view there is very little to do: a single change is enough to make the Mobile Packs work for you.
Let us walk through the flow among the native/web app, Salesforce and the IdP.
1. The client sends an OAuth token request to Salesforce. The request must go to your custom Salesforce URL (for example abc-company.my.salesforce.com) rather than to the generic Salesforce URL (login.salesforce.com). It is only from this custom URL that Salesforce can detect the IdP and forward the request to it for authentication. This is the only change the app developer has to make in their code.
2. Salesforce now checks whether the user is logged in. If not, it forwards the user to the IdP with a SAMLRequest; this happens through the client's built-in browser component. If the user is already logged in, the flow jumps to step 5.
3. The IdP reads the SAMLRequest and asks the user to authenticate. The user enters his or her credentials in the client.
4. On successful authentication, the IdP makes a POST request to Salesforce with the SAMLResponse, again through the client's built-in browser component.
5. After validating the SAMLResponse, Salesforce asks the user to authorize the connected app so that a token can be issued.
6. The user's authorization response is processed.
7. Salesforce redirects the user back to the client's callback URL with an access token.
Once the client (native/web app) receives the OAuth token, every subsequent request to Salesforce carries this token, and Salesforce uses it to process the API calls. As long as the token is valid, Salesforce answers API calls without asking for authorization again. If Salesforce finds that the token has expired, the flow above is repeated.