Monday, May 04, 2015

SSO: Using Salesforce as an IDP

Had a number of questions around this lately and thought I would write this up.

The use case is that you have an existing Salesforce account and you want to use this to authenticate against an application.

Note that Salesforce federates using SAML.

Options for doing this:
  • Hook up ADFS as the RP (SP in SAML speak) and Salesforce as the IDP using SAML
  • I don't believe you can do this with Azure AD. That's because AAD is always the IDP and everything else is the SP. That's how Salesforce out of the SaaS back-end of AAD works, i.e. access via the Access Panel / myapps.
  • Use Auth0 as in "SAML: ASP.NET MVC application talking to SAML IDP". In this scenario, you are using the Auth0 Enterprise connection and configuring the SAML parameters similar to the ADFS example.
  • Use Auth0 but in this case use Salesforce as in the "Third Party App". Here Auth0 does some of the heavy lifting for you but the end result is the same.
Note: Auth0 does have a neat "Salesforce Configuration Instructions" tutorial available when you configure Salesforce as a "Third Party App" but it doesn't seem to be publicly available. The document doesn't tell you what to do on the client side. You need to add Salesforce to the Lock widget under "Connections / Social".

Enjoy!
