Salesforce Delegated Authentication with Access Manager

Salesforce Delegated Authentication with Access Manager

Introduction



Salesforce supports different types of authentication methods, these include Salesforce local authentication, SAML, OpenID Connect and Delegated authentication. NAM 4.0 and above can be used for Salesforce delegated authentication. In the case of Delegated authentication, Salesforce invokes NAM webservice with SOAP payload which includes username and password, This type of authentication is popular for mobile API access of Salesforce. Delegated authentication can be enabled at the user profile or large group.

Solution



Deploy the webservice on NAM IDP and configure Salesforce for delegated authentication.

To enable Salesforce for delegated authentication, contact Saleforce or raise a support ticket to enable this feature. For additional information refer to this Salesforce documentation: https://help.salesforce.com/apex/HTViewHelpDoc?id=sso_delauthentication_configuring.htm&language=en

Ensure IDP is accessible from the Internet publicly, and the SSL certificate is issued from a well-known certificate authority.

This solution will give basic steps to setting up NAM custom X.509 authentication.

Configuration steps

  1. Download attached zip file and extract to temporary folder

  2. Copy the jar file to NAM IDP lib folder location /opt/novell/nam/idp/webapps/nidp/WEB-INF/lib

  3. If you want to specify which Authentication Method is to be used, the authentication method display name has to be added in web.xml. If this parameter not configured by default “Name/Password – Form” method will be executed to validate Salesforce provided credentials.


Add the following to web.xml of IDP /opt/novell/nam/idp/webapps/nidp/WEB-INF/web.xml

<servlet>

<servlet-name>sfdelegate</servlet-name>

<init-param>

<param-name>method_name</param-name>

<param-value>Name/Password – Form</param-value>

</init-param>

</servlet>



  1. Restart IDP /etc/init.d/novell-idp restart

  2. If Name/Password – Form method has to validate Email and password, configure Query parameter with this method. Refer to NAM documentation. This is optional step to be configured at NAM Admin Console.

  3. Login to Salesforce administration page for your organization

  4. Click Setup > Administration Setup > Security Controls > Single Sign-On Settings > Edit

  5. In the Delegated Gateway URL field, specify a value similar to the following: https://<NAM_IDP_public_dns_name>/nidp/sf/soap

  6. Under Setup > Administration Setup > Manage Users > Profiles, Open a User Profile you would like to enable delegated authentication.

  7. Click Edit on the user profile and scroll down to the General User Permissions section and check the Is Single Sign-On Enabled checkbox

  8. Click Save


Test Configuration

  1. Use “POST MAN” extension in Chrome browser

  2. Select POST as HTTP method and enter URL https://<NAM_IDP_public_dns_name>/nidp/sf/soap

  3. Set Header “Content-Type: text/xml”

  4. Body type as “raw” and copy paste the Salesforce request, modify username and password with testuser.


<?xml version="1.0" encoding="UTF-8" ?>

<soapenv:Envelope

xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">

<soapenv:Body>

<Authenticate xmlns="urn:authentication.soap.sforce.com">

<username>sampleuser@sample.org</username>

<password>myPassword99</password>

<sourceIp>1.2.3.4</sourceIp>

</Authenticate>

</soapenv:Body>

</soapenv:Envelope>



  1. Click on Send

  2. Check the result, SOAP response with value as true or false

  3. If IDP webservice is working fine with the above test, access your Salesforce url as https://<organization>.salesforce.com/ or https://login.salesforce.com

  4. Enter user credentials where delegated authentication is enabled for this user.


Note: Delegated authentication will be used with like outlook plugin and other APIs

References




Please share your comments!!

DISCLAIMER:

Some content on Community Tips & Information pages is not officially supported by Micro Focus. Please refer to our Terms of Use for more detail.
Comments

I'm trying to setup Salesforce Delegated Authentication with NAM 4.4.1 following this guide. After follow all the needed steps, when I test it with Post Man I receive an "HTTP 500 Internal Server Error". At the NIDP log file I can see the following error:

java.lang.NoClassDefFoundError: com/novell/nidp/common/util/UniqueString
com.mf.soap.ep.NAMAuthenticationUtil: NAMAuthenticationUtil.java: authenticate: 38
com.mf.soap.ep.SalesForceDelegateAuthEP: SalesForceDelegateAuthEP.java: doPost: 70

Any idea of what can be wrong?

Top Contributors
Version history
Revision #:
1 of 1
Last update:
‎2016-05-03 19:55
Updated by:
Micro Focus Contributor
 
The opinions expressed above are the personal opinions of the authors, not of Micro Focus. By using this site, you accept the Terms of Use and Rules of Participation. Certain versions of content ("Material") accessible here may contain branding from Hewlett-Packard Company (now HP Inc.) and Hewlett Packard Enterprise Company. As of September 1, 2017, the Material is now offered by Micro Focus, a separately owned and operated company. Any reference to the HP and Hewlett Packard Enterprise/HPE marks is historical in nature, and the HP and Hewlett Packard Enterprise/HPE marks are the property of their respective owners.