Salesforce Delegated Authentication with Access Manager
Salesforce supports different types of authentication methods, these include Salesforce local authentication, SAML, OpenID Connect and Delegated authentication. NAM 4.0 and above can be used for Salesforce delegated authentication. In the case of Delegated authentication, Salesforce invokes NAM webservice with SOAP payload which includes username and password, This type of authentication is popular for mobile API access of Salesforce. Delegated authentication can be enabled at the user profile or large group.
Deploy the webservice on NAM IDP and configure Salesforce for delegated authentication.
To enable Salesforce for delegated authentication, contact Saleforce or raise a support ticket to enable this feature. For additional information refer to this Salesforce documentation: https://help.salesforce.com/apex/HTViewHelpDoc?id=sso_delauthentication_configuring.htm&language=en
Ensure IDP is accessible from the Internet publicly, and the SSL certificate is issued from a well-known certificate authority.
This solution will give basic steps to setting up NAM custom X.509 authentication.
- Download attached zip file and extract to temporary folder
- Copy the jar file to NAM IDP lib folder location /opt/novell/nam/idp/webapps/nidp/WEB-INF/lib
- If you want to specify which Authentication Method is to be used, the authentication method display name has to be added in web.xml. If this parameter not configured by default “Name/Password – Form” method will be executed to validate Salesforce provided credentials.
Add the following to web.xml of IDP /opt/novell/nam/idp/webapps/nidp/WEB-INF/web.xml
<param-value>Name/Password – Form</param-value>
- Restart IDP /etc/init.d/novell-idp restart
- If Name/Password – Form method has to validate Email and password, configure Query parameter with this method. Refer to NAM documentation. This is optional step to be configured at NAM Admin Console.
- Login to Salesforce administration page for your organization
- Click Setup > Administration Setup > Security Controls > Single Sign-On Settings > Edit
- In the Delegated Gateway URL field, specify a value similar to the following: https://<NAM_IDP_public_dns_name>/nidp/sf/soap
- Under Setup > Administration Setup > Manage Users > Profiles, Open a User Profile you would like to enable delegated authentication.
- Click Edit on the user profile and scroll down to the General User Permissions section and check the Is Single Sign-On Enabled checkbox
- Click Save
- Use “POST MAN” extension in Chrome browser
- Select POST as HTTP method and enter URL https://<NAM_IDP_public_dns_name>/nidp/sf/soap
- Set Header “Content-Type: text/xml”
- Body type as “raw” and copy paste the Salesforce request, modify username and password with testuser.
<?xml version="1.0" encoding="UTF-8" ?>
- Click on Send
- Check the result, SOAP response with value as true or false
- If IDP webservice is working fine with the above test, access your Salesforce url as https://<organization>.salesforce.com/ or https://login.salesforce.com
- Enter user credentials where delegated authentication is enabled for this user.
Note: Delegated authentication will be used with like outlook plugin and other APIs
Please share your comments!!