OpenAM as Identity provider / Salesforce as Service Provider – Federated Single Sign On

Context

Working with Salesforce, you often need to integrate with an enterprise-scale Identity Provider such as OpenAM. In this post, I show how to configure OpenAM as the Identity Provider (IdP) and Salesforce as the Service Provider (SP), either to access the Salesforce Org itself as an administrator or to access a Salesforce Community as a partner user. The way Salesforce builds its product makes the Single Sign On configuration a matter of a few clicks; the OpenAM side needs more steps and configuration. Let's describe those steps in detail.

Required Steps

  1. Configure OpenAM as Identity Provider, define the Circle of Trust (cot) and create attributes mapping
  2. Configure Salesforce as Service Provider: activate My Domain, get the OpenAM public certificate, set up the Single Sign On settings, set the Federation ID
  3. Import the Salesforce Metadata into OpenAM and verify/configure the federation settings
  4. Test the Single Sign On – SP initiated login
  5. SP initiated login – Technical message exchange

Step1: Configure OpenAM as IdP

  • Log in to your OpenAM instance as amAdmin, click Common Tasks and then “Create Hosted Identity Provider”
  • Provide the following information:
    • Do you have metadata for this provider: No
    • Metadata Name: a URL reachable from the internet, preferably HTTPS, since Salesforce redirects its users to it, for example https://cmok.kwaoo.me:8443/OpenAM-13.0.0
    • Metadata Signing Key: select test from the dropdown (test is the self-signed demo key shipped in OpenAM's keystore.jks; fine for a lab, but use a key you generated yourself in production, because this key signs every assertion Salesforce will trust)
    • Create a new Circle of Trust and provide a name, e.g. salesforce-cot
    • Create an attribute mapping between the attributes used in the SAML assertion and the attributes of your local data store
      • Name in Assertion: SSOID (attribute names are case-sensitive; this is what appears as Name="SSOID" in the assertion and must match the attribute name configured on the Salesforce side)
      • Local Attribute Name: uid
    • Click Configure, then Finish


Screenshot: Create a SAML v2 Identity Provider on this Server

IDP / Assertion Content Tab


Screenshot: IDP Assertion Content

IDP / Assertion Processing Tab


Screenshot: IDP Assertion Processing

IDP / Service Tab


Screenshot: IDP Services Tab

IDP / Advanced Tab


Screenshot: IDP Advanced

Step2: Configure Salesforce as SP

  • Set up My Domain: complete the 4 steps
    1. Choose Domain Name
    2. Domain Registration Pending
    3. Domain Ready for Testing
    4. Domain deployed to Users


Screenshot: Salesforce My Domain

  • Export the public certificate from OpenAM (the certificate of the signing key chosen in Step 1; the private key never leaves the keystore)
    • go to your $HOME/OpenAM-13.0.0/OpenAM-13.0.0 directory; mine is C:\Users\Chenda\OpenAM-13.0.0\OpenAM-13.0.0
    • run the following command (keytool prompts for the keystore password):  keytool -export -keystore keystore.jks -alias test -file openAM13_certificate.cer
  • Set up the Single Sign-On Settings in Salesforce: upload openAM13_certificate.cer as the Identity Provider Certificate (Salesforce verifies the signature of every SAML Response against it), and, because the assertion will carry the user in the SSOID attribute rather than in the NameID, point the SAML Identity Location at an Attribute element named SSOID, matched against the user's Federation ID


Screenshot: SSO Setting

  • Configure the Federation Identifier for your test user, connected to your Salesforce Org as an admin user
    • search for your admin user, edit it, and set the Federation ID to demo
    • demo is the OOTB user existing in OpenAM's default realm (remember the mapping SSOID=uid). Since uid's value is what travels as SSOID between OpenAM and Salesforce, the Federation ID of this Salesforce test user is set to demo


Screenshot: Admin User Federation Identifier

 

Step3: Import Salesforce SP Metadata into OpenAM IdP

  • Go back to your OpenAM instance (the IdP) and log in as amAdmin
  • Click the Federation tab, Entity Providers section, then Import Entity
    • Select the metadata file downloaded from your Salesforce Org (Download Metadata on the Single Sign-On Settings page)
    • your SP entry has been added; check that its entity ID and Assertion Consumer Service URL are those of your My Domain, because this metadata is what OpenAM uses to verify the signature on Salesforce's requests and to know where assertions may be posted
    • Add your SP into the Circle of Trust created in Step 1; OpenAM only answers AuthnRequests from SPs that share a Circle of Trust with the IdP

SP / Assertion Content


Screenshot: SP Assertion Content

SP / Assertion Processing


Screenshot: SP Assertion Processing

SP / Services


Screenshot: SP Services

SP / Advanced


Screenshot: SP Advanced

IdP – Federation Tab

Screenshot: IDP Federation Tab

IdP – Circle of Trust


Screenshot: Circle of Trust

Step4: Testing the Single Sign On – SP initiated login

  1. Try to access a private page on Salesforce: https://chendademoidentity-dev-ed.my.salesforce.com/home/home.jsp


    Screenshot: SP Initiated Login

  2. If you have multiple IdPs defined in Salesforce, select the one you want to test; mine is OpenAM13 IdP
  3. You are redirected to the OpenAM login page
  4. Enter your credentials (I use the OOTB demo user defined under Your Realm / Subjects in OpenAM)

    Screenshot: OpenAM Login Page
  5. After a successful login, OpenAM posts the SAML Response to Salesforce (the SP), which redirects you to the home page you asked for. Et voilà, all done.

    Screenshot: Salesforce Home Page

Step5: SP initiated login – Technical message exchange

Below are the technical steps happening behind the scenes.

POST https://cmok.kwaoo.me:8443/OpenAM-13.0.0/SSOPOST/metaAlias/idp HTTP/1.1
RelayState: /home/home.jsp
SAMLRequest: (base64-encoded AuthnRequest; value omitted, decoded below)
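The SAMLRequest form field above is the AuthnRequest shown decoded further down, base64-encoded as the HTTP-POST binding requires. The helper below is an added example for reading such captures, not code from the post, OpenAM or Salesforce: it decodes the parameter for either binding (POST is plain base64; Redirect is raw-DEFLATEd, base64-encoded and URL-encoded), and the short AuthnRequest it round-trips is constructed, not the page's capture.

```python
import base64
import zlib
from urllib.parse import unquote

# Constructed sample, not the page's capture (the real one is several KB).
SAMPLE_AUTHN_REQUEST = ('<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
                        'ID="_example" Version="2.0" IssueInstant="2016-03-13T12:08:53Z"/>')


def encode_saml_message(xml_text, binding="POST"):
    """What the SP does before sending; the inverse of decode_saml_message, used to build input."""
    data = xml_text.encode("utf-8")
    if binding == "Redirect":
        # Redirect binding: raw DEFLATE (no zlib header, hence wbits=-15), then base64,
        # then URL-encoding when placed in the query string.
        comp = zlib.compressobj(9, zlib.DEFLATED, -15)
        data = comp.compress(data) + comp.flush()
    return base64.b64encode(data).decode("ascii")


def decode_saml_message(param, binding="POST"):
    """Return the XML behind a SAMLRequest/SAMLResponse parameter.

    POST binding (the capture above): the form field is plain base64 of the XML,
    possibly with line breaks. Redirect binding: URL-encoded base64 of raw-DEFLATEd XML.
    """
    if binding == "Redirect":
        raw = zlib.decompress(base64.b64decode(unquote(param)), -15)
    else:
        raw = base64.b64decode(param)
    return raw.decode("utf-8")
```

Decoding is only the first step of reading a capture: the decoded request's Destination and the response's signature, InResponseTo, Recipient and validity window are what actually matter, and the ID values in them are what tie a request to its response.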

SAML Request (decoded from the SAMLRequest parameter). Note that both this request and the assertion returned below are signed with rsa-sha1 and SHA-1 digests, the defaults at the time; SHA-1 is deprecated for signatures, Salesforce can sign its requests with RSA-SHA256 (Request Signature Method in the Single Sign-On Settings), and the IdP should be configured to do the same for the assertion.

<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" AssertionConsumerServiceURL="https://chendademoidentity-dev-ed.my.salesforce.com?so=00D58000000KKGe" Destination="https://cmok.kwaoo.me:8443/OpenAM-13.0.0/SSOPOST/metaAlias/idp" ID="_2CAAAAVQAEuDKME8wNTgwMDAwMDA0Qzk2AAAAyNWxg4g9UdyQdawvHLQ6av0xaeS9lcd6NXbflxwewDQdjH8NcqXDaN5JJGuUcnT19HLzLFfRxgqTB09QUWvmZ-14W4ncYoDcAuYLF14ekEDD0n0nNBdI1tlU6MX_juYbg80sy4oHoQd11GdUjGsdvEbgivFuW-WandW8d79gzP5dKYgg0Ko53GGWaQGB0-N3dwszdpkFf7DDYrY-d0wiHRemTPMPcFWBW4Tkxpzd5Aj_zR4JR2pMPqaUbZugrfdcag" IssueInstant="2016-03-13T12:08:53.459Z" ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Version="2.0" >
    <saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">https://chendademoidentity-dev-ed.my.salesforce.com</saml:Issuer>
    <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:SignedInfo>
            <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
            <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
            <ds:Reference URI="#_2CAAAAVQAEuDKME8wNTgwMDAwMDA0Qzk2AAAAyNWxg4g9UdyQdawvHLQ6av0xaeS9lcd6NXbflxwewDQdjH8NcqXDaN5JJGuUcnT19HLzLFfRxgqTB09QUWvmZ-14W4ncYoDcAuYLF14ekEDD0n0nNBdI1tlU6MX_juYbg80sy4oHoQd11GdUjGsdvEbgivFuW-WandW8d79gzP5dKYgg0Ko53GGWaQGB0-N3dwszdpkFf7DDYrY-d0wiHRemTPMPcFWBW4Tkxpzd5Aj_zR4JR2pMPqaUbZugrfdcag">
                <ds:Transforms>
                    <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
                    <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
                        <ec:InclusiveNamespaces xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList="ds saml samlp" />
                    </ds:Transform>
                </ds:Transforms>
                <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
                <ds:DigestValue>G1HxskL1e8qyQrigixduVqqQUrA=</ds:DigestValue>
            </ds:Reference>
        </ds:SignedInfo>
        <ds:SignatureValue>
OOrs+DwAzDsmanJxvfHx+9ysSgIF+ffLGtWIL3VqK6VytHQUmK47aiKA4WtJ3/ORuuuMEwXzYSUK
Bo+QTxiQ2O+cqlKBZYCxpt0/O+M7xPbrSVou09Qlp6qcT8cA0YbUvffEjgjuk+OqIAwQs1YyKG3/
4zjYUqBb5X+gtX/mq/DZhau1569pBr34pdGTP88UD8pBuK4V4IjWF8Sm2to4sf2FOBVz9fHu4z3n
k9tSXGfN6xqiQox+Bw9Q3yKU9gGE16YNOhrkhnru+jAp9kP56RqPMLgGbibMZd7Tx1pSh4F268e8
5h6nJHpo4EdRYvg5cSalIAJ34b8ItdJK3T6McA==
</ds:SignatureValue>
        <ds:KeyInfo>
            <ds:X509Data>
                <ds:X509Certificate>MIIErDCCA5SgAwIBAgIOAVLHkeFXAAAAAARi964wDQYJKoZIhvcNAQELBQAwgZAxKDAmBgNVBAMM…</ds:X509Certificate>
            </ds:X509Data>
        </ds:KeyInfo>
    </ds:Signature>
</samlp:AuthnRequest>

 

GET https://cmok.kwaoo.me:8443/OpenAM-13.0.0/XUI/#login/&realm=/&forward=true&spEntityID=https%3A%2F%2Fchendademoidentity-dev-ed.my.salesforce.com&goto=%2FSSOPOST%2FmetaAlias%2Fidp%3FReqID%3D_2CAAAAVQAEuDKME8wNTgwMDAwMDA0Qzk2AAAAyNWxg4g9UdyQdawvHLQ6av0xaeS9lcd6NXbflxwewDQdjH8NcqXDaN5JJGuUcnT19HLzLFfRxgqTB09QUWvmZ-14W4ncYoDcAuYLF14ekEDD0n0nNBdI1tlU6MX_juYbg80sy4oHoQd11GdUjGsdvEbgivFuW-WandW8d79gzP5dKYgg0Ko53GGWaQGB0-N3dwszdpkFf7DDYrY-d0wiHRemTPMPcFWBW4Tkxpzd5Aj_zR4JR2pMPqaUbZugrfdcag%26index%3Dnull%26acsURL%3Dhttps%253A%252F%252Fchendademoidentity-dev-ed.my.salesforce.com%253Fso%253D00D58000000KKGe%26spEntityID%3Dhttps%253A%252F%252Fchendademoidentity-dev-ed.my.salesforce.com%26binding%3Durn%253Aoasis%253Anames%253Atc%253ASAML%253A2.0%253Abindings%253AHTTP-POST&AMAuthCookie= HTTP/1.1

POST https://chendademoidentity-dev-ed.my.salesforce.com/?so=00D58000000KKGe HTTP/1.1

SAML Response

<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="s2565096ea70e9276f3008cc3c74253315cacab273" InResponseTo="_2CAAAAVQAEuDKME8wNTgwMDAwMDA0Qzk2AAAAyNWxg4g9UdyQdawvHLQ6av0xaeS9lcd6NXbflxwewDQdjH8NcqXDaN5JJGuUcnT19HLzLFfRxgqTB09QUWvmZ-14W4ncYoDcAuYLF14ekEDD0n0nNBdI1tlU6MX_juYbg80sy4oHoQd11GdUjGsdvEbgivFuW-WandW8d79gzP5dKYgg0Ko53GGWaQGB0-N3dwszdpkFf7DDYrY-d0wiHRemTPMPcFWBW4Tkxpzd5Aj_zR4JR2pMPqaUbZugrfdcag" Version="2.0" IssueInstant="2016-03-13T12:10:11Z" Destination="https://chendademoidentity-dev-ed.my.salesforce.com?so=00D58000000KKGe" >
    <saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">https://cmok.kwaoo.me:8443/OpenAM-13.0.0</saml:Issuer>
    <samlp:Status xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
        <samlp:StatusCode xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" Value="urn:oasis:names:tc:SAML:2.0:status:Success" />
    </samlp:Status>
    <saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="s24de3385510bdeab7d9d8ff8cc3271ed4898d1f22" IssueInstant="2016-03-13T12:10:11Z" Version="2.0" >
        <saml:Issuer>https://cmok.kwaoo.me:8443/OpenAM-13.0.0</saml:Issuer>
        <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
            <ds:SignedInfo>
                <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
                <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
                <ds:Reference URI="#s24de3385510bdeab7d9d8ff8cc3271ed4898d1f22">
                    <ds:Transforms>
                        <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
                        <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
                    </ds:Transforms>
                    <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
                    <ds:DigestValue>H0DEhp0G5td9ymHsg5YvXNKAWQ4=</ds:DigestValue>
                </ds:Reference>
            </ds:SignedInfo>
            <ds:SignatureValue>
Af+GBiJ2BSflbikYEZaCVEwCh/EI7vioqWdKKOuyEHPIA8D/RSr1VAW7drlX8L3yMmBXErsMPVDb
IIzZNgzYgRf0gxgJQQU9ESjXZN6P5rgHQxRIJ2jqXGfDZQvm3mVUwXmq5pqrR1RTyAX2zJPPI/nL
CE+0sejN8Nqvq+eo7AA=
</ds:SignatureValue>
            <ds:KeyInfo>
                <ds:X509Data>
                    <ds:X509Certificate>…</ds:X509Certificate>
                </ds:X509Data>
            </ds:KeyInfo>
        </ds:Signature>
        <saml:Subject>
            <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent" NameQualifier="https://cmok.kwaoo.me:8443/OpenAM-13.0.0" >6dh3dC/pJbD47KYDd5R3W8HPBrXu</saml:NameID>
            <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
                <saml:SubjectConfirmationData InResponseTo="_2CAAAAVQAEuDKME8wNTgwMDAwMDA0Qzk2AAAAyNWxg4g9UdyQdawvHLQ6av0xaeS9lcd6NXbflxwewDQdjH8NcqXDaN5JJGuUcnT19HLzLFfRxgqTB09QUWvmZ-14W4ncYoDcAuYLF14ekEDD0n0nNBdI1tlU6MX_juYbg80sy4oHoQd11GdUjGsdvEbgivFuW-WandW8d79gzP5dKYgg0Ko53GGWaQGB0-N3dwszdpkFf7DDYrY-d0wiHRemTPMPcFWBW4Tkxpzd5Aj_zR4JR2pMPqaUbZugrfdcag" NotOnOrAfter="2016-03-13T12:20:11Z" Recipient="https://chendademoidentity-dev-ed.my.salesforce.com?so=00D58000000KKGe" />
            </saml:SubjectConfirmation>
        </saml:Subject>
        <saml:Conditions NotBefore="2016-03-13T12:00:11Z" NotOnOrAfter="2016-03-13T12:20:11Z" >
            <saml:AudienceRestriction>
                <saml:Audience>https://chendademoidentity-dev-ed.my.salesforce.com</saml:Audience>
            </saml:AudienceRestriction>
        </saml:Conditions>
        <saml:AuthnStatement AuthnInstant="2016-03-13T12:10:10Z" SessionIndex="s2fc96260ddd47755f8c5d8856b9ba93cb3e8fc801" >
            <saml:AuthnContext>
                <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef>
            </saml:AuthnContext>
        </saml:AuthnStatement>
        <saml:AttributeStatement>
            <saml:Attribute Name="SSOID">
                <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string" >demo</saml:AttributeValue>
            </saml:Attribute>
        </saml:AttributeStatement>
    </saml:Assertion>
</samlp:Response>
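The Response above is only useful to Salesforce after it has passed the SP-side checks. The following is an added example, not code from the post, OpenAM or Salesforce, of those checks written against the captured messages: it ties the Response to the outstanding AuthnRequest (InResponseTo), checks Destination and Recipient against the ACS URL, the Audience against the SP entity ID, the Issuer against the trusted IdP, the validity window, and finally extracts the SSOID attribute that Salesforce matches to the user's Federation ID. Signature verification is deliberately not done here, because the IdP certificate is elided from the capture; in a real SP it is the first check, and nothing below may be trusted until it passes. The embedded request and response are constructed from the page's capture, with the long request ID shortened and the ds:Signature elements removed.

```python
import xml.etree.ElementTree as ET  # production code: parse with defusedxml instead
from datetime import datetime, timedelta, timezone
from urllib.parse import urlsplit

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"

# Constructed sample: the page's messages with the request ID shortened and signatures removed.
REQ_ID = "_2CAAAAVQAEuDKME8wNTgwMDAwMDA0Qzk2"
SP_ENTITY = "https://chendademoidentity-dev-ed.my.salesforce.com"
ACS = SP_ENTITY + "?so=00D58000000KKGe"
IDP_ENTITY = "https://cmok.kwaoo.me:8443/OpenAM-13.0.0"

AUTHN_REQUEST = f"""<samlp:AuthnRequest xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
 ID="{REQ_ID}" Version="2.0" IssueInstant="2016-03-13T12:08:53.459Z"
 Destination="{IDP_ENTITY}/SSOPOST/metaAlias/idp" AssertionConsumerServiceURL="{ACS}">
 <saml:Issuer>{SP_ENTITY}</saml:Issuer></samlp:AuthnRequest>"""

RESPONSE = f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
 ID="s2565096ea70e9276f3008cc3c74253315cacab273" InResponseTo="{REQ_ID}"
 Version="2.0" IssueInstant="2016-03-13T12:10:11Z" Destination="{ACS}">
 <saml:Issuer>{IDP_ENTITY}</saml:Issuer>
 <samlp:Status><samlp:StatusCode Value="{SUCCESS}"/></samlp:Status>
 <saml:Assertion ID="s24de3385510bdeab7d9d8ff8cc3271ed4898d1f22" Version="2.0" IssueInstant="2016-03-13T12:10:11Z">
  <saml:Issuer>{IDP_ENTITY}</saml:Issuer>
  <saml:Subject>
   <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">6dh3dC/pJbD47KYDd5R3W8HPBrXu</saml:NameID>
   <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
    <saml:SubjectConfirmationData InResponseTo="{REQ_ID}" Recipient="{ACS}" NotOnOrAfter="2016-03-13T12:20:11Z"/>
   </saml:SubjectConfirmation>
  </saml:Subject>
  <saml:Conditions NotBefore="2016-03-13T12:00:11Z" NotOnOrAfter="2016-03-13T12:20:11Z">
   <saml:AudienceRestriction><saml:Audience>{SP_ENTITY}</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AttributeStatement>
   <saml:Attribute Name="SSOID"><saml:AttributeValue>demo</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
 </saml:Assertion></samlp:Response>"""


def saml_time(s):
    """Parse a SAML UTC timestamp; fractional seconds (present in the request) are dropped."""
    return datetime.strptime(s.split(".")[0].rstrip("Z"), "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)


def outstanding_request(authn_request_xml):
    """What the SP must remember about the AuthnRequest it sent: ID, ACS URL and its own entity ID."""
    root = ET.fromstring(authn_request_xml)
    return {"id": root.get("ID"), "acs": root.get("AssertionConsumerServiceURL"),
            "issuer": root.find("saml:Issuer", NS).text}


def validate_response(response_xml, request, idp_entity, now, skew=timedelta(seconds=60)):
    """Return (federation_id, errors); federation_id is None unless errors is empty."""
    errors = []
    resp = ET.fromstring(response_xml)
    if resp.find("samlp:Status/samlp:StatusCode", NS).get("Value") != SUCCESS:
        errors.append("status is not Success")
    if resp.get("InResponseTo") != request["id"]:
        errors.append("Response.InResponseTo does not match our AuthnRequest ID (replay or unsolicited)")
    if resp.get("Destination") != request["acs"]:
        errors.append("Response.Destination is not our ACS URL")
    assertions = resp.findall("saml:Assertion", NS)
    if len(assertions) != 1:  # more than one assertion is the classic signature-wrapping setup
        errors.append(f"expected exactly one Assertion, got {len(assertions)}")
        return None, errors
    a = assertions[0]
    if a.find("saml:Issuer", NS).text != idp_entity:
        errors.append("Assertion issuer is not the trusted IdP entity ID")
    scd = a.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd.get("InResponseTo") != request["id"] or scd.get("Recipient") != request["acs"]:
        errors.append("SubjectConfirmationData InResponseTo/Recipient mismatch")
    if now >= saml_time(scd.get("NotOnOrAfter")) + skew:
        errors.append("bearer confirmation expired")
    cond = a.find("saml:Conditions", NS)
    if now < saml_time(cond.get("NotBefore")) - skew or now >= saml_time(cond.get("NotOnOrAfter")) + skew:
        errors.append("assertion outside its validity window")
    audiences = [e.text for e in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if request["issuer"] not in audiences:
        errors.append("assertion is not addressed to this SP (Audience)")
    # Salesforce does not use the opaque persistent NameID; it matches the SSOID attribute
    # (Step 1 mapping, uid -> SSOID) against the user's Federation ID.
    value = a.find("saml:AttributeStatement/saml:Attribute[@Name='SSOID']/saml:AttributeValue", NS)
    if value is None:
        errors.append("SSOID attribute missing; no Federation ID to match")
    return (value.text if not errors else None), errors


def relay_state_is_safe(relay_state):
    """RelayState (/home/home.jsp in the capture) is attacker-influenced input: only a
    site-relative path may become the post-login redirect, or the SP is an open redirector."""
    parts = urlsplit(relay_state)
    return (relay_state.startswith("/") and not relay_state.startswith("//")
            and "\\" not in relay_state and not parts.scheme and not parts.netloc)
```

Run against the sample at a clock time inside the window (for instance 12:10:30Z), the checks pass and the Federation ID demo comes back; the same Response presented after 12:20:11Z, or against a different outstanding request ID, is rejected, which is what makes a captured assertion useless to replay.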

Access to Salesforce. Salesforce now has a session for the user: the sid parameter passed to frontdoor.jsp below is the org's session ID, a bearer credential that grants the same access as the login itself, so redact it from any capture you share.

GET https://chendademoidentity-dev-ed.my.salesforce.com/secur/frontdoor.jsp?sid=00D58000000KKGe%21AQMAQJZt9bOXRXGJ6j7v2ulGJdKD8di4GmNUTnT_FutW.ktmU1vYp2Pj8ZwZn60TJW2jNsEh6Wrp5hE19oWDZoybO_Ma1khi&retURL=%2Fhome%2Fhome.jsp&loginURL=https%3A%2F%2Fsaml.salesforce.com%3Fssostartpage%3Dhttps%253A%252F%252Fcmok.kwaoo.me%253A8443%252FOpenAM-13.0.0%252FSSOPOST%252FmetaAlias%252Fidp%26saml_request_id%3D_2CAAAAVQAFFRJME8wNTgwMDAwMDA0Qzk2AAAAyJvKxj_hB_mTp8UAboi2jE6OZQKzHWf0KNTce0vtJ_LuvBDgqFXx5geppnPpwa-eqHHyOPh7-pW2YG2gm9iZBYmT3xOZSG_CCc4WaRm9TKNDVKtAwsc66oRVUrwllAnDDT7JLYMi7N74vL7kCqWJyRwyvgmKqi0AQpBAQO0ec2XOa9ML5ayJX6jFw9i-89zuSJ9vxfVvdjt7HMnPfte0NToXmXvMNDj7m44vPvgHp6BwqaOtFl5Bosf-iX11l3fKqQ%26logouturl%3Dhttps%253A%252F%252Fcmok.kwaoo.me%253A8443%252FOpenAM-13.0.0%252F&cshc=8000000TFw68000000KKGe HTTP/1.1

 
Thanks for reading.
 


About Chenda Mok

19 years of hands-on experience in software design and development with emphasis on Enterprise Application Integration (EAI), Services Oriented Architecture (SOA) and Identity Management (IDM) solutions. I'm a software engineer, member of the professional services delivery team working for Salesforce. Prior to this, I worked for Oracle as Solution Architect, through SeeBeyond (06/2005), then SUN's acquisition (04/2009). After my master's degree in computer science in 1997, I have always delivered consulting on architecture, design and implementation in the integration field. I'm interested in architecture using EAI/SOA/IDM/BPM/Cloud technologies, software development and Java-related technologies. I may blog about my work/activities at Salesforce, but I do not speak for my employer, past, present or future.
This entry was posted in Salesforce.