I had the opportunity to integrate OpenAM (/OpenSSO) with Salesforce. In order to do some SAML federation with Salesforce Identity, I would like to have my own hands-on lab to work with. Working in the cloud with Salesforce, we can have a demo org in a few clicks. Things are different when you have to install and configure new software. Fortunately, in my past life at Sun Microsystems, I installed and configured the OpenSSO Security Token Service module for a large customer in the energy sector.
OpenAM and Salesforce both support federated authentication and can act as IdP and/or SP. The credentials (username and password) are validated on the IdP, and the SP receives a SAML assertion in an HTTP POST request.
The SAML assertion is a digitally signed XML document that:
- carries a valid signature from a trusted identity provider
- has a limited validity period (token lifetime)
- contains a unique federation identifier.
If everything goes well, the user is granted access to the application (SP).
There are two important use cases for SAML federation:
- Identity Provider Initiated Login: the user opens the login page of their identity provider, enters their credentials, and is then redirected to a landing/home page at the service provider.
- Service Provider Initiated Login: the user starts by clicking a link to the service provider (e.g. a bookmark, a mailed link, …), is temporarily redirected to the identity provider login page for authentication, and is then returned to the link they initially requested (also known as the deep linking scenario).
The most widely used is Service Provider Initiated Login, and I will concentrate on this use case.
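To make the two SP-side steps of an SP-initiated login concrete (the AuthnRequest with its RelayState for deep linking, then the checks on the POSTed assertion: trusted issuer, signature covering the assertion, validity window, audience, InResponseTo and NameID), here is an added example in Python. It is not code from this post nor from OpenAM or Salesforce; the entity IDs, URLs, NameID and clock value are constructed for a lab, and the sample response carries a placeholder SignatureValue because the cryptographic XML-DSig check belongs to an XML signature library in a real assertion consumer service.

```python
"""Added example (not from the post): SP side of an SP-initiated SAML 2.0 login,
with a constructed IdP response for offline testing. Cryptographic verification
of the XML signature is delegated to an XML-DSig library in a real deployment;
this code checks the structural, time and audience constraints the post lists."""
import base64
import secrets
import uuid
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
SP_ENTITY_ID = "https://sp.example.test/saml/metadata"   # constructed lab value
IDP_ENTITY_ID = "https://openam.example.test/openam"      # constructed lab value
SSO_URL = IDP_ENTITY_ID + "/SSORedirect/metaAlias/idp"     # constructed lab value
FMT = "%Y-%m-%dT%H:%M:%SZ"


def ts(dt):
    return dt.strftime(FMT)


def parse_ts(s):
    return datetime.strptime(s, FMT).replace(tzinfo=timezone.utc)


def build_authn_request(now):
    """Step 1: the SP builds an AuthnRequest and remembers its ID plus a random
    RelayState, so the user can be sent back to the deep link after login."""
    request_id = "_" + uuid.uuid4().hex
    relay_state = secrets.token_urlsafe(16)
    xml = (f'<samlp:AuthnRequest xmlns:samlp="{NS["samlp"]}" xmlns:saml="{NS["saml"]}" '
           f'ID="{request_id}" Version="2.0" IssueInstant="{ts(now)}" Destination="{SSO_URL}">'
           f'<saml:Issuer>{SP_ENTITY_ID}</saml:Issuer></samlp:AuthnRequest>')
    return request_id, relay_state, xml


def validate_response(saml_response_b64, expected_request_id, now):
    """Step 2: the SP checks the HTTP-POSTed SAMLResponse. Returns the federated
    identifier (NameID) or raises ValueError. Signature bytes are NOT verified
    here; a real ACS runs the XML-DSig check with the IdP certificate first."""
    root = ET.fromstring(base64.b64decode(saml_response_b64))
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        raise ValueError("no Assertion")
    if assertion.findtext("saml:Issuer", namespaces=NS) != IDP_ENTITY_ID:
        raise ValueError("untrusted issuer")
    # The signature must sit inside the assertion and reference this assertion's
    # ID; a signature over some other element must not be accepted for it.
    ref = assertion.find("ds:Signature/ds:SignedInfo/ds:Reference", NS)
    if ref is None or ref.get("URI") != "#" + assertion.get("ID", ""):
        raise ValueError("signature missing or does not cover this assertion")
    cond = assertion.find("saml:Conditions", NS)
    if cond is None:
        raise ValueError("no Conditions")
    if not (parse_ts(cond.get("NotBefore")) <= now < parse_ts(cond.get("NotOnOrAfter"))):
        raise ValueError("assertion outside its validity period")
    audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if SP_ENTITY_ID not in audiences:
        raise ValueError("assertion not meant for this SP")
    scd = assertion.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd is None or scd.get("InResponseTo") != expected_request_id:
        raise ValueError("InResponseTo does not match an outstanding request")
    name_id = assertion.findtext("saml:Subject/saml:NameID", namespaces=NS)
    if not name_id:
        raise ValueError("no NameID")
    return name_id


def sample_response(request_id, now, lifetime_minutes=5):
    """Constructed IdP response for offline tests (placeholder SignatureValue)."""
    aid = "_" + uuid.uuid4().hex
    expiry = ts(now + timedelta(minutes=lifetime_minutes))
    xml = (f'<samlp:Response xmlns:samlp="{NS["samlp"]}" xmlns:saml="{NS["saml"]}" '
           f'xmlns:ds="{NS["ds"]}" ID="_r{aid}" Version="2.0" IssueInstant="{ts(now)}">'
           f'<saml:Assertion ID="{aid}" Version="2.0" IssueInstant="{ts(now)}">'
           f'<saml:Issuer>{IDP_ENTITY_ID}</saml:Issuer>'
           f'<ds:Signature><ds:SignedInfo><ds:Reference URI="#{aid}"/></ds:SignedInfo>'
           f'<ds:SignatureValue>PLACEHOLDER</ds:SignatureValue></ds:Signature>'
           f'<saml:Subject><saml:NameID>alice@example.test</saml:NameID>'
           f'<saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">'
           f'<saml:SubjectConfirmationData InResponseTo="{request_id}" NotOnOrAfter="{expiry}"/>'
           f'</saml:SubjectConfirmation></saml:Subject>'
           f'<saml:Conditions NotBefore="{ts(now - timedelta(minutes=1))}" NotOnOrAfter="{expiry}">'
           f'<saml:AudienceRestriction><saml:Audience>{SP_ENTITY_ID}</saml:Audience>'
           f'</saml:AudienceRestriction></saml:Conditions></saml:Assertion></samlp:Response>')
    return base64.b64encode(xml.encode()).decode()


def demo():
    """Run the happy path plus two rejections (expired token, unsolicited response)."""
    now = datetime(2024, 1, 1, 12, 0, 0, tzinfo=timezone.utc)  # constructed clock
    req_id, relay_state, _ = build_authn_request(now)
    resp = sample_response(req_id, now)
    results = {"ok": validate_response(resp, req_id, now), "relay_state": relay_state}
    for label, rid, when in [("stale", req_id, now + timedelta(minutes=10)),
                             ("unsolicited", "_other", now)]:
        try:
            validate_response(resp, rid, when)
            results[label] = "accepted"
        except ValueError as e:
            results[label] = str(e)
    return results


if __name__ == "__main__":
    print(demo())
```

The RelayState is what makes deep linking work: the SP stores it with the request ID, the IdP echoes it back unchanged in the POST, and the SP uses it to look up the originally requested URL rather than trusting a URL supplied in the response itself.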
I have already described how to expose your OpenAM instance on the internet. This is a prerequisite before doing any configuration in OpenAM.
Below are the posts I have configured and tested:
- OpenAM and Salesforce Hands On series
- Part1: OpenAM as Identity Provider / Salesforce as Service Provider – Federated Single Sign On
- Part2: OpenAM as Identity Provider / Fedlet as Service Provider – Federated Single Sign On
- Part3: Salesforce Identity as IdP / Heroku Web App as SP (easy to set up)
- Part4: Salesforce as Identity Provider / Fedlet as Service Provider – Federated Single Sign On
- Part5: Configuring Salesforce & OpenAM as IdPs & SPs (to document)
I will complete these scenarios based on tests I have successfully run in my labs.
Thanks for reading.