Salesforce Delegated Authentication

This post is radically different from my previous posts – it’s going to be written in C#!!!
Salesforce offers two mechanisms for SSO. One is SAML, which is nice, but it doesn't work on mobile devices in disconnected mode. The other is delegated authentication: Salesforce calls a web service that you host and that implements a predefined WSDL. The web service receives the username, the password and the source IP address of the login attempt, and must return true or false.
So, let’s get down to business:

  1. Configure Delegated Authentication
    1. Open your Salesforce account for delegated authentication. For some reason, this is not enabled by default, and you need to ask your SF guys to enable this feature.
    2. Log in to Salesforce, and click the Setup link
    3. Click Security Controls→Single Sign-On Settings
    4. Click on Edit, and enter your Web Service URL
  2. Assign users to the Delegated Authentication
    1. Log in to Salesforce, and click the Setup link
    2. Click Manage Users→Profiles
    3. Select the user profile
    4. Click the Edit button
    5. Make sure the “Is Single Sign-On Enabled” checkbox is enabled
    6. Click Save

And now the code:

    using System;
    using System.Configuration;
    using System.Diagnostics;
    using System.DirectoryServices.Protocols;
    using System.Net;
    using System.Web.Services;

    namespace DelegatedAuthenticationService
    {
        /// <summary>
        /// Delegated authentication endpoint called by Salesforce (force.com).
        /// IAuthenticationBinding is the server-side interface generated from the
        /// Salesforce delegated authentication WSDL, so the SOAP contract (namespace,
        /// operation and parameter names) matches what Salesforce sends.
        /// </summary>
        [WebService(Namespace = "urn:authentication.soap.sforce.com", Description = "v1.1.3")]
        [WebServiceBinding(ConformsTo = WsiProfiles.BasicProfile1_1)]
        [System.ComponentModel.ToolboxItem(false)]
        public class DelegatedSecurityService : System.Web.Services.WebService, IAuthenticationBinding
        {
            [WebMethod]
            public bool Authenticate(string username, string password, string sourceIp, System.Xml.XmlElement[] Any)
            {
                // Fail closed on empty credentials: an empty password would otherwise
                // turn the LDAP bind below into an anonymous bind that succeeds.
                if (string.IsNullOrEmpty(username) || string.IsNullOrEmpty(password))
                {
                    Audit(username, sourceIp, "FAIL", "missing username or password");
                    return false;
                }

                try
                {
                    // Business logic: validate the credentials with an LDAP bind.
                    // The directory host is read from an appSettings key (assumed name: LdapServer);
                    // the user name format the bind accepts (DN, UPN, ...) depends on your directory.
                    using (var connection = new LdapConnection(ConfigurationManager.AppSettings["LdapServer"]))
                    {
                        connection.AuthType = AuthType.Basic;
                        connection.Credential = new NetworkCredential(username, password);
                        connection.Bind(); // throws LdapException when the password is incorrect
                    }
                    Audit(username, sourceIp, "SUCCESS", string.Empty);
                    return true;
                }
                catch (Exception e)
                {
                    // Connection can not be created - password is incorrect (or directory unreachable)
                    Trace.TraceError("Failed to get LDAP connection. Error message is : " + e.Message);
                    Audit(username, sourceIp, "FAIL", e.Message);
                    return false;
                }
            }

            // Audit record for every decision, including the IP Salesforce reports; never log the password.
            private static void Audit(string username, string sourceIp, string outcome, string detail)
            {
                Trace.TraceInformation("AUTH {0} user={1} sourceIp={2} {3}", outcome, username, sourceIp, detail);
            }
        }
    }
    

It's important to note that Salesforce limits the time it waits for the service: the entire request/response (including network time) must complete in less than ~5 seconds, otherwise users get a "failed to login" message.
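Because Salesforce gives up after roughly five seconds, the service should answer within its own, shorter budget rather than let a slow directory run out the clock. The helper below is an added example, not code from the original post; the `DeadlineGuard` class, its 3-second budget and the stand-in credential checks are assumptions.

```csharp
using System;
using System.Diagnostics;
using System.Threading;
using System.Threading.Tasks;

// Hypothetical helper: runs the credential check under a local deadline so the
// service returns "false" in time instead of letting Salesforce hit its ~5 s limit.
public static class DeadlineGuard
{
    // Well below the Salesforce limit, leaving room for network latency and SOAP overhead.
    public static readonly TimeSpan Budget = TimeSpan.FromSeconds(3);

    public static bool Authenticate(Func<bool> credentialCheck, TimeSpan budget, out string outcome)
    {
        var stopwatch = Stopwatch.StartNew();
        var work = Task.Run(credentialCheck);
        try
        {
            if (!work.Wait(budget))
            {
                // Fail closed: the check is still running, but an answer is due now.
                outcome = "TIMEOUT after " + stopwatch.ElapsedMilliseconds + " ms";
                return false;
            }
        }
        catch (AggregateException ex)
        {
            // Wait() rethrows a faulted check (e.g. a failed LDAP bind) as AggregateException.
            outcome = "FAIL: " + ex.GetBaseException().Message;
            return false;
        }
        outcome = (work.Result ? "SUCCESS" : "FAIL") + " in " + stopwatch.ElapsedMilliseconds + " ms";
        return work.Result;
    }

    public static void Main()
    {
        string outcome;
        // Constructed stand-ins for the LDAP bind: a fast accept, a fast reject,
        // a bind that throws, and a directory that hangs.
        Console.WriteLine(Authenticate(() => true, Budget, out outcome) + " " + outcome);
        Console.WriteLine(Authenticate(() => false, Budget, out outcome) + " " + outcome);
        Console.WriteLine(Authenticate(() => { throw new InvalidOperationException("bind failed"); }, Budget, out outcome) + " " + outcome);
        Console.WriteLine(Authenticate(() => { Thread.Sleep(10000); return true; }, Budget, out outcome) + " " + outcome);
    }
}
```

The last case returns `false` after about three seconds even though the check would eventually have said `true`; wire the `outcome` string into the audit log so timeouts are distinguishable from wrong passwords.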

Good luck!

12 thoughts on “Salesforce Delegated Authentication”

  1. Hi, I just started coding delegated authentication in Salesforce, and now I'm facing a problem. Any help will be appreciated. Here are the steps I followed:

    1- ask Salesforce to enable delegated authentication: done

    2- code a web service based on the instructions at https://help.salesforce.com/apex/HTViewHelpDoc?id=sso_delauthentication_configuring.htm&language=nl : done

    3- configure Salesforce to support delegated authentication and single sign-on
    3.1- configure the profile to enable single sign-on: done
    3.2- configure the sign-on gateway URL with my service (http://service.xzy.mysalesforce.asmx): done

    4- run tests posting data to Salesforce based on the instructions (sample implementations) at https://developer.salesforce.com/page/How_to_Implement_Single_Sign-On_with_Force.com : done

    ** Results
    1- The default login page from Salesforce is still working; this seems good and shows that the asmx is fine;

    2- Problem: the sample application posts data to https://www.salesforce.com/login.jsp (just like the sample) with all fields, token, user etc., and here nothing happens. I'm stuck on the login page without any errors or messages or redirects.

    Am I missing something in the process? I didn't configure SSL for the asmx; is that a problem?

    Thanks in advance

    • 1. Not sure that means the asmx is fine.
      2. Do you see any calls to the asmx (log file?)
      3. Inside Salesforce, you have a log that shows the errors in the “Setup | Manage Users | Single Sign-On Error History” page of Salesforce
      4. You must have a signed SSL certificate for your server.

      • Thanks for the reply 🙂

        I assume that my asmx is fine because I can log in to SF using the default login page, and if I turn off my asmx the default login page stops working, so I think the asmx is not the problem.

        About the logs, yes, I see the logs, but only if I use the default login page in SF. Again, I trust the asmx: if I mess up the asmx and use the login page I can see the errors there.

        But when I use the sample redirect code provided here https://developer.salesforce.com/page/How_to_Implement_Single_Sign-On_with_Force.com (OK, pointing to my login page), this is where I'm stuck: nothing happens, no login, no log errors inside SF, nothing.

        • Hi again, forgot to add

          When I use the sample and I don't see any logs, to me it looks like SF is not calling my asmx.

          Forgot another thing, about SSL: is this required? Maybe this is where my problem is.

    • Hi,

      thank you for your help,

      No, I don't have any log when I try by posting data to the login page; I only have logs when I use the default Salesforce login page and something goes wrong. But one thing is for sure: I'm not using SSL. Since this is mandatory, I will put my asmx on it.

  2. I don't understand. Why does your web service have a web UI? The only thing you need to do is provide a web service, not an actual login page.

  3. Hi,

    this is my intranet link to the login page.

    Here I found a sample:
    “https://developer.salesforce.com/page/How_to_Implement_Single_Sign-On_with_Force.com” – there is a sample implementations area; if you look at it you will find a page “gotosfdc.aspx” that demonstrates an intranet link as a sample for the SSO. In the sample the form posts to https://www.salesforce.com/login.jsp, and in my case I need to post to https://mycompany.force.com/folder2/login; from there Salesforce will make the call back to the asmx.

    The asmx is fine; my goal here is my intranet link to the login page.
