Implementation of Single Sign On using SAML in Salesforce - Part 3

After knowing how does the SSO work in Part 1 and Part 2, let's gear up to know how we can set up Salesforce as an Identity Provider and define Service Provider with Salesforce. 

Enabling Salesforce as an Identity provider

1. Set up a My domain
2. From Setup, click Security Controls | Identity Provider, and then click Enable Identity Provider
3. Select the certificate: If you haven't created a self-signed certificate, one is automatically generated for you and assigned as the certificate for your identity provider.

Note:

1. Salesforce is automatically enabled as an identity provider for domains created in Winter ‘14 or later.
2.  After you enable Salesforce as an identity provider, you can define service providers.

Defining Service Providers as SAML-Enabled Connected Apps

Prerequisites

1. Enabling Salesforce as an Identity Provider
2. Give your service provider information about your configuration of Salesforce as an identity provider.
3. From Setup, click Security Controls | Identity Provider, then click Download Certificate or Download Metadata.
4. Get the following information from your service provider

• Assertion consumer service (ACS) URL: The ACS URL comes from the SAML service provider.
• Entity ID: This value comes from the service provider.
• Subject type: specifies if the subject for the SAML response from Salesforce (as an identity provider) is a Salesforce user name or a federation ID
• Issuer: your organization’s My Domain
• Start URL: Directs users to a specific location when they run the application

To authorize users for this SAML application

1. From Setup click Manage Apps | Connected Apps and then click the name of the application.
2. Select the profiles and/or permission sets that can access the application.

    

Implementation of Single Sign On using SAML in Salesforce - Part 2

Implementing a Single Sign-On (SSO) infrastructure enables users to sign in once and have access to all authorized resources.

On contrary to the previous post, when Salesforce doesn't work as Identity provider, this is how the Identity Provider Initiated Login and Service Provider Initiated Login works:

Identity Provider Initiated Login:

• where a user starts directly at their identity provider,
• logs in, and
• is then redirected to a landing page at the service provider;

Service Provider Initiated Login:

• where a user starts by clicking a link to the the service provider (e.g. a bookmark, mailed link, etc)
• and temporarily redirected to the identity provider for authentication,
• then returned to the link they initially requested.

To be continued... 

Implementation of Single Sign On using SAML in Salesforce - Part 1

As a part of the project, Single Sign-On through Federated Authentication using SAML (Security Assertion Markup Language) is being implemented. Working on the Order Capture has intrigued me to explore a little bit about implementation of Single Sign On (SSO) in Salesforce.

IDP: Identity Provider

The above 4 steps are transparent to the User. The User just clicks on the login button, the above 4 processes happens in the background, and the User logs into the application.

Salesforce supports the following:

• Identity-provider-initiated login: when Salesforce logs into a service provider at the initiation of the end-user

    

• User tries to access a service provider already defined in Salesforce.

• Salesforce sends a SAML response to the service provider.

• Service provider identifies the user and authenticates the certificate.

• If the user is identified, they are logged into the service provider.

• Service-provider-initiated login: when the service provider requests Salesforce to authenticate a user, at the initiation of the end-user

• The service provider sends a valid SAML request. The endpoint is automatically generated when the service provider is defined—the SP-Initiated POST Endpoint.

• Salesforce identifies the user included in the SAML request. If a certificate was included as part of the definition, Salesforce authenticates the certificate.

• If the user isn’t already logged into Salesforce, they are prompted to do so.

• Salesforce sends a SAML response to the service provider.

• The service provider authenticates the SAML response sent by Salesforce. If the user has been authenticated, they are logged into the service provider. The user is also logged into Salesforce.

To be continued.. stay tuned for the next blog. 

JavaScript Remoting for Apex Controllers

Following are some basic focus areas when trying to use JavaScript Remoting in Apex & Visualforce

• Differences between JavaScript Remoting and apex:actionFunction component
• Three implementation areas of JavaScript Remoting
• Handling the Remote Response in JavaScript Remoting
• Using JavaScript to Reference Components

Let's go through a basic example on JavaScript Remoting usage

• A basic example on JavaScript Remoting usage

Using JavaScript to Reference Components

To refer to a Visualforce component in JavaScript

• you must specify a value for the id attribute for that component.
• A DOM ID is constructed from a combination of the id attribute of the component and the id attributes of all components that contain the element.
• Use the $Component global variable to simplify referencing the DOM ID that is generated for a Visualforce component, and reduce some of the dependency on the overall page structure.

To reference a specific Visualforce component’s DOM ID

•   Add a component path specifier to $Component, using dot notation to separate each level in the component hierarchy of the page.
•   For example,
  • use {!$Component.itemId} to reference a component at the same level in the Visualforce component hierarchy,
  • Or use {!$Component.grandparentId.parentId.itemId} to specify a more complete component path.

A $Component path specifier is matched against the component hierarchy

• At the current level of the component hierarchy where $Component is used; and then
• At each successive higher level in the component hierarchy, until a match is found, or the top-level of the component hierarchy is reached.
• Backtracking is not allowed. so if the ID you’re trying to match requires a traversal up and then back down, it won’t match.

Handling the Remote Response in JavaScript Remoting

The Callback Function receives 2 parameters

• Event object: represents the status of the remote call

•   event.status : true on success, false on error.
•   event.type :  type of the response: rpc for a successful call, exception if the remote method threw an exception, and so on.
•   event.message : contains any error message that is returned.
•   event.where : contains the Apex stack trace, if one was generated by the remote method.

• Result object: represents result returned by the remote Apex method

• Apex primitive data types returned by result—such as strings or numbers—are converted to their JavaScript equivalents.
• Apex objects that are returned are converted to JavaScript objects,
• Collections are converted to a JavaScript array.
• Keep in mind that JavaScript is case-sensitive, so id, Id, and ID are considered different fields.

Points to remember

•   The remote method call executes synchronously, but it doesn’t wait for the response to return.
•   When the response returns, the callback function handles it asynchronously.
•   By default, the response of the remote call must return within 30 seconds, after which the call will time out. If your request needs longer to complete, configure a longer timeout, up to 120 seconds.
•   The response of the remote call has a maximum size of 15 MB.

Three implementation areas of JavaScript Remoting

JavaScript remoting can be used in Visualforce to call methods in Apex controllers from JavaScript.

Moreover, it helps in creating pages with complex, dynamic behaviour that isn’t possible with the standard Visualforce AJAX components.

3 things to be implemented while using JavaScript Remoting

• Remote Method Invocation you add to the Visualforce page, written in JavaScript

  Visualforce.remoting.Manager.invokeAction(

            '{!$RemoteAction.controllerName.methodName}',

            [parameters...,],

            callbackFunction,

           [configuration]        );  

  }

• Remote Method Definition in your Apex controller class

  @RemoteAction

    [public,global] static [ReturnType..] methodName([parameters...,]) {

        //...        return [ReturnType..];  

   }

• Response Handler Callback Function you add to or include in your Visualforce page, written in JavaScript

  callbackFunction(result, event){

  //...

  }