Re: Assist a newbie to set up simpleSAMLphp and Salesforce


Olav Morken

Jul 5, 2012, 4:00:13 AM
to simple...@googlegroups.com
On Wed, Jul 04, 2012 at 06:45:08 -0700, Mark Berry wrote:
> Hi All,
>
> First of all, thanks for what I think will be the perfect open source
> solution for my problems.
> However second, I've been battling away at this for a few days now and am
> completely lost in terminology and files, and haven't got a clue how to
> achieve what I want any more.
>
> The problem:
> I need to link my salesforce to my mysql db of users.
>
> I have downloaded simplesamlphp 1.8.2 (ubuntu package) and installed,
> configured apache and can do the admin login on the pages provided.
> I have also edited the authsources.php config file, setting up own SQL
> authentication source and linking in my tables. I have also been able to
> verify this works by logging in via the simplesamlphp web pages.
>
> What I am absolutely flummoxed about though is where to get the necessary
> fields for the salesforce side of things, or how to set up the necessary
> attributes that they appear to require.
> The fields they are asking for are:

I would hope that they have documented what the purpose of the fields
are somewhere. I can only guess...

> Issuer

Either the entityID that salesforce uses when contacting your IdP, or
the entityID of your IdP. The latter can be found in your IdP metadata.

> Identity Provider Certificate

The certificate you created when configuring your IdP:

http://simplesamlphp.org/docs/1.9/simplesamlphp-idp#section_7

> Identity Provider Login URL

Probably the SingleSignOnService endpoint for your IdP. You can find it
in your IdP metadata.

> Identity Provider Logout URL

Probably the SingleLogoutService endpoint for your IdP. Also in your
IdP metadata.


> Custom Error URL

No idea.

> SAML User ID Type
> - Assertion contains User's salesforce.com username
> - Assertion contains the Federation ID from the User object

My guess is that this determines how you are going to link the user
account the user logs in with on the IdP with the user account in
salesforce.

> SAML User ID Location
> - User ID is in the NameIdentifier element of the Subject statement
> - User ID is in an Attribute element

You will probably use an attribute. (Where can you configure which
attribute?)

> Can anyone assist in helping me determine how I get these values.
> The Issuer I guess is the value I enter for idp in the authsources.php file?

The 'idp'-field in authsources.php is only for when you configure
simpleSAMLphp as an SP, but in this case you need to configure it as an
IdP.

> The urls I think come from saml20-sp-remote.php - something like
> http://www.test.org/saml/module.php/saml2/sp/metadata.php/XXX - but it's
> beyond me what they should actually be and every combination I've tried
> hasn't worked.

saml20-sp-remote is where you configure service providers connecting to
your IdP. This means that you register salesforce metadata in this
file. I would hope that salesforce has some documentation about what
the values should be somewhere...

> Then finally there's the additional metadata which I haven't even tried to
> consider yet.
>
> Anyone who could help me out I would very much appreciate it.
> Equally I'd be more than happy to contribute back my learning for a
> salesforce integration tutorial if anyone thinks that might help?

I think at least a summary on the mailing list would be nice -- there
have been several people configuring salesforce with simpleSAMLphp, but
I haven't seen a clear summary of all that needs to be done.

Best regards,
Olav Morken
UNINETT / Feide

Tom Scavo

Jul 5, 2012, 8:38:38 AM
to simple...@googlegroups.com
On Thu, Jul 5, 2012 at 4:00 AM, Olav Morken <olav....@uninett.no> wrote:
> On Wed, Jul 04, 2012 at 06:45:08 -0700, Mark Berry wrote:
>>
>> Custom Error URL
>
> No idea.

There is an errorURL XML attribute on the IDPSSODescriptor element in metadata.

Tom

Mark Berry

Jul 5, 2012, 10:30:09 AM
to simple...@googlegroups.com
Many Thanks for your assistance Olav - it sent me on the right path - here's what I have done so far, however I am sad to say this isn't a working solution just progress so far:

From a straight install of simplesamlphp I edited the authsources.php.
Here I added my source X and configured as necessary - I verified this worked by going to
- http://my.domain.com/simplesamlphp
- > Authentication Tab
- >Test configured authentication sources
- > X
- here I entered a username and password that I know to work and was duly authenticated and presented with my metadata[ref#1] - all's good

I then went to the modules sub folder and created the file saml20-idp-hosted.php and entered the following:

$metadata['salesforce'] = array(
  'host' => 'my.domain.com',
  'privatekey' => 'saml.pem',
  'certificate' => 'saml.crt',
  'auth' => 'X',
);

[Aside - on reflection not sure salesforce is the correct name as I'm the idp?? but that's what I entered anywho]

saml.pem and saml.crt I created as per instructions (http://simplesamlphp.org/docs/1.9/simplesamlphp-sp#section_1_1)

I verified this worked by going to
- http://my.domain.com/simplesamlphp
- > Federation Tab
Here I saw :

SAML 2.0 IdP Metadata

Entity ID: salesforce
[show metadata]

Clicking on [show metadata] gave me the fields I think I am interested in for salesforce.
The second section "simpleSAMLphp flat file format" was easiest to read and is where I obtained $metadata value referenced below

So off to salesforce go to Setup > Security Controls > Single Sign On Settings.

Tick the box to 'Enable SAML'

This gave me the following fields which I completed as follows

Issuer: X
Identity Provider Certificate: uploaded file I had previously created
Identity Provider Login URL: $metadata['salesforce']['SingleSignOnService']
Identity Provider Logout URL: $metadata['salesforce']['SingleLogoutService']
Custom Error URL: [cheers Tom Scavo but I couldn't find this]
SAML User ID Type: chose: "Assertion contains the Federation ID from the User object"
SAML User ID Location: chose: "User ID is in an Attribute element"

This last option gave me 2 more fields:

Attribute Name: Here I entered the necessary label taken from the page I mentioned above at [ref#1]
Name ID Format: $metadata['salesforce']['NameIDFormat']

Click save et voilà.

Salesforce then give you a bunch of urls and some metadata.xml file you can access.

Download the xml file then go to: http://my.domain.com/simplesamlphp/admin/metadata-converter.php.

I copied the results from this page into saml20-sp-remote.php, as I believe I need to tell my idp about sp's that will be using it.


Back on my salesforce page I have a url for "Salesforce.com Login URL".

I've been to the provided url and entered my username and password but with no success.

And sadly now I am stumped again - I don't know what's failing as I cannot see any logs anywhere on salesforce.

One thing it does provide is a "SAML Assertion validator". with the following description:

"Enter your SAML response in base64-encoded, deflated and base64-encoded, or plain xml format into the field below, and click Validate.

The response will be validated against the values configured in the Single Sign-On Settings page.

The validator will try to continue validation even if it finds an error. However, the validator cannot recover from some errors. More errors may be revealed after you fix the initial problem. Additionally, errors not related to the assertion itself will not be detected by this validator. Please refer to the login history for more information on such failures.

Your organization is configured to use SAML Version 2.0"

There is then a "SAML Response" header and a textarea input.


I think this is the next step in verifying my implementation - any suggestions on where I can grab my own SAML responses when I am validating on my server??

As always I am humbly grateful for any assistance from the community.
Equally I hope my description above proves useful to someone

Cheers

Mark
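
Olav's mapping above (Issuer is the entityID, the login and logout URLs are the SingleSignOnService and SingleLogoutService endpoints, the certificate is the one in the signing KeyDescriptor) and Tom's errorURL attribute can all be read out of the IdP metadata XML that the Federation tab shows. The Python below is an added example, not code from this thread or from simpleSAMLphp; it parses a constructed metadata sample whose host, entityID and certificate body are placeholders, and it refuses SP metadata, which is the IdP/SP mix-up Olav points out about the 'idp' key in authsources.php.

```python
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"

# Constructed sample in the shape simpleSAMLphp publishes; the host, entityID and
# certificate body are placeholders, not values from the thread.
SAMPLE_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://my.domain.com/simplesamlphp/saml2/idp/metadata.php">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"
      errorURL="https://my.domain.com/sso-help">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate> MIIC...PLACEHOLDER... </ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://my.domain.com/simplesamlphp/saml2/idp/SingleLogoutService.php"/>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</md:NameIDFormat>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://my.domain.com/simplesamlphp/saml2/idp/SSOService.php"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

def _redirect_endpoint(idp, tag):
    """Location of the HTTP-Redirect endpoint of the given element type, or None."""
    for el in idp.findall(f"md:{tag}", NS):
        if el.get("Binding") == REDIRECT:
            return el.get("Location")
    return None

def salesforce_fields(metadata_xml):
    """Map IdP metadata onto the fields on Salesforce's Single Sign-On Settings page."""
    root = ET.fromstring(metadata_xml)
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:  # SP metadata (the 'idp' key in authsources.php is SP-side config)
        raise ValueError("no IDPSSODescriptor: this is not IdP metadata")
    key = idp.find("md:KeyDescriptor[@use='signing']", NS)
    cert = key.find(".//ds:X509Certificate", NS) if key is not None else None
    fmt = idp.find("md:NameIDFormat", NS)
    return {
        "Issuer": root.get("entityID"),
        "Identity Provider Certificate": "".join(cert.text.split()) if cert is not None else None,
        "Identity Provider Login URL": _redirect_endpoint(idp, "SingleSignOnService"),
        "Identity Provider Logout URL": _redirect_endpoint(idp, "SingleLogoutService"),
        "Custom Error URL": idp.get("errorURL"),
        "Name ID Format": fmt.text.strip() if fmt is not None else None,
    }
```

The certificate comes back as the bare base64 body; wrap it in BEGIN/END CERTIFICATE lines if Salesforce needs it as a file upload rather than a pasted value.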

Olav Morken

Jul 6, 2012, 2:46:43 AM
to simple...@googlegroups.com
On Thu, Jul 05, 2012 at 07:30:09 -0700, Mark Berry wrote:
> Many Thanks for your assistance Olav - it sent me on the right path - here's
> what I have done so far, however I am sad to say this isn't a working
> solution just progress so far:
>
> From a straight install of simplesamlphp I edited the authsources.php.
> Here I added my source X and configured as necessary - I verified this
> worked by going to
> - http://my.domain.com/simplesamlphp
> - > Authentication Tab
> - >Test configured authentication sources
> - > X
> - here I entered a username and password that I know to work and was duly
> authenticated and presented with my metadata[ref#1] - all's good
>
> I then went to the modules sub folder and created the file
> saml20-idp-hosted.php and entered the following:

(I assume you meant metadata sub folder, and not modules sub folder.)

> $metadata['salesforce'] = array(
> 'host' => 'my.domain.com',
> 'privatekey' => 'saml.pem',
> 'certificate' => 'saml.crt',
> 'auth' => 'X',
> );
>
> [Aside - on reflection not sure salesforce is the correct name as I'm the
> idp?? but that's what I entered anywho]

Strictly speaking, it is not a valid name (it is supposed to be a
URI), but most software doesn't care, and just treats it as an opaque
string. I'd suggest using a more unique entityID though. (I do not know
what the salesforce SP does if two IdPs are using the same entityID?)

> saml.pem and saml.crt I created as per instructions
> (http://simplesamlphp.org/docs/1.9/simplesamlphp-sp#section_1_1)
>
> I verified this worked by going to
> - http://my.domain.com/simplesamlphp
> - > Federation Tab
> Here I saw :
>
> SAML 2.0 IdP Metadata
>
> Entity ID: salesforce
> [show metadata]
>
> Clicking on [show metadata] gave me the fields I think I am interested in
> for salesforce.
> The second section "simpleSAMLphp flat file format" was easiest to read and
> is where I obtained $metadata value referenced below
>
> So off to salesforce go to Setup > Security Controls > Single Sign On
> Settings.
>
> Tick the box to 'Enable SAML'
>
> This gave me the following fields which I completed as follows
>
> Issuer: X
> Identity Provider Certificate: uploaded file I had previously created
> Identity Provider Login URL: $metadata['salesforce']['SingleSignOnService']
> Identity Provider Logout URL: $metadata['salesforce']['SingleLogoutService']
> Custom Error URL: [cheers Tom Scavo but I couldn't find this]

It is not in our generated metadata. From the specification:

Optional URI attribute that specifies a location to direct a user
for problem resolution and additional support related to this role.

If you have a suitable URL, you could add it here.
I suggest using our SAML tracer add-on for Firefox:

https://addons.mozilla.org/en-US/firefox/addon/saml-tracer/

It will show you both the decoded response, and the base64-encoded
response.

> As always I am humbly grateful for any assistance from the community.
> Equally I hope my description above proves useful to someone

So far it is the best description I have seen on how to configure
simpleSAMLphp for salesforce.
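
The Salesforce validator Mark quotes accepts the response as plain XML, base64, or deflated-then-base64, and a SAML tracer capture shows the base64 form alongside the decoded one. The Python below is an added example, not code from this thread or from simpleSAMLphp: it normalises any of those forms back to XML and pulls out the values that have to agree with the Single Sign-On Settings (the issuer, the NameID, and the attribute names). The response it parses is a constructed, unsigned sample with placeholder issuer and attribute values; the code only inspects the response and does not check its XML signature.

```python
import base64
import zlib
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed, unsigned sample response; issuer, NameID and attribute are placeholders.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0">
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:Issuer>https://my.domain.com/simplesamlphp/saml2/idp/metadata.php</saml:Issuer>
    <saml:Subject><saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient">_abc123</saml:NameID></saml:Subject>
    <saml:AttributeStatement>
      <saml:Attribute Name="federationId"><saml:AttributeValue>jdoe</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""

def to_xml(blob):
    """Accept plain XML, base64(XML) or base64(raw-deflate(XML)) and return the XML text."""
    text = blob.strip()
    if text.startswith("<"):
        return text
    try:
        raw = base64.b64decode("".join(text.split()), validate=True)
    except ValueError as e:  # binascii.Error is a ValueError subclass
        raise ValueError("input is neither XML nor valid base64") from e
    if raw.lstrip().startswith(b"<"):
        return raw.decode("utf-8")
    # The HTTP-Redirect binding uses raw DEFLATE with no zlib header, hence wbits=-15.
    return zlib.decompress(raw, -15).decode("utf-8")

def encode_deflated(xml_text):
    """The deflated+base64 form, as a tracer shows it for the HTTP-Redirect binding."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)
    return base64.b64encode(comp.compress(xml_text.encode()) + comp.flush()).decode()

def summarize(blob):
    """Values to compare with the Salesforce SSO settings (read-only; no signature check)."""
    root = ET.fromstring(to_xml(blob))
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        raise ValueError("no plaintext Assertion (encrypted, or an error Status?)")
    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    attrs = {a.get("Name"): [v.text for v in a.findall("saml:AttributeValue", NS)]
             for a in assertion.findall(".//saml:Attribute", NS)}
    return {"issuer": assertion.findtext("saml:Issuer", namespaces=NS),
            "name_id": name_id.text if name_id is not None else None,
            "attributes": attrs}
```

If the attribute name Salesforce is configured with is missing from the "attributes" dict, or the issuer differs from the Issuer field, that is the mismatch to fix before the validator will pass.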

ashrestha

Apr 3, 2013, 10:59:55 AM
to simple...@googlegroups.com
Hi Mark, 

I am trying to implement the same scenario and wondering if you were able to complete the implementation. Thank you in advance. 

AS


On Wednesday, July 4, 2012 8:45:08 AM UTC-5, Mark Berry wrote:
Hi All,

First of all, thanks for what I think will be the perfect open source solution for my problems.
However second, I've been battling away at this for a few days now and am completely lost in terminology and files, and haven't got a clue how to achieve what I want any more.

The problem:
I need to link my salesforce to my mysql db of users.

I have downloaded simplesamlphp 1.8.2 (ubuntu package) and installed, configured apache and can do the admin login on the pages provided.
I have also edited the authsources.php config file, setting up own SQL authentication source and linking in my tables. I have also been able to verify this works by logging in via the simplesamlphp web pages.

What I am absolutely flummoxed about though is where to get the necessary fields for the salesforce side of things, or how to set up the necessary attributes that they appear to require.
The fields they are asking for are:

Issuer   
Identity Provider Certificate
Identity Provider Login URL
Identity Provider Logout URL
Custom Error URL   
SAML User ID Type   
- Assertion contains User's salesforce.com username
- Assertion contains the Federation ID from the User object
SAML User ID Location   
- User ID is in the NameIdentifier element of the Subject statement
- User ID is in an Attribute element



Can anyone assist in helping me determine how I get these values.
The Issuer I guess is the value I enter for idp in the authsources.php file?
The urls I think come from saml20-sp-remote.php - something like http://www.test.org/saml/module.php/saml2/sp/metadata.php/XXX - but it's beyond me what they should actually be and every combination I've tried hasn't worked.

Then finally there's the additional metadata which I haven't even tried to consider yet.

Anyone who could help me out I would very much appreciate it.
Equally I'd be more than happy to contribute back my learning for a salesforce integration tutorial if anyone thinks that might help?

Cheers

Mark




