How can I set the SLO URL for Snowflake SAML integration? I want Snowflake to log out of the identity provider if the user logs out of Snowflake.
I've searched the documentation at https://docs.snowflake.com/en/sql-reference/sql/create-security-integration.html#saml2-required-parameters and I can't seem to find anything related to the SLO URL.
I'm sure you have tried this already:
Okta docs say that if SLO is not available then the main URL can be used: https://help.okta.com/en/prod/Content/Topics/Apps/Apps_Single_Logout.htm
Completely new to B2C. Tried both of these walkthroughs, but I'm missing something still:
https://github.com/Azure-Samples/active-directory-b2c-advanced-policies/blob/master/Walkthroughs/RP-SAML.md
http://blogs.quovantis.com/saml-based-sso-with-azure-ad-b2c-as-an-idp/
Both of these only describe the policies needed, but I'm pretty sure I need to register an app on B2C still? The problem I have with app registration is that SalesForce gives me a token endpoint URL with a query string:
https://mycompany.cs79.my.salesforce.com/services/oauth2/token?so=00D1h000000Cnli
And B2C won't allow query strings in the reply URL.
Is there any way around this? Salesforce also supports OpenID I think, if that would be better?
::::::::::::UPDATE 6/22::::::::::
SAML:
I found and realized I was missing a critical step on the SalesForce side: adding the authentication provider to my domain's login page. Clicking the new link redirects me to B2C, but I get an immediate error from B2C. Application Insights shows the following exception:
The SAML technical profile 'serviceProviderMetadata' specifies a PartnerEntity URL of 'REMOVED', but fetching the metadata fails with reason 'For security reasons DTD is prohibited in this XML document. To enable DTD processing set the DtdProcessing property on XmlReaderSettings to Parse and pass the settings into XmlReader.Create method.'
OpenID:
Using this write-up as a guideline, I've registered the app in B2C and configured the SalesForce side.
Instead of using the Azure AD authorization endpoints, I pulled my B2C tenant's endpoints from my metadata URL (login.microsoftonline.com/{tenant}/.well-known/openid-configuration).
This works for my B2C admin account; however, when I try a test user that isn't a B2C admin I get the following error from the B2C sign-in page:
Sorry, but we’re having trouble signing you in.
AADSTS50020: User account 'REMOVED' from identity provider 'LINK REMOVED' does not exist in tenant 'MTB2CTest' and cannot access the application '5c8b9f4f-cf28-42fe-b629-b87251532970' in that tenant. The account needs to be added as an external user in the tenant first. Sign out and sign in again with a different Azure Active Directory user account.
::::::::::::UPDATE 6/23::::::::::
OpenID:
I’ve found that it works 100% only for my B2C admin account if I don’t use a policy, but doesn't work for other accounts. When I use a policy, only accounts that signed up through the policy can authenticate with B2C (which is great) – but the token doesn’t seem to be reaching SalesForce. I've created two PDFs showing the configuration details and the results from each method (policy and nopolicy) here.
Both of these only describe the policies needed, but I'm pretty sure I need to register an app on B2C still?
Not exactly, you do not need to register an app on the B2C side. All the configuration you do in Policies is enough.
Did you try the Salesforce SAML SSO article? https://help.salesforce.com/articleView?id=sso_saml.htm&type=5
Check the above article, do the configuration on the Salesforce side, and grab the details required by the SAML RP.
I hope that by following both the SAML RP and Configure SAML Settings for Single Sign-On articles you can configure B2C as IdP for Salesforce.
I stumbled on this question while trying to implement Azure AD B2C as an IdP for Salesforce. We used Open ID Connect to enable SSO between the two. This involved setting up an Application in Azure AD B2C, enabling the read scope on that application, and configuring the connection in Salesforce using that application, a custom policy returning a JWT token, and a dummy User Info endpoint.
Check out this answer for exact steps on how we set up Open ID Connect: https://stackoverflow.com/a/61639332/13484109
Because of xyz reasons, we don't have a Service Provider (SP) to place the SAML login request. So, my question is: will it be possible to log in to SAML through the IdP directly? If it is possible, could you please explain the steps? We are using web services, please keep this in mind.
The IdP can read SAML tokens but only when they are grouped using a profile. A common profile is the browser-based WBSSO. So in order to talk to the IdP you need an SP. The SP just groups the SAML tokens into a profile the IdP can understand. Most SAML profiles are browser-based, but have a look at the ECP profile for non-browser access: https://wiki.shibboleth.net/confluence/display/CONCEPT/ECP
My use case is that I need to open NetSuite within Salesforce using SSO. Both platforms support SAML 2.0.
As the first step mentioned in the SSO implementation guide in Salesforce, I am trying to create a new Single Sign-On Setting from the 'New From Metadata URL' button. Here is the NetSuite Service Provider metadata URL:
https://system.na1.netsuite.com/saml2/sp.xml
However, Salesforce is throwing an error:
The XML file doesn't include your SAML 2.0 settings. Verify that the URL links to the SAML 2.0 settings you want.
I checked the NetSuite SSO metadata XML (provided at the URL path) and it contains the definition for SAML 2.0. So I'm not sure why this error is coming up. Can anyone suggest what might be wrong, or whether I am missing something here?
Thanks in advance!
I think the issue is that both Salesforce and Netsuite are Service Provider implementations. Neither is an Identity Provider so if you are importing Netsuite's metadata to Salesforce you'd get an error because you are importing the wrong sort of file.
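An added example, not code from any of the posts above, that checks a metadata file the way the importing side does: it refuses any DTD up front (the "DTD is prohibited" failure from the B2C update earlier on this page) and then reports whether the document describes an IdP or an SP role (the mismatch this answer describes) plus any SingleLogoutService endpoints. The sample metadata and hostnames are constructed placeholders.

```python
import xml.etree.ElementTree as ET
from xml.parsers import expat

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"

def reject_dtd(xml_bytes: bytes) -> None:
    """Abort on any DOCTYPE before a tree is built, as the B2C XmlReader does."""
    parser = expat.ParserCreate()

    def on_doctype(name, sysid, pubid, has_internal_subset):
        raise ValueError("DTD is prohibited in SAML metadata")

    parser.StartDoctypeDeclHandler = on_doctype
    parser.Parse(xml_bytes, True)

def inspect_metadata(xml_bytes: bytes) -> dict:
    """Return entityID, roles (IdP/SP) and SingleLogoutService locations."""
    reject_dtd(xml_bytes)
    root = ET.fromstring(xml_bytes)
    if root.tag != f"{{{MD_NS}}}EntityDescriptor":
        raise ValueError(f"not a SAML EntityDescriptor: {root.tag}")
    roles = [role for role, tag in (("IdP", "IDPSSODescriptor"), ("SP", "SPSSODescriptor"))
             if root.find(f"{{{MD_NS}}}{tag}") is not None]
    slo = [e.get("Location") for e in root.iter(f"{{{MD_NS}}}SingleLogoutService")]
    return {"entityID": root.get("entityID"), "roles": roles, "slo": slo}

def usable_as_idp(xml_bytes: bytes) -> bool:
    """True only if the file describes an IdP, which is what an SP-side import expects."""
    return "IdP" in inspect_metadata(xml_bytes)["roles"]

# Constructed samples with placeholder hosts (not real NetSuite, Salesforce or B2C endpoints).
SP_ONLY = b"""<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
  entityID="https://sp.example.test/saml2">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
      Location="https://sp.example.test/saml2/acs" index="0"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""
IDP_WITH_SLO = b"""<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
  entityID="https://idp.example.test">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
      Location="https://idp.example.test/slo"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""
WITH_DTD = b'<!DOCTYPE md [<!ENTITY e "x">]>' + SP_ONLY  # the shape of file B2C refuses to fetch
```

Importing SP_ONLY on the Salesforce side is the situation in this answer: the file is valid SAML 2.0 metadata, just not IdP metadata.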
I am trying to crawl a website, more specifically a Google Site using ManifoldCF that has SAML authentication and index the crawled data into Apache Solr. But as I crawl the URL, it gives me 302 redirection to login page and then says RESPONSECODENOTINDEXABLE.
I am not sure if I have authenticated correctly or not. In ManifoldCF we have options for HTTP basic authentication, NTLM authentication and the session-based access credentials authentication method. I used the session-based authentication method, which looks more like form-based authentication than SAML authentication.
Has anybody crawled a website using ManifoldCF which has SAML authentication? And if not ManifoldCF, has anyone been able to accomplish this via Apache Nutch? Because I am afraid it also provides only HTTP Basic, Digest and NTLM authentication.
Any insight would be helpful. Can provide more information regarding the issue, if anyone here thinks it can easily be accomplished. Basically when I crawl https://sites.google.com/a/my-sub-domain.com, it redirects to SSO login page and crawler refuses to crawl any more giving a 302 error. It's an intranet based website.
There is no support in Nutch for SSO authentication using SAML. You need to handle it by writing your custom plugin. We have extended the protocol-selenium plugin to handle SAML flows.
Not sure whether this helps, just try it out.
In Nutch, we can provide credentials to log in to the page; we have the httpclient-auth.xml file in the conf directory.
There you can provide your host name along with the credentials.
<auth-configuration>
  <credentials username="admin" password="admin123">
    <authscope host="hostname" realm="login"/>
    <default/>
  </credentials>
</auth-configuration>
Similarly you can add any number of credentials to this configuration.
To crawl an https site, change the plugin.includes property from protocol-http to protocol-httpclient in nutch-conf.xml.
We have modified logic in Nutch protocol-selenium plugin to handle SSO flows.
You need to wait for the redirect to the SSO page. Then using Selenium you can handle SSO. Again wait for the redirection to the original page after SSO.
If 2-factor auth is required, then things become complex. In that case you can configure Google Authenticator (if allowed by your IdP). You can use that to get the TOTP.
For crawling files behind authentication there is no usual way. You can configure the driver to always download files and then use the downloaded file.
You can handle the auth flow using other HTTP clients. If you need a dynamic page's content (after all JS and Ajax requests have completed) then Selenium is the best choice, and if you are using it, you can move the auth part to Selenium.
I need to integrate PingFederate with Salesforce using SP-initiated SSO.
My aim is that users in Active Directory will be automatically logged in when they access the Salesforce Application URL. I have created the SP connection to Salesforce in PingFederate and uploaded the PingFederate Certificate in Salesforce. In Salesforce I have set the IdP Issuer Entity ID to match the one in PingFederate.
For SP-initiated SSO, which URL do I need to give the browser to test if this setup is working correctly?
I believe SFDC requires you to establish who your IDP is via Unsolicited SSO (IDP-Init) before SP-Init is automatically triggered when you attempt to access a SFDC protected page. Once IDP-Init SSO is completed successfully, SFDC sets your last known IDP as a persistent cookie in your browser.
IDP-Init is pretty simple to do in PF. Just ensure that IDP-Init and SP-Init SSO are enabled in your SP Connection. After that, when you look at the SP Connection Summary page, you should then see a "Connection URL" that looks like -- "https://pingfederateserver.com/idp/startSSO.ping?PartnerSpId=
Give it a shot - if it doesn't work the Ping Support team can quickly help.
HTH -
Ian