Using Salesforce as SAML 2.0 IdP provider

I am trying to configure Salesforce as the IdP for my SAML 2.0-based SP. I have enabled the domain and SSO, and created a connected app with the appropriate profile. With all this I am able to log in to the SP using the IdP-initiated URL: the IdP-initiated Salesforce URL works correctly and my SP gets a correct SAML response. But when I try to use the SP-initiated flow and post the SAML request to the Salesforce endpoint, it gives the error "Insufficient Privileges". Has anyone faced this issue or knows something about it?

I was able to solve this issue. Apparently Salesforce doesn't say what the error is. Here I was using a redirect request, sending it to the POST URL.
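The distinction the fix above turns on, shown as an added example that is not code from the original thread: the HTTP-Redirect binding DEFLATE-compresses the AuthnRequest and carries it in the query string, while the HTTP-POST binding carries plain base64 in a form field, so a redirect-encoded message delivered to a POST endpoint never decodes to XML. The entity IDs and URLs are placeholders, and the AuthnRequest is unsigned for brevity.

```python
import base64
import uuid
import zlib
import xml.etree.ElementTree as ET
from datetime import datetime, timezone
from typing import Optional
from urllib.parse import parse_qs, urlencode, urlparse

# Placeholder SP/IdP values; replace with the metadata of your own deployment.
SP_ENTITY_ID = "https://sp.example.com/metadata"
ACS_URL = "https://sp.example.com/saml/acs"
IDP_SSO_URL = "https://idp.example.com/saml/sso"


def new_request_id() -> str:
    # SAML IDs are xsd:ID values and must not start with a digit, hence the "_" prefix.
    return "_" + uuid.uuid4().hex


def build_authn_request(request_id: Optional[str] = None, issue_instant: Optional[str] = None) -> str:
    """Minimal unsigned SAML 2.0 AuthnRequest asking the IdP to reply via HTTP-POST."""
    request_id = request_id or new_request_id()
    issue_instant = issue_instant or datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    return (
        '<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
        'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" '
        f'ID="{request_id}" Version="2.0" IssueInstant="{issue_instant}" '
        'ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" '
        f'AssertionConsumerServiceURL="{ACS_URL}">'
        f"<saml:Issuer>{SP_ENTITY_ID}</saml:Issuer>"
        "</samlp:AuthnRequest>"
    )


def encode_redirect_binding(xml: str, relay_state: Optional[str] = None) -> str:
    """HTTP-Redirect binding: raw DEFLATE, then base64, then URL-encode into the query string."""
    compressor = zlib.compressobj(9, zlib.DEFLATED, -15)  # wbits=-15: raw deflate, no zlib header
    deflated = compressor.compress(xml.encode("utf-8")) + compressor.flush()
    params = {"SAMLRequest": base64.b64encode(deflated).decode("ascii")}
    if relay_state:
        params["RelayState"] = relay_state
    return f"{IDP_SSO_URL}?{urlencode(params)}"


def saml_request_param(url: str) -> str:
    """Pull the raw SAMLRequest query parameter out of a redirect-binding URL."""
    return parse_qs(urlparse(url).query)["SAMLRequest"][0]


def decode_redirect_binding(url: str) -> str:
    """Inverse of the redirect binding: base64-decode the parameter, then inflate it."""
    raw = base64.b64decode(saml_request_param(url))
    return zlib.decompress(raw, -15).decode("utf-8")


def encode_post_binding(xml: str) -> dict:
    """HTTP-POST binding: base64 of the XML in a form field, with no compression."""
    return {"SAMLRequest": base64.b64encode(xml.encode("utf-8")).decode("ascii")}


def decode_post_binding(form: dict) -> Optional[str]:
    """What a POST endpoint does: base64-decode and parse as XML.
    Returns the XML text, or None when the payload is not a POST-binding message,
    for instance a DEFLATEd redirect-binding payload that was sent to the POST URL."""
    try:
        text = base64.b64decode(form["SAMLRequest"], validate=True).decode("utf-8")
        ET.fromstring(text)
    except (KeyError, ValueError, ET.ParseError):
        return None
    return text
```

When an IdP endpoint rejects a request with an uninformative error, checking which binding the endpoint is published for (in the IdP metadata's SingleSignOnService entries) against the one you used is a quick first step; the two encodings are not interchangeable.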

Related

Is it possible to handle SAML response on react application?

I have to implement single sign-on in a ReactJS application whose back-end is in Python.
Using PingFederate to check user authentication,
then redirecting to the "React application" login page with the SAML response,
by hitting a POST request on the login page.
Please help me to handle this SAML response at my application login page. I am stuck here on how to handle/get the SAML response.
How do I configure Shibboleth as a service provider?
Please share your thoughts.
Thank you
A React application alone cannot do that.
You need some backend.
If you are using SAML to connect then Shibboleth SP is a good choice.
Preferably an Apache HTTPD server and a Java application.
Something like this

Missing InResponseTo SAML attribute in SP-initiated Okta sign-on

I am trying to add a new service to an existing Okta setup. The service relies on SAML for authentication and uses strict checking of SAML messages.
When Okta session state is already present in the browser, everything works fine. Okta SAML response contains all the necessary attributes to get verified and everything just works.
However, when using a "clean" browser to initiate a new session, my service cannot properly validate the Okta SAML response. The response is valid and properly signed, but is missing the InResponseTo attribute, which is required for strict verification.
I wonder if somebody may have encountered an issue like that before? Might there be some hidden setting in Okta or some common setup mistake in the authentication provider?
Your service is complaining about the sequence of steps you use to initiate the SSO flow. In a so-called service provider-initiated SSO flow, you click on a link that goes to your service. Your service acting as a SAML service provider (SP) then sends a SAML authentication request to the identity provider (Okta) which then responds to this request with a SAML response. Since the identity provider is responding to the request from a service provider, the SAML response will contain an InResponseTo element.
How do you fix this? This is all about your service rather than Okta. You need to determine the correct URL and/or format of the request to your service that will cause it to fire a SAML authentication request to the identity provider.
See Okta docs for more info

Will it be possible to call the IdP directly in SAML?

Because of xyz reasons, we don't have a Service Provider (SP) to place the SAML login request. So my question is: will it be possible to log in to SAML through the IdP directly? If it is possible, could you please explain the steps? We are using web services; please keep this in mind.
The IdP can read SAML tokens but only when they are grouped using a profile. A common profile is the browser-based WBSSO. So in order to talk to the IdP you need an SP. The SP just groups the SAML tokens into a profile the IdP can understand. Most SAML profiles are browser-based, but have a look at the ECP profile for non-browser access: https://wiki.shibboleth.net/confluence/display/CONCEPT/ECP

SAML Response authentication

Scenario:
1. Browser (User) requests a resource from the Service Provider (SP).
2. SP redirects (with a SAML Request) to the Identity Provider (IdP).
3. Since it is the first login, the User gives the IdP his/her valid credentials.
4. IdP then redirects the Browser (with a SAML Response which includes the SAML token) to the SP page.
5. The application has a link to a different application. The second application needs to validate the user credentials with the same IdP.
6. User clicks on that link and the browser opens the second application. The browser contains the same SAML response from the SP.
In Step 5, how can I authenticate the user with the SAML response and allow the user to be logged in automatically?
Do I need another SP?
I will not be able to use the SP from step 1 as it is an external application.
Appreciate your help
If the second application is in a different administrative domain, it should be done through its own SAML SP starting another SAML request/response exchange with the IDP. If it is in the same domain you may be able to pass an intra-domain credential such as a cookie between the first application and the second (or rely on full SAML as well). You would never reuse the same SAML response because that is meant to be one-time use only.
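The two rules stated by the Okta answer above (a strict SP only accepts a response whose InResponseTo names an AuthnRequest it actually sent) and by the answer just above (a SAML response is one-time use and is never replayed into a second application) are shown together here as an added example; it is not code from the original thread or from any SAML library. It assumes the XML signature on the response has already been verified by your SAML library, which must happen before any of these checks and is not shown; the entity IDs, URLs and the sample response are constructed placeholders, and the outstanding-request and consumed-assertion state is kept in memory, whereas a multi-node SP would keep it in a shared store.

```python
import xml.etree.ElementTree as ET  # parse untrusted XML with defusedxml in production
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, Set, Tuple

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"


@dataclass
class SpState:
    """Per-SP state: outstanding AuthnRequest IDs and assertion IDs already used once."""
    entity_id: str
    acs_url: str
    clock_skew: timedelta = timedelta(seconds=60)
    pending_requests: Dict[str, datetime] = field(default_factory=dict)  # request ID -> expiry
    consumed_assertions: Set[str] = field(default_factory=set)

    def register_request(self, request_id: str, now: datetime, ttl_seconds: int = 300) -> None:
        """Call when the SP sends an AuthnRequest; the IdP must answer within ttl_seconds."""
        self.pending_requests[request_id] = now + timedelta(seconds=ttl_seconds)


def parse_saml_time(value: str) -> datetime:
    # SAML timestamps are xsd:dateTime in UTC with a trailing "Z"; fromisoformat wants "+00:00".
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def validate_response(xml_text: str, state: SpState, now: datetime,
                      allow_unsolicited: bool = False) -> Tuple[bool, str]:
    """Return (True, NameID) for an acceptable response, else (False, reason)."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        return False, f"not well-formed XML: {exc}"
    if root.tag != f"{{{NS['samlp']}}}Response":
        return False, "root element is not samlp:Response"
    if root.get("Destination") not in (None, state.acs_url):
        return False, "Destination is not this SP's ACS URL"
    status = root.find("samlp:Status/samlp:StatusCode", NS)
    if status is None or status.get("Value") != SUCCESS:
        return False, "IdP did not report Success"

    # Correlation: InResponseTo must name a request we sent and have not consumed yet.
    # A response without it is IdP-initiated (unsolicited); a strict SP refuses it unless enabled.
    in_response_to = root.get("InResponseTo")
    if in_response_to is None:
        if not allow_unsolicited:
            return False, "missing InResponseTo: unsolicited response rejected"
    else:
        expiry = state.pending_requests.pop(in_response_to, None)  # each request ID is single-use
        if expiry is None:
            return False, "InResponseTo does not match any outstanding AuthnRequest"
        if now >= expiry:
            return False, "the matching AuthnRequest has expired"

    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return False, "no plaintext assertion (EncryptedAssertion not handled in this example)"
    assertion_id = assertion.get("ID")
    if not assertion_id:
        return False, "assertion has no ID"
    if assertion_id in state.consumed_assertions:
        return False, "assertion already consumed: replay rejected"

    conditions = assertion.find("saml:Conditions", NS)
    if conditions is not None:
        not_before, not_on_or_after = conditions.get("NotBefore"), conditions.get("NotOnOrAfter")
        if not_before and now < parse_saml_time(not_before) - state.clock_skew:
            return False, "assertion not yet valid"
        if not_on_or_after and now >= parse_saml_time(not_on_or_after) + state.clock_skew:
            return False, "assertion expired"
        audiences = [a.text for a in conditions.findall("saml:AudienceRestriction/saml:Audience", NS)]
        if audiences and state.entity_id not in audiences:
            return False, "assertion is for a different audience"

    # Bearer confirmation data must point back at this SP and at the same request.
    scd = assertion.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd is not None:
        if scd.get("InResponseTo") not in (None, in_response_to):
            return False, "SubjectConfirmationData InResponseTo mismatch"
        if scd.get("Recipient") not in (None, state.acs_url):
            return False, "SubjectConfirmationData Recipient is not this SP"
        if scd.get("NotOnOrAfter") and now >= parse_saml_time(scd.get("NotOnOrAfter")) + state.clock_skew:
            return False, "SubjectConfirmationData expired"

    state.consumed_assertions.add(assertion_id)  # one-time use: remember it for at least its lifetime
    return True, assertion.findtext("saml:Subject/saml:NameID", default="", namespaces=NS)


# Constructed sample response (not captured from any real IdP), assumed already signature-checked.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_resp-1" Version="2.0"
  IssueInstant="2024-01-01T00:00:05Z" Destination="https://sp.example.com/saml/acs" InResponseTo="_req-1">
  <saml:Issuer>https://idp.example.com/metadata</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_assert-1" Version="2.0" IssueInstant="2024-01-01T00:00:05Z">
    <saml:Issuer>https://idp.example.com/metadata</saml:Issuer>
    <saml:Subject><saml:NameID>alice@example.com</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData InResponseTo="_req-1" Recipient="https://sp.example.com/saml/acs"
          NotOnOrAfter="2024-01-01T00:05:00Z"/></saml:SubjectConfirmation></saml:Subject>
    <saml:Conditions NotBefore="2024-01-01T00:00:00Z" NotOnOrAfter="2024-01-01T00:05:00Z">
      <saml:AudienceRestriction><saml:Audience>https://sp.example.com/metadata</saml:Audience>
      </saml:AudienceRestriction></saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""
```

Run against the sample, the first validation succeeds, a second presentation of the same response fails on the already-consumed request ID (and, for an IdP-initiated response with `allow_unsolicited=True`, on the already-consumed assertion ID), and a response presented after its NotOnOrAfter fails on expiry. The "clean browser" symptom in the Okta question is exactly the `missing InResponseTo` branch: the flow started at the IdP, so no request ID exists for the response to match.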

Integrating PingFederate with Salesforce

I need to integrate PingFederate with Salesforce using SP-initiated SSO.
My aim is that users in Active Directory will be automatically logged in when they access the Salesforce Application URL. I have created the SP connection to Salesforce in PingFederate and uploaded the PingFederate Certificate in Salesforce. In Salesforce I have set the IdP Issuer Entity ID to match the one in PingFederate.
For SP-initiated SSO, which URL do I need to give the browser to test if this setup is working correctly?
I believe SFDC requires you to establish who your IDP is via Unsolicited SSO (IDP-Init) before SP-Init is automatically triggered when you attempt to access a SFDC protected page. Once IDP-Init SSO is completed successfully, SFDC sets your last known IDP as a persistent cookie in your browser.
IDP-Init is pretty simple to do in PF. Just ensure that IDP-Init and SP-Init SSO are enabled in your SP Connection. After that, when you look at the SP Connection Summary page, you should then see a "Connection URL" that looks like -- "https://pingfederateserver.com/idp/startSSO.ping?PartnerSpId=
Give it a shot - if it doesn't work the Ping Support team can quickly help.
HTH -
Ian
