I'm trying to integrate sales force with my application,I'm using oauth2.0 authorization for getting refresh token.I'm redirecting to salesforce login page.I dnt want to show this page in my app.Is there any way for that.
The key concept behind using the OAuth 2.0 Web Server Authentication Flow or the OAuth 2.0 User-Agent Flow is that the users authentication details only go to Salesforce. Your application doesn't need to handle their username or password. This, combined with the authorization of your app in Salesforce gives the user a greater level of security.
You can't store the username/password details and they can revoke authorization access for the app.
If you don't want to redirect via the Salesforce login page you can use the OAuth 2.0 Username-Password Flow. Here you will handle the username and password (plus potentially the security token). This is less secure from the users perspective, but bypasses the redirect to the Salesforce login page.
Incidentally, there is a dedicated StackExchange site for Salesforce that is a great place to ask these sort of questions.
Related
i've a desktop site based on wordpress.
Mobile version is on a subdomain and is developed using angularJs (ionic).
I'm trying to figure out what the best solution to authenticate mobile version users using wordpress wp_users credentials.
Thanks in advance for any advice.
1 - Basic Auth: The easiest, This one is not recommended for production since your users will be sending their credentials with each request, only use it over https.
2 - OAuth: This one is secured but might not be interesting because users will be redirected to WP to login then redirected back after login success, here is a decent tutorial for it.
3 - JWT Auth: This one is interesting because it only sends user credentials once, when login succeed you will get a jwt token which will be used instead of user's password in each request.
For your app purpose I recommend implementing your own authentication method, make a plugin for that, it should generate a secret token and save it in user session, it should also block any request that doesn't include that secret token.
I want to access Salesforce Organization data from my Application (Python) through API. I want to access data from multiple organizations in Salesforce in this case should I have to ask an user (one user) from each organization to register their user name and password with my application?
What is the right way of achieving this?
Generally speaking you should avoid having users enter their credentials directly into your application. If possible, allow them to use one of the oauth flows where they only provide the credentials to Salesforce and then a token is issued to the application for API access.
For a long running process you can get a refresh token that will allow you to re-establish the session as required.
See
OAuth 2.0 User-Agent Flow
OAuth 2.0 Web Server Authentication Flow
OAuth 2.0 Refresh Token Flow
Incidentally, the Salesforce Stackexchange is a great place to ask Salesforce specific questions.
I am trying to get the user who is logged in via. SAML Single Sign On.
I have already implemented SAML Single Sign On and it works.
The code I use for programmatic login is :
apps = gdata.apps.service.AppsService(email=username, domain=domain, password=password)
apps.ProgrammaticLogin()
logging.info("current user %s", users.get_current_user())
//Redirect to a Google mail page.
But users.get_current_user() returns None always even though correct username and password is provided. I have crosschecked it by redirecting the page to Google Mail page and it successfully redirects.
I have googled this issue for hours now nothing goes the right way.
Can anyone please guide me what I am doing wrong ?
There are three different things going on here, I just want to make sure are clear for my suggested answer to make sense:
Google App Engine users service: You, as the developer, delegate authentication and authorization responsibility to Google Accounts (or the selected OpenID provider). Google will act as the Identity Provider and you'll act as the Service Provider.
SAML single sign on: Google delegates to you the authentication and authorization responsibility, you'll act as the Identity Provider and Google will act as the Service Provider. You'll be using SAML SSO every time you try to login any Google service using you Google Apps account, that includes Google App Engine applications using the users service.
ClientLogin: It is one of the methods for authenticating to use a Google API by giving username and password. It's deprecated, it's hard to maintain and insecure since you are hard coding the credentials and the app could have access to everything. I'd recommend switching to OAuth instead. In the first two lines of code You are initializing the Google Apps provisioning API with gdata.apps.service.AppsService, if you are not going to retrieve or create users/groups/alias is useless to do that. If you are I'd also recommend switching to the Directory API part of the new AdminSDK
For your particular case I'd suggest checking if there is a current user logged in, if not redirect to the login URL using the GAE users service.
user = users.get_current_user()
if user:
logging.info("current user %s", user.email())
else:
return redirect(users.create_login_url(request.url))
In case you always require that the user is logged in you better set the handler as login: required
The user will be redirected to the SAML SSO page to log in to his Google Account in order to access the GAE app.
Here is what we want at high level.
My Requirements,
Clients should be able to access my application using their existing username/password.
My clients should be able to provide me their user-roles, and based upon that I will manage the resource authorization in the server.
Client will share the database. (Multitenancy).
The OAuth 2.0 examples I went across are, utilizing Authentication Servers such as Facebook/Google, where in users can login thru their google or facebook account.
I wan't my clients to be able to login with their own accounts.
As far as CAS Authentication server is concerned it directs the user to its own login page.
I am looking for a standard way, where in I can use spring security and allow my clients to single sign on user their own credentials. Any references will be of great help. Thank you.
As already mentioned CAS is a web SSO, so you need to pass through it's own authentication page in order to get the SSO working. There are many ways to get CAS working with your authentication persistent system (in my projects I usually use JPA as my customers have many old applications based only on relational db persistence).
In your project I suppose you can setup CAS to use your application authentication method, while your application can point directly to CAS for authentication itself. What I mean is that your application as well should use CAS for single sign on, so the users can enter their credentials just once. Finally you can customize CAS theme in order to get login and error pages with the same layout as your application (you can even load CAS login page in an iframe and then reload your application page on success if you want to integrate it inside your webapp).
If I understood what you wrote you want it to behave this way:
you login in your application
your application tells CAS you logged in
you access another application
the other application asks CAS if the user is logged in and CAS answers yes
But the "easy" explanation of the workflow is:
you try to access a secured part of any application secured with CAS (your or another)
the application asks CAS if the user is logged
CAS answers no, so the user is redirected to CAS login
the user authenticates with CAS
CAS redirects the user to the calling application
the application asks CAS if the user is logged in and CAS answers yes
the user can access secured parts of the application
the user try to access another application
the "another" application asks CAS if the user is logged in and CAS answers yes
the user can access secured parts of the "another" application
CAS is a web SSO so you will be able to share the user identity accross multiple web applications and Spring Security is a good CAS client.
You can also enable the CAS server to delegate authentication to Facebook or Google.
The idea is to have your CAS server authenticate your users and get their profile and then push them to the web applications.
I thought CAS provided a REST API.
If that could be used for login then the various apps could present their own login interface and send the username / password to CAS.
We need to support the following Authentication flows
User 1 logs into Salesforce using Salesforce Credentials
User 2 logs into Salesforce using Arcot +Ping + Siteminder credentials
User 2 logs into Custom App using Arcot + Ping + Siteminder credentials
Since all the authentication methods above are SAML, I need to find a way to address home realm discovery that is a unusual "mesh" of authentication flows.
Question
How should I set up the IDP and RPs to handle this scenario?
How would home realm discovery work?
I'm going to assume that you have My Domains setup and SAML 2.0 setup in your org, and you're trying to route an unauthenticated page request to its appropriate authentication source.
Since you can't distinguish between users 1 and 2 in the original unauthenticated request, you'll need an interstitial page that asks for user input, i.e. "Let me login with username/password" or "I login with single sign on". Point to this page in the "Identity Provider Login URL" section of your SAML settings. If the user chooses username/password, redirect the user to the My Domains login page where they'll login with un/pw. If they choose SSO, then send them to your IDP and propagate the SAML Request & RelayState to initiate the SAML protocol.
Similarly, unauthenticated requests to the custom app need to redirect to the IDP, so that they will initiate SAML. Is the custom app inside of salesforce (as a different tabset), or hosted outside of salesforce? If the custom app is separate from salesforce, you'll need to setup the identity provider so that it has 2 RPs: one for salesforce and one for this custom app. If the custom app is in salesforce, how is the user going to express intent to access salesforce vs the custom app?