Tuesday, June 11, 2013

salesforce.com and Shibboleth SSO

It's an odd subject for me to blog about. My knowledge of salesforce.com is practically zero, and of Shibboleth, zero: I learned the word and the product a few days ago when I had to help diagnose an SSO issue between force.com and a client site.

There are tons of posts sharing experience on how to make SSO work between force.com and Shibboleth, with success and failure stories alike. I mostly chewed on those posts and, with trial and error, made it work in our case. I thought I'd share what I learned.

Shibboleth version: 2.3.5.

On the force.com side:
Part I
1. Check "SAML Enabled" (leave "User Provisioning Enabled" unchecked) and choose SAML version 2.0.
2. Set the issuer as provided by the IDP: https://sso.example.edu/idp/shibboleth
3. Import the certificate the client's Shibboleth IDP provided.
4. Select Federation ID.
5. Select "User ID is an attribute" and fill in the attribute name and format (I collected these from a sample IDP response assertion; see the sample assertion below, towards the bottom of the payload).
6. Entity ID: https://saml.salesforce.com
7. HTTP Redirect (request binding)
Save changes.

Edit screen dump: (screenshot not reproduced here)

View screen dump: (screenshot not reproduced here)

8. On the SSO settings page, click "Download Metadata", save the file and send it to the IDP, and ask the IDP to update relying-party.xml to point to this file (MetadataProvider/@metadataFile).

Part II
Select the Setup menu, search for "my domain", then select "Use the following Authentication Service: My SAML IDP".

Part III

IDP side:

  • update relying-party.xml (as in step 8 above)
  • set encryption to OFF
  • set signing to ON

That did the trick.

Here is the sample metadata dump (certificate blobs shortened):
<?xml version="1.0" encoding="UTF-8"?><md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://saml.salesforce.com" validUntil="2023-06-11T21:25:53.105Z">
   <md:SPSSODescriptor AuthnRequestsSigned="true" WantAssertionsSigned="true" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <md:KeyDescriptor use="signing">
         <ds:KeyInfo>
            <ds:X509Data>
               <ds:X509Certificate>MIIFBzCCA++gAwIBAgIQDJ4ihF+4VYzLxb+qASp7IzANBgkqhkiG9w0BAQUFADCBvDELMAk
GA1UEBhMCVVMxFzAVBgNVBAoTDlZlcmlTaWduLCBJbmMuMR8wHQYDVQQLExZWZXJpU2lnbi
...
xcHB+08lZiJzKwN/yg==</ds:X509Certificate>
            </ds:X509Data>
         </ds:KeyInfo>
      </md:KeyDescriptor>
      <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat>
      <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://test.salesforce.com/?saml=MgoTx78aEPqYOjf4wsNP4y2cWzUwlVn8UjYAqjjrKUbZUNj9Y1hnr9fJpa" index="0" isDefault="true"/>
      <md:AttributeConsumingService index="0" isDefault="true">
         <md:ServiceName xml:lang="en">Salesforce.com</md:ServiceName>
         <md:RequestedAttribute Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" isRequired="true"/>
      </md:AttributeConsumingService>
   </md:SPSSODescriptor>
</md:EntityDescriptor>

Here is a sample response assertion (certificate blobs shortened):

<saml2p:Response xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol" Destination="https://test.salesforce.com" ID="_70d94b9224a1f64d1bc1d08a7e0f82a8" InResponseTo="_2QbMVwlP6T4mfIKpaguiKDq1rvofuyOI2ueT5fZIQgZ9m6lSZGRWjkDAEd5sEc12NjwotQcMb_XPhwTjcxWcMxobH3fduZo8KoINe.8L0XGshPftH8XN1x907ZyfA4VWJ_3.LlbBtovzGixXRAOzLv8i6srSME.ujlR2g6KpU3x6auSu9Dv7kx5f3r_u32dPF0PEZKODHMtxlVXaycGYuMgC2w0s8.g" IssueInstant="2013-06-11T16:03:15.201Z" Version="2.0" xmlns:xs="http://www.w3.org/2001/XMLSchema">
   <saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">https://sso.example.edu/idp/shibboleth</saml2:Issuer>
   <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
      <ds:SignedInfo>
         <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
         <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
         <ds:Reference URI="#_70d94b9224a1f64d1bc1d08a7e0f82a8">
            <ds:Transforms>
               <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
               <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
                  <ec:InclusiveNamespaces xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList="xs"/>
               </ds:Transform>
            </ds:Transforms>
            <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
            <ds:DigestValue>papIEukge3hRwbglEkofGy/ybdI=</ds:DigestValue>
         </ds:Reference>
      </ds:SignedInfo>
      <ds:SignatureValue>q7Sdhz8UC46qUE+yycOoQQ2bLorgZ6HJvONokm9aa1bv+bF4MAljS8p7M7aYeyDZnGk+rDyrQzO+ctL0IfjNZimE8dhW1dt1HDS/6cjyK7zKWZMueEHRWbZPs6GYOYHSYWr2DFplngJYbwZQ4CfNp4yCHjOuGoo0I9Tr0P24/V8b3RMNnN5XAK5GPR/nW+nYsCS8UWeMOcRLg+NvjMfVGczL2Z4XfUHT6Odj6ckiEPCQkzRwg26bl//Lz0zMgDN7QtX0BflMLuS09trDHKfblLCtXAakSjBfaythCxpKCvSIUgMk1FlwCRS+15/YYBF+dTGf8mWCCgFJ6ZF+Euz/Kw==</ds:SignatureValue>
      <ds:KeyInfo>
         <ds:X509Data>
            <ds:X509Certificate>MIIDHzCCAgegAwIBAgIUHPSdb4ae0QA3fyeEIe7wKXi2oT0wDQYJKoZIhvcNAQEFBQAwGDEWMBQG
...
ztgLcVw=</ds:X509Certificate>
         </ds:X509Data>
      </ds:KeyInfo>
   </ds:Signature>
   <saml2p:Status>
      <saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
   </saml2p:Status>
   <saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" ID="_09daf40a77318b7f391fa99c5d2829de" IssueInstant="2013-06-11T16:03:15.201Z" Version="2.0" xmlns:xs="http://www.w3.org/2001/XMLSchema">
      <saml2:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">https://sso.example.edu/idp/shibboleth</saml2:Issuer>
      <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
         <ds:SignedInfo>
            <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
            <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
            <ds:Reference URI="#_09daf40a77318b7f391fa99c5d2829de">
               <ds:Transforms>
                  <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
                  <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
                     <ec:InclusiveNamespaces xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList="xs"/>
                  </ds:Transform>
               </ds:Transforms>
               <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
               <ds:DigestValue>cJ6IIEUMHXI6f4qAhgnLl5RPqTA=</ds:DigestValue>
            </ds:Reference>
         </ds:SignedInfo>
         <ds:SignatureValue>a1HCaukY6f6WfB65rSt5zDug+GoAiBohujqt5DSnjYBIg5X9VSCoLIop+sqG790h/v1fTuQyeOXCQpuC745sWn8lFNFPqR8SjZqMR2G6JDHjDtOWpgB4zjWcES3i6SAwSlnEL63WUj0vzCuqt6JYyUmg+xKr8kBVUz4MZEch08pKj4qbeao58WD1YXWBUeT6yHPe44YG9FoPHiP+SicQ/Ea4qwOtnogh6oF8aM4tpAcpyNw924uOPcDe5d20suBZ1DgTLM+B6nLWhxH5FDvmsU9TmGOWAQ63fGY+ZYKN+GFsieiYIPbT6XKOYcOwaxtYdZ7hoebhdv5f4sLvHxRjGQ==</ds:SignatureValue>
         <ds:KeyInfo>
            <ds:X509Data>
               <ds:X509Certificate>MIIDHzCCAgegAwIBAgIUHPSdb4ae0QA3fyeEIe7wKXi2oT0wDQYJKoZIhvcNAQEFBQAwGDEWMBQG
...
ztgLcVw=</ds:X509Certificate>
            </ds:X509Data>
         </ds:KeyInfo>
      </ds:Signature>
      <saml2:Subject>
         <saml2:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent" NameQualifier="https://sso.example.edu/idp/shibboleth">4nKARGsfororZJ89y5wDMkZJuE4=</saml2:NameID>
         <saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
            <saml2:SubjectConfirmationData Address="10.25.181.45" InResponseTo="_2QbMVwlP6T4mfIKpaguiKDq1rvofuyOI2ueT5fZIQgZ9m6lSZGRWjkDAEd5sEc12NjwotQcMb_XPhwTjcxWcMxobH3fduZo8KoINe.8L0XGshPftH8XN1x907ZyfA4VWJ_3.LlbBtovzGixXRAOzLv8i6srSME.ujlR2g6KpU3x6auSu9Dv7kx5f3r_u32dPF0PEZKODHMtxlVXaycGYuMgC2w0s8.g" NotOnOrAfter="2013-06-11T16:08:15.201Z" Recipient="https://test.salesforce.com"/>
         </saml2:SubjectConfirmation>
      </saml2:Subject>
      <saml2:Conditions NotBefore="2013-06-11T16:03:15.201Z" NotOnOrAfter="2013-06-11T16:08:15.201Z">
         <saml2:AudienceRestriction>
            <saml2:Audience>https://saml.salesforce.com</saml2:Audience>
         </saml2:AudienceRestriction>
      </saml2:Conditions>
      <saml2:AuthnStatement AuthnInstant="2013-06-11T16:03:14.850Z" SessionIndex="7143fd8ba813f44fa9fb11512f50175b00ab09b21b7ca7d442164ebbda6b8281">
         <saml2:SubjectLocality Address="10.25.181.45"/>
         <saml2:AuthnContext>
            <saml2:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml2:AuthnContextClassRef>
         </saml2:AuthnContext>
      </saml2:AuthnStatement>
      <saml2:AttributeStatement>
         <saml2:Attribute FriendlyName="eduPersonPrincipalName" Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
            <saml2:AttributeValue>john.doe@example.edu</saml2:AttributeValue>
         </saml2:Attribute>
      </saml2:AttributeStatement>
   </saml2:Assertion>
</saml2p:Response>
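As an added example (not code from the original post), here is a Python check that applies the SP settings above to an IDP response: it confirms the assertion is unencrypted and carries a signature (Part III), that Issuer, Audience and Recipient match step 2, step 6 and the assertion consumer URL, that the NotBefore/NotOnOrAfter window holds, and it pulls the Federation ID out of the attribute named in step 5. The EXPECTED values and the trimmed SAMPLE are constructed from the post; the code checks structure only and does not verify the XML signature cryptographically, which a real SP must do before trusting any of these fields.

```python
import xml.etree.ElementTree as ET
from datetime import datetime

NS = {"saml2p": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml2": "urn:oasis:names:tc:SAML:2.0:assertion", "ds": "http://www.w3.org/2000/09/xmldsig#"}
# SP-side values taken from the post: IDP issuer (step 2), Entity ID (step 6),
# the Recipient seen in the sample assertion, and the Federation ID attribute (step 5).
EXPECTED = {"issuer": "https://sso.example.edu/idp/shibboleth", "audience": "https://saml.salesforce.com",
            "recipient": "https://test.salesforce.com", "attr_name": "urn:oid:1.3.6.1.4.1.5923.1.1.1.6",
            "attr_format": "urn:oasis:names:tc:SAML:2.0:attrname-format:uri"}
# Constructed, trimmed copy of the sample response above (signature and certificate blobs omitted).
SAMPLE = """<saml2p:Response xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<saml2:Assertion><saml2:Issuer>https://sso.example.edu/idp/shibboleth</saml2:Issuer><ds:Signature/>
<saml2:Subject><saml2:SubjectConfirmation><saml2:SubjectConfirmationData Recipient="https://test.salesforce.com"/></saml2:SubjectConfirmation></saml2:Subject>
<saml2:Conditions NotBefore="2013-06-11T16:03:15.201Z" NotOnOrAfter="2013-06-11T16:08:15.201Z"><saml2:AudienceRestriction><saml2:Audience>https://saml.salesforce.com</saml2:Audience></saml2:AudienceRestriction></saml2:Conditions>
<saml2:AttributeStatement><saml2:Attribute Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"><saml2:AttributeValue>john.doe@example.edu</saml2:AttributeValue></saml2:Attribute></saml2:AttributeStatement>
</saml2:Assertion></saml2p:Response>"""

def _ts(value):  # SAML timestamps are UTC with a trailing Z, e.g. 2013-06-11T16:03:15.201Z
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%S.%fZ")

def check_response(xml_text, expected, now_iso):
    """Return (federation_id, problems); federation_id is None when any check fails."""
    root, now, problems = ET.fromstring(xml_text), _ts(now_iso), []
    if root.find("saml2:EncryptedAssertion", NS) is not None:  # Part III: encryption OFF
        problems.append("assertion is encrypted; the SP expects it in the clear")
    a = root.find("saml2:Assertion", NS)
    if a is None:
        return None, problems + ["no saml2:Assertion in the response"]
    if a.find("ds:Signature", NS) is None:  # Part III: signing ON
        problems.append("assertion is not signed")
    if a.findtext("saml2:Issuer", "", NS) != expected["issuer"]:
        problems.append("Issuer does not match the issuer configured in step 2")
    if a.findtext("saml2:Conditions/saml2:AudienceRestriction/saml2:Audience", "", NS) != expected["audience"]:
        problems.append("Audience does not match the SP Entity ID from step 6")
    cond = a.find("saml2:Conditions", NS)
    if cond is None or not _ts(cond.get("NotBefore")) <= now < _ts(cond.get("NotOnOrAfter")):
        problems.append("assertion is outside its NotBefore/NotOnOrAfter window")
    scd = a.find("saml2:Subject/saml2:SubjectConfirmation/saml2:SubjectConfirmationData", NS)
    if scd is None or scd.get("Recipient") != expected["recipient"]:
        problems.append("Recipient does not match the SP's assertion consumer URL")
    fed_id = None
    for attr in a.findall("saml2:AttributeStatement/saml2:Attribute", NS):
        if attr.get("Name") == expected["attr_name"] and attr.get("NameFormat") == expected["attr_format"]:
            fed_id = attr.findtext("saml2:AttributeValue", None, NS)
    if fed_id is None:
        problems.append("Federation ID attribute missing, or its Name/NameFormat differ from step 5")
    return (fed_id if not problems else None), problems
```

Calling check_response(SAMPLE, EXPECTED, "2013-06-11T16:05:00.000Z") returns the Federation ID john.doe@example.edu with an empty problem list; a clock outside the five-minute window, a mis-typed issuer, or a missing ds:Signature each turn the result into None plus the matching message.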

3 comments:

  1. Hi, have you tried to enable the provisioning?

    I did, and the SSO of new users is always failing.
    I created a ticket on salesforce: https://success.salesforce.com/questionDetail?qId=a1X30000000fjP6EAI

  2. This comment has been removed by the author.

  3. That's nice that you used both salesforce.com and Shibboleth IDP. You could have contacted the troubleshooting team to check for the seamless functioning.