
Auth0 as IDP and Service Provider - SAML

saml2
idp
service-provider

#1

Hi,

I have a .NET website, and I need to allow my clients to SSO with SAML.

I wanted to do this test using Salesforce.com with SAML

So basically, I should be able to log into my site using a salesforce.com account with SAML.

If I am not wrong, then Auth0 should act as an intermediary IDP.

My site would call Auth0, and this would validate the user against the salesforce.com IDP.

This is what I need, but I couldn't get it working.

Any idea/link? Thanks.


#2

Yes, you can make Auth0 do this.

  • It’s probably easier to integrate using the Salesforce social connection, which requires you to set up a connected app in your Salesforce org. Your clients can then make authentication requests against Auth0 with either SAML or OpenID Connect and be redirected to the target Salesforce org for credential input. Setup instructions are here.

  • If you must federate your Salesforce org via SAML, you can set up an SSO Integration. I think this is at additional cost (in Auth0). Setup instructions are in the setup wizard.

Both ways work. However, if your Salesforce org is itself federated with something like Active Directory, the social connection approach will not work because, in order to get the federated identity provider as an option when the user signs in, the authentication request must be made to your tenant URL and not login.salesforce.com (which is the default for the social connection and cannot be changed).

There is a workaround, however - you can set up a custom social connection and make the call to the tenant URL. This involves:

  • Setting up a connected app in Salesforce as you do for a standard Auth0 social connection.

  • Using the Auth0 Custom Social Connection extension and creating a connection where:

Client ID = Your Salesforce connected app consumer key
Client Secret = Your Salesforce connected app consumer secret
Authorization URL = https://<salesforce_tenant_url>/services/oauth2/authorize
Token URL = https://<salesforce_tenant_url>/services/oauth2/token

and Fetch User Profile script =

function(accessToken, ctx, cb) {
  // `request` is the HTTP client provided by the Auth0 script sandbox.
  console.log(Date.now(), '[Salesforce CSC] Starting Fetch User Profile script');
  request.get({
    uri: 'https://<salesforce_tenant_url>/services/oauth2/userinfo?format=json',
    timeout: 10000,
    headers: {
      'Authorization': 'Bearer ' + accessToken
    }
  }, function(e, r, b) {
    if (e) return cb(e);
    if (r.statusCode !== 200) return cb(new Error('StatusCode: ' + r.statusCode));
    console.log(Date.now(), '[Salesforce CSC] User profile retrieved');
    var profile;
    try {
      profile = JSON.parse(b);
    } catch (parseErr) {
      // A non-JSON body (e.g. an HTML error page) must not produce a half-built profile.
      return cb(new Error('userinfo response is not valid JSON'));
    }
    // Prefix the Salesforce user id with the org id so the Auth0 user_id is unique per org.
    profile.user_id = profile.organization_id + profile.user_id;
    cb(null, profile);
  });
}

Remember to change <salesforce_tenant_url> in the above script appropriately.
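As an added example (not code from this thread or from Auth0), here is the same Fetch User Profile logic split into a pure mapping function plus an injectable fetch wrapper, so the status, JSON and required-field checks can be unit-tested offline before the script is pasted into the extension. The names `mapSalesforceProfile`, `fetchUserProfile` and `SALESFORCE_TENANT_URL` are my own, and `request` is assumed to be the HTTP client Auth0 exposes inside connection scripts.

```javascript
// Added example: testable version of the Salesforce custom social connection
// profile script. SALESFORCE_TENANT_URL is a placeholder for your My Domain host.
const SALESFORCE_TENANT_URL = 'https://<salesforce_tenant_url>';

// Turn a raw userinfo response into the profile object Auth0 stores.
// Returns { error } or { profile } so the caller never has to catch exceptions.
function mapSalesforceProfile(statusCode, body) {
  if (statusCode !== 200) {
    return { error: new Error('StatusCode: ' + statusCode) };
  }
  let raw;
  try {
    raw = JSON.parse(body);
  } catch (e) {
    return { error: new Error('userinfo response is not valid JSON') };
  }
  // Refuse to mint an identity if the two fields the user_id is built from are missing.
  if (typeof raw.user_id !== 'string' || typeof raw.organization_id !== 'string') {
    return { error: new Error('userinfo response missing user_id/organization_id') };
  }
  return {
    profile: {
      user_id: raw.organization_id + raw.user_id, // org-scoped, as in the posted script
      email: raw.email,
      email_verified: raw.email_verified === true, // never trust a non-boolean here
      name: raw.name,
      given_name: raw.given_name,
      family_name: raw.family_name,
      nickname: raw.preferred_username,
      picture: raw.picture,
    },
  };
}

// Script body. httpGet is injectable for tests; in the Auth0 sandbox it falls
// back to the sandbox-provided `request.get` (assumed to exist there).
function fetchUserProfile(accessToken, ctx, cb, httpGet) {
  const get = httpGet || (typeof request !== 'undefined' ? request.get : null);
  if (!get) return cb(new Error('no HTTP client available'));
  get({
    uri: SALESFORCE_TENANT_URL + '/services/oauth2/userinfo?format=json',
    timeout: 10000,
    headers: { Authorization: 'Bearer ' + accessToken },
  }, function (e, r, b) {
    if (e) return cb(e);
    const result = mapSalesforceProfile(r.statusCode, b);
    if (result.error) return cb(result.error);
    cb(null, result.profile);
  });
}
```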