Auth0 as IDP and Service Provider - SAML

alejandro · September 11, 2018, 3:29pm

Hi,

I have a .net website , i need to allow my clients to SSO with SAML.

I wanted to do this test using Salesforce.com with SAML

So basically
I should be able to log into my site, using salesforce.com account with SAML

If i am not wrong, then auth0 should act as an intermediary IDP

My site would call Auth0, and this would validate the user against salesforce.com IDP

This is what i need, but couldnt get it working.

Any idea/link? thanks

glenn.davies · September 12, 2018, 2:10pm

Yes, you can make Auth0 do this.

It’s probably easier to integrate using the Salesforce social connection, which requires you to set up a connected app in your Salesforce org. Your clients can then make authentication requests against Auth0 with either SAML or Open ID Connect and be redirected to the target Salesforce org for credential input. Setup instruction are here.
If you must federate your Salesforce org via SAML, you can set up an SSO Integration. I think this is at additional cost (in Auth0). Setup instructions are in the setup wizard.

Both ways work. However, if your Salesforce org is itself federated with something like Active Directory, the social connection approach will not work because, in order to get the federated identity provider as an option when the user signs in, the authentication request must be made to your tenant URL and not login.salesforce.com (which is the default for the social connection and cannot be changed).

There is a workaround, however - you can set up a custom social connection and make the call to the tenant URL. This involves:

Setting up a connected app in Salesforce as you do for a standard Auth0 social connection.
Using the Auth0 Custom Social Connection extension and creating a connection where:

Client ID = Your Salesforce connected app consumer key
Client Secret = Your Salesforce connected app consumer secret
Authorization URL = https://<salesforce_tenant_url>/services/oauth2/authorize
Token URL = https://<salesforce_tenant_url>/services/oauth2/token

and Fetch User Profile script =

function(accessToken, ctx, cb) {
  console.log(Date.now(), '[Salesforce CSC] Starting Fetch User Profile script');
  request.get({
    uri: 'https://<salesforce_tenant_url>/services/oauth2/userinfo?format=json',
    timeout: 10000,
    headers: {
      'Authorization': 'Bearer ' + accessToken
    }
  }, function(e, r, b) {
    if (e) return cb(e);
    if (r.statusCode !== 200) return cb(new Error('StatusCode: ' + r.statusCode));
    console.log(Date.now(), '[Salesforce CSC] User profile retrieved');
    var profile = JSON.parse(b);
    profile.user_id = profile.organization_id + profile.user_id;
    cb(null, profile);
  });
}

Remembering to change <salesforce_tenant_url> in the above script appropriately.

Topic		Replies	Views
Need to perform SSO with Salesforce Community using SAML Help saml , sso , salesforce	2	4231	August 12, 2021
Implement Auth0 as IDP and Salesforce as Service provider Help saml , salesforce	1	5015	June 19, 2019
SSO from one service using Auth0 to another Help sso , sso-integration	1	3348	December 11, 2019
Concerned with vendor's usage of Auth0 Help	7	2312	May 27, 2021
Extending Auth0 SAML IDP for social logins Help saml , social-connections , idp	3	3740	March 2, 2018

Auth0 as IDP and Service Provider - SAML

Related Topics