SalesForce SSO implementation for PHP web application using SAML

Jan 20 2015, by Sanket Khare

Single Sign-On (SSO) is a process that allows network users to access all authorized network resources without having to log in separately to each resource. It also enables your organization to integrate with an external identity management system or perform web-based single sign-on to Force.com. Salesforce supports several types of authentication integration; the two it offers, federated authentication with SAML and delegated authentication, are described below.
Single Sign-On produces benefits in three main areas: reduction in administrative costs, increased ease of use and better implementation of security schemes.

  • Reduced administrative costs: With Single Sign-On, all user authentication information resides in a central directory, which reduces the need to maintain, monitor and potentially synchronize multiple stores, and also reduces user support requests around passwords.
  • Increased ease of use: Each user has only a single username and password, which grants them access to corporate resources and Salesforce. Reduced complexity means an easier-to-use environment that provides seamless access to all resources. Single Sign-On also saves users time, since each individual sign-on process can take 5 to 20 seconds to complete, and removing the extra step of logging into Salesforce can increase user adoption of your Salesforce applications by lowering the barrier to use.
  • Increased security: Any password policies that you have established for your corporate network will also be in effect for Salesforce, because the password is never entered into Salesforce at all. In addition, the credential sent to Salesforce (the SAML assertion) is short-lived and valid for a single use, which limits what an attacker gains by capturing it.

Salesforce offers two ways to use single sign-on:

1)  Federated authentication using Security Assertion Markup Language (SAML) allows you to send authentication and authorization data between affiliated but otherwise unrelated web services. This enables you to sign on to Salesforce from a client application. Federated authentication using SAML is enabled by default for your organization.

2)  Delegated authentication single sign-on enables you to integrate Salesforce with an authentication method of your choice. This lets you integrate authentication with your LDAP (Lightweight Directory Access Protocol) server, or perform single sign-on by authenticating with a token instead of a password.

SSO connects two systems, Salesforce and the web application, with one acting as the identity provider (IdP) and the other as the service provider (SP). An identity provider is a trusted party that authenticates users and enables them to use single sign-on to access other websites. A service provider is a website that hosts applications and relies on the identity provider's assertions. In this setup the web application is the service provider and Salesforce is the identity provider.

This is a great help to users: instead of having to remember many passwords, they only have to remember one. In addition, the applications can be added as tabs to your Salesforce organization, so users won't have to switch between programs. Salesforce supports service-provider-initiated login, where the service provider asks Salesforce to authenticate a user when the end user tries to access the application.

simpleSAMLphp has to be installed alongside the web application. The prerequisites for installing simpleSAMLphp are as follows:
  • A web server capable of executing PHP scripts.
  • PHP version >= 5.3.0.
  • Support for the following PHP extensions: date, dom, hash, libxml, openssl, pcre, SPL, zlib, mcrypt.
Installation steps:
  • Go to the directory where you want to install simpleSAMLphp and extract the archive file you downloaded.
  • Copy the files from the "config-templates" folder to the "config" folder.
  • Copy the files from the "metadata-templates" folder to the "metadata" folder.
  • Find the Apache configuration file for the virtual host where you want to run simpleSAMLphp and add an alias for the simpleSAMLphp "www" directory:
    <VirtualHost *>
        ServerName service.example.com
        DocumentRoot /var/www/service.example.com
        Alias /simplesaml /var/simplesamlphp/www
    </VirtualHost>
    You can name the alias whatever you want, but the same name must be set as 'baseurlpath' in simpleSAMLphp's config/config.php. Note that only the "www" directory is exposed to the web; the "config", "metadata" and "cert" directories (which hold the admin password, the secret salt and the SP's private key) stay outside the document root, and the installation should not be copied into it.
  • Now configure simpleSAMLphp by editing the file config/config.php.
    Set an administrator password. This is needed to access some of the pages in your simpleSAMLphp installation web interface, including the metadata converter used later, so treat it as an administrative credential and do not reuse another password:
    'auth.adminpassword' => 'setnewpasswordhere',
    Set a secret salt. This should be a random string; some parts of simpleSAMLphp need this salt to generate cryptographically secure hashes, and simpleSAMLphp will give an error if the salt is not changed from the default value. The command below can help you generate a random string on (some) Unix systems:
    tr -c -d '0123456789abcdefghijklmnopqrstuvwxyz' </dev/urandom | dd bs=32 count=1 2>/dev/null; echo
    'secretsalt' => 'randombytesinsertedhere',
    Set technical contact information. This information will be available in the generated metadata, and the e-mail address will also be used for receiving error reports sent automatically by simpleSAMLphp. Here is an example:
    'technicalcontact_name' => 'Some name',
    'technicalcontact_email' => 'some email address',
    If you want to enable some of the modules that are installed with simpleSAMLphp but are disabled by default, create an empty file named "enable" in that module's directory.
Salesforce needs to be set up as the identity provider, which involves the following steps:
  • Generate a domain name for your organization.
  • From Setup, click Domain Management | My Domain, enter a new subdomain name, and click Check Availability.
  • If the name is available, click the Terms and Conditions check box, then click Register Domain.
Enabling Salesforce as an identity provider:
  • From Setup, click Security Controls | Identity Provider.
  • Click Enable.
  • Click Download Certificate. Remember where you save the certificate, as you will upload it later.
Setting up simpleSAMLphp installed in the web application as the Service Provider (SP)
  • The SP is configured by an entry in config/authsources.php:
    <?php
    $config = array(
        /* This is the name of this authentication source, and will be used to access it later. */
        'default-sp' => array(
            'saml:SP',
            /* Key pair of the SP, stored in the cert/ directory (created in the next step). */
            'privatekey'  => 'saml.pem',
            'certificate' => 'saml.crt',
            /* Entity ID of the identity provider: the key of the Salesforce entry in
             * metadata/saml20-idp-remote.php, which is your custom domain URL. */
            'idp' => 'custom domain url',
            /* Entity ID of this SP; must match the Entity ID entered in the Connected App. */
            'entityID' => 'url of the web application',
            /* Bindings accepted at the Assertion Consumer Service (ACS). */
            'acs.Bindings' => array(
                'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST',
                'urn:oasis:names:tc:SAML:1.0:profiles:browser-post',
            ),
        ),
    );
  • Some identity providers or federations may require that your service provider holds a certificate. With a certificate configured, the SP can sign the requests it sends to the identity provider and receive encrypted responses. Create a self-signed certificate and private key in the cert/ directory:
    openssl req -newkey rsa:2048 -new -x509 -days 3652 -nodes -out saml.crt -keyout saml.pem
    The key is written unencrypted (-nodes), so restrict the permissions of saml.pem to the web server user: anyone who can read it can sign requests as your SP and decrypt responses meant for it.
  • The 'privatekey' and 'certificate' entries of the authsources.php entry above must name these two files (the names are relative to the cert/ directory).
  • The service provider you are configuring needs to know about the identity providers you are going to connect to it. This is configured by metadata stored in metadata/saml20-idp-remote.php.
  • Download the metadata file from Setup: click Security Controls | Identity Provider, then Download Metadata.
  • Convert the downloaded metadata file with the XML-to-simpleSAMLphp converter available under the Federation tab of the simpleSAMLphp web interface (one of the pages protected by the admin password).
  • The converted metadata is a PHP array. Paste this array into the file metadata/saml20-idp-remote.php. The certificate in it is what simpleSAMLphp uses to verify the signature on every assertion, so take it only from the file you downloaded from Setup, and update it whenever you rotate the Salesforce identity provider certificate.
  • Note that the idp-remote file lists all IdPs you trust: any identity provider listed there can issue assertions that your SP will accept. Remove all IdPs that you don't use.
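The conversion done by the Federation-tab tool can also be done by hand, which makes it clear which fields end up in saml20-idp-remote.php and why each matters. The following is an added example, not code from the original post or from simpleSAMLphp; the metadata document it parses is a constructed sample, and the entity ID, endpoint URLs and certificate body in it are placeholders. The output is an entry in the form that file expects, keyed by the IdP entity ID, which is also the value for 'idp' in config/authsources.php.

```php
<?php
// Added example: build a saml20-idp-remote entry from Salesforce IdP metadata.
// Constructed sample metadata; entity ID, endpoints and certificate are placeholders.
$sampleMetadata = <<<'XML'
<?xml version="1.0" encoding="UTF-8"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
                     xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
                     entityID="https://example.my.salesforce.com">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data>
        <ds:X509Certificate>
          MIIC0DCCAbigAwIBAgIEPLACEHOLDERBASE64BODY
        </ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://example.my.salesforce.com/idp/endpoint/HttpPost"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://example.my.salesforce.com/idp/endpoint/HttpRedirect"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
XML;

/**
 * Convert IdP metadata XML into a saml20-idp-remote array.
 * The certificate is the trust anchor: simpleSAMLphp verifies assertion
 * signatures against it, so it must come from metadata you downloaded
 * from Setup yourself, never from a URL carried inside an assertion.
 */
function salesforceIdpMetadataToArray($xml)
{
    // Hardening for untrusted XML: no network access and no external
    // entities (the loader call is deprecated in PHP 8, where it is already off).
    if (PHP_VERSION_ID < 80000) {
        libxml_disable_entity_loader(true);
    }
    $doc = new DOMDocument();
    if (!$doc->loadXML($xml, LIBXML_NONET)) {
        throw new RuntimeException('IdP metadata is not well-formed XML');
    }
    $xp = new DOMXPath($doc);
    $xp->registerNamespace('md', 'urn:oasis:names:tc:SAML:2.0:metadata');
    $xp->registerNamespace('ds', 'http://www.w3.org/2000/09/xmldsig#');

    $entityId = $doc->documentElement->getAttribute('entityID');
    if ($entityId === '') {
        throw new RuntimeException('entityID attribute missing');
    }

    // Every SSO endpoint must be HTTPS: the AuthnRequest and the user's
    // Salesforce session travel through it.
    $sso = array();
    $endpoints = $xp->query('/md:EntityDescriptor/md:IDPSSODescriptor/md:SingleSignOnService');
    foreach ($endpoints as $ep) {
        $location = $ep->getAttribute('Location');
        if (parse_url($location, PHP_URL_SCHEME) !== 'https') {
            throw new RuntimeException("Refusing non-HTTPS SSO endpoint: $location");
        }
        $sso[] = array('Binding' => $ep->getAttribute('Binding'), 'Location' => $location);
    }
    if (count($sso) === 0) {
        throw new RuntimeException('No SingleSignOnService endpoint found');
    }

    // Signing certificate (a KeyDescriptor without a "use" attribute counts too).
    $certs = $xp->query('/md:EntityDescriptor/md:IDPSSODescriptor'
        . '/md:KeyDescriptor[not(@use) or @use="signing"]'
        . '/ds:KeyInfo/ds:X509Data/ds:X509Certificate');
    if ($certs->length === 0) {
        throw new RuntimeException('No signing certificate in metadata');
    }
    // simpleSAMLphp wants the bare base64 body without whitespace.
    $certData = preg_replace('/\s+/', '', $certs->item(0)->nodeValue);

    return array(
        'entityid'            => $entityId,
        'SingleSignOnService' => $sso,
        'certData'            => $certData,
    );
}

$entry = salesforceIdpMetadataToArray($sampleMetadata);

// Emit the entry in the form it takes in metadata/saml20-idp-remote.php.
echo "<?php\n\$metadata['" . addslashes($entry['entityid']) . "'] = "
    . var_export($entry, true) . ";\n";
```

Run it with `php convert.php > metadata/saml20-idp-remote.php` (file name assumed) after replacing the sample with the downloaded metadata. The HTTPS check and the insistence on a signing certificate are the two failure modes worth catching at this step: an HTTP endpoint would leak the user's session to the network, and an entry without a certificate leaves simpleSAMLphp nothing to verify assertion signatures against.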
As we are using Salesforce as the identity provider, the service provider has to be registered with it as a Connected App.
  • Log into Salesforce.
  • From Setup, click Create | Apps.
  • Click New in the Connected Apps section and, for Connected App Name, enter a name.
  • In the Web App Settings area, select Enable SAML and then enter the following information:
    ACS URL => the assertion consumer service URL of your web application, i.e. the web application URL followed by /simplesaml/module.php/saml/sp/saml2-acs.php/default-sp, where "default-sp" is the name of the authentication source in authsources.php. Salesforce sends the SAML response to this URL, so it must match the SP's ACS endpoint exactly and should use HTTPS.
    Entity ID => the URL of the web application (the same value as 'entityID' in authsources.php)
    Subject Type => Federation ID
  • Click Save.
  • To authorize access to this app, click Manage Apps | Connected Apps, click the name of the application, and add the current user's profile. Only users whose profile (or permission set) is listed here can log in through this app.
  • To map the Salesforce user to the web application's user, set the Federation ID on the Salesforce user record; this is the value the SP receives as the NameID of the assertion:
    At the top of any Salesforce page, click the down arrow next to your name. From the menu under your name, select Setup or My Settings, whichever one appears.
    If you clicked Setup, select My Personal Information | Personal Information.
    If you clicked My Settings, select Personal | Advanced User Detail.
    Click Edit.
    For Federation ID, enter the value that the web application uses to identify this user.
  • Click Save.
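With the SP, the IdP metadata and the Connected App in place, the remaining piece is the page in the PHP web application that actually triggers the SP-initiated login and consumes the result. The following is an added example written against the simpleSAMLphp 1.x API (SimpleSAML_Auth_Simple); it is not code from the original post. It assumes simpleSAMLphp is installed under /var/simplesamlphp as in the Apache alias above, that the auth source is the 'default-sp' entry from config/authsources.php, that the Salesforce entity ID is https://example.my.salesforce.com, and that the $localUsers table stands in for the application's own user store.

```php
<?php
// Added example: protected entry page of the web application.
// Assumptions: simpleSAMLphp 1.x under /var/simplesamlphp, auth source
// 'default-sp', IdP entity ID https://example.my.salesforce.com, and a
// constructed $localUsers table in place of the real user store.

require_once '/var/simplesamlphp/lib/_autoload.php';

// The only identity provider whose assertions this application accepts.
// Must equal the key of the Salesforce entry in metadata/saml20-idp-remote.php.
$expectedIdp = 'https://example.my.salesforce.com';

// Constructed lookup table: Federation ID -> local account and local role.
$localUsers = array(
    'jane.doe@example.com' => array('display' => 'Jane Doe', 'role' => 'analyst'),
);

$as = new SimpleSAML_Auth_Simple('default-sp');

// SP-initiated login. With no SP session this redirects the browser to the
// Salesforce SingleSignOnService endpoint with an AuthnRequest and does not
// return; Salesforce posts the signed response to the ACS URL registered in
// the Connected App, simpleSAMLphp verifies it, then sends the user back here.
$as->requireAuth();

// A session established by any other IdP listed in saml20-idp-remote.php is
// not good enough: check which IdP actually authenticated this user.
if ($as->getAuthData('saml:sp:IdP') !== $expectedIdp) {
    // Drops the SP session and redirects; does not return.
    $as->logout();
}

// The Connected App's Subject Type is Federation ID, so the assertion's
// NameID carries the Federation ID. simpleSAMLphp 1.x returns it as an array
// with a 'Value' key; newer releases return a NameID object.
$nameId = $as->getAuthData('saml:sp:NameID');
if (is_array($nameId) && isset($nameId['Value'])) {
    $federationId = $nameId['Value'];
} elseif (is_object($nameId) && method_exists($nameId, 'getValue')) {
    $federationId = $nameId->getValue();
} else {
    header('HTTP/1.1 403 Forbidden');
    exit('Assertion carried no usable NameID.');
}

// Map to a local account. The assertion proves who Salesforce says the user
// is, not what they may do here: authorization stays local, and an unknown
// Federation ID is denied rather than auto-provisioned.
if (!isset($localUsers[$federationId])) {
    header('HTTP/1.1 403 Forbidden');
    exit('No local account is linked to this Federation ID.');
}
$user = $localUsers[$federationId];

header('Content-Type: text/html; charset=utf-8');
printf('<p>Signed in as %s (%s) via %s.</p>',
    htmlspecialchars($user['display'], ENT_QUOTES, 'UTF-8'),
    htmlspecialchars($user['role'], ENT_QUOTES, 'UTF-8'),
    htmlspecialchars($expectedIdp, ENT_QUOTES, 'UTF-8'));
printf('<p><a href="%s">Log out</a></p>',
    htmlspecialchars($as->getLogoutURL(), ENT_QUOTES, 'UTF-8'));
```

Two checks in this page are easy to forget and matter most: the comparison of 'saml:sp:IdP' against the expected entity ID, which keeps a stray entry in saml20-idp-remote.php from logging users in, and the lookup of the Federation ID in the local user store, which keeps the application's authorization decisions out of the identity provider's hands.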

For more information on Salesforce SSO, please contact us.

