[teiid-issues] [JBoss JIRA] (TEIID-3618) Salesforce SSO

Ramesh Reddy (JIRA) issues at jboss.org
Thu Sep 3 14:13:00 EDT 2015


    [ https://issues.jboss.org/browse/TEIID-3618?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13105339#comment-13105339 ] 

Ramesh Reddy commented on TEIID-3618:
-------------------------------------

More helpful links

https://developer.salesforce.com/blogs/developer-relations/2011/03/oauth-and-the-soap-api.html
https://help.salesforce.com/apex/HTViewHelpDoc?id=remoteaccess_oauth_jwt_flow.htm&language=en_US#create_token
http://salesforce.stackexchange.com/questions/31904/how-and-when-does-a-salesforce-saml-oauth2-user-give-permission-to-use-a-conne
http://salesforce.stackexchange.com/questions/30596/oauth-2-0-jwt-bearer-token-flow
http://salesforce.stackexchange.com/questions/88396/invalid-assertion-error-in-jwt-bearer-token-flow

*OAuth Refresh Token Steps*
1) create connected app (may need to setup custom domain)
2) add profile and/or permissions set to the connected app
3) grab the "callback url" (one needs to set it as "https://localhost:443/_callback")
4) Run through the teiid-oauth-util.sh in "<eap>/bin" directory, use client_id, client_pass, and callback from connected app
5) use "https://login.salesforce.com/services/oauth2/authorize" authorize link
6) use "https://login.salesforce.com/services/oauth2/token" for access token url
7) then you get a refresh token from it
8) create a security-domain like

{code}
<security-domain name="oauth2-security">
    <authentication>
        <login-module code="org.teiid.jboss.oauth.OAuth20LoginModule" flag="required" module="org.jboss.teiid.security">
            <module-option name="client-id" value="xxxx"/>
            <module-option name="client-secret" value="xxxx"/>
            <module-option name="refresh-token" value="xxxx"/>
            <module-option name="access-token-uri" value="https://login.salesforce.com/services/oauth2/token"/>
        </login-module>
    </authentication>
</security-domain>
{code}
 


*JWT based Steps* 
1) Create a Self-Signed certificate locally or on Salesforce. (user->setup->security-controls->Certificate and Key Management)
2) Download the certificate and also put in keystore and download keystore. Keystore is needed for Teiid, certificate for the salesforce setup
3) Create connected app and select OAuth, and select all the scopes (some posts say refresh-token offline is must)
4) create a profile and/or permission set assign to the connected app. I believe before you can create a connected app you need to set up custom domain
5) When you are creating the connected app make sure you add the certificate in "Digital Certificate"
6) Now in Teiid create security-domain like
{code}
<security-domain name="oauth2-jwt-security">
    <authentication>
        <login-module code="org.teiid.jboss.oauth.JWTBearerTokenLoginModule" flag="required" module="org.jboss.teiid.security">
            <module-option name="client-id" value="xxxxx"/>
            <module-option name="client-secret" value="xxxx"/>
            <module-option name="access-token-uri" value="https://login.salesforce.com/services/oauth2/token"/>
            <module-option name="jwt-audience" value="https://login.salesforce.com"/>
            <module-option name="jwt-subject" value="your at sf-login.com"/>

            <module-option name="keystore-type" value="JKS"/>
            <module-option name="keystore-password" value="changeme"/>
            <module-option name="keystore-url" value="${jboss.server.config.dir}/salesforce.jks"/>
            <module-option name="certificate-alias" value="teiidtest"/>
            <module-option name="signature-algorithm-name" value="SHA256withRSA"/>
        </login-module>
    </authentication>
</security-domain>
{code}
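Added example, not Teiid's own JWTBearerTokenLoginModule code and not part of the comment above: a plain Java 11 program that builds the signed JWT assertion the JWT bearer flow described above sends to the token endpoint, reading the same JKS keystore, alias and SHA256withRSA algorithm the security-domain names. The consumer key, Salesforce username and keystore path are placeholders, and the private-key password is assumed to equal the keystore password.

```java
import java.io.FileInputStream;
import java.net.URI;
import java.net.URLEncoder;
import java.net.http.HttpClient;
import java.net.http.HttpRequest;
import java.net.http.HttpResponse;
import java.nio.charset.StandardCharsets;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.Signature;
import java.util.Base64;

public class SalesforceJwtAssertion {
    // Assumed placeholders: consumer key of the connected app and the Salesforce username (jwt-subject).
    static final String CLIENT_ID = "<connected-app-consumer-key>";
    static final String SUBJECT = "<salesforce-username>";
    static final String AUDIENCE = "https://login.salesforce.com"; // jwt-audience
    static final String TOKEN_URI = "https://login.salesforce.com/services/oauth2/token"; // access-token-uri
    static String b64url(byte[] data) {
        return Base64.getUrlEncoder().withoutPadding().encodeToString(data);
    }
    // header.claims.signature per RFC 7519; Salesforce checks iss, sub, aud and a short-lived exp.
    static String buildAssertion(PrivateKey key, long nowSeconds) throws Exception {
        String header = "{\"alg\":\"RS256\"}";
        String claims = String.format("{\"iss\":\"%s\",\"sub\":\"%s\",\"aud\":\"%s\",\"exp\":%d}",
                CLIENT_ID, SUBJECT, AUDIENCE, nowSeconds + 180);
        String signingInput = b64url(header.getBytes(StandardCharsets.UTF_8)) + "."
                + b64url(claims.getBytes(StandardCharsets.UTF_8));
        Signature sig = Signature.getInstance("SHA256withRSA"); // signature-algorithm-name
        sig.initSign(key);
        sig.update(signingInput.getBytes(StandardCharsets.US_ASCII));
        return signingInput + "." + b64url(sig.sign());
    }
    public static void main(String[] args) throws Exception {
        // keystore-type, keystore-password and certificate-alias as in the security-domain above;
        // the key password is assumed to be the same as the keystore password.
        char[] pw = "changeme".toCharArray();
        KeyStore ks = KeyStore.getInstance("JKS");
        try (FileInputStream in = new FileInputStream("salesforce.jks")) { ks.load(in, pw); }
        PrivateKey key = (PrivateKey) ks.getKey("teiidtest", pw);
        String assertion = buildAssertion(key, System.currentTimeMillis() / 1000);
        String body = "grant_type=" + URLEncoder.encode("urn:ietf:params:oauth:grant-type:jwt-bearer", StandardCharsets.UTF_8)
                + "&assertion=" + URLEncoder.encode(assertion, StandardCharsets.UTF_8);
        HttpRequest req = HttpRequest.newBuilder(URI.create(TOKEN_URI))
                .header("Content-Type", "application/x-www-form-urlencoded")
                .POST(HttpRequest.BodyPublishers.ofString(body)).build();
        HttpResponse<String> resp = HttpClient.newHttpClient().send(req, HttpResponse.BodyHandlers.ofString());
        System.out.println(resp.statusCode() + " " + resp.body()); // 200 with access_token, or an OAuth error JSON
    }
}
```

A 400 "invalid_grant" response from the token endpoint (the third Stack Exchange link above) usually means the certificate uploaded to the connected app, the subject user, or the app's user/profile assignment does not match what the assertion carries.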

> Salesforce SSO
> --------------
>
>                 Key: TEIID-3618
>                 URL: https://issues.jboss.org/browse/TEIID-3618
>             Project: Teiid
>          Issue Type: Feature Request
>          Components: Salesforce Connector
>            Reporter: Kenneth Peeples
>            Assignee: Ramesh Reddy
>
> The current Salesforce Connector is using password+token for credentials.  We should have the ability to use Salesforce SSO.
> Implementation the same as described here (we could use Keycloak or Picketlink for IDP) - https://login.salesforce.com/help/pdfs/en/salesforce_single_sign_on.pdf?



--
This message was sent by Atlassian JIRA
(v6.4.11#64026)