
I have no Access Control Service (ACS) installed, but I've seen in an online video demo that Salesforce is not in the list of available pre-installed identity providers. Salesforce can be configured as an IdP (standard SAML 2.0 is used). Can I set up ACS so that I can use Salesforce as the identity provider? Thanks

YMC

1 Answer


I haven't personally used a SAML 2.0 token provider, but its official description says that ACS supports SAML 2.0 tokens. The list of supported protocols is OAuth 2.0, WS-Trust, and WS-Federation (as per the official statement).

Also, there is currently no automated (user-interface) way to add identity providers other than the ones predefined in ACS. You can, however, use the ACS cmdlets to manually add IdPs that use a supported protocol. Here is Vittorio's blog post that shows how to add an OpenID provider.

If you can configure Salesforce as an IdP with the use of SAML 2.0 tokens, you just need to identify the protocol (is it OAuth, WS-Trust or WS-Federation?) and execute a PowerShell command which would look something like this:

PS:\>Add-IdentityProvider -Namespace "myacsnamespace" -ManagementKey "XXXXXXXX" -Type "Manual" -Name "SalesForce" -Protocol OAuth -SignInAddress "http://www.your_salesforce_site.com/sign-in-url"

The list of supported protocols for this command is: WsFederation, OAuth, OpenId, WsTrust. So the Salesforce IdP configuration must use one of those protocols with SAML 2.0 tokens, and then it must work. I think it's OAuth, as per this wiki.

Hope this helps!

astaykov
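A worked example added here as an illustration (it is not part of the answer above or of any ACS sample code): whichever protocol value the ACS cmdlet ends up accepting, the two things the operator has to supply for a SAML 2.0 IdP such as Salesforce, the sign-in address and the IdP's signing certificate, both come from the IdP's SAML 2.0 metadata document, where the protocol bindings the comments below argue about are spelled out explicitly. The script below reads a constructed metadata document (the entity ID, endpoint URLs and certificate are placeholders, not Salesforce's real values), extracts the `SingleSignOnService` endpoints and signing certificates, and flags the things you would want to catch before pasting a value into `-SignInAddress`: a binding the relying side cannot speak, a plain `http://` sign-in address like the placeholder in the command above (a bearer SAML response posted over plain HTTP can be read and replayed by anyone on the path), and a descriptor with no signing certificate.

```python
"""Extract what a relying party needs from a SAML 2.0 IdP metadata document.

Added example, not from the thread above. All URLs, the entity ID and the
certificate payload below are constructed placeholders.
"""
import base64
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field
from urllib.parse import urlparse

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
SAML2_PROTOCOL = "urn:oasis:names:tc:SAML:2.0:protocol"
# Bindings a web-SSO relying party can actually use for the IdP-side endpoint.
BINDINGS = {
    "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST": "HTTP-POST",
    "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect": "HTTP-Redirect",
}

# Constructed placeholder, not a real X.509 certificate.
FAKE_CERT_B64 = base64.b64encode(b"not a real certificate").decode()

# Constructed sample metadata in the shape a SAML 2.0 IdP publishes.
SAMPLE_METADATA = f"""<?xml version="1.0" encoding="UTF-8"?>
<md:EntityDescriptor xmlns:md="{NS['md']}" xmlns:ds="{NS['ds']}"
                     entityID="https://idp.example.com/saml">
  <md:IDPSSODescriptor protocolSupportEnumeration="{SAML2_PROTOCOL}">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data>
        <ds:X509Certificate>{FAKE_CERT_B64}</ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
                            Location="https://idp.example.com/sso/post"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
                            Location="https://idp.example.com/sso/redirect"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""


@dataclass
class IdpSummary:
    entity_id: str
    protocols: list
    sso_endpoints: dict            # binding short name -> Location URL
    signing_certs: list            # DER bytes of each signing certificate
    problems: list = field(default_factory=list)


def parse_idp_metadata(xml_text: str) -> IdpSummary:
    """Parse IdP metadata and collect the endpoints, certs and any red flags.

    Metadata fetched from a third party is untrusted XML; ElementTree does not
    resolve external entities, but for production use prefer defusedxml.
    """
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{NS['md']}}}EntityDescriptor":
        raise ValueError("not a SAML 2.0 EntityDescriptor")
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("no IDPSSODescriptor: this entity does not act as an IdP")

    problems = []
    protocols = (idp.get("protocolSupportEnumeration") or "").split()
    if SAML2_PROTOCOL not in protocols:
        problems.append("descriptor does not advertise the SAML 2.0 protocol")

    endpoints = {}
    for sso in idp.findall("md:SingleSignOnService", NS):
        binding, location = sso.get("Binding"), sso.get("Location", "")
        name = BINDINGS.get(binding)
        if name is None:
            problems.append(f"unsupported binding {binding}")
            continue
        if urlparse(location).scheme != "https":
            problems.append(f"{name} endpoint is not HTTPS: {location}")
        endpoints[name] = location
    if not endpoints:
        problems.append("no usable SingleSignOnService endpoint")

    certs = []
    for kd in idp.findall("md:KeyDescriptor", NS):
        # A KeyDescriptor without 'use' is valid for both signing and encryption.
        if kd.get("use", "signing") != "signing":
            continue
        for cert in kd.findall(".//ds:X509Certificate", NS):
            certs.append(base64.b64decode("".join((cert.text or "").split())))
    if not certs:
        problems.append("no signing certificate: assertions could not be verified")

    return IdpSummary(root.get("entityID", ""), protocols, endpoints, certs, problems)


def sign_in_address(summary: IdpSummary, prefer: str = "HTTP-POST") -> str:
    """Pick the endpoint you would hand to the relying party as the sign-in URL."""
    if summary.problems:
        raise ValueError("refusing to use metadata with problems: " + "; ".join(summary.problems))
    return summary.sso_endpoints.get(prefer) or next(iter(summary.sso_endpoints.values()))


if __name__ == "__main__":
    s = parse_idp_metadata(SAMPLE_METADATA)
    print(s.entity_id, s.sso_endpoints, s.problems)
    print("sign-in address:", sign_in_address(s))
```

Run against a real IdP's metadata, the `problems` list is the pre-flight check: an empty list means you have an HTTPS sign-in endpoint on a binding you can speak and a certificate to verify assertions against; anything else should stop the IdP from being registered until it is resolved.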
  • Note that, in general, all these protocols have different purposes. They are not interchangeable. e.g.: WS-Trust is for SOAP web services, WS-Federation is for Web sites. Even if they reuse the token format. – Eugenio Pace Jan 11 '12 at 16:45
  • I'm confused. As far as I know, the SAML 2.0 standard is not only about the token format; it's a protocol too. It describes communication rules the same way WS-Federation, OAuth and OpenID do, so it is self-sufficient. I think Salesforce as an IdP uses SAML 2.0 only; at least there is nothing about those protocols on Salesforce.com: https://login.salesforce.com/help/doc/en/identity_provider_about.htm. It just says it supports SAML 2.0. Does that mean I cannot use Salesforce in ACS? – YMC Jan 12 '12 at 00:03
  • I really want to see the input from someone from Microsoft's Identity team here. @YMC, did you check this wiki: http://wiki.developerforce.com/page/Single_Sign-On_for_Desktop_and_Mobile_Applications_using_SAML_and_OAuth which describes that they are layering SAML AND OAuth, which might be the solution for ACS. – astaykov Jan 12 '12 at 10:09
  • I took a look at it; it's an interesting article, but it does not guarantee me I can reach the desired result by spending a couple of days or so exploring ACS features. I hoped there was a straightforward way to add any arbitrary SAML 2.0 IdP in ACS; looks like there is not. Ok, anyway it is a result and helpful to know. Thanks for the info, +1 – YMC Jan 12 '12 at 19:15
  • @YMC did you ever get this working? I have to integrate a SAML2.0 IdP with ACS as well and looking to find a way. In my case, it's an OpenAM IdP. – Roy Oct 19 '12 at 11:02
  • I tried this, not through the cmdlets but through the ManagementServiceWrapper classes defined in the code accompanying this guide from Microsoft http://msdn.microsoft.com/en-us/library/ff423674.aspx. I got the error message ' The value specified for the field 'IdentityProvider_ProtocolType' is not valid.' for OAuth. Seems like you can only really use ACS with ADFS or Facebook etc for the IdP and bespoke applications for the RPs. – Polly Shaw Jan 30 '13 at 15:17
  • For all the down voters: **If you think anything is wrong, you can post a new answer or a comment! And pay attention the time and date the question has been answered!** – astaykov May 23 '13 at 18:53
  • It's 2016... and I still have the same question... Did someone try and succeed? – Wali Jun 13 '16 at 18:22
  • @Wali, as you noted, it's 2016 and thus ACS is on "stand by"; there is Azure AD, which has direct and full integration with Salesforce and more than 2000 other cloud SaaS applications. On the other hand there is Azure AD B2C Preview, which handles the roles ACS was playing. For both services you can use your favorite search engine to find out more. – astaykov Jun 15 '16 at 05:42