
Simonds - Discussion on Almost Anything

Salesforce PHP Single Sign On Integration Tutorial

06-29-2010 at 09:45 AM (4880 Views)
Over the next two weeks I will be working on configuring Salesforce single sign-on against our Active Directory servers. This will let our Salesforce users log in with their Active Directory credentials. During this development I will provide step-by-step instructions on how my organization got this single sign-on working and deployed. This blog entry will contain PHP code snippets, the SOAP server code, and instructions on how we developed it. We will be using Salesforce.com's Delegated Authentication to accomplish this. Please stay tuned for more entries over the next few days and weeks.

Thanks!!

~Mike


Comments

  1. mike
    I have actually finished the single sign on for my company and will share the code here and explain how it works!!
  2. mike
    So here is how I was able to integrate Single Sign On using PHP with Salesforce.com. It was actually pretty easy and works without any issues.

    First, you have to contact Salesforce and have them enable delegated authentication on your Salesforce instance/organization.

    What this accomplishes and allows you to do is use the password from active directory from your company and log in to your Salesforce instance.

    Once it is enabled, Salesforce does not store passwords for users; it sends out a SOAP message with the username, password, and IP address:

    Code:
    <?xml version="1.0" encoding="UTF-8"?>
    <soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
     <soapenv:Body>
      <Authenticate xmlns="urn:authentication.soap.sforce.com">
       <username>insite.test@maxim-ic.com</username>
       <password>yourpass</password>
       <sourceIp>205.153.101.8</sourceIp>
      </Authenticate>
     </soapenv:Body>
    </soapenv:Envelope>
    Once that is sent, you have to be able to parse that XML message and pass it through to your AD server. There is a great LDAP PHP class that I was told about and use:

    You can find it here > adLDAP - LDAP Authentication with PHP for Active Directory

    You can use what you want to parse the XML, but I use a script called MagicParser.php, which is a paid script but outstanding for parsing almost all types of files or data. You can purchase that here > Magic Parser | PHP XML, RSS & CSV Parser. It is really cheap and works great, totally worth the money.

    Here is the code:

    PHP Code:
    <?php

    $salesforce = array();
    error_reporting(E_ALL & ~E_NOTICE);
    ini_set("soap.wsdl_cache_enabled", "0");
    require_once ('/users/msimonds/public_html/maps_sso/MagicParser.php');

    // Read the raw SOAP request that Salesforce POSTs to this endpoint
    $data = fopen('php://input', 'rb');
    $content = stream_get_contents($data);

    // Debugging aid: emails the raw request (which includes the user's password)
    mail('mike.simonds@maxim-ic.com', 'Sso', $content);
    // Walk the envelope; myRecordHandler() fills in $salesforce
    MagicParser_parse("string://" . $content, "myRecordHandler", "xml|SOAPENV:ENVELOPE/");

    $check_user_data = array();

    //for dev purposes
    $check_user_data['mail'] = substr($salesforce['mail'], 0, -5);

    // Look the user up in AD by mail address to get the AD username
    $results = _LdapUserSearch($check_user_data);
    $validate_user = array();
    foreach ($results as $r)
    {
        $test = '<pre>' . print_r($r, true) . '</pre>';
        $validate_user['username'] = $r['username'];
    }
    $validate_user['password'] = $salesforce['password'];

    $username = $validate_user['username'];
    $password = $validate_user['password'];

    $verify = verify_salesforce_user($username, $password);

    if ($verify)
    {
        respond('true');
    }
    else
    {
        respond('false');
    }

    /*
    * Functions
    */

    // Sends the AuthenticateResponse that Salesforce expects ('true' or 'false')
    function respond($tf)
    {
        print '<?xml version="1.0" encoding="UTF-8"?>
       <soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
            <soapenv:Body>
                   <AuthenticateResponse xmlns="urn:authentication.soap.sforce.com">
                      <Authenticated>' . $tf . '</Authenticated>
                 </AuthenticateResponse>
               </soapenv:Body>
       </soapenv:Envelope>
    ';
    }

    //function that takes in Salesforce username and password
    //verifies it against AD then returns True or False
    function verify_salesforce_user($username, $password)
    {
        require_once ('/users/msimonds/public_html/maps_sso/adLDAP.php');

        $options = array(
                            'base_dn' => 'DC=domain,DC=domain',
                            'domain_controllers' => array("yourdomain.domain.controller")
                        );

        $ldap = new adLDAP($options);

        $authusername = "DOMAIN\\" . $username;

        $result = $ldap->authenticate($authusername, $password);

        if ($result)
        {
            return true;
        }
        else
        {
            return false;
        }
    }

    //function that searches AD for the attributes passed in (here the mail
    //address) and returns the matching user records
    function _LdapUserSearch($search)
    {
        if (!$search || !is_array($search))
        {
            return false;
        }

        //note: $value goes into the LDAP filter unescaped
        $ldapsearch = '';
        foreach ($search as $key => $value)
        {
            $ldapsearch .= "($key=$value)";
        }
        $ldapsearch = "(|$ldapsearch)";

        $user = array();

        require_once ('/users/msimonds/public_html/maps_sso/adLDAP.php');

        $options = array(
                            'base_dn' => 'DC=domain,DC=domain',
                            'domain_controllers' => array("yourdomain.domain.controller")
                        );

        $ldap = new adLDAP($options);

        //make sure you have a dedicated account that can search AD
        //Also make sure that the password never expires or you will
        //run into sign on issues with users
        $authusername = "DOMAIN\\user.name";
        $authpassword = "password";

        $result = $ldap->authenticate($authusername, $authpassword);

        if ($result)
        {
            $result_maximic = $ldap->user_info_lookup($ldapsearch);
            return $result_maximic;
        }
        // Search-account bind failed: return an empty result set
        return array();
    }

    //record handler for MagicParser: copies username and password out of the
    //Authenticate element into the global $salesforce array
    function myRecordHandler($record)
    {
        global $salesforce;
        $salesforce['mail'] = $record["SOAPENV:BODY/AUTHENTICATE/USERNAME"];
        $salesforce['password'] = $record["SOAPENV:BODY/AUTHENTICATE/PASSWORD"];
    }

    ?>
    This is pretty self-explanatory!!

    Let me know if this helps anyone!

    ~Mike
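Added example, not code from the post or from adLDAP/MagicParser: the same handler steps built on PHP's standard DOM and LDAP extensions, so the Authenticate message is parsed with its namespaces enforced and the username is escaped before it is placed in the AD search filter, which the post's `_LdapUserSearch()` does not do. The AD bind itself is left to the adLDAP code in the post; `ldap_escape()` needs ext/ldap (PHP 5.6 or later).

```php
<?php
// Added example, not the post's code: a hardened version of the handler above.
// Needs ext/dom and ext/ldap (for ldap_escape); the AD bind itself is not shown.
const SOAP_NS = 'http://schemas.xmlsoap.org/soap/envelope/';
const AUTH_NS = 'urn:authentication.soap.sforce.com';

// Parse the Authenticate request; null unless username, password and sourceIp
// each appear exactly once under the expected namespaces.
function parse_authenticate(string $xml): ?array
{
    libxml_use_internal_errors(true);
    $doc = new DOMDocument();
    if (!$doc->loadXML($xml, LIBXML_NONET)) {   // NONET: no external fetches
        return null;
    }
    $xp = new DOMXPath($doc);
    $xp->registerNamespace('s', SOAP_NS);
    $xp->registerNamespace('a', AUTH_NS);
    $out = [];
    foreach (['username', 'password', 'sourceIp'] as $f) {
        $n = $xp->query("/s:Envelope/s:Body/a:Authenticate/a:$f");
        if ($n->length !== 1) {
            return null;
        }
        $out[$f] = $n->item(0)->textContent;
    }
    return $out;
}

// AD lookup filter with RFC 4515 escaping: the post interpolates the username
// raw into "($key=$value)", so '*' or ')' in it would alter the filter.
function mail_filter(string $username): string
{
    return '(mail=' . ldap_escape($username, '', LDAP_ESCAPE_FILTER) . ')';
}

// The reply Salesforce expects: <Authenticated>true|false</Authenticated>.
function authenticate_response(bool $ok): string
{
    return '<?xml version="1.0" encoding="UTF-8"?><soapenv:Envelope xmlns:soapenv="'
        . SOAP_NS . '"><soapenv:Body><AuthenticateResponse xmlns="' . AUTH_NS
        . '"><Authenticated>' . ($ok ? 'true' : 'false')
        . '</Authenticated></AuthenticateResponse></soapenv:Body></soapenv:Envelope>';
}
```

To wire it in, replace the MagicParser call with `parse_authenticate(file_get_contents('php://input'))`, pass `mail_filter($req['username'])` to the user lookup, and `echo authenticate_response($verify)` in place of `respond()`.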
  3. Unregistered
    Dear Mike,

    Yes , this article is very useful for us because we are going to implement this in our organization.
    Thank you very much again for your kindness.

    Best Regards
    Anong
  4. Unregistered
    Hi Mike,

    Instead of using LDAP authentication against Active Directory, could you point me in a direction on how I would implement this on a PHP website which has a User table in MySQL?

    Thanks