[mitreid-connect] Interoperability with Salesforce.com

Kari Hiitola kari.hiitola at vincit.fi
Thu Sep 4 16:04:47 EDT 2014


Justin,

Thanks a lot for a quick response.

It is their client library. Don't know if they implemented it
themselves, though. The only indication that I was able to find was
the "Unknown Flow" error. I have tried two different hosts and SSL
certs. What they have in common is that they both are wildcard certs,
whereas accounts.google.com has a non-wildcard cert. But judging from
the fact that authentication hasn't failed every time (albeit almost)
I wouldn't think that the cert is to blame. I don't know the crypto
scheme well enough to know how picky it is about clock sync, but I got
a hunch that misaligned clocks could cause such problems. Looking at
the network traces they couldn't be off more than a couple of seconds.

I will open a ticket in Salesforce.com as soon as I can get a real SF
account. With a developer account that doesn't seem to work. I'll get
back to you if they can find out something more about why it's
failing.

Thanks,
 - Kari


2014-09-04 14:17 GMT+03:00 Richer, Justin P. <jricher at mitre.org>:
>
> Kari,
>
> I've done a small bit of interoperability testing with the Salesforce.com IdP and the MITREid Connect Relying Party (client code). I have not done any testing in the other direction, with the MITREid Connect IdP and a Salesforce-driven client. Is this their own client library? Is there any indication what Salesforce doesn't like about the response? Is it a problem with the SSL certificates on your test server, perhaps? I've seen that break things many times. It's also possible that Salesforce is looking for something special that we don't return in the same way that their own IdP does. It seems like this would be a good issue to bring to the Salesforce help desk, if you haven't already. We'd be happy to work with their engineers to make this work if you can get us connected.
>
>  -- Justin
>
> On Sep 4, 2014, at 6:31 AM, Kari Hiitola <kari.hiitola at vincit.fi> wrote:
>
> Hello,
>
> Has anyone successfully used MITREid Connect Identity Provider for authenticating Salesforce.com users?
>
> I have created a simple webapp overlay (on top of MITREid Connect 1.1.9) that works perfectly with a test client https://demo.c2id.com/oidc-client/ . I configured a Salesforce (developer account) custom domain to use OpenID Connect authentication and created a custom registration handler. With the same registration handler and similar configuration I've been able to authenticate Salesforce.com against Google's Identity Provider.
>
> Out of maybe a couple of hundred times that I have tried, authentication has succeeded twice. And without changing anything, it then has started to fail again. Normally Salesforce gives error: "ErrorCode=Unknown_Flow, ErrorDescription=The flow type was not recognized" which I couldn't find in Salesforce.com documentation. The logs don't show the SF registration handler being run at all in these failed cases. Network traces show that Salesforce.com backend issues the POST to /token but apparently doesn't like the response somehow.
>
> Any ideas? Am I alone with these problems, or even alone trying to get it to work?
>
> Best regards,
>
>  - Kari Hiitola
> _______________________________________________
> mitreid-connect mailing list
> mitreid-connect at mit.edu
> http://mailman.mit.edu/mailman/listinfo/mitreid-connect
>
>
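The /token response that Salesforce "doesn't like", and the clock-sync hunch above, both come down to what a strict OpenID Connect relying party checks before it accepts a login: the response fields from OIDC Core 3.1.3.3 and the ID token validation rules of 3.1.3.7 (signature, iss, aud/azp, exp and iat against the RP's own clock with some leeway, nonce). The script below is an added example written for this thread; it is not MITREid Connect or Salesforce code and does not claim to explain the Unknown_Flow error. Every fixture in it is constructed (the issuer URL, client_id, nonce, timestamp and the HS256 shared key are assumptions; a real IdP such as MITREid Connect signs with RS256 and the RP fetches the key from jwks_uri). It shows, on realistic input, which check a clock offset actually trips and what a plain OAuth 2.0 response without an id_token looks like to an OIDC client.

```python
"""Strict RP-side checks of an OpenID Connect /token response (added example)."""
import base64
import hashlib
import hmac
import json

# Constructed fixtures: none of these values come from the thread.
ISSUER = "https://idp.example.test/openid-connect-server-webapp/"
CLIENT_ID = "salesforce-rp"
NONCE = "n-0S6_WzA2Mj"
KEY = b"shared-test-key-not-for-production"  # HS256 only so this runs offline
NOW = 1409861087  # 2014-09-04 20:04:47 UTC, the thread's date; RP clock


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_id_token(claims: dict, key: bytes = KEY) -> str:
    """Build an HS256 compact JWS (RFC 7515) carrying the given claims."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode("ascii"), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(sig)}"


def check_token_response(resp: dict, *, now: int = NOW, leeway: int = 300,
                         key: bytes = KEY, issuer: str = ISSUER,
                         client_id: str = CLIENT_ID, nonce: str = NONCE) -> list:
    """Return the reasons a strict RP would reject this response ([] = accepted)."""
    problems = []
    for field in ("access_token", "token_type", "id_token"):
        if field not in resp:
            problems.append(f"missing {field}")
    # RFC 6749 makes token_type case-insensitive; OIDC requires Bearer.
    if "token_type" in resp and resp["token_type"].lower() != "bearer":
        problems.append(f"token_type is {resp['token_type']!r}, expected Bearer")
    if "id_token" not in resp:
        return problems

    parts = resp["id_token"].split(".")
    if len(parts) != 3:
        problems.append("id_token is not a three-part compact JWS")
        return problems
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(b64url_decode(header_b64))
    if header.get("alg") != "HS256":  # never accept "none" or an unexpected alg
        problems.append(f"unexpected alg {header.get('alg')!r}")
    else:
        expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode("ascii"),
                            hashlib.sha256).digest()
        if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
            problems.append("id_token signature does not verify")

    claims = json.loads(b64url_decode(payload_b64))
    if claims.get("iss") != issuer:
        problems.append(f"iss {claims.get('iss')!r} != {issuer!r}")
    aud = claims.get("aud", [])
    aud_list = [aud] if isinstance(aud, str) else list(aud)
    if client_id not in aud_list:
        problems.append("aud does not contain our client_id")
    if len(aud_list) > 1 and claims.get("azp") != client_id:
        problems.append("multiple audiences but azp is not our client_id")
    for required in ("sub", "exp", "iat"):
        if required not in claims:
            problems.append(f"id_token missing {required}")
    # Time checks with a skew allowance: misaligned IdP/RP clocks surface here.
    if "exp" in claims and now - leeway >= claims["exp"]:
        problems.append(f"exp {claims['exp']} already passed (now={now}, leeway={leeway}s)")
    if "iat" in claims and claims["iat"] > now + leeway:
        problems.append(f"iat is {claims['iat'] - now}s in the future, beyond "
                        f"{leeway}s leeway (clock skew?)")
    if claims.get("nonce") != nonce:
        problems.append("nonce does not match the authorization request")
    return problems


def base_claims(**overrides) -> dict:
    claims = {"iss": ISSUER, "sub": "248289761001", "aud": CLIENT_ID,
              "exp": NOW + 600, "iat": NOW, "nonce": NONCE}
    claims.update(overrides)
    return claims


def demo() -> dict:
    """Run three constructed /token responses through the checker."""
    good = {"access_token": "SlAV32hkKG", "token_type": "Bearer",
            "expires_in": 3600, "id_token": make_id_token(base_claims())}
    # IdP clock 15 minutes ahead of the RP: iat falls outside the 5-minute leeway.
    skewed = dict(good, id_token=make_id_token(base_claims(iat=NOW + 900, exp=NOW + 1500)))
    # Plain OAuth 2.0 response: no id_token, so no OIDC login can complete.
    no_id_token = {"access_token": "SlAV32hkKG", "token_type": "Bearer", "expires_in": 3600}
    return {"good": check_token_response(good),
            "skewed": check_token_response(skewed),
            "no_id_token": check_token_response(no_id_token)}


if __name__ == "__main__":
    for name, problems in demo().items():
        print(f"{name}: {problems or 'OK'}")
```

A couple of seconds of drift, as seen in the network traces, passes any sane leeway; the skewed fixture shows what an offset of many minutes looks like instead. When debugging against a closed client, running its captured /token response through a checker like this narrows the question to a single field before a vendor ticket is opened.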