Data Source Example: Access Salesforce Data through SSO

While Salesforce documentation covers some aspects of this authentication flow, Skuid requires a few more options be configured to authenticate to a Salesforce org as a data source using the SAML 2.0 OAuth flow. Whether you’re using Skuid on Salesforce or Skuid Platform, you will be following the same basic format covered in the SAML OAuth Flow for Skuid data sources.

Note

This tutorial does not show how to use Salesforce as an IDP. Instead, it shows to connect Skuid, Salesforce as a data source, and a separate IDP, meaning end users will not see an OAuth popup when accessing Salesforce data.

1. Generate a certificate used for identity certification

In Skuid Platform

  1. Navigate to Configure > Site > Certificates.
  2. From here you may download Skuid Platform’s default certificate, or generate a unique self-signed or CA-signed certificate.
    • To download the default certificate:
      • Click the drop down arrow beside Create Self-Signed Certificate.
      • Click Download Default Certificate.
    • To generate your own certificate:
      • Click Create Self-Signed Certificate.
      • Fill out the Certificate Name field with an appropriate name for your needs.
        • Choose whether the certificate’s Key Size should be 2048 or 4096 bits.
      • Click Save.
      • Click View Certificate Details.
      • Click Download.

If you choose to generate and use a self-signed certificate for your data source’s OAuth app connection, you must select this certificate within your IdP SSO configuration:

  1. Navigate to Configure > Site > Single Sign On.
  2. Click Edit SSO Config.
  3. Select the appropriate certificate in the Request Signing Certificate field.

In Skuid on Salesforce

  1. Navigate to Administer > Security Controls > Certificate and Key Management in the Salesforce sidebar.
  2. Click Create Self-Signed Certificate.
    • You may alternatively Create a CA-Signed Certificate. In this case, you will need to subsequently click Download Certificate Signing Request. You must send this downloaded Certificate Signing Request (it will be a .csr file) to a Certificate Authority (Verisign, Comodo, etc.). The CA will then sign your certificate using their root certificates, and provide you with the Certificate (.crt file). You must then return to the original certificate record in Skuid or Salesforce and click Upload CA-Signed Certificate. Select the fully-signed certificate provided to you by your CA.
  3. Fill out the Label field with an appropriate name for your needs.
  4. The auto-generated values and defaults for your other fields will be fine, so click Save.

Click Download Certificate.

2. Configure your data source and your IdP for SSO authentication

To access a Salesforce org’s data using this flow, ensure that the Salesforce org you are accessing is configured to accept SSO logins from your IdP. To do so, you’ll need to:

  1. Configure an SSO configuration for your IdP within the Salesforce org you are connecting to.
  2. Set up an correlating SSO connection within your IdP.

The examples below use Okta as the IdP in question (with the same configuration outlined in this tutorial). To properly configure these SSO settings in Salesforce and Okta, see the Okta document, How to Configure SAML 2.0 for Salesforce.

Note: If you have your Okta metadata file, you may also use that to streamline the Salesforce configuration process using the New from Metadata File button.

After saving your Salesforce SSO configuration, you’ll see its details. There is an important field to note here:

  • Issuer: Use this field as the issuer within your Salesforce connected app, even if you’re on Skuid Platform. This field essentially verifies to Salesforce that this org allows access to its data using SAML.

After noting the issuer field, follow the steps listed How to Configure SAML 2.0 for Salesforce to create your Salesforce application within Okta as well.

After you’ve properly configured both Salesforce and Okta for single sign-on to your org—and with your certificate at the ready—you’ll have all you’ll need to properly configure a connected app that brings all these services together.

3. Creating an OAuth app connection within your data source

Similar to the process for accessing multiple Salesforce orgs using the Salesforce data source type, you must create a connected app to obtain OAuth credentials for your data source. But in addition to those settings, you’ll configure some SAML-specific options.

The values entered in during this process are very important. You’ll need to enter the Issuer field from the Salesforce single sign-on configuration from the previous step. Additionally, you’ll need to set the appropriate service provider entity ID and ACS URL, which will vary depending on whether you are working in Skuid Platform or Skuid on Salesforce.

By placing all of these values in the appropriate fields within the Salesforce connected app, you’ll connect all of the links to authenticate and facilitate data transfer.

  1. If you haven’t done so, create a Salesforce connected app for Skuid as outlined in Setting up a Salesforce connected app for Skuid.

  2. Return to your list of connected apps (Build > Create > Apps in the Salesforce sidebar).

  3. Click Edit beside your connected app.

  4. Configure your settings as follows:

    • API (Enable OAuth Settings)

    • Web App Settings

      • Check Enable SAML.

      • Entity ID: The value of this field depends on how you are using Skuid.

        • Skuid Platform:
          • Navigate to Configure > Site > Single Sign On.
          • Click IDP Configuration Details for your IdP configuration.
          • Use the value from the Audience URI / Service Provider Entity ID / Metadata URL field.
        • Skuid on Salesforce:
      • ACS URL: The value of this field depends on how you are using Skuid.

        • Skuid Platform:

          • Navigate to Configure > Site > Single Sign On.
          • Click IDP Configuration Details for your IdP configuration.
          • Use the value from the Assertion Consumer Service (ACS) URL field.
        • Skuid on Salesforce:

          • Append /services/oauth2/token to your My Domain URL

          e.g. https://acme-dev-ed.my.salesforce.com/ would use https://acme-dev-ed.my.salesforce.com /services/oauth2/token

  • Subject Type: Username
  • Issuer: Enter the Issuer field from the Salesforce SSO configuration you created above.
    • Navigate to Configure > Site > Single Sign On.
    • Use the value from Issuer field for the IdP your end users will be logging in from.
  • IdP Certificate: Default IdP Certificate
  • Verify Request Signatures and Encrypt SAML Response are advanced, optional fields. For more information about their configuration, see Salesforce’s Create a Connected App documentation.
  1. Click Save.
  2. Click Continue on the confirmation page to return to your connected app’s page.
  3. Click Manage.
  4. Click Edit Policies.
  5. Configure your settings as follows:
    • OAuth policies
      • Permitted Users: Admin approved users are pre-authorized
        • Define who has authorization through profiles and permission sets within Salesforce.
      • IP Relaxation (optional): Relax IP restrictions
        • Use if you are having issues with authentication.
      • Refresh Token Policy: Refresh token is valid until revoked
        • Enables end users to employ the token they receive without expiration.
    • Check Enable User Provisioning if you wish to provision users, which will require some additional configuration outside the scope of this topic.
  6. Click Save.

Assign the connected app to users

Use permissions sets to assign the connected app to any end users that will be accessing data within this Salesforce org. Even if a user can access Salesforce via your IdP, they will not be able to access data if they are not assigned the connected app.

With all data source and IdP configurations complete, the final steps of this process take place entirely within Skuid.

4. Configure a Skuid authentication provider and data source

In this final section, you’ll be configuring two key things:

  1. An authentication provider that uses the consumer key and consumer secret provided by your Salesforce connected app.
  2. A data source that points to the configured authentication provider and provides an identifier to your data source.

First, create a Skuid authentication provider to authenticate—using the OAuth credentials from your app connection—to your data source using the SAML protocol.

  1. Navigate to Configure > Data Sources > Authentication Provider.
  2. Click New Authentication Provider.
  3. Fill out the field as follows:
    • Name: Enter an appropriate name for your authentication provider, such as <Your Data Source>-SAML.
    • Authentication Method: OAuth 2.0 / OpenID
    • Provider Type: Salesforce
    • Grant Type: SAML 2.0 Bearer Assertion
    • Token Endpoint URL: Fill in your My Domain in the appropriate area.
    • Assertion Signing Certificate (Skuid on Salesforce only): Enter the unique name of the certificate you created on Salesforce in the first section.
    • Client ID: Enter the consumer key of the Salesforce connected app.
    • Client Secret: Enter the enter the consumer secret of the Salesforce connected app.
  4. Click Save.

After this, create a Skuid data source that uses the above authentication provider. Within that data source, also configure a name identifier—a field that must correlate with a user record on the external data source being accessed, such as a username or email address.

  1. Navigate to Configure > Data Sources > Data Sources.
  2. Click New Data Source.
  3. Select Salesforce for your Data Source Type.
    • Enter an appropriate name for your authentication provider, such as <Your Data Source>-SAML.
  4. Click Next Step.
  5. Configure any data source specific options.
  6. Click Next Step.
  7. Select the authentication provider you previously configured.
  8. Click Save new Data Source.

After creating this new data source, you’ll need to configure some final settings to properly send a username to the external data source you are connecting to. If you do not see the settings listed below, refresh your page.

  1. Click Advanced Settings for the newly created data source.
  2. Ensure that the Authentication Method is still set for the previously configured authentication provider.
  3. Beside Name Identifier Field, enter a value that will correlate to the name identifier of the org you are connected to. Select an option appropriate for your use case:
    • Email: Use this option to send the email of the current user—on Salesforce or Skuid Platform—as the identifier in the assertion.
    • Federation Identifier: Use this option to send the federation identifier of the current user—on Salesforce or Skuid Platform—as the identifier in the assertion.
    • Username: Use this option to send the username of the current user—on Salesforce or Skuid Platform—as the identifier in the assertion.
    • Result of a Formula: If the identifier does not directly correlate with the above values, you can enter a formula using some text transformation functions and merge syntax here. The following functions are available:
      • LOWER(): Will return the parameter in entirely lowercase letters.
      • UPPER(): Will return the parameter in entirely uppercase letters.
      • FIRST(): Will return the first letter of its parameter.
      • LAST(): Will return the last letter of its parameter.
      • An example formula with a function and merge syntax: LOWER({{$User.FirstName}}) && “@example.com”
  4. Save the data source configuration:
    • In Skuid Platform: Click Save.
    • In Skuid on Salesforce: Click Save Data Source.

Make sure that the Name Identifier Field is set to match the username schema of the org you are connecting to. (Since Salesforce usernames can be complex, you will most likely need to use a Result of a Formula.)

And with that, you’ve successfully configured both Skuid and your Salesforce org for SSO data source authentication.

To see it in action, use this new data source for a Skuid model, set a component to use that model, and preview the Skuid page. Your data should display as it normally would—without any OAuth popup or logging in when visiting the Skuid page.

Anticlimactic? Perhaps, but you’ve made the runtime experience that much easier for your end users.

Troubleshooting

  • Invalid_client or object Object errors appear when selecting the object for a Salesforce model.There is an issue with the credentials within your IdP matching up with your Salesforce credentials—this can happen due to certificate mismatches or unset permissions.
    • The most likely culprit is the certificate settings. Ensure that you are using the correct certificate in your Salesforce connected app and your SSO configuration.
    • Skuid Platform:
      • Navigate to Configure > Site > Single Sign On.
      • Click Edit SSO Configuration beside the IdP settings.
      • Ensure that Request Signing Certificate is the same one uploaded to your Salesforce connected app.
    • Skuid on Salesforce:
      • Navigate to Administer > Security Controls > Single Sign-On Settings in the Salesforce sidebar.
      • Click Edit beside your SSO configuration.
      • Ensure that the Request Signing Certificate is the same one uploaded to your Salesforce connected app.
      • You should also check that the Assertion Signing Certificate for your authentication provider matches the label of the certificate you have chosen.
        • In Skuid, navigate to Configure > Data Sources > Authentication Providers.
        • Click Details on your authentication provider.
        • Check that the Assertion Signing Certificate matches your certificate’s label.
    • Check that the connected app you created has been assigned to any end user attempting to login via permission sets or profile permissions.
  • The getaddrinfo ENOTFOUND error appears when selecting the object for a Salesforce model.
    • Your My Domain within your Skuid authentication provider may not be correct. Ensure that you have the right My Domain value entered, and that there are no extra characters, such as periods.
  • A 400: Bad Request error apepars when selecting the object for a Salesforce model.
    • You may not be logged into Skuid via SAML. To use this flow you must log into Salesforce/Skuid Platform using your IdP. If you login using the standard Salesforce or Skuid Platform login screen—and not through SAML or the Login with SAML option in Skuid Platform—you will not be able to access data sources using this flow.