Given a scenario, recommend the Salesforce technologies that should be used to provide identity to the third-party system (Canvas, Connected Apps, App Launcher, etc.).

/  No Comments

Canvas

  • Canvas enables you to easily integrate a third-party application in Salesforce. Canvas is a set of tools and JavaScript APIs that can be used to expose an application as a canvas app. Our new or existing applications can be made available as part of Salesforce experience.
  • Following authentication methods can be used
    • Signed Request
    • OAuth 2.0
  • Canvas framework includes an SDK that can be used to authenticate apps and retrieve data from Salesforce.
  • Signed Request Authentication
    • This is the default authorization method for canvas apps. The signed request authorization flow varies depending on whether the canvas app’s Permitted Users field
      • Admin Approved users are pre-authorized
        • Users don’t need to approve or deny access, app is accessible as soon as administrator installs and configures it.
        • Salesforce performs a POST to the canvas app with all authorization information contained in the body of the signed request, including request token.
      • All users may self-authorize
        • app is accessible to all users but user is prompted to approve or deny access.
        • If user has approved the app previously and access is not expired or revoked, Salesforce performs POST to canvas app with signed request payload.
        • if user has not approved, or if access is revoked or expired, Salesforce performs a GET to the canvas app URL. Canvas app must handle the GET by accepting the call and looking for URL parameter _sfdc_canvas_authvalue. If the canvas app receives this parameter value, canvas app should initiate the approve or deny OAuth flow. After user approves, canvas app should call repost() method with a parameter of true to retrieve signed request.
    • Considerations
      • Salesforce performs GET or POST depending on the Permitted Users value
      • Server side code is needed to verify and decode the request
      • using SDK signed request can be requested on demand after app is invoked.
    • Signed request is a string with following elements concatenated
      • Canvas app consumer secret encrypted with HMAC SHA 256 algorithm
      • A period (“.”)
      • The context and authorization token JSON encoded in base 64
    • Flow

Screen Shot 2020-01-04 at 11.55.01 PM.png

  • OAuth Authentication
    • Two options are available Web Server Authentication Flow, User-Agent authentication flow.
    • Considerations
      • Salesforce performs an HTTP GET when invoking the canvas app URL.
      • With user agent OAuth, all authorization can be performed in the browser (no server-side code is needed).
    • Flow
      • image.png
  • SAML SSO
    • Whether signed request or OAuth authentication is choses, SAML based SSO can be used to provide users with a seamless authentication flow.
    • SAML SSO enables automatic authentication into canvas app via SAML and authentication into Salesforce via the signed request.
    • We can create a canvas app that begins a standard SAML authentication flow when opened by a user. After this process completes, the user is authenticated into Web application.
  • Exposing Connected App as a Canvas App
    • A connected app can be exposed as a Canvas App.
    • Steps
      • Create connected app
      • In Canvas App Setting section, select Canvas to expose connected app as Canvas app.
      • Enter canvas app URL to third-party app, user is redirected to this URL when clicking the link to canvas app.
      • Select access method
        • Signed Request
          • OAuth authentication is used.
          • Users are not prompted to allow apps to access their information.
          • Authentication is posted directly to canvas app URL.
          • Do not select “Perform requests on your behalf at any time” for OAuth scopes
        • OAuth Webflow
          • OAuth authentication is used.
          • Users are prompted to allow apps to access their information.
          • Canvas app must initiate OAuth authentication flow.
      • If SAML SSO is used for authentication, Select SAML Initiation Method. Options include. This requires Enable SAML in Web App Settings.
        • IdP initiated
        • SP Initiated
      • Select where the canvas app appears to users. Available options are Chatter Feed, Chatter Tab, Console, Layouts and Mobile Cards, Mobile Nav, Open CTI, Publisher, Visualforce Page

Leave a Reply

Your email address will not be published. Required fields are marked *