Canvas
- Canvas enables you to easily integrate a third-party application in Salesforce. Canvas is a set of tools and JavaScript APIs that can be used to expose an application as a canvas app. Our new or existing applications can be made available as part of the Salesforce experience.
- The following authentication methods can be used:
- Signed Request
- OAuth 2.0
- Canvas framework includes an SDK that can be used to authenticate apps and retrieve data from Salesforce.
- Signed Request Authentication
- This is the default authorization method for canvas apps. The signed request authorization flow varies depending on the value of the canvas app’s Permitted Users field:
- Admin Approved users are pre-authorized
- Users don’t need to approve or deny access; the app is accessible as soon as the administrator installs and configures it.
- Salesforce performs a POST to the canvas app with all authorization information contained in the body of the signed request, including request token.
- All users may self-authorize
- The app is accessible to all users, but the user is prompted to approve or deny access.
- If the user has approved the app previously and access is not expired or revoked, Salesforce performs a POST to the canvas app with the signed request payload.
- If the user has not approved, or if access is revoked or expired, Salesforce performs a GET to the canvas app URL. The canvas app must handle the GET by accepting the call and looking for the URL parameter _sfdc_canvas_authvalue. If the canvas app receives this parameter value, the canvas app should initiate the approve or deny OAuth flow. After the user approves, the canvas app should call the repost() method with a parameter of true to retrieve the signed request.
- Considerations
- Salesforce performs GET or POST depending on the Permitted Users value
- Server side code is needed to verify and decode the request
- Using the SDK, a signed request can be requested on demand after the app is invoked.
- The signed request is a string with the following elements concatenated:
- Canvas app consumer secret encrypted with HMAC SHA 256 algorithm
- A period (“.”)
- The context and authorization token JSON encoded in base 64
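As an added example (not Salesforce's SDK code), the check a canvas app's server-side code should perform before trusting a signed request: split on the period, recompute the HMAC-SHA256 of the base64 envelope keyed with the consumer secret, compare in constant time, then decode the envelope. The consumer secret and envelope values are constructed for this example.

```python
import base64
import hashlib
import hmac
import json

# Constructed value for this example: a real canvas app reads its consumer
# secret from the connected-app configuration and never hard-codes it.
CONSUMER_SECRET = "example-consumer-secret-not-real"

def verify_signed_request(signed_request: str, consumer_secret: str) -> dict:
    """Verify a canvas signed request and return the decoded envelope.

    Format is "<signature>.<payload>": payload is the base64 JSON envelope,
    signature is the base64 HMAC-SHA256 of that payload string keyed with
    the consumer secret. Raises ValueError when verification fails.
    """
    if signed_request.count(".") != 1:
        raise ValueError("malformed signed request: expected 'signature.payload'")
    encoded_sig, encoded_envelope = signed_request.split(".")
    expected = hmac.new(consumer_secret.encode("utf-8"),
                        encoded_envelope.encode("utf-8"),
                        hashlib.sha256).digest()
    provided = base64.b64decode(encoded_sig)
    # Constant-time comparison so a forged signature leaks no timing signal.
    if not hmac.compare_digest(expected, provided):
        raise ValueError("signed request signature mismatch")
    envelope = json.loads(base64.b64decode(encoded_envelope))
    if envelope.get("algorithm") != "HMACSHA256":
        raise ValueError("unexpected algorithm in envelope")
    return envelope

def build_signed_request(envelope: dict, consumer_secret: str) -> str:
    """Produce a signed request the way Salesforce does; used here only to
    construct test input, since a real canvas app only ever verifies."""
    encoded_envelope = base64.b64encode(
        json.dumps(envelope).encode("utf-8")).decode("ascii")
    sig = hmac.new(consumer_secret.encode("utf-8"),
                   encoded_envelope.encode("utf-8"), hashlib.sha256).digest()
    return base64.b64encode(sig).decode("ascii") + "." + encoded_envelope

# Constructed sample envelope; a real one also carries the full "context" section.
SAMPLE_ENVELOPE = {
    "algorithm": "HMACSHA256",
    "issuedAt": 1700000000,
    "userId": "005CONSTRUCTEDUSER",
    "client": {"oauthToken": "constructed-token",
               "instanceUrl": "https://example.my.salesforce.com"},
}
```

The same verification applies whether the signed request arrives in the initial POST or is fetched on demand through the SDK's repost() call.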
- Flow
- OAuth Authentication
- Two options are available: the Web Server authentication flow and the User-Agent authentication flow.
- Considerations
- Salesforce performs an HTTP GET when invoking the canvas app URL.
- With user agent OAuth, all authorization can be performed in the browser (no server-side code is needed).
- Flow
- SAML SSO
- Whether signed request or OAuth authentication is chosen, SAML-based SSO can be used to provide users with a seamless authentication flow.
- SAML SSO enables automatic authentication into the canvas app via SAML and authentication into Salesforce via the signed request.
- We can create a canvas app that begins a standard SAML authentication flow when opened by a user. After this process completes, the user is authenticated into the web application.
- Exposing Connected App as a Canvas App
- A connected app can be exposed as a Canvas App.
- Steps
- Create connected app
- In Canvas App Setting section, select Canvas to expose connected app as Canvas app.
- Enter the canvas app URL of the third-party app; the user is redirected to this URL when clicking the link to the canvas app.
- Select access method
- Signed Request
- OAuth authentication is used.
- Users are not prompted to allow apps to access their information.
- Authentication is posted directly to canvas app URL.
- Do not select “Perform requests on your behalf at any time” for OAuth scopes
- OAuth Webflow
- OAuth authentication is used.
- Users are prompted to allow apps to access their information.
- Canvas app must initiate OAuth authentication flow.
- If SAML SSO is used for authentication, select a SAML Initiation Method (this requires Enable SAML in Web App Settings). Options include:
- IdP initiated
- SP Initiated
- Select where the canvas app appears to users. Available options are Chatter Feed, Chatter Tab, Console, Layouts and Mobile Cards, Mobile Nav, Open CTI, Publisher, and Visualforce Page.