WebApp Authenticated User SSO through Hydra into Salesforce

developerrino · February 10, 2020, 5:16pm

Looking into potential solutions for OIDC Providers to enable a seamless SSO experience to users in our web app into Salesforce. Salesforce supports SAML or OIDC.

Current design:

Flow.

Authenticated User session within our web app hits a ‘Salesforce Community’ button, sends request to Server/IDP
Server/IDP begins OIDC Auth flow with salesforce
Salesforce completes flow, returns token
Server/IDP returns token to auth’d user
User redirected to salesforce with token, completing the SSO, lands on a salesforce page, seamlessly authenticated, no consent or authorization pop up.

Is this a flow hydra is able to achieve ? The seamless portion is what gives me pause.

hackerman · February 13, 2020, 4:32pm

I guess that depends on your definition of seamless?

developerrino · February 13, 2020, 9:14pm

I guess what I am really trying to achieve is to achieve some form of IDP initiated SSO for OIDC.

If that is not achievable, was considering a mechanism for uniquely identifying the already authenticated user, store a session ID or something, session_id=12345 maps to user [email protected]
ie. GET salesforce.com/sso?session_id=12345, land on /login?session_id=12345, check if session_id is valid, and proceed to salesforce as jon.doe

hackerman · February 14, 2020, 10:33am

I’m sorry but I still don’t understand what you’re expecting the user experience to be or what behavior you’re expecting from Hydra for that matter.

developerrino · February 14, 2020, 3:30pm

Was hoping to achieve some form of IdP initiated SSO, similar to how SAML does it. But after further review OIDC does not support this intentionally, due to the CSRF issue associated with it.