WS-Trust and SAML and OAuth, oh my! | Salesforce Developers Blog

Hi, Force.com developers – I'm Pat Patterson. I joined Dave, Quinton and the rest of the Platform Developer Evangelism team here at Salesforce.com a little over two weeks ago and, since this is my first entry here at the Force.com blog, I thought I'd take a few paragraphs to introduce myself…

I describe myself as the 'articulate techie' – one day I'll be hacking Linux kernel driver code, another I'll be presenting a conference session to a thousand or so developers, all the while blogging and tweeting the latest news. Here I'll be blogging all things related to the Force.com platform; I also have a personal blog, Superpatterns, where I cover a much wider range of topics. If Twitter is your thing, I'm @metadaddy.

I've been working with Java since the late '90s, when I was at a small startup in London, England. That startup was acquired by Sun Microsystems in 2000, and I spent ten years at Sun in a variety of roles, most notably community lead for OpenSSO – an open source project based on Sun's web access management product.

With the Oracle acquisition looming, I moved to Huawei, a major supplier of equipment to the telco industry – everything from handsets to the big switch that routes calls for tens of millions of subscribers – to work on cloud storage infrastructure. Fascinating stuff, but very much heads down engineering, without much of an opportunity to interact with a wider community.

Now I'm here at Salesforce.com as a developer evangelist, gearing up for my first Dreamforce and the very first Cloudstock!

So, back to the purpose of this post – earlier this week, I spent a couple of days at the Internet Identity Workshop, a twice-yearly 'unconference' that hosts a loose, industry-wide community working in digital identity. One of the highlights of the workshop was the collection of demos, showing products and proofs of concept at the very bleeding edge of the field, including an integration of a mobile client app with Salesforce.com, demonstrated by Brian Campbell, Principal Software Architect with Ping Identity.

We've shown this kind of use case before, most recently in the REST API Developer Preview Webinar, but this demo had a twist – the username and password were verified not by Salesforce.com, but by PingFederate in the user's own enterprise. The flow goes like this:

  1. Mobile app accepts the username and password, and submits them to PingFederate in a WS-Trust request.
  2. PingFederate validates the user credentials, creates a SAML assertion and submits that to Salesforce.com in an OAuth 2.0 request.
  3. Salesforce.com validates the SAML assertion and responds to PingFederate with an OAuth access token.
  4. PingFederate in turn replies to the Android app with a WS-Trust response containing the access token.
  5. The Android app uses the access token to invoke the Salesforce.com REST API.
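To make steps 2 and 3 concrete, here is an added Python illustration (not code from this post, from Ping Identity or from Salesforce.com) of the exchange between the enterprise identity provider and the token endpoint: it builds a minimal SAML bearer assertion, wraps it in an OAuth 2.0 SAML bearer grant request, and applies the checks the token endpoint has to make before it hands back an access token (trusted issuer, validity window, audience, recipient). It assumes the OAuth 2.0 SAML bearer assertion grant type is the "OAuth 2.0 request" in step 2, that the assertion's XML signature has already been verified, and that every URL is a placeholder.

```python
import base64, datetime as dt, urllib.parse
import xml.etree.ElementTree as ET
NS = "urn:oasis:names:tc:SAML:2.0:assertion"
GRANT = "urn:ietf:params:oauth:grant-type:saml2-bearer"  # OAuth 2.0 SAML bearer assertion grant type
FMT = "%Y-%m-%dT%H:%M:%SZ"
def tag(name): return f"{{{NS}}}{name}"
def ts(s): return dt.datetime.strptime(s, FMT).replace(tzinfo=dt.timezone.utc)

def build_assertion(issuer, subject, audience, recipient, now, lifetime=300):
    """Step 2, identity-provider side: minimal unsigned bearer assertion (constructed for illustration)."""
    expiry = (now + dt.timedelta(seconds=lifetime)).strftime(FMT)
    a = ET.Element(tag("Assertion"), ID="_a1", Version="2.0", IssueInstant=now.strftime(FMT))
    ET.SubElement(a, tag("Issuer")).text = issuer
    subj = ET.SubElement(a, tag("Subject"))
    ET.SubElement(subj, tag("NameID")).text = subject
    sc = ET.SubElement(subj, tag("SubjectConfirmation"), Method="urn:oasis:names:tc:SAML:2.0:cm:bearer")
    ET.SubElement(sc, tag("SubjectConfirmationData"), Recipient=recipient, NotOnOrAfter=expiry)
    cond = ET.SubElement(a, tag("Conditions"), NotBefore=now.strftime(FMT), NotOnOrAfter=expiry)
    ET.SubElement(ET.SubElement(cond, tag("AudienceRestriction")), tag("Audience")).text = audience
    return ET.tostring(a, encoding="unicode")
def bearer_grant_body(assertion_xml):
    """Token request body: the assertion travels base64url-encoded, without padding."""
    enc = base64.urlsafe_b64encode(assertion_xml.encode()).decode().rstrip("=")
    return urllib.parse.urlencode({"grant_type": GRANT, "assertion": enc})
def check_bearer_grant(body, trusted_issuers, my_audience, token_endpoint, now):
    """Step 3, token-endpoint side: (subject, None) on success, else (None, reason). Signature check assumed done earlier."""
    p = urllib.parse.parse_qs(body)
    if p.get("grant_type") != [GRANT] or "assertion" not in p:
        return None, "not a saml2-bearer grant"
    enc = p["assertion"][0]
    a = ET.fromstring(base64.urlsafe_b64decode(enc + "=" * (-len(enc) % 4)))
    if a.tag != tag("Assertion") or a.findtext(tag("Issuer")) not in trusted_issuers:
        return None, "untrusted issuer"
    cond = a.find(tag("Conditions"))
    if cond is None or None in (cond.get("NotBefore"), cond.get("NotOnOrAfter")):
        return None, "missing validity window"
    if not ts(cond.get("NotBefore")) <= now < ts(cond.get("NotOnOrAfter")):
        return None, "assertion outside validity window"
    if my_audience not in [e.text for e in cond.iter(tag("Audience"))]:
        return None, "audience mismatch"
    scd = a.find(f"{tag('Subject')}/{tag('SubjectConfirmation')}/{tag('SubjectConfirmationData')}")
    if scd is None or scd.get("Recipient") != token_endpoint:
        return None, "recipient mismatch"
    return a.findtext(f"{tag('Subject')}/{tag('NameID')}"), None

# Constructed sample exchange (example.com values are placeholders, not real endpoints).
NOW = dt.datetime(2010, 11, 5, 12, 0, tzinfo=dt.timezone.utc)
LATER = NOW + dt.timedelta(minutes=10)
IDP, SP, TOKEN_URL = "https://idp.example.com", "https://sp.example.com", "https://sp.example.com/oauth2/token"
SAMPLE_BODY = bearer_grant_body(build_assertion(IDP, "alice@example.com", SP, TOKEN_URL, NOW))
```

The audience, recipient and time-window checks are what keep an assertion minted for one service from being replayed against another or reused after its short lifetime.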

A great example of leveraging the available protocols to create a smooth user experience! Chuck Mortimore, Salesforce.com's Director of Product Management for Identity and Security, will be presenting Single Sign-On and Federation with Salesforce at Dreamforce, focusing on our recent work in this area, including a demo that goes one step further than the above in providing a completely seamless user experience. Chuck's session is currently scheduled for Tuesday, December 7th at 5:15 PM – be there, or miss out!
