Question regarding the SSO login via APIs in multi-tenant environment

Hiroyuki Adachi shared this problem 2 months ago
Resolved

May I ask you one question regarding the SSO login via APIs in multi-tenant environment?

At the customer's place, Yellowfin dashboard is embedded into Salesforce, and SSO into this Yellowfin dashboard is required.

We are currently testing the single-sign-on process from Salesforce to Yellowfin following the below steps.

Step-1) Create SSO login token via /api/rpc/login-tokens/create-sso-token API, with admin's id/password, userid and client org id (the user belongs to) in request body.

Step-2) Login into Yellowfin with SSO login token created in the above step via /JsAPI/v3?token= API.

The result is different depending on whether the user belongs to Default org or not.

When the user belongs to both Default and Client org, the user can successfully log in to Yellowfin via SSO and the Yellowfin dashboard is displayed in the Salesforce window.

Meanwhile, when the user belongs to only Client org, the login process fails with "ERROR: Login Required" message in step-2.

Does this mean the user who logs in to Client org needs to belong to both Default and Client org? Or, is there an alternative way to enable SSO without belonging to Default org?

Comments (1)


Hi Hiroyuki,

I hope you're doing well.

It should be possible to log in to client orgs without belonging to the default org via SSO. The error you're seeing could be an issue with the configuration.

Which type of token generation are you using from https://wiki.yellowfinbi.com/display/yfcurrent/REST+API#RESTAPI-SingleSign-On

Have you got an example of the code that is being used here?

Kind regards,

Chris


Hi Chris,

Thank you for your reply.

I understand it should be possible to log in to client orgs without belonging to the default org via SSO.

Our partner is writing the code in the customer's environment, and we will ask them to share the code with us in the meeting on Monday next week. Then I will get back to you with the code.

Regards,

Hiroyuki


Hi Hiroyuki,

Hope you're doing well. Did your partner get back to you with the code?

Let me know if this is still an issue for you.

Kind regards,

Chris


Hi Chris,

Sorry for the late reply.

I have created a test environment on my local computer to verify this matter in a simplified environment.

As a result, it seems login users need to belong to both Default and Client org in a multi-tenant environment to enable SSO via APIs.

I have described the detailed steps of the test in the attachment.

Kind regards,

Hiroyuki


Hi Chris,

I did not change the status from 'Awaiting Reply' on my last submission.

Can you please check this matter?

Regards,

Hiroyuki


Hi Hiroyuki,

Thanks for sending over that descriptive PowerPoint, I was also able to replicate this behaviour.

After some investigation, it does seem this is a regression bug that has appeared in newer versions of Yellowfin and is being prioritised as a critical severity 1.

I've linked these two tickets together so you can use this post to track the issue.

Kind regards,

Chris


Hi Hiroyuki,

Just to add, there is a workaround in place whereby if you specify the client org in the URL, it should allow you to log in.


Please see some more details here:

https://community.yellowfinbi.com/ticket/25375?access_key=33936-ebaaf9f6#comment-205042

It is also somewhat specified in the Wiki where creating a new session requires both the token and the client org: https://wiki.yellowfinbi.com/display/yfcurrent/Advanced+API#AdvancedAPI-yellowfin.newSession(token,org);

I've attached some sample code that shows how to use the newSession() call.

Kind regards,

Chris


Hi Chris,

By applying the workaround you gave us, we were able to get it to work correctly in our customer's environment. Thank you!

Hiroyuki


Hi Hiroyuki,

That's great to hear, enjoy your week!

Kind regards,

Chris
