[SalesForce] Authorize Apex Rest API call using an Azure token

I'm new to the OAuth concept in Salesforce and looking for some pointers for my use-case. I'm not even sure if I'm framing my question correctly, but I'm trying to understand if I can invoke an Apex Rest API using Azure AD as the identity provider (assuming that Single Sign-On is enabled in the Salesforce org with Azure as the provider).

Use Case:

We have a web app that uses Azure AD for authorizing the users (SSO to the app using Windows credentials). On successful sign-in, the identity token is stored on the client-side (I believe mostly in a cookie).

The client should provide a component to post messages to Salesforce Chatter Rest API. Due to the request being a CORS request, Salesforce OAuth endpoints cannot be accessed, hence Username-Password OAuth Authentication Flow cannot be used. Also, there is a business requirement that the user should not be redirected to the Salesforce login screen for creating an active session, so User-Agent OAuth flow is also not an option.

So, I'm trying to explore the case where Salesforce acts as the Authentication Provider for the Azure AD IDP. Now, here are my questions:

  • Is it possible to invoke Salesforce Rest API with this Azure token?
  • If yes, what are the steps that I need to follow?
  • Also, please provide some pointers for configuring Salesforce and Azure integration with Azure as IDP and Salesforce as ADP

Best Answer

In general, for OAuth to work, the user needs to authorise Salesforce to perform requests on their behalf.

If you haven't done it already, I suggest you go through the documentation on the many different types of OAuth flows, and see if one of them fits your scenario.

https://help.salesforce.com/articleView?id=remoteaccess_authenticate_overview.htm

Generally speaking, you have to have a Salesforce session id/access token in order to make requests with any API, be it the Salesforce SOAP API or the REST API. How the client gets a hold of that session id is irrelevant once the client has one.

So what you need to figure out is how to get a session id/access token, which is why you should study in detail every OAuth flow.

Also, if Azure can send a SAML Assertion to Salesforce in order to log in, you can use the same SAML Assertion to get a session id/access token.

https://help.salesforce.com/articleView?id=remoteaccess_oauth_web_sso_flow.htm&type=5

Here are some docs on how to send SAML Assertions from Azure to Salesforce:

https://docs.microsoft.com/en-us/azure/active-directory/saas-apps/salesforce-tutorial

Best of luck!
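To make the SAML-assertion route in the answer concrete, here is an added Python example (not from the answer, the question, or Salesforce's own docs) that builds the token-endpoint request for the OAuth 2.0 SAML assertion flow, parses the token response, and prepares the Chatter feed post. The token URL, API version, and the exact request parameters are assumptions to verify against the linked Salesforce documentation; all sample values are constructed.

```python
import base64
import json
from urllib.parse import urlencode

# Assumed endpoint: production orgs use login.salesforce.com, sandboxes test.salesforce.com.
TOKEN_URL = "https://login.salesforce.com/services/oauth2/token"
API_VERSION = "v48.0"  # assumed; use the REST API version your org exposes


def build_saml_token_request(saml_response_xml: bytes) -> bytes:
    """Form body for the OAuth 2.0 SAML assertion ("Web SSO") flow.
    Salesforce expects the base64-encoded SAML response that the IdP (Azure AD)
    issued for this org; signature, audience and validity window are checked
    server-side, so an expired or foreign assertion yields an error response."""
    return urlencode({
        "grant_type": "assertion",
        "assertion_type": "urn:oasis:names:tc:SAML:2.0:profiles:SSO:browser",
        "assertion": base64.b64encode(saml_response_xml).decode("ascii"),
    }).encode("ascii")


def parse_token_response(raw: bytes) -> dict:
    """Reduce the token endpoint's JSON to what the Chatter call needs, failing
    loudly on OAuth error responses (e.g. invalid_grant for a rejected assertion)."""
    data = json.loads(raw)
    if "error" in data:
        raise PermissionError(f"{data['error']}: {data.get('error_description', '')}")
    missing = {"access_token", "instance_url"} - set(data)
    if missing:
        raise ValueError(f"token response missing {sorted(missing)}")
    return {"access_token": data["access_token"], "instance_url": data["instance_url"]}


def build_chatter_post(token: dict, text: str) -> tuple[str, dict, bytes]:
    """URL, headers and JSON body for posting a text feed item to the caller's own feed.
    The access token travels only in the Authorization header, never in the URL."""
    url = f"{token['instance_url']}/services/data/{API_VERSION}/chatter/feed-elements"
    headers = {"Authorization": f"Bearer {token['access_token']}",
               "Content-Type": "application/json"}
    body = json.dumps({
        "feedElementType": "FeedItem",
        "subjectId": "me",
        "body": {"messageSegments": [{"type": "Text", "text": text}]},
    }).encode("utf-8")
    return url, headers, body
```

Send the first body as an `application/x-www-form-urlencoded` POST to `TOKEN_URL`, feed the response bytes to `parse_token_response`, and use the result with `build_chatter_post`.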
