Authentication on API calls with Federated SSO

You will need to set up a Connected App with the appropriate OAuth Scopes, and upload the certificate whose private key will sign the assertions (the "Use digital signatures" setting on the Connected App).

Configure the Connected App's Permitted Users behaviour to "Admin approved users are pre-authorized" (under Manage Apps, then assign the app to the relevant Profiles or Permission Sets), so that users don't need to manually authorise the Connected App, unless you desire that behaviour.

You can then use the SAML Bearer Assertion Flow: build a SAML 2.0 assertion for the target user, sign it with the private key matching the certificate registered on the Connected App, base64url-encode it, and POST it to the OAuth 2.0 token endpoint with grant_type=urn:ietf:params:oauth:grant-type:saml2-bearer and assertion=<encoded assertion>. The client secret is not used in this flow; the signature is what proves the caller holds the Connected App's key. Salesforce checks the following before issuing an access token:

  • The Issuer must be the OAuth client_id (consumer key) of the Connected App for which the certificate was registered.
  • The Audience must be https://login.salesforce.com or https://test.salesforce.com.
  • The Recipient must be https://login.salesforce.com/services/oauth2/token or https://test.salesforce.com/services/oauth2/token.
  • The Subject NameID must be the username of the desired Salesforce user, and that user must be permitted to use the Connected App.
  • The assertion must be signed (XML Signature, RSA with SHA-1 or SHA-256) and must not have expired (its NotOnOrAfter must still be in the future when it is presented), so keep the validity window short.

The returned access_token is then sent as "Authorization: Bearer <access_token>" on your REST calls; the response's instance_url tells you which host to call.
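The procedure above, as an added worked example in Python (this is not code from the original page or from Salesforce). It builds an assertion that satisfies the Issuer/Audience/Recipient/NameID/expiry constraints, pre-flights those constraints the way the token endpoint will, and produces the form body for the token request and the Bearer header for subsequent REST calls. Assumptions: the consumer key, username and certificate/key are placeholders; the XML-DSig signing step is delegated to the third-party signxml package (imported lazily, so everything else runs with the standard library alone); NotOnOrAfter is taken from SubjectConfirmationData.

```python
import base64
import datetime as dt
import urllib.parse
import uuid
import xml.etree.ElementTree as ET

SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
GRANT_TYPE = "urn:ietf:params:oauth:grant-type:saml2-bearer"
# Audience and Recipient values the Salesforce token endpoint requires, per environment.
ENVS = {
    "production": ("https://login.salesforce.com",
                   "https://login.salesforce.com/services/oauth2/token"),
    "sandbox": ("https://test.salesforce.com",
                "https://test.salesforce.com/services/oauth2/token"),
}


def _iso(t):
    # SAML timestamps are UTC with a trailing Z and no fractional seconds.
    return t.strftime("%Y-%m-%dT%H:%M:%SZ")


def _el(parent, tag, attrib=None, text=None):
    e = ET.SubElement(parent, f"{{{SAML}}}{tag}", attrib or {})
    e.text = text
    return e


def build_assertion(client_id, username, env="production", lifetime_seconds=300, now=None):
    """Return an unsigned SAML 2.0 bearer assertion (XML string) naming `username`.
    client_id is the Connected App's consumer key (the assertion Issuer)."""
    audience, recipient = ENVS[env]
    now = now or dt.datetime.now(dt.timezone.utc)
    expiry = now + dt.timedelta(seconds=lifetime_seconds)  # keep this window short
    ET.register_namespace("saml", SAML)
    root = ET.Element(f"{{{SAML}}}Assertion",
                      {"ID": "_" + uuid.uuid4().hex, "Version": "2.0", "IssueInstant": _iso(now)})
    _el(root, "Issuer", text=client_id)
    subject = _el(root, "Subject")
    _el(subject, "NameID",
        {"Format": "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"}, text=username)
    conf = _el(subject, "SubjectConfirmation", {"Method": "urn:oasis:names:tc:SAML:2.0:cm:bearer"})
    _el(conf, "SubjectConfirmationData", {"Recipient": recipient, "NotOnOrAfter": _iso(expiry)})
    cond = _el(root, "Conditions", {"NotBefore": _iso(now), "NotOnOrAfter": _iso(expiry)})
    _el(_el(cond, "AudienceRestriction"), "Audience", text=audience)
    authn = _el(root, "AuthnStatement", {"AuthnInstant": _iso(now)})
    _el(_el(authn, "AuthnContext"), "AuthnContextClassRef",
        text="urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified")
    return ET.tostring(root, encoding="unicode")


def check_assertion(xml_text, env="production", now=None):
    """Pre-flight the constraints the token endpoint enforces. Returns a list of
    problems; an empty list means the assertion is structurally acceptable."""
    audience, recipient = ENVS[env]
    now = now or dt.datetime.now(dt.timezone.utc)
    ns = {"saml": SAML}
    root = ET.fromstring(xml_text)
    problems = []
    if not root.findtext("saml:Issuer", namespaces=ns):
        problems.append("Issuer missing: must be the Connected App consumer key (client_id)")
    if root.findtext("saml:Conditions/saml:AudienceRestriction/saml:Audience", namespaces=ns) != audience:
        problems.append(f"Audience must be {audience}")
    scd = root.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", ns)
    if scd is None or scd.get("Recipient") != recipient:
        problems.append(f"Recipient must be {recipient}")
    if not root.findtext("saml:Subject/saml:NameID", namespaces=ns):
        problems.append("Subject NameID missing: must be the target Salesforce username")
    expiry = scd.get("NotOnOrAfter") if scd is not None else None
    if expiry is None or dt.datetime.strptime(expiry, "%Y-%m-%dT%H:%M:%SZ") \
            .replace(tzinfo=dt.timezone.utc) <= now:
        problems.append("assertion is expired (NotOnOrAfter is not in the future)")
    return problems


def sign_assertion(xml_text, private_key_pem, certificate_pem):
    """Enveloped XML-DSig with the key whose certificate is uploaded on the Connected App.
    Assumption: the third-party signxml package (RSA-SHA256 by default) is installed."""
    from lxml import etree
    from signxml import XMLSigner, methods
    signed = XMLSigner(method=methods.enveloped).sign(xml_text, key=private_key_pem, cert=certificate_pem)
    return etree.tostring(signed, encoding="unicode")


def build_token_request(signed_assertion_xml, env="production"):
    """Return (token_url, form_body) for POSTing with Content-Type
    application/x-www-form-urlencoded. The assertion is base64url-encoded without
    padding, as RFC 7522 specifies."""
    encoded = base64.urlsafe_b64encode(signed_assertion_xml.encode()).rstrip(b"=").decode()
    body = urllib.parse.urlencode({"grant_type": GRANT_TYPE, "assertion": encoded})
    return ENVS[env][1], body


def bearer_header(access_token):
    """Header to attach to every REST call made with the returned access_token."""
    return {"Authorization": f"Bearer {access_token}"}


if __name__ == "__main__":
    # Placeholder consumer key and username (constructed, not real).
    unsigned = build_assertion("3MVG9_example_consumer_key", "api.user@example.com")
    print(check_assertion(unsigned) or "assertion pre-flight OK")
    # Real use: signed = sign_assertion(unsigned, KEY_PEM, CERT_PEM); then POST build_token_request(signed).
    url, body = build_token_request(unsigned)
    print(url, body[:80] + "...")
```

A practical check before automating this: run check_assertion against a sandbox-targeted assertion with env="production" and you will see the Audience and Recipient mismatches that otherwise surface only as an opaque invalid_grant from the token endpoint.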