• Share
  • Email
  • Embed
  • Like
  • Save
  • Private Content
ABCs of Security in the Cloud Webinar

ABCs of Security in the Cloud Webinar



Authentication, authorization, and data access controls are standard requirements for most data-centric apps. And in a traditional client-server environment, these are often the most time-consuming ...

Authentication, authorization, and data access controls are standard requirements for most data-centric apps. And in a traditional client-server environment, these are often the most time-consuming features to implement, even for experts. In this session, you'll learn about Database.com's unique approach to user authentication with OAuth, user types, and a built-in and flexible data sharing model.

Watch this webinar to learn about:
:: Common authentication patterns such as OAuth and SAML
:: How functional access controls provide simple administration of a user's permissions
:: How record-level access provides granularity of control at enterprise scale
:: How all three authorization and authentication patterns work together to do most of the work for you

Date: This webinar took place on Feb 23, 2012

More details: http://wiki.developerforce.com/page/Webinar:_Security



Total Views
Views on SlideShare
Embed Views



0 Embeds 0

No embeds



Upload Details

Uploaded via as Adobe PDF

Usage Rights

© All Rights Reserved

Report content

Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

  • Full Name Full Name Comment goes here.
    Are you sure you want to
    Your message goes here
Post Comment
Edit your comment

    ABCs of Security in the Cloud Webinar ABCs of Security in the Cloud Webinar Presentation Transcript

    • Security in the Cloud WebinarAdam TormanSenior Product Manager @atormanBud VieiraSenior Product Manager @aavraChuck MortimoreSenior Director, Product Management @cmort
    • Safe HarborSafe harbor statement under the Private Securities Litigation Reform Act of 1995:This presentation may contain forward-looking statements that involve risks, uncertainties, and assumptions. If anysuch uncertainties materialize or if any of the assumptions proves incorrect, the results of salesforce.com, inc. coulddiffer materially from the results expressed or implied by the forward-looking statements we make. All statementsother than statements of historical fact could be deemed forward-looking, including any projections of product orservice availability, subscriber growth, earnings, revenues, or other financial items and any statements regardingstrategies or plans of management for future operations, statements of belief, any statements concerning new,planned, or upgraded services or technology developments and customer contracts or use of our services.The risks and uncertainties referred to above include – but are not limited to – risks associated with developing anddelivering new functionality for our service, new products and services, our new business model, our past operatinglosses, possible fluctuations in our operating results and rate of growth, interruptions or delays in our Web hosting,breach of our security measures, the outcome of intellectual property and other litigation, risks associated withpossible mergers and acquisitions, the immature market in which we operate, our relatively limited operating history,our ability to expand, retain, and motivate our employees and manage our growth, new releases of our service andsuccessful customer deployment, our limited history reselling non-salesforce.com products, and utilization andselling to larger enterprise customers. Further information on potential factors that could affect the financial results ofsalesforce.com, inc. is included in our annual report on Form 10-Q for the most recent fiscal quarter ended July 31,2011. This documents and others containing important disclosures are available on the SEC Filings section of theInvestor Information section of our Web site.Any unreleased services or features referenced in this or other presentations, press releases or public statementsare not currently available and may not be delivered on time or at all. Customers who purchase our services shouldmake the purchase decisions based upon features that are currently available. Salesforce.com, inc. assumes noobligation and does not intend to update these forward-looking statements.
    • @forcedotcom / #forcewebinarDeveloper Force Groupfacebook.com/forcedotcom
    • http://bit.ly/sfcloudstock
    • Agenda§  Force.com Overview§  Authenticating Database.com Users§  Provisioning Database.com Users§  Controlling Access§  Key Take Aways§  Q&A
    • Enterprise Data Collaboration Platform§  Trusted by the enterprise§  Designed for social collaboration§  Open for any language, platform, or device§  Support for mobile applications
    • Chuck MortimoreSr. Product Management Director Core Security
    • Authentication and Database.com§  Two primary mechanisms for authentication§  Direct db access with a privileged user –  1 highly privileged user to access the data –  Classic integration and database connection model§  Individual user accounts –  Each user has a named account –  Propagates Identity all they way to the database tier –  Can simplify the development of authentication –  Allows granular authorization at the data tier
    • What is OAuth?§  An open protocol to allow secure API access in a simple and standard method from desktop and web applications§  Standardization of common, successful API patterns§  Standard track in IETF –  Salesforce.com, Google, Microsoft, Facebook, Twitter, Yahoo, Oracle, etc.
    • Why Use OAuth§  Simple –  Protocol is HTTP based. –  Interfaces are already done –  Allows you to focus on your value add§  Works great for mobile –  Salesforce mobile and desktop clients are switching –  No need for API token§  Stops the password anti-pattern –  Reduce the security and management issues with passwords
    • Direct DB Access with a Privileged User§  User Name / Password Flow –  Used for simple server to server integration use-casesPOST /services/oauth/token HTTP/1.1!Host: login.salesforce.com!grant_type=password&client_id={CLIENT_ID}&client_secret={CLIENT_SECRET}&redirect_uri={REDIRECT_URI}&username={USERNAME}&password={PASSWORD}!!!!!HTTP/1.1 200 OK!Content-Type: application/json!!{"id":"https://login.salesforce.com/id/00D300000000mlxEAA/00530000000gKV8AAM","issued_at":"1313612089200","instance_url":"https://cmort-developer-edition.my.salesforce.com","signature":"NRbIb/EnYBfxKz9hApUI70Pl/Rog1S8ArsTHoxbj4eg=","access_token":"00D300000000mlx!AQoAQKtgvm50TODcRU3QboID1DctJIssSMRPWIdVmXcAF9vbqIppVOGIVGZ6MR2xzS2TjQix.bW3ZHH9OnColDSH.5fg_rM"}!
    • Individual User Accounts§  Web Server Flow –  Web servers can protect secrets. Code returned to callback URL and exchanged for a token via a POST§  User Agent Flow –  Used for Javascript, Mobile, and Desktop. Token returned directly to callback URL behind # fragment
    • How Does It Work?1)  Device opens a browser with authorization URL2)  User is Authenticated3)  User Authorizes App4)  Tokens returned to device
    • What the User Sees: Authentication Authorization
    • Step 1: Open a URL https://login.salesforce.com/services/oauth2/authorize ?response_type=token &client_id={YOUR_CLIENT_ID} &redirect_uri={YOUR_REDIRECT_URI}https://login.salesforce.com/services/oauth2/authorize?response_type=token&client_id=MyClient&redirect_uri=myapp%3A%2F%2Fcallback
    • Step 2: Parse the Response {YOUR_REDIRECT_URI}# access_token={SESSION} &refresh_token={LIKE_A_PASSWORD} &instance_url={USERS_INSTANCE} &id={IDENTITY_URL}myapp://callback#access_token=czZCaGRSa3F0MzpnWDFmQm&refresh_token=5Aep8615VRsd_GrUz3LAcJl&redirect_uri=myapp%3A%2F%2Fcallback&instance_url=https%3A%2F%2Fna1.salesforce.com&id=https%3A%2F%2Flogin.salesforce.com%2Fid%2F00DD0000000FJCR%2F005D0000001B5bx
    • Step 3: Use your Token GET /some/resource HTTP/1.1 Host: na1.salesforce.com Authorization: Oauth czZCaGRSa3F0MzpnWDFmQm
    • Using a Token§  Token Response: –  XML or JSON –  access_token: an API only SID –  refresh_token: a token you can use to get new access_tokens –  instance_url: the user’s instance –  id: a url that is both a unique id for the user and a getUserInfo§  Using it with the API –  REST: HTTP Header: “Authorization: OAuth <access_token>” –  SOAP: place access token in SOAP header like a SID
    • Identity URL Service§  Return a central identity url –  https://login.salesforce.com/id/{orgid}/{userid}§  Basic profile information similar to GetUserInfo§  Discovery service for API endpoints§  Chatter Status and photos§  Working to standardize this as “OpenID Connect”
    • Configuring a ClientSetup/Administration/Create/Remote Access
    • Demo Time!
    • Adam Torman and Bud Vieira Sr. Product Managers Administration and Sharing
    • User Provisioning§  Add multiple users quickly§  Add single users with more detail§  Use the sObject API for bulk§  Use REST API§  Use SAML for upsert
    • User Provisioning with REST API https://workbench.developerforce.com/login.php!GET: /services/data/v24.0/sobjects/User/00530000004qkoH!POST: /services/data/v24.0/sobjects/User/! {! "Username" : "gogolbordello@db.com", ! "LastName" : "Bordello", ! "FirstName" : "Gogol", ! "Email" : "atorman@salesforce.com", ! "Alias" : "gUser", ! "CommunityNickname" : "gogolbordello1234", ! "IsActive" : false, ! "TimeZoneSidKey" : "America/Los_Angeles", ! "LocaleSidKey" : "en_US", ! "EmailEncodingKey" : "ISO-8859-1", ! "ProfileId" : "00e30000001btrSAAQ", ! "LanguageLocaleKey" : "en_US", ! "UserPermissionsMobileUser" : false, ! "UserPreferencesDisableAutoSubForFeeds" : false! }!
    • How do Profiles and Sharing Work Together Keep the simple simple and make the complex possible §  Profiles §  Sharing –  What tables and columns –  What rows can I access can I access –  Read/Write/Transfer/Full –  Read/Create/Edit/Delete Event Tableü  Read ü  Readü  Create Name Description ü  Writeü  Edit Authentication: A Practical Guide Practical Guide…q  Delete Keynote 1 Welcome to Dream… q  Read q  Edit
    • Demo: Access to the Dreamforce Event Object Event Table Name Description Authentication: A Practical… Practical Guide… Welcome to Keynote 1 Dream… Developer Zone Welcome Devs Metallica! Killer Show
    • What’s a permission set?§  Like profiles, a permission set is a collection of permissions and settings that allow users to do things in Salesforce.§  What a user can do is determined by one profile plus permission sets
    • Demo: Least Privilege Permissions Db.com w/Events Profile q  Read q  Edit Event Table Name Description Authentication: A Practical Guide… Practical… Keynote 1 Welcome to Dream… Developer Zone Welcome Devs ü  Read q  Edit Event Description Permission Set
    • Highlights of the Sharing Toolbox ! default sharing model for all users Org Wide Defaults management access to data Role Hierarchy target access to specific groups Sharing Rules most granular – complete control Programmatic Sharing
    • Demo: Opening up Sharing Access to Events Event_Share Table User Level Reason Demo User Full Owner Event Owner Full Owner Demo User Read Sharing Rule Demo User Read Custom
    • Key Take Aways§  We have many ways to handle single sign on – take your pick§  There are privileged users, admin users, and everyone in between§  Profiles and Sharing work together to keep the simple simple and make the complex scale
    • ResourcesSecurity Wikihttp://wiki.developerforce.com/page/SecurityForce.com Security Overviewhttp://wiki.developerforce.com/page/An_Overview_of_Force.com_SecuritySecurity Implementation Guidehttps://na1.salesforce.com/help/doc/en/salesforce_security_impl_guide.pdfSecurity Cookbook Recipeshttp://developer.force.com/cookbook/category/security/recentI <3 Permission Sets DF11 Presentationhttp://www.youtube.com/watch?v=arXxUgH9cD4Using Apex Managed Sharing to Create Custom Record Sharing Logichttp://wiki.developerforce.com/page/Using_Apex_Managed_Sharing_to_Create_Custom_Record_Sharing_LogicDigging Deeper into Oauth 2.0 on Force.comhttp://wiki.developerforce.com/page/Digging_Deeper_into_OAuth_2.0_on_Force.com
    • Questions & Answers http://bit.ly/securitywebinar Chuck Mortimore Senior Director, Product Management @cmort Adam Torman Senior Product Manager @atorman Bud Vieira Senior Product Manager @aavra