Taking Identity from the Enterprise to the Cloud

Presented at The Experts Conference, Las Vegas, April 2011

Published in: Technology, Design

1. Taking Identity from the Enterprise to the Cloud
   Pat Patterson, Principal Developer Evangelist, salesforce.com
2. Safe Harbor
   Safe harbor statement under the Private Securities Litigation Reform Act of 1995: This presentation may contain forward-looking statements that involve risks, uncertainties, and assumptions. If any such uncertainties materialize or if any of the assumptions proves incorrect, the results of salesforce.com, inc. could differ materially from the results expressed or implied by the forward-looking statements we make. All statements other than statements of historical fact could be deemed forward-looking, including any projections of subscriber growth, earnings, revenues, or other financial items and any statements regarding strategies or plans of management for future operations, statements of belief, any statements concerning new, planned, or upgraded services or technology developments and customer contracts or use of our services.
   The risks and uncertainties referred to above include (but are not limited to) risks associated with developing and delivering new functionality for our service, our new business model, our past operating losses, possible fluctuations in our operating results and rate of growth, interruptions or delays in our Web hosting, breach of our security measures, the immature market in which we operate, our relatively limited operating history, our ability to expand, retain, and motivate our employees and manage our growth, new releases of our service and successful customer deployment, and utilization and selling to larger enterprise customers. Further information on potential factors that could affect the financial results of salesforce.com, inc. is included in our annual report on Form 10-K filed on February 24, 2011 and in other filings with the Securities and Exchange Commission. These documents are available on the SEC Filings section of the Investor Information section of our Web site.
   Any unreleased services or features referenced in this or other press releases or public statements are not currently available and may not be delivered on time or at all. Customers who purchase our services should make the purchase decisions based upon features that are currently available. Salesforce.com, inc. assumes no obligation and does not intend to update these forward-looking statements.
3. Enterprise vs Cloud
   • Users authenticate to the enterprise, but resources are increasingly moving to the cloud
     – sites and APIs
   • How do we allow users to securely access resources spread across multiple providers without spreading user credentials too?

4. Use Cases
   • Log in to Windows Desktop
     1. Browse to external web sites, access protected resources without further authentication
     2. Browse to web site, site accesses external, protected API on behalf of the user without further authentication
     3. Run desktop application, access external, protected API without further authentication

5. Technologies
   • Single sign-on
     – Integrated Windows Authentication (Kerberos/SPNEGO)
     – SAML 2.0
   • Web services
     – OAuth 2.0
     – WS-Trust

6. Use Case 1: Single Sign-On to External Web Sites
   • Example.com has subscribed to Salesforce CRM
   • Each Example.com salesperson has their own salesforce.com account
   • How do we avoid them having to remember another password?

7. SAML 2.0
   • Single sign-on across domains/enterprises
   • OASIS standard (March 2005)
   • Widely supported
     – Google Apps since October 2006
     – salesforce.com since Winter ’09 (October 2008)
     – Active Directory Federation Services (AD FS) since version 2.0 (May 2010)

8. SAML 2.0 Roles
   (diagram slide; no text)
9. SAML 2.0 Protocol
   Participants: Browser, Identity Provider, Service Provider
   Browser → Service Provider: GET /something
   Service Provider → Browser: HTTP/1.1 302 Found
       Location: http://idp.ex.com/saml?SAMLrequest=hf7893b…&RelayState=HKFDhh383
   Browser → Identity Provider: GET http://idp.ex.com/saml?SAMLrequest=hf7893b…&RelayState=HKFDhh383
   Browser ↔ Identity Provider: Authenticate
   Identity Provider → Browser: 200 OK, SAML Assertion in HTML FORM
   Browser → Service Provider: POST /acs, SAML Assertion
   Service Provider → Browser: HTTP/1.1 302 Found
       Location: http://sp.ex.net/something
       Set-Cookie: token=value; Domain=.ex.net
10. SAML 2.0 Assertion
    <Assertion>
      <Issuer/>
      <Signature/>
      <Subject/>
      <Conditions/>
      <AttributeStatement/>
      <AuthnStatement/>
    </Assertion>

11. SAML 2.0 Assertion - Issuer
    <Assertion ID="_20f7…" IssueInstant="2011-03-28T18:23:25.539Z" Version="2.0">
      <Issuer>http://adfs-dc.my.example.com/adfs/services/trust</Issuer>
      <Signature/>
      <Subject/>
      <Conditions/>
      <AttributeStatement/>
      <AuthnStatement/>
    </Assertion>

12. SAML 2.0 Assertion - Signature
    <Assertion>
      <Issuer/>
      <Signature>
        <SignedInfo>
          <CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
          <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
          <Reference URI="#_20f7fb27-6bb1-4801-aaab-25b4ff862d2f">
            <Transforms>
              <Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
              <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
            </Transforms>
            <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
            <DigestValue>UrcVwqLcdqMvtJUkxiIw9CBN1h8=</DigestValue>
          </Reference>
        </SignedInfo>
        <SignatureValue>ITY8KT…</SignatureValue>
        <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
          <X509Data><X509Certificate>MIIC6D…</X509Certificate></X509Data>
        </KeyInfo>
      </Signature>
      <Subject/>
      <Conditions/>
      <AttributeStatement/>
      <AuthnStatement/>
    </Assertion>

13. SAML 2.0 Assertion - Subject
    <Assertion>
      <Issuer/>
      <Signature/>
      <Subject>
        <SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
          <SubjectConfirmationData InResponseTo="_2Qwip…"
                                   NotOnOrAfter="2011-03-28T18:28:25.539Z"
                                   Recipient="https://login.sf.com/?saml=…" />
        </SubjectConfirmation>
      </Subject>
      <Conditions/>
      <AttributeStatement/>
      <AuthnStatement/>
    </Assertion>

14. SAML 2.0 Assertion - Conditions
    <Assertion>
      <Issuer/>
      <Signature/>
      <Subject/>
      <Conditions NotBefore="2011-03-28T18:23:25.537Z" NotOnOrAfter="2011-03-28T19:23:25.537Z">
        <AudienceRestriction>
          <Audience>https://superpat.my.salesforce.com</Audience>
        </AudienceRestriction>
      </Conditions>
      <AttributeStatement/>
      <AuthnStatement/>
    </Assertion>

15. SAML 2.0 Assertion - AttributeStatement
    <Assertion>
      <Issuer/>
      <Signature/>
      <Subject/>
      <Conditions/>
      <AttributeStatement>
        <Attribute Name="mail">
          <AttributeValue>pat@superpat.com</AttributeValue>
        </Attribute>
      </AttributeStatement>
      <AuthnStatement/>
    </Assertion>

16. SAML 2.0 Assertion - AuthnStatement
    <Assertion>
      <Issuer/>
      <Signature/>
      <Subject/>
      <Conditions/>
      <AttributeStatement/>
      <AuthnStatement AuthnInstant="2011-03-28T18:23:25.501Z">
        <AuthnContext>
          <AuthnContextClassRef>urn:federation:authentication:windows</AuthnContextClassRef>
        </AuthnContext>
      </AuthnStatement>
    </Assertion>
17. SAML 2.0 Example
    • Authenticate to example.com (identity provider) with username/password
    • Access salesforce.com (service provider)

18. SAML 2.0 Limitations
    • User is authenticating to the enterprise, but still being prompted for username/password.

19. Integrated Windows Authentication
    • Single sign-on within an AD domain/forest
    • Browser requests Kerberos token from desktop OS, wraps according to SPNEGO and includes in HTTP request
    • Relying Party must register a service principal name (SPN) in AD
20. IWA Protocol
    Participants: Browser, Desktop O/S, Server
    Browser → Server: GET /something
    Server → Browser: HTTP/1.1 401 Unauthorized
        WWW-Authenticate: Negotiate
    Browser → Desktop O/S: InitializeSecurityContext()
    Desktop O/S → Browser: NegTokenInit
    Browser → Server: GET /something
        Authorization: Negotiate b64(NegTokenInit)
    Server → Browser: HTTP/1.1 401 Unauthorized
        WWW-Authenticate: Negotiate b64(responseToken)
    Browser → Desktop O/S: InitializeSecurityContext(responseToken)
    Desktop O/S → Browser: NegTokenTarg
    Browser → Server: GET /something
        Authorization: Negotiate b64(NegTokenTarg)
    Server → Browser: HTTP/1.1 200 OK
        Requested Content
21. IWA Example
    • Simple intranet web site showing identity of authenticated user

22. IWA Limitations
    • Scope is limited to Windows infrastructure
      – Server must be Kerberized
    • What about partners/vendors/customers?

23. Making SSO Seamless
    • With SAML 2.0, our Example.com salespeople can access salesforce.com without a salesforce.com password
    • If we add IWA to the mix, then as long as they are logged in to the example.com AD domain, they don’t need to log in to salesforce.com at all!

24. SAML 2.0 + IWA
    • Compose the two protocols
    • AD FS acts as a broker between the AD domain and the outside world
25. SAML 2.0 + IWA Protocols
    Participants: Browser, Identity Provider, Service Provider
    Browser → Service Provider: GET /something
    Service Provider → Browser: HTTP/1.1 302 Found
        Location: https://idp.ex.com/saml?...
    Browser → Identity Provider: GET https://idp.ex.com/saml?...
    Identity Provider → Browser: WWW-Authenticate: Negotiate
    Browser → Identity Provider: Authorization: Negotiate a874…
    Identity Provider → Browser: WWW-Authenticate: Negotiate he83…
    Browser → Identity Provider: Authorization: Negotiate k83g…
    Identity Provider → Browser: 200 OK, SAML Assertion in HTML FORM
    Browser → Service Provider: POST /acs, SAML Assertion
    Service Provider → Browser: HTTP/1.1 302 Found
        Location: https://sp.ex.net/something
        Set-Cookie: token=value; Domain=.ex.net
26. SAML 2.0 + IWA Example
    • Set AD FS config file to use integrated rather than form-based authentication
    • Access salesforce.com based on Windows desktop session

27. Use Case 2: Authorizing Third-Party Access to APIs
    • Third-party web site provides value on top of customer data
    • Accesses salesforce.com via SOAP or REST APIs
    • Need to be able to access API in the context of the end user

28. OAuth 2.0
    • Authorization for RESTful APIs
    • Evolution of Google AuthSub, Yahoo BBAuth, AOL OpenAuth etc
    • ‘Valet key’ for the web
    • Emphasis on simplicity, ease of implementation

29. OAuth Roles
    (diagram slide; no text)
30. OAuth 2.0 Protocol
    Participants: Browser, Authorization Server, Client App, Resource Server
    Browser → Client App: GET /something
    Client App → Browser: 302 Found
        Location: https://login.ex.com/?response_type=code&client_id=…&redirect_uri=…
    Browser → Authorization Server: GET /?response_type=...
    Browser ↔ Authorization Server: Authenticate
    Authorization Server → Browser: 302 Found
        Location: https://app.cl.com?code=…
    Browser → Client App: GET /app.cl.com?code=…
    Client App → Authorization Server: POST /token
        code=…&grant_type=authorization_code&client_id=…&client_secret=…&redirect_uri=…
    Authorization Server → Client App: 200 OK
        { “access_token”: “00D5…” }
    Client App → Resource Server: GET /data
        Authorization: OAuth 00D5…
    Resource Server → Client App: 200 OK, Data
    Client App → Browser: 200 OK, Some Content
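The authorization-code exchange on slide 30, as an added example that is not from the presentation: an in-memory authorization server and client app, with the checks the server makes before a code turns into a token (registered redirect_uri, single-use code bound to the client that requested it, client secret) and the client-side state check. The client_id, client_secret, redirect URI and the 00D5… token prefix are constructed values.

```python
import secrets
from urllib.parse import urlencode, parse_qs, urlsplit

CLIENT_ID, CLIENT_SECRET = "client-constructed", "secret-constructed"  # constructed registration
REDIRECT_URI = "https://app.cl.com/callback"

def _single(query):
    """Flatten a query string or form body into {name: first value}."""
    return {k: v[0] for k, v in parse_qs(query).items()}

class AuthorizationServer:
    """In-memory stand-in for login.ex.com on slide 30."""
    def __init__(self):
        self.clients = {CLIENT_ID: (CLIENT_SECRET, {REDIRECT_URI})}  # secret, registered redirect URIs
        self.codes = {}   # code -> (client_id, redirect_uri, user); codes are single-use

    def authorize(self, query, user):
        """GET /?response_type=code&client_id=...&redirect_uri=..., after the user has authenticated."""
        q = _single(query)
        _, uris = self.clients[q["client_id"]]
        if q.get("response_type") != "code" or q.get("redirect_uri") not in uris:
            raise ValueError("bad response_type or unregistered redirect_uri")  # never redirect elsewhere
        code = secrets.token_urlsafe(16)
        self.codes[code] = (q["client_id"], q["redirect_uri"], user)
        return q["redirect_uri"] + "?" + urlencode({"code": code, "state": q.get("state", "")})

    def token(self, form):
        """POST /token: the code must be unused and bound to the same client and redirect_uri."""
        f = _single(form)
        issued = self.codes.pop(f.get("code"), None)   # pop, so a replayed code is rejected
        if issued is None or f.get("grant_type") != "authorization_code":
            raise ValueError("invalid, expired or reused code")
        client_id, redirect_uri, user = issued
        secret, _ = self.clients[client_id]
        if not (f.get("client_id") == client_id and f.get("redirect_uri") == redirect_uri
                and secrets.compare_digest(f.get("client_secret", ""), secret)):
            raise ValueError("code was issued to a different client or redirect_uri")
        return {"access_token": "00D5" + secrets.token_hex(8), "user": user}

def run_flow(asrv, user="pat@superpat.com"):
    """Client-app side of slide 30; returns (user the token is for, the code that was spent)."""
    state = secrets.token_urlsafe(8)   # bound to the browser session; ties the callback to this request
    redirect = asrv.authorize(urlencode({"response_type": "code", "client_id": CLIENT_ID,
                                         "redirect_uri": REDIRECT_URI, "state": state}), user)
    back = _single(urlsplit(redirect).query)
    if back.get("state") != state:
        raise ValueError("state mismatch: callback not tied to our request")
    tok = asrv.token(urlencode({"grant_type": "authorization_code", "code": back["code"], "client_id": CLIENT_ID,
                                "client_secret": CLIENT_SECRET, "redirect_uri": REDIRECT_URI}))
    return tok["user"], back["code"]
```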
31. OAuth 2.0 + SAML 2.0 + IWA
    • Can use SAML 2.0 for the authentication step of OAuth
    • Instead of redirecting to central salesforce.com authorization server, use custom domain (‘My Domain’ feature)
    • Triggers SP-initiated SAML 2.0 flow
    • Use IWA to avoid manual login

32. OAuth 2.0 + SAML 2.0 + IWA Protocols
    Participants: Browser, Authorization Server, Client App, Resource Server
    (diagram slide; message flow not captured)

33. OAuth 2.0 + SAML 2.0 + IWA Example
    • Service Provider web site retrieves customer’s data from salesforce.com via REST API
    • OAuth triggers SAML, which triggers IWA

34. Use Case 3: What About Desktop Apps?
    • Desktop applications can access web APIs, but how do we authenticate the user?
      – Invoke browser for authentication?
      – Collect username/password?
      – Use PingFederate STS to broker enterprise credentials for an OAuth token!

35. Security Token Service
    • WS-Trust protocol
    • Token in
      – Username/password
      – Kerberos
      – SAML
      – Custom
    • Token out
      – SAML
      – Custom
    • No protocol diagram required!

36. WS-Trust + SAML 2.0 + OAuth
    • Exchange Kerberos Token for SAML 2.0 Assertion – PingFederate
      – WS-Trust
    • Exchange SAML 2.0 Assertion for OAuth 2.0 Access Token – Salesforce.com
      – OAuth
37. High Level Protocol Flow
    Participants: Desktop App, Desktop O/S, STS, Authorization Server, Resource Server
    Desktop App → Desktop O/S: Get Kerberos Token
    Desktop O/S → Desktop App: Kerberos Token
    Desktop App → STS: Kerberos Token
    STS → Desktop App: SAML Assertion
    Desktop App → Authorization Server: SAML Assertion
    Authorization Server → Desktop App: OAuth Token
    Desktop App → Resource Server: GET /data
        Authorization: OAuth 00D5…
    Resource Server → Desktop App: 200 OK, Data
38. WS-Trust + SAML 2.0 + OAuth Example
    • Desktop Chatter client, accessing salesforce.com REST APIs
    • Accessing API in context of end user (rather than ‘API user’) is essential!

39. Parting Thoughts
    • Building blocks exist for satisfying most single sign-on and web services use cases
    • AD FS 2.0 SAML 2.0 support was a watershed
    • Third-party tools are still essential for a truly seamless experience

40. Please Complete the Survey!
    www.theexpertsconference.com

41. Questions & Answers
    • Pat Patterson
      – Email - ppatterson@salesforce.com
      – Blog - blog.sforce.com
      – Twitter - @metadaddy