Security in the Cloud WebinarAdam TormanSenior Product Manager   @atormanBud VieiraSenior Product Manager   @aavraChuck Mo...
Safe HarborSafe harbor statement under the Private Securities Litigation Reform Act of 1995:This presentation may contain ...
@forcedotcom / #forcewebinarDeveloper Force Groupfacebook.com/forcedotcom
http://bit.ly/sfcloudstock
Agenda§  Force.com Overview§  Authenticating Database.com Users§  Provisioning Database.com Users§  Controlling Access...
Enterprise Data Collaboration Platform§  Trusted by the enterprise§  Designed for social collaboration§  Open for any l...
Chuck MortimoreSr. Product Management Director         Core Security
Authentication and Database.com§  Two primary mechanisms for authentication§  Direct db access with a privileged user   ...
What is OAuth?§  An open protocol to allow secure API access in a simple    and standard method from desktop and web    a...
Why Use OAuth§  Simple   –  Protocol is HTTP based.   –  Interfaces are already done   –  Allows you to focus on your val...
Direct DB Access with a Privileged User§  User Name / Password Flow    –  Used for simple server to server integration us...
Individual User Accounts§  Web Server Flow   –  Web servers can protect secrets. Code returned to callback      URL and e...
How Does It Work?1)  Device opens a browser    with authorization URL2)  User is Authenticated3)  User Authorizes App4)  T...
What the User Sees:      Authentication   Authorization
Step 1: Open a URL https://login.salesforce.com/services/oauth2/authorize ?response_type=token &client_id={YOUR_CLIENT_ID}...
Step 2: Parse the Response  {YOUR_REDIRECT_URI}#  access_token={SESSION}  &refresh_token={LIKE_A_PASSWORD}  &instance_url=...
Step 3: Use your Token GET /some/resource HTTP/1.1 Host: na1.salesforce.com Authorization: Oauth czZCaGRSa3F0MzpnWDFmQm
Using a Token§  Token Response:   –  XML or JSON   –  access_token: an API only SID   –  refresh_token: a token you can u...
Identity URL Service§  Return a central identity url   –  https://login.salesforce.com/id/{orgid}/{userid}§  Basic profi...
Configuring a ClientSetup/Administration/Create/Remote Access
Demo Time!
Adam Torman and Bud Vieira       Sr. Product Managers     Administration and Sharing
User Provisioning§  Add multiple users    quickly§  Add single users    with more detail§  Use the sObject    API for b...
User Provisioning with REST API      https://workbench.developerforce.com/login.php!GET: /services/data/v24.0/sobjects/Use...
How do Profiles and Sharing Work Together  Keep the simple simple and make the complex possible  §  Profiles             ...
Demo: Access to the Dreamforce Event Object                           Event Table          Name                           ...
What’s a permission set?§  Like profiles, a permission set is a collection of    permissions and settings that allow user...
Demo: Least Privilege Permissions                       Db.com w/Events Profile                                           ...
Highlights of the Sharing Toolbox               !                              default sharing model for all users        ...
Demo: Opening up Sharing Access to Events                  Event_Share Table           User          Level   Reason       ...
Key Take Aways§  We have many ways to handle single sign on – take    your pick§  There are privileged users, admin user...
ResourcesSecurity Wikihttp://wiki.developerforce.com/page/SecurityForce.com Security Overviewhttp://wiki.developerforce.co...
Questions & Answers  http://bit.ly/securitywebinar                  Chuck Mortimore                  Senior Director, Prod...
ABCs of Security in the Cloud Webinar
Upcoming SlideShare
Loading in …5
×

ABCs of Security in the Cloud Webinar

1,488 views

Published on

Authentication, authorization, and data access controls are standard requirements for most data-centric apps. And in a traditional client-server environment, these are often the most time-consuming features to implement, even for experts. In this session, you'll learn about Database.com's unique approach to user authentication with OAuth, user types, and a built-in and flexible data sharing model.

Watch this webinar to learn about:
:: Common authentication patterns such as OAuth and SAML
:: How functional access controls provide simple administration of a user's permissions
:: How record-level access provides granularity of control at enterprise scale
:: How all three authorization and authentication patterns work together to do most of the work for you

Date: This webinar took place on Feb 23, 2012

More details: http://wiki.developerforce.com/page/Webinar:_Security

Published in: Technology
0 Comments
1 Like
Statistics
Notes
  • Be the first to comment

No Downloads
Views
Total views
1,488
On SlideShare
0
From Embeds
0
Number of Embeds
3
Actions
Shares
0
Downloads
33
Comments
0
Likes
1
Embeds 0
No embeds

No notes for slide

ABCs of Security in the Cloud Webinar

  1. 1. Security in the Cloud WebinarAdam TormanSenior Product Manager @atormanBud VieiraSenior Product Manager @aavraChuck MortimoreSenior Director, Product Management @cmort
  2. 2. Safe HarborSafe harbor statement under the Private Securities Litigation Reform Act of 1995:This presentation may contain forward-looking statements that involve risks, uncertainties, and assumptions. If anysuch uncertainties materialize or if any of the assumptions proves incorrect, the results of salesforce.com, inc. coulddiffer materially from the results expressed or implied by the forward-looking statements we make. All statementsother than statements of historical fact could be deemed forward-looking, including any projections of product orservice availability, subscriber growth, earnings, revenues, or other financial items and any statements regardingstrategies or plans of management for future operations, statements of belief, any statements concerning new,planned, or upgraded services or technology developments and customer contracts or use of our services.The risks and uncertainties referred to above include – but are not limited to – risks associated with developing anddelivering new functionality for our service, new products and services, our new business model, our past operatinglosses, possible fluctuations in our operating results and rate of growth, interruptions or delays in our Web hosting,breach of our security measures, the outcome of intellectual property and other litigation, risks associated withpossible mergers and acquisitions, the immature market in which we operate, our relatively limited operating history,our ability to expand, retain, and motivate our employees and manage our growth, new releases of our service andsuccessful customer deployment, our limited history reselling non-salesforce.com products, and utilization andselling to larger enterprise customers. Further information on potential factors that could affect the financial results ofsalesforce.com, inc. is included in our annual report on Form 10-Q for the most recent fiscal quarter ended July 31,2011. This documents and others containing important disclosures are available on the SEC Filings section of theInvestor Information section of our Web site.Any unreleased services or features referenced in this or other presentations, press releases or public statementsare not currently available and may not be delivered on time or at all. Customers who purchase our services shouldmake the purchase decisions based upon features that are currently available. Salesforce.com, inc. assumes noobligation and does not intend to update these forward-looking statements.
  3. 3. @forcedotcom / #forcewebinarDeveloper Force Groupfacebook.com/forcedotcom
  4. 4. http://bit.ly/sfcloudstock
  5. 5. Agenda§  Force.com Overview§  Authenticating Database.com Users§  Provisioning Database.com Users§  Controlling Access§  Key Take Aways§  Q&A
  6. 6. Enterprise Data Collaboration Platform§  Trusted by the enterprise§  Designed for social collaboration§  Open for any language, platform, or device§  Support for mobile applications
  7. 7. Chuck MortimoreSr. Product Management Director Core Security
  8. 8. Authentication and Database.com§  Two primary mechanisms for authentication§  Direct db access with a privileged user –  1 highly privileged user to access the data –  Classic integration and database connection model§  Individual user accounts –  Each user has a named account –  Propagates Identity all they way to the database tier –  Can simplify the development of authentication –  Allows granular authorization at the data tier
  9. 9. What is OAuth?§  An open protocol to allow secure API access in a simple and standard method from desktop and web applications§  Standardization of common, successful API patterns§  Standard track in IETF –  Salesforce.com, Google, Microsoft, Facebook, Twitter, Yahoo, Oracle, etc.
  10. 10. Why Use OAuth§  Simple –  Protocol is HTTP based. –  Interfaces are already done –  Allows you to focus on your value add§  Works great for mobile –  Salesforce mobile and desktop clients are switching –  No need for API token§  Stops the password anti-pattern –  Reduce the security and management issues with passwords
  11. 11. Direct DB Access with a Privileged User§  User Name / Password Flow –  Used for simple server to server integration use-casesPOST /services/oauth/token HTTP/1.1!Host: login.salesforce.com!grant_type=password&client_id={CLIENT_ID}&client_secret={CLIENT_SECRET}&redirect_uri={REDIRECT_URI}&username={USERNAME}&password={PASSWORD}!!!!!HTTP/1.1 200 OK!Content-Type: application/json!!{"id":"https://login.salesforce.com/id/00D300000000mlxEAA/00530000000gKV8AAM","issued_at":"1313612089200","instance_url":"https://cmort-developer-edition.my.salesforce.com","signature":"NRbIb/EnYBfxKz9hApUI70Pl/Rog1S8ArsTHoxbj4eg=","access_token":"00D300000000mlx!AQoAQKtgvm50TODcRU3QboID1DctJIssSMRPWIdVmXcAF9vbqIppVOGIVGZ6MR2xzS2TjQix.bW3ZHH9OnColDSH.5fg_rM"}!
  12. 12. Individual User Accounts§  Web Server Flow –  Web servers can protect secrets. Code returned to callback URL and exchanged for a token via a POST§  User Agent Flow –  Used for Javascript, Mobile, and Desktop. Token returned directly to callback URL behind # fragment
  13. 13. How Does It Work?1)  Device opens a browser with authorization URL2)  User is Authenticated3)  User Authorizes App4)  Tokens returned to device
  14. 14. What the User Sees: Authentication Authorization
  15. 15. Step 1: Open a URL https://login.salesforce.com/services/oauth2/authorize ?response_type=token &client_id={YOUR_CLIENT_ID} &redirect_uri={YOUR_REDIRECT_URI}https://login.salesforce.com/services/oauth2/authorize?response_type=token&client_id=MyClient&redirect_uri=myapp%3A%2F%2Fcallback
  16. 16. Step 2: Parse the Response {YOUR_REDIRECT_URI}# access_token={SESSION} &refresh_token={LIKE_A_PASSWORD} &instance_url={USERS_INSTANCE} &id={IDENTITY_URL}myapp://callback#access_token=czZCaGRSa3F0MzpnWDFmQm&refresh_token=5Aep8615VRsd_GrUz3LAcJl&redirect_uri=myapp%3A%2F%2Fcallback&instance_url=https%3A%2F%2Fna1.salesforce.com&id=https%3A%2F%2Flogin.salesforce.com%2Fid%2F00DD0000000FJCR%2F005D0000001B5bx
  17. 17. Step 3: Use your Token GET /some/resource HTTP/1.1 Host: na1.salesforce.com Authorization: Oauth czZCaGRSa3F0MzpnWDFmQm
  18. 18. Using a Token§  Token Response: –  XML or JSON –  access_token: an API only SID –  refresh_token: a token you can use to get new access_tokens –  instance_url: the user’s instance –  id: a url that is both a unique id for the user and a getUserInfo§  Using it with the API –  REST: HTTP Header: “Authorization: OAuth <access_token>” –  SOAP: place access token in SOAP header like a SID
  19. 19. Identity URL Service§  Return a central identity url –  https://login.salesforce.com/id/{orgid}/{userid}§  Basic profile information similar to GetUserInfo§  Discovery service for API endpoints§  Chatter Status and photos§  Working to standardize this as “OpenID Connect”
  20. 20. Configuring a ClientSetup/Administration/Create/Remote Access
  21. 21. Demo Time!
  22. 22. Adam Torman and Bud Vieira Sr. Product Managers Administration and Sharing
  23. 23. User Provisioning§  Add multiple users quickly§  Add single users with more detail§  Use the sObject API for bulk§  Use REST API§  Use SAML for upsert
  24. 24. User Provisioning with REST API https://workbench.developerforce.com/login.php!GET: /services/data/v24.0/sobjects/User/00530000004qkoH!POST: /services/data/v24.0/sobjects/User/! {! "Username" : "gogolbordello@db.com", ! "LastName" : "Bordello", ! "FirstName" : "Gogol", ! "Email" : "atorman@salesforce.com", ! "Alias" : "gUser", ! "CommunityNickname" : "gogolbordello1234", ! "IsActive" : false, ! "TimeZoneSidKey" : "America/Los_Angeles", ! "LocaleSidKey" : "en_US", ! "EmailEncodingKey" : "ISO-8859-1", ! "ProfileId" : "00e30000001btrSAAQ", ! "LanguageLocaleKey" : "en_US", ! "UserPermissionsMobileUser" : false, ! "UserPreferencesDisableAutoSubForFeeds" : false! }!
  25. 25. How do Profiles and Sharing Work Together Keep the simple simple and make the complex possible §  Profiles §  Sharing –  What tables and columns –  What rows can I access can I access –  Read/Write/Transfer/Full –  Read/Create/Edit/Delete Event Tableü  Read ü  Readü  Create Name Description ü  Writeü  Edit Authentication: A Practical Guide Practical Guide…q  Delete Keynote 1 Welcome to Dream… q  Read q  Edit
  26. 26. Demo: Access to the Dreamforce Event Object Event Table Name Description Authentication: A Practical… Practical Guide… Welcome to Keynote 1 Dream… Developer Zone Welcome Devs Metallica! Killer Show
  27. 27. What’s a permission set?§  Like profiles, a permission set is a collection of permissions and settings that allow users to do things in Salesforce.§  What a user can do is determined by one profile plus permission sets
  28. 28. Demo: Least Privilege Permissions Db.com w/Events Profile q  Read q  Edit Event Table Name Description Authentication: A Practical Guide… Practical… Keynote 1 Welcome to Dream… Developer Zone Welcome Devs ü  Read q  Edit Event Description Permission Set
  29. 29. Highlights of the Sharing Toolbox ! default sharing model for all users Org Wide Defaults management access to data Role Hierarchy target access to specific groups Sharing Rules most granular – complete control Programmatic Sharing
  30. 30. Demo: Opening up Sharing Access to Events Event_Share Table User Level Reason Demo User Full Owner Event Owner Full Owner Demo User Read Sharing Rule Demo User Read Custom
  31. 31. Key Take Aways§  We have many ways to handle single sign on – take your pick§  There are privileged users, admin users, and everyone in between§  Profiles and Sharing work together to keep the simple simple and make the complex scale
  32. 32. ResourcesSecurity Wikihttp://wiki.developerforce.com/page/SecurityForce.com Security Overviewhttp://wiki.developerforce.com/page/An_Overview_of_Force.com_SecuritySecurity Implementation Guidehttps://na1.salesforce.com/help/doc/en/salesforce_security_impl_guide.pdfSecurity Cookbook Recipeshttp://developer.force.com/cookbook/category/security/recentI <3 Permission Sets DF11 Presentationhttp://www.youtube.com/watch?v=arXxUgH9cD4Using Apex Managed Sharing to Create Custom Record Sharing Logichttp://wiki.developerforce.com/page/Using_Apex_Managed_Sharing_to_Create_Custom_Record_Sharing_LogicDigging Deeper into Oauth 2.0 on Force.comhttp://wiki.developerforce.com/page/Digging_Deeper_into_OAuth_2.0_on_Force.com
  33. 33. Questions & Answers http://bit.ly/securitywebinar Chuck Mortimore Senior Director, Product Management @cmort Adam Torman Senior Product Manager @atorman Bud Vieira Senior Product Manager @aavra

×