Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.

Single Sign-On Best Practices


Published on

  • Be the first to comment

Single Sign-On Best Practices

  1. 1. Single Sign-On Best PracticesDeveloper TrackSuchin Rengan Shesh KondiDirector, Technical Solutions Architect Cloud Solutions Architect@sacrengan @sheshzilla
  2. 2. Safe Harbor Safe harbor statement under the Private Securities Litigation Reform Act of 1995: This presentation may contain forward-looking statements that involve risks, uncertainties, and assumptions. If any such uncertainties materialize or if any of the assumptions proves incorrect, the results of, inc. could differ materially from the results expressed or implied by the forward- looking statements we make. All statements other than statements of historical fact could be deemed forward-looking, including any projections of product or service availability, subscriber growth, earnings, revenues, or other financial items and any statements regarding strategies or plans of management for future operations, statements of belief, any statements concerning new, planned, or upgraded services or technology developments and customer contracts or use of our services. The risks and uncertainties referred to above include – but are not limited to – risks associated with developing and delivering new functionality for our service, new products and services, our new business model, our past operating losses, possible fluctuations in our operating results and rate of growth, interruptions or delays in our Web hosting, breach of our security measures, the outcome of intellectual property and other litigation, risks associated with possible mergers and acquisitions, the immature market in which we operate, our relatively limited operating history, our ability to expand, retain, and motivate our employees and manage our growth, new releases of our service and successful customer deployment, our limited history reselling products, and utilization and selling to larger enterprise customers. Further information on potential factors that could affect the financial results of, inc. is included in our annual report on Form 10-Q for the most recent fiscal quarter ended July 31, 2012. This documents and others containing important disclosures are available on the SEC Filings section of the Investor Information section of our Web site. Any unreleased services or features referenced in this or other presentations, press releases or public statements are not currently available and may not be delivered on time or at all. Customers who purchase our services should make the purchase decisions based upon features that are currently available., inc. assumes no obligation and does not intend to update these forward-looking statements.
  3. 3. Why are we here? • To discuss • Different Mechanisms for Authentication • When to choose what protocol • Best practice for implementations • To help you understand • Single Sign-On Using SAML 2.0 • API access using OAuth • Authentication Providers • To demonstrate • The amazing things that can be built using our Authentication services
  4. 4. What is Single Sign On? Per wikipedia.. Single sign-on (SSO) is a property of access control of multiple related, but independent software systems. With this property a user logs in once and gains access to all systems without being prompted to log in again at each of them In simple terms.. Ability for systems to establish Authentication using a mutually agreed upon an identity mechanism
  5. 5. Authentication MechanismsSuchin Rengan
  6. 6. Username / Password Authentication • The out-of-the-box experience • Salesforce hosts the authentication interface • Flexible policies • Mobile ready ① User sends credentials to Salesforce ② Salesforce authenticates user in our database and user is granted session to Salesforce
  7. 7. What is SAML? • The Standard for Federated Single Sign-On • OASIS Standard: Commercial & Open Source support • Authentication interface is hosted by customer① User requests a secure resource② redirects to Customer IDP③ Customer authenticates user④ User returns to with SAML and is granted session * If you’re logged into the Dreamforce org, you’ve used SAML!
  8. 8. What is Delegated Authentication? • SOAP based protocol for “Single Login” • Salesforce only: Minimal commercial support • Salesforce hosts the authentication interface① User sends credentials to Salesforce② Salesforce sends credentials to Customer③ Customer authenticates user and replies “true”④ User is granted session to Salesforce
  9. 9. What is OAuth? • An open protocol to allow secure API access in a simple, standard method from desktop/web applications • Standard track in IETF • Integrates with previous authentication mechanisms① App redirects user to Salesforce② Salesforce authenticates user③ Saleforce redirects user back to app with code④ App sends code to Salesforce⑤ Salesforce issues session⑥ App accesses API
  10. 10. When do I use what? • UserId/Password • When you just want the basics • SAML • Single Sign-On for the web and applications • SAML provides the best commercial support • SAML provides re-use across other Cloud services • OAuth • Building an API client or connected application (including Mobile) • Delegated Auth • SF Mobile CRM and older API clients with your own credentials * Not mutually exclusive…you can mix and match
  11. 11. Customer Poll/ Question If you want to use your Active Directory credentials to use Salesforce for Outlook what mechanism would you use? A. Username / Password B. SAML C. OAuth D. Delegated Authentication
  12. 12. SSO in ActionShesh KondiSuchin Rengan
  13. 13. How about using a Corporate Identity for Employees? Identity Provider (IDP) Service Provider (SP) MyDomain: A sub-domain used to access a specific SF Organization. Example: https://acme-1. Generate SAML token and send 2. Validate SAML and generate to Salesforce session
  14. 14. Provisioning Users So, how we get the users in Salesforce??  Manually…. But that doesn’t cut for large organizations  API… But that takes code and maintenance  Just In Time Provisioning (SAML JIT)
  15. 15. What about Multiple Salesforce Orgs? Identity Provider (IDP) Service Provider (SP) Service Provider (SP)
  16. 16. …and an org can even be an IDP… Identity Provider (IDP)Service Provider (SP) Service Provider (SP)
  17. 17. How about bookmarks? 1. Request Resource. Redirect to IDP 2. Send SAML Request 3. Authenticate. Send SAML Response 4. Validate SAML. Generate session Identity Provider (IDP) Service Provider (SP) 4 2 3 1
  18. 18. How about Employees use Mobile? 1. User Posts Credentials 2. User get’s session
  19. 19. Salesforce as an IDP for a Third Party SP Identity Provider (IDP) Service Provider (SP) Service Provider (SP)
  20. 20. What about Single Sign-On for Partners? Identity Provider (IDP) Partner Portal1. Generate SAML and send to 2. Validate SAML and generateSalesforce session Same as IDP Initiated SAML, but with 2 additional attributes Send these in attribute statement: organization_id & portal_id
  21. 21. What about the Consumers? Social Sign On  Login using ‘Social’ Credentials  Facebook and Janrain Authentication Providers  Link Accounts  Dyanamic Provisioning
  22. 22. How about using Social credentials for Salesforceaccess? 1. Authenticate and Link accounts 2. Allow Salesforce access
  23. 23. SSO Best PracticesSuchin Rengan
  24. 24. Best PracticesDevelop troubleshooting practices for SSO failures  SSO is in critical path since no login means no access to users Citi SSO SAML Issues Troubleshooting Process SAML SSO Issue is Reported Gather Information: - User Id - Error Message Check the Login Type “SAML Idp Initiated SSO” Any Login Error NO Is User Profile Make appropriate Message in User’s Configured with changes to User Login History? Proper Federation Id? Profile Error Messages like: - Failed: Issuer Mismatched - Failed: Certificate Mismathed YES YES NO Talk to Citi STS NO team and get SAML Setting Is SAML Token their help in Related Issue? (1) Valid? (2) resolution of the issue YES YES Make appropriate changes to SAML Settings If necessary open support ticket with SFDC Error Messages like: - Failed: Audience Mismatched - Failed: Recipient Mismatched - Failed: Certificate Mismatched Verify if it resolves the issue ADDITIONAL NOTES 1) For Certificate related issues, verify Certificate that is uploaded under SAML settings 2) A SAML Token can be validated using the SAML Token Debugger tool that is accessible on the SAML Settings Screen 3) Replay related issue is a temporary issue and happens if multiple SAML requests for the same user is made
  25. 25. SAML Best Practices – Prevent Failures • Make sure the IDP server is on a high available environment • Be proactive with regards to certificate (Salesforce and client) expirations • Check for any time skews that may lead to inconsistent timeout/ session creation issues • Implement custom logout, error pages to present custom messages instead of defaults • TEST and TEST and TEST
  26. 26. SAML Best Practices – Reliable & Scalable • Use Federation Id instead of SF username as subject Id • Identity based on login and no mapping required to know SF username • Login post is org specific and hence no time needed by SF to resolve org instance • Disabling users from directly logging into SF if SAML is enabled • Enable DA and implement a service that always return false • Use the “My Domains” feature and redirect the user when attempting to login directly. Also, disable flag that allows users to log into directly  Administrators should be excluded from SSO
  27. 27. Where do we go from here? Learn more on developer force: • On_for_Desktop_and_Mobile_Applications_using_SAML_and_OAuth • Attend these sessions: • Hands-on Training: Enable Single Sign-on with SAML Thursday, September 20th: 3:00 PM - 4:00 PM • Authentication with OAuth and Connected Apps Thursday, September 20th: 10:30 AM - 11:30 AM
  28. 28. Suchin Rengan Shesh Kondi @sacrengan @sheshzilla