Single sign-on (SSO) allows users to access multiple systems after one authentication. Common SSO protocols discussed include SAML, OAuth, and username/password. SAML is best for single sign-on across websites while OAuth is for secure API access. Best practices include high availability, proactive certificate management, custom error pages, and testing. The document provides an overview of SSO concepts and recommendations for implementation and troubleshooting.
2. Why are we here?
• To discuss
  • Different Mechanisms for Authentication
  • When to choose what protocol
  • Best practice for implementations
• To help you understand
  • Single Sign-On Using SAML 2.0
  • API access using OAuth
  • Authentication Providers
• To demonstrate
  • The amazing things that can be built using our Authentication services
3. What is Single Sign On?
Per Wikipedia:
Single sign-on (SSO) is a property of access control of multiple related,
but independent software systems. With this property a user logs in once
and gains access to all systems without being prompted to log in again at
each of them.
In simple terms:
The ability for systems to establish authentication using a mutually
agreed-upon identity mechanism.
5. Username / Password Authentication
• The out-of-the-box experience
• Salesforce hosts the authentication interface
• Flexible policies
• Mobile ready
1. User sends credentials to Salesforce
2. Salesforce authenticates user in our database and user is granted session to Salesforce
6. What is SAML?
• The Standard for Federated Single Sign-On
• OASIS Standard: Commercial & Open Source support
• Authentication interface is hosted by customer
1. User requests a secure resource
2. Salesforce.com redirects to Customer IDP
3. Customer authenticates user
4. User returns to Salesforce.com with SAML and is granted session
* If you’re logged into the Dreamforce org, you’ve used SAML!
7. What is Delegated Authentication?
• SOAP based protocol for “Single Login”
• Salesforce only: Minimal commercial support
• Salesforce hosts the authentication interface
1. User sends credentials to Salesforce
2. Salesforce sends credentials to Customer
3. Customer authenticates user and replies “true”
4. User is granted session to Salesforce
8. What is OAuth?
• An open protocol to allow secure API access in a simple, standard method from desktop/web applications
• Standards track in IETF
• Integrates with previous authentication mechanisms
1. App redirects user to Salesforce
2. Salesforce authenticates user
3. Salesforce redirects user back to app with code
4. App sends code to Salesforce
5. Salesforce issues session
6. App accesses API
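The six steps above are the OAuth 2.0 authorization-code flow. The following is an added example, not code from the slides or from Salesforce, that models both parties of that exchange in one process: `AuthServer` stands in for the Salesforce side (steps 2, 4 and 5) and `ClientApp` for the desktop/web/mobile app (steps 1, 3 and 6). The class names, endpoint URLs, the client registration and the user `alice` are all constructed for illustration. Beyond the happy path, it shows the two checks that make the flow safe to run over browser redirects: the code is bound to one client and redirect URI and can be exchanged only once, and the app refuses a callback whose `state` it did not issue.

```python
"""Added example (not from the slides): an in-memory model of the OAuth 2.0
authorization-code flow from slide 8, with both parties in one process.
AuthServer stands in for the Salesforce side (steps 2, 4 and 5), ClientApp for
the desktop/web/mobile app (steps 1, 3 and 6). Class and endpoint names, the
user 'alice' and the client registration are constructed for illustration."""
import secrets
import time
from dataclasses import dataclass, field
from typing import Optional
from urllib.parse import parse_qs, urlencode, urlparse


@dataclass
class AuthServer:
    """Authenticates users, issues one-time codes, exchanges them for sessions."""
    clients: dict                          # client_id -> (client_secret, registered redirect_uri)
    codes: dict = field(default_factory=dict)
    sessions: dict = field(default_factory=dict)
    code_ttl: float = 600.0                # seconds a code stays exchangeable

    def authorize(self, client_id, redirect_uri, state, username, password):
        """Steps 1-3: user arrives by redirect, authenticates, is sent back with a code."""
        _, registered_uri = self.clients[client_id]
        if redirect_uri != registered_uri:          # never redirect to an unregistered URI
            raise ValueError("redirect_uri not registered for this client")
        if (username, password) != ("alice", "correct horse"):   # constructed user store
            raise ValueError("bad credentials")
        code = secrets.token_urlsafe(24)
        # Bind the code to client and redirect_uri so it cannot be presented elsewhere.
        self.codes[code] = {"client_id": client_id, "redirect_uri": redirect_uri,
                            "user": username, "issued": time.time(), "used": False}
        return f"{redirect_uri}?{urlencode({'code': code, 'state': state})}"

    def token(self, client_id, client_secret, code, redirect_uri):
        """Steps 4-5: app presents the code and its secret; a session is issued once."""
        secret, _ = self.clients[client_id]
        if not secrets.compare_digest(secret, client_secret):
            raise ValueError("invalid client")
        rec = self.codes.get(code)
        if rec is None or rec["used"]:
            raise ValueError("invalid or already used code")
        if rec["client_id"] != client_id or rec["redirect_uri"] != redirect_uri:
            raise ValueError("code was issued to a different client or redirect_uri")
        if time.time() - rec["issued"] > self.code_ttl:
            raise ValueError("code expired")
        rec["used"] = True                          # single use
        access_token = secrets.token_urlsafe(32)
        self.sessions[access_token] = rec["user"]
        return {"access_token": access_token, "token_type": "Bearer"}

    def api_whoami(self, bearer):
        """Step 6: the API accepts only a live session token."""
        user = self.sessions.get(bearer)
        if user is None:
            raise PermissionError("unauthorized")
        return {"whoami": user}


@dataclass
class ClientApp:
    """The connected app: starts the redirect, checks state, exchanges the code."""
    client_id: str
    client_secret: str
    redirect_uri: str
    pending_state: Optional[str] = None

    def start_login(self, authorize_url):
        self.pending_state = secrets.token_urlsafe(16)     # ties the callback to this login
        params = {"response_type": "code", "client_id": self.client_id,
                  "redirect_uri": self.redirect_uri, "state": self.pending_state}
        return f"{authorize_url}?{urlencode(params)}"

    def handle_callback(self, callback_url, server):
        q = parse_qs(urlparse(callback_url).query)
        if q.get("state", [None])[0] != self.pending_state:
            raise ValueError("state mismatch: callback does not belong to this login")
        self.pending_state = None
        return server.token(self.client_id, self.client_secret, q["code"][0], self.redirect_uri)


def demo():
    """Run one login end to end, then show the two failure modes the flow guards against."""
    server = AuthServer(clients={"app1": ("s3cret", "https://app.example.test/cb")})
    app = ClientApp("app1", "s3cret", "https://app.example.test/cb")
    login_url = app.start_login("https://login.example.test/authorize")
    q = parse_qs(urlparse(login_url).query)
    callback = server.authorize(q["client_id"][0], q["redirect_uri"][0], q["state"][0],
                                "alice", "correct horse")
    tok = app.handle_callback(callback, server)
    result = {"whoami": server.api_whoami(tok["access_token"])["whoami"]}
    code = parse_qs(urlparse(callback).query)["code"][0]
    try:                                            # a code cannot be exchanged twice
        server.token("app1", "s3cret", code, "https://app.example.test/cb")
        result["replay_rejected"] = False
    except ValueError:
        result["replay_rejected"] = True
    app.start_login("https://login.example.test/authorize")
    try:                                            # a callback carrying a foreign state is dropped
        app.handle_callback(callback, server)
        result["state_mismatch_rejected"] = False
    except ValueError:
        result["state_mismatch_rejected"] = True
    return result


if __name__ == "__main__":
    print(demo())
```

Running `demo()` walks one login and then tries to reuse the code and to replay an old callback; both are refused. The point for an integrator is that the code itself is not the credential: the session is only issued to the registered client, at the registered redirect URI, once, and within the code's lifetime.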
9. When do I use what?
• UserId/Password
  • When you just want the basics
• SAML
  • Single Sign-On for the web and applications
  • SAML provides the best commercial support
  • SAML provides re-use across other Cloud services
• OAuth
  • Building an API client or connected application (including Mobile)
• Delegated Auth
  • SF Mobile CRM and older API clients with your own credentials
* Not mutually exclusive…you can mix and match
10. Customer Poll/ Question
If you want to use your Active Directory credentials to use
Salesforce for Outlook what mechanism would you use?
A. Username / Password
B. SAML
C. OAuth
D. Delegated Authentication
12. How about using a Corporate Identity for Employees?
Identity Provider (IDP) and Service Provider (SP):
1. Generate SAML token and send response to Salesforce
2. Validate SAML and generate session
MyDomain: A sub-domain used to access a specific SF Organization.
Example: https://acme-developer.my.salesforce.com
13. Provisioning Users
So, how do we get the users into Salesforce?
Manually… but that doesn’t cut it for large organizations
API… but that takes code and maintenance
Just In Time Provisioning (SAML JIT)
14. What about Multiple Salesforce Orgs?
One Identity Provider (IDP) serving multiple Service Providers (SP)
15. …and an org can even be an IDP…
A Salesforce org acting as Identity Provider (IDP) for other Service Providers (SP)
16. How about bookmarks?
Identity Provider (IDP) and Service Provider (SP):
1. Request Resource. Redirect to IDP
2. Send SAML Request
3. Authenticate. Send SAML Response
4. Validate SAML. Generate session
17. How about Employees use Mobile?
1. User posts credentials
2. User gets session
18. Salesforce as an IDP for a Third Party SP
Salesforce org as Identity Provider (IDP), third-party Service Providers (SP)
19. What about Single Sign-On for Partners?
Identity Provider (IDP) and Partner Portal
Same as IDP Initiated SAML, but with 2 additional attributes
Send these in the attribute statement: organization_id & portal_id
1. Generate SAML and send to Salesforce
2. Validate SAML and generate session
20. What about the Consumers?
Social Sign On
Login using ‘Social’ Credentials
Facebook and Janrain Authentication Providers
Link Accounts
Dynamic Provisioning
21. How about using Social credentials for Salesforce access?
1. Authenticate and Link accounts
2. Allow Salesforce access
23. Best Practices
Develop troubleshooting practices for SSO failures
SSO is in the critical path, since no login means no access for users
Citi SSO SAML Issues Troubleshooting Process
1. SAML SSO issue is reported.
2. Gather information: User Id, Error Message.
3. Any login error message in the user’s Login History?
4. SAML Setting related issue? (1) If YES: Is the SAML token valid? (2) If NO, make appropriate changes to SAML Settings. Error messages like:
  - Failed: Audience Mismatched
  - Failed: Recipient Mismatched
  - Failed: Certificate Mismatched
5. If NO: Is the user profile configured with the proper Federation Id? If NO, make appropriate changes to the User Profile. Error messages (Type “SAML IdP Initiated SSO”) like:
  - Failed: Issuer Mismatched
  - Failed: Certificate Mismatched
6. Verify if it resolves the issue.
7. Talk to Citi STS team and get their help in resolution of the issue.
8. If necessary, open a support ticket with SFDC.
Additional notes:
1) For certificate related issues, verify the certificate that is uploaded under SAML settings.
2) A SAML token can be validated using the SAML Token Debugger tool that is accessible on the SAML Settings screen.
3) A replay related issue is a temporary issue and happens if multiple SAML requests for the same user are made.
24. SAML Best Practices – Prevent Failures
• Make sure the IDP server is on a highly available environment
• Be proactive with regards to certificate (Salesforce and client) expirations
• Check for any time skews that may lead to inconsistent timeout/session creation issues
• Implement custom logout and error pages to present custom messages instead of defaults
• TEST and TEST and TEST
25. SAML Best Practices – Reliable & Scalable
• Use Federation Id instead of SF username as subject Id
  • Identity based on login and no mapping required to know SF username
  • Login post is org specific and hence no time needed by SF to resolve org instance
• Disable users from directly logging into SF if SAML is enabled
  • Enable DA and implement a service that always returns false
  • Use the “My Domains” feature and redirect the user when attempting to login directly. Also, disable the flag that allows users to log into Salesforce.com directly
• Administrators should be excluded from SSO
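The troubleshooting flow on slide 23, the time-skew point on slide 24 and the Federation Id and JIT advice on slides 13 and 25 all describe what the Service Provider does with an incoming assertion. The following is an added example, not code from the slides or from Salesforce, of those SP-side checks: issuer, audience and recipient comparison (producing the “Failed: … Mismatched” wording the slide lists), a bounded clock-skew allowance on the validity window, replay detection by assertion ID (note 3), and Just-In-Time creation of the user keyed by the Federation Id carried in the subject. XML-Signature verification against the IdP certificate uploaded in the SAML settings (note 1) is assumed to have been performed by a SAML library before this code runs and is not shown. `SP_SETTINGS`, the assertion template, the ACS path and the user are constructed; `SamlServiceProvider` is an illustrative name, not a real API.

```python
"""Added example (not from the slides): the Service Provider-side checks behind
the 'Failed: Issuer / Audience / Recipient Mismatched' messages on the
troubleshooting slide, the clock-skew allowance from slide 24, the replay
note (3), and Just-In-Time provisioning keyed by Federation Id (slides 13 and
25). XML-Signature verification against the certificate uploaded in the SAML
settings is assumed to have been done by a SAML library before this code runs
and is not shown. SP_SETTINGS, the assertion text and the user are constructed."""
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed SP configuration: what the org's SAML settings would hold.
SP_SETTINGS = {
    "issuer": "https://idp.example.test/saml",
    "audience": "https://saml.salesforce.com",
    "recipient": "https://acme-developer.my.salesforce.com/acs",   # constructed ACS URL
    "clock_skew": timedelta(minutes=3),
}

# Constructed assertion template, as an IdP would send it (Signature element omitted).
ASSERTION_TEMPLATE = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="{aid}" Version="2.0" IssueInstant="{nb}">
  <saml:Issuer>{issuer}</saml:Issuer>
  <saml:Subject>
    <saml:NameID>EMP0001</saml:NameID>
    <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
      <saml:SubjectConfirmationData Recipient="https://acme-developer.my.salesforce.com/acs" NotOnOrAfter="{na}"/>
    </saml:SubjectConfirmation>
  </saml:Subject>
  <saml:Conditions NotBefore="{nb}" NotOnOrAfter="{na}">
    <saml:AudienceRestriction><saml:Audience>https://saml.salesforce.com</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AttributeStatement>
    <saml:Attribute Name="User.Email"><saml:AttributeValue>alice@example.test</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="User.LastName"><saml:AttributeValue>Liddell</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def _fmt(dt):
    return dt.strftime("%Y-%m-%dT%H:%M:%SZ")


def _parse(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def build_assertion(issued, assertion_id="_a1", issuer="https://idp.example.test/saml",
                    lifetime=timedelta(minutes=5)):
    """Render the constructed assertion for a given issue time (demo input only)."""
    return ASSERTION_TEMPLATE.format(aid=assertion_id, issuer=issuer,
                                     nb=_fmt(issued), na=_fmt(issued + lifetime))


class SamlServiceProvider:
    def __init__(self, settings):
        self.settings = settings
        self.seen_ids = set()   # assertion IDs already consumed (replay detection)
        self.users = {}         # federation_id -> provisioned user

    def validate(self, xml_text, now):
        """Return the failures found, worded like the messages on the troubleshooting slide."""
        a = ET.fromstring(xml_text)
        s, errors = self.settings, []
        if a.findtext("saml:Issuer", namespaces=NS) != s["issuer"]:
            errors.append("Failed: Issuer Mismatched")
        if a.findtext("saml:Conditions/saml:AudienceRestriction/saml:Audience",
                      namespaces=NS) != s["audience"]:
            errors.append("Failed: Audience Mismatched")
        scd = a.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
        if scd is None or scd.get("Recipient") != s["recipient"]:
            errors.append("Failed: Recipient Mismatched")
        cond = a.find("saml:Conditions", NS)
        not_before, not_on_or_after = _parse(cond.get("NotBefore")), _parse(cond.get("NotOnOrAfter"))
        # Tolerate a bounded skew between IdP and SP clocks, but no more than that.
        if now < not_before - s["clock_skew"] or now >= not_on_or_after + s["clock_skew"]:
            errors.append("Failed: Assertion Outside Validity Window")
        if a.get("ID") in self.seen_ids:
            errors.append("Failed: Replay Detected")
        return errors

    def login(self, xml_text, now):
        """Validate, then create the user on first login (JIT) keyed by Federation Id."""
        errors = self.validate(xml_text, now)
        if errors:
            return {"ok": False, "errors": errors}
        a = ET.fromstring(xml_text)
        self.seen_ids.add(a.get("ID"))
        fed_id = a.findtext("saml:Subject/saml:NameID", namespaces=NS)
        attrs = {at.get("Name"): at.findtext("saml:AttributeValue", namespaces=NS)
                 for at in a.findall("saml:AttributeStatement/saml:Attribute", NS)}
        created = fed_id not in self.users
        if created:
            self.users[fed_id] = {"federation_id": fed_id, "email": attrs.get("User.Email"),
                                  "last_name": attrs.get("User.LastName")}
        return {"ok": True, "session_for": fed_id, "created": created}


def demo():
    """Exercise the happy path and the failure modes against constructed inputs."""
    sp = SamlServiceProvider(SP_SETTINGS)
    t0 = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)
    first = sp.login(build_assertion(t0, "_a1"), t0 + timedelta(minutes=1))
    replay = sp.login(build_assertion(t0, "_a1"), t0 + timedelta(minutes=1))
    return {
        "first": first,
        "second_login_created": sp.login(build_assertion(t0, "_a2"),
                                         t0 + timedelta(minutes=1))["created"],
        "replay_errors": replay["errors"],
        "within_skew": sp.validate(build_assertion(t0, "_a3"), t0 - timedelta(minutes=2)),
        "expired": sp.validate(build_assertion(t0, "_a4"), t0 + timedelta(minutes=10)),
        "wrong_issuer": sp.validate(build_assertion(t0, "_a5", issuer="https://rogue.example.test"),
                                    t0 + timedelta(minutes=1)),
        "wrong_audience": SamlServiceProvider(
            {**SP_SETTINGS, "audience": "https://other.example.test"}
        ).validate(build_assertion(t0, "_a6"), t0 + timedelta(minutes=1)),
    }


if __name__ == "__main__":
    print(demo())
```

`demo()` shows why each failure on the troubleshooting slide maps to a configuration value: a wrong expected issuer or audience in the SP settings produces exactly one mismatch message, an assertion presented two minutes before its NotBefore still passes because of the skew allowance, one presented well after NotOnOrAfter does not, and a second presentation of the same assertion ID is reported as replay rather than silently re-creating a session. The subject is the Federation Id, so the user record is created once and reused on later logins without any mapping to a Salesforce username.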
26. Where do we go from here?
Learn more on developer force:
• http://wiki.developerforce.com/index.php/Single_Sign-On_for_Desktop_and_Mobile_Applications_using_SAML_and_OAuth
• http://wiki.developerforce.com/index.php/CRC:SSO
Attend these sessions:
• Hands-on Training: Enable Single Sign-on with SAML
  Thursday, September 20th: 3:00 PM - 4:00 PM
• Authentication with OAuth and Connected Apps
  Thursday, September 20th: 10:30 AM - 11:30 AM