The document discusses Salesforce's single sign-on (SSO) and user provisioning through Salesforce Identity, highlighting the importance of identity lifecycle management and the integration with Active Directory. It emphasizes the challenges organizations face due to third-party services and mobile employee access, while detailing the initial setup and operational processes for user provisioning and SSO. Additionally, it includes a safe harbor statement regarding forward-looking statements and potential risks faced by Salesforce.

1. Salesforce 2015
Single Sign-On and User Provisioning with Salesforce
Identity
Itzik Koren
Senior Product Manager
ikoren@salesforce.com

2. Safe harbor statement under the Private Securities Litigation Reform Act of 1995:
This presentation may contain forward-looking statements that involve risks, uncertainties, and assumptions. If any such uncertainties materialize
or if any of the assumptions proves incorrect, the results of salesforce.com, inc. could differ materially from the results expressed or implied by the
forward-looking statements we make. All statements other than statements of historical fact could be deemed forward-looking, including any
projections of product or service availability, subscriber growth, earnings, revenues, or other financial items and any statements regarding
strategies or plans of management for future operations, statements of belief, any statements concerning new, planned, or upgraded services or
technology developments and customer contracts or use of our services.
The risks and uncertainties referred to above include – but are not limited to – risks associated with developing and delivering new functionality for
our service, new products and services, our new business model, our past operating losses, possible fluctuations in our operating results and rate
of growth, interruptions or delays in our Web hosting, breach of our security measures, the outcome of any litigation, risks associated with
completed and any possible mergers and acquisitions, the immature market in which we operate, our relatively limited operating history, our ability
to expand, retain, and motivate our employees and manage our growth, new releases of our service and successful customer deployment, our
limited history reselling non-salesforce.com products, and utilization and selling to larger enterprise customers. Further information on potential
factors that could affect the financial results of salesforce.com, inc. is included in our annual report on Form 10-K for the most recent fiscal year
and in our quarterly report on Form 10-Q for the most recent fiscal quarter. These documents and others containing important disclosures are
available on the SEC Filings section of the Investor Information section of our Web site.
Any unreleased services or features referenced in this or other presentations, press releases or public statements are not currently available and
may not be delivered on time or at all. Customers who purchase our services should make the purchase decisions based upon features that are
currently available. Salesforce.com, inc. assumes no obligation and does not intend to update these forward-looking statements.
Safe Harbor

3. Authentication

4. Agenda
Identity Life Cycle Management Demo How It Works Setup

5. Identity Lifecycle Management
When users join your organization, manage their user identities and access rights.

6. Identity Lifecycle Management
During users’ employment, ensure that the system reflects changes to their roles and responsibilities.

7. Identity Lifecycle Management
When users leave your organization, make sure that their access rights are terminated.

8. Identity Lifecycle Management - Challenges
• Organizations use third-party services hosted in the cloud
• Employees use mobile devices and work from…everywhere

9. Demo

10. David Smith

11. How It works

12. How It works
Active Directory

13. Identity Connect
Active
Directory
Identity
Connect
Automatically sync users data from Active Directory into Salesforce.
On Premise
Sync

15. Sync user data from other external sources
Active
Directory
Identity
Connect

16. Auto sync to target service providers
User Provisioning for Connected App
Active
Directory
Identity
Connect

17. Read
curl –s -H "Authorization: Bearer $ACCESS_TOKEN" https://service-
provider/Users?attributes=active,userName,emails,name
Create
curl –s -H "Authorization: Bearer $ACCESS_TOKEN" https://service-
provider/Users?attributes=active,userName,emails,name
-X POST -d '{ "name" : { "familyName" : "koren", "givenName" : "itzik" }, "password" : ”1234",
"primaryEmail" : "ikoren@df15-identity.com" }’
System for Cross-domain Identity Management

18. How It works
User Provisioning for Connected App – Auto sync to another Salesforce org
Active
Directory
Identity
Connect

19. Login in to Salesforce Using Inbound SSO
Active
Directory
Identity
Connect
Service Provider (SP)
Identity Provider (IdP)
1
2
4
3

20. Login in to 3rd-party Services Using Outbound SSO
Active
Directory
Identity
Connect
Identity Provider (IdP)
1
2
3

21. Using OpenID Connect For Single Sign-On

22. App Launcher
Internal
On-prem/Cloud
Apps
3rd party Apps

23. Two-factor Authenticator
Something You Know
Something You Have
57829
1
4
2

24. Safe harbor statement under the Private Securities Litigation Reform Act of 1995:
This presentation may contain forward-looking statements that involve risks, uncertainties, and assumptions. If any such uncertainties materialize
or if any of the assumptions proves incorrect, the results of salesforce.com, inc. could differ materially from the results expressed or implied by the
forward-looking statements we make. All statements other than statements of historical fact could be deemed forward-looking, including any
projections of product or service availability, subscriber growth, earnings, revenues, or other financial items and any statements regarding
strategies or plans of management for future operations, statements of belief, any statements concerning new, planned, or upgraded services or
technology developments and customer contracts or use of our services.
The risks and uncertainties referred to above include – but are not limited to – risks associated with developing and delivering new functionality for
our service, new products and services, our new business model, our past operating losses, possible fluctuations in our operating results and rate
of growth, interruptions or delays in our Web hosting, breach of our security measures, the outcome of any litigation, risks associated with
completed and any possible mergers and acquisitions, the immature market in which we operate, our relatively limited operating history, our ability
to expand, retain, and motivate our employees and manage our growth, new releases of our service and successful customer deployment, our
limited history reselling non-salesforce.com products, and utilization and selling to larger enterprise customers. Further information on potential
factors that could affect the financial results of salesforce.com, inc. is included in our annual report on Form 10-K for the most recent fiscal year
and in our quarterly report on Form 10-Q for the most recent fiscal quarter. These documents and others containing important disclosures are
available on the SEC Filings section of the Investor Information section of our Web site.
Any unreleased services or features referenced in this or other presentations, press releases or public statements are not currently available and
may not be delivered on time or at all. Customers who purchase our services should make the purchase decisions based upon features that are
currently available. Salesforce.com, inc. assumes no obligation and does not intend to update these forward-looking statements.
Safe Harbor

25. New Salesforce Authenticator (coming soon)
Simple Allow/Deny interface
Out-of-Band
Invisible
Channel A
Channel B
1
2
3
4

26. Setup

27. • Enable My domain + Identity
• Create a SAML Service Provider: https://github.com/salesforceidentity/heroku-identity-java
• Setup a connected app for SAML SSO
• Import SAML metadata into SP-SAML app
• Add to App Launcher
Setup SSO to a 3rd party app

28. Enable My Domain
For example: https://acme.my.salesforce.com

29. Enable Salesforce as an Identity Provider

31. • Simple SCIM implementation - https://github.com/salesforceidentity/heroku-scim-ri
• Setup a Named Credentials
• Setup a Connected App and run the User Provisioning Wizard
• Use the User Provisioning flow to map user attributes
Setup User Provisioning

32. Q&A