Single Sign-On Best Practices

Developer Track

Suchin Rengan Shesh Kondi

Director, Technical Solutions Architect Cloud Solutions Architect

@sacrengan @sheshzilla

Safe Harbor

Safe harbor statement under the Private Securities Litigation Reform Act of 1995:

This presentation may contain forward-looking statements that involve risks, uncertainties, and assumptions. If any such uncertainties materialize or if

any of the assumptions proves incorrect, the results of salesforce.com, inc. could differ materially from the results expressed or implied by the forward-

looking statements we make. All statements other than statements of historical fact could be deemed forward-looking, including any projections of

product or service availability, subscriber growth, earnings, revenues, or other financial items and any statements regarding strategies or plans of

management for future operations, statements of belief, any statements concerning new, planned, or upgraded services or technology developments

and customer contracts or use of our services.

The risks and uncertainties referred to above include – but are not limited to – risks associated with developing and delivering new functionality for our

service, new products and services, our new business model, our past operating losses, possible fluctuations in our operating results and rate of growth,

interruptions or delays in our Web hosting, breach of our security measures, the outcome of intellectual property and other l itigation, risks associated

with possible mergers and acquisitions, the immature market in which we operate, our relatively limited operating history, our ability to expand, retain,

and motivate our employees and manage our growth, new releases of our service and successful customer deployment, our limited history reselling

non-salesforce.com products, and utilization and selling to larger enterprise customers. Further information on potential factors that could affect the

financial results of salesforce.com, inc. is included in our annual report on Form 10-Q for the most recent fiscal quarter ended July 31, 2012. This

documents and others containing important disclosures are available on the SEC Filings section of the Investor Information section of our Web site.

Any unreleased services or features referenced in this or other presentations, press releases or public statements are not currently available and may

not be delivered on time or at all. Customers who purchase our services should make the purchase decisions based upon features that are currently

available. Salesforce.com, inc. assumes no obligation and does not intend to update these forward-looking statements.

Why are we here?

• To discuss

• Different Mechanisms for Authentication

• When to choose what protocol

• Best practice for implementations

• To help you understand

• Single Sign-On Using SAML 2.0

• API access using OAuth

• Authentication Providers

• To demonstrate

• The amazing things that can be built using our Authentication services

What is Single Sign On?

Per wikipedia..

Single sign-on (SSO) is a property of access control of multiple related,

but independent software systems. With this property a user logs in once

and gains access to all systems without being prompted to log in again at

each of them

In simple terms..

Ability for systems to establish Authentication using a mutually

agreed upon an identity mechanism

Authentication Mechanisms

Suchin Rengan

Username / Password Authentication

• The out-of-the-box experience

• Salesforce hosts the authentication interface

• Flexible policies

• Mobile ready

① User sends credentials to Salesforce

② Salesforce authenticates user in our database and

user is granted session to Salesforce

What is SAML?

• The Standard for Federated Single Sign-On

• OASIS Standard: Commercial & Open Source support

• Authentication interface is hosted by customer

① User requests a secure resource

② Salesforce.com redirects to Customer IDP

③ Customer authenticates user

④ User returns to Salesforce.com with SAML and is

granted session

* If you’re logged into the Dreamforce org, you’ve used SAML!

What is Delegated Authentication?

• SOAP based protocol for “Single Login”

• Salesforce only: Minimal commercial support

• Salesforce hosts the authentication interface

① User sends credentials to Salesforce

② Salesforce sends credentials to Customer

③ Customer authenticates user and replies “true”

④ User is granted session to Salesforce

What is OAuth?

• An open protocol to allow secure API access in a simple,

standard method from desktop/web applications

• Standard track in IETF

• Integrates with previous authentication mechanisms

① App redirects user to Salesforce

② Salesforce authenticates user

③ Saleforce redirects user back to app

with code

④ App sends code to Salesforce

⑤ Salesforce issues session

⑥ App accesses API

When do I use what?

• UserId/Password

• When you just want the basics

• SAML

• Single Sign-On for the web and applications

• SAML provides the best commercial support

• SAML provides re-use across other Cloud services

• OAuth

• Building an API client or connected application (including Mobile)

• Delegated Auth

• SF Mobile CRM and older API clients with your own credentials

* Not mutually exclusive…you can mix and match

Customer Poll/ Question

If you want to use your Active Directory credentials to use

Salesforce for Outlook what mechanism would you use?

A. Username / Password

B. SAML

C. OAuth

D. Delegated Authentication

SSO in Action

Shesh Kondi

Suchin Rengan

How about using a Corporate Identity for Employees?

Identity Provider (IDP)

1. Generate SAML token and send

response to Salesforce 2. Validate SAML and generate

session

Service Provider (SP)

MyDomain: A sub-domain

used to access a specific SF

Organization.

Example: https://acme-

developer.my.salesforce.com

Provisioning Users

So, how we get the users in Salesforce??

Manually…. But that doesn’t cut for large organizations

API… But that takes code and maintenance

Just In Time Provisioning (SAML JIT)

What about Multiple Salesforce Orgs?

Identity Provider (IDP)

Service Provider (SP) Service Provider (SP)

…and an org can even be an IDP…

Identity Provider (IDP)

Service Provider (SP) Service Provider (SP)

How about bookmarks?

Identity Provider (IDP)

1. Request Resource. Redirect to IDP

2. Send SAML Request

3. Authenticate. Send SAML Response

4. Validate SAML. Generate session

4 2

3 1

Service Provider (SP)

How about Employees use Mobile?

1. User Posts Credentials 2. User get’s session

Salesforce as an IDP for a Third Party SP

Identity Provider (IDP)

Service Provider (SP) Service Provider (SP)

What about Single Sign-On for Partners?

Identity Provider (IDP)

Same as IDP Initiated SAML, but with 2 additional attributes

Send these in attribute statement: organization_id & portal_id

1. Generate SAML and send to

Salesforce

2. Validate SAML and generate

session

Partner Portal

What about the Consumers?

Social Sign On

Login using ‘Social’ Credentials

Facebook and Janrain Authentication Providers

Link Accounts

Dyanamic Provisioning

How about using Social credentials for Salesforce

access?

1. Authenticate and Link accounts 2. Allow Salesforce access

SSO Best Practices Suchin Rengan

Best Practices Develop troubleshooting practices for SSO failures

SSO is in critical path since no login means no access to users

SAML SSO Issue is

Reported

SAML Setting

Related Issue? (1)

Gather

Information:

- User Id

- Error Message

Any Login Error

Message in User’s

Login History?

Is User Profile

Configured with

Proper Federation Id?

NO

YES

Check the Login

Type “SAML Idp

Initiated SSO”

Error Messages like:

- Failed: Issuer Mismatched

- Failed: Certificate Mismathed

ADDITIONAL NOTES

1) For Certificate related issues, verify Certificate that is uploaded under SAML settings

2) A SAML Token can be validated using the SAML Token Debugger tool that is accessible on the SAML Settings Screen

3) Replay related issue is a temporary issue and happens if multiple SAML requests for the same user is made

YES

Is SAML Token

Valid? (2)

Make appropriate

changes to User

Profile

Verify if it resolves the issue

Talk to Citi STS

team and get

their help in

resolution of the

issue

If necessary open

support ticket

with SFDC

NO

YES

Make appropriate

changes to SAML

Settings

Error Messages like:

- Failed: Audience Mismatched

- Failed: Recipient Mismatched

- Failed: Certificate Mismatched

NO

YES

Citi SSO SAML Issues Troubleshooting Process

SAML Best Practices – Prevent Failures

• Make sure the IDP server is on a high available environment

• Be proactive with regards to certificate (Salesforce and client)

expirations

• Check for any time skews that may lead to inconsistent timeout/

session creation issues

• Implement custom logout, error pages to present custom

messages instead of defaults

• TEST and TEST and TEST

SAML Best Practices – Reliable & Scalable

• Use Federation Id instead of SF username as subject Id

• Identity based on login and no mapping required to know SF username

• Login post is org specific and hence no time needed by SF to resolve org instance

• Disabling users from directly logging into SF if SAML is

enabled

• Enable DA and implement a service that always return false

• Use the “My Domains” feature and redirect the user when attempting to login

directly. Also, disable flag that allows users to log into Salesforce.com directly

Administrators should be excluded from SSO

Where do we go from here?

Learn more on developer force:

• http://wiki.developerforce.com/index.php/Single_Sign-

On_for_Desktop_and_Mobile_Applications_using_SAML_and_OAuth

• http://wiki.developerforce.com/index.php/CRC:SSO

Attend these sessions:

• Hands-on Training: Enable Single Sign-on with SAML

Thursday, September 20th: 3:00 PM - 4:00 PM

• Authentication with OAuth and Connected Apps

Thursday, September 20th: 10:30 AM - 11:30 AM

Suchin Rengan @sacrengan

Shesh Kondi @sheshzilla