Single Sign On Considerations

Single-Sign-On considerations and best practices. Venkat Gattamaneni, Enterprise Architect, [email protected]

Transcript of Single Sign On Considerations


Why are we here?

To discuss:
- Different mechanisms for authentication
- When to choose which protocol
- Best practices for implementations

To help you understand:
- Single Sign-On using SAML 2.0
- API access using OAuth
- Authentication Providers

To demonstrate:
- The amazing things that can be built using our authentication services

What is Single Sign-On?

Per Wikipedia: Single sign-on (SSO) is a property of access control of multiple related, but independent software systems. With this property a user logs in once and gains access to all systems without being prompted to log in again at each of them.

In simple terms: the ability of systems to establish authentication using a mutually agreed-upon identity mechanism.

Authentication Mechanisms

Username / Password Authentication
- The out-of-the-box experience
- Salesforce hosts the authentication interface
- Flexible policies
- Mobile ready

Flow:
1. User sends credentials to Salesforce.
2. Salesforce authenticates the user against its own database.
3. User is granted a session to Salesforce.

What is SAML?
- The standard for federated Single Sign-On
- OASIS standard: commercial and open-source support
- Authentication interface is hosted by the customer

Flow (SP-initiated):
1. User requests a secure resource.
2. Salesforce.com redirects to the customer IdP.
3. Customer IdP authenticates the user.
4. User returns to Salesforce.com with a SAML response and is granted a session.

* If you're logged into the Dreamforce org, you've used SAML!

What is Delegated Authentication?
- SOAP-based protocol for single login
- Salesforce only: minimal commercial support
- Salesforce hosts the authentication interface

Flow:
1. User sends credentials to Salesforce.
2. Salesforce sends the credentials to the customer's authentication service.
3. Customer service authenticates the user and replies true.
4. User is granted a session to Salesforce.
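The customer-side half of that exchange, as an added example that is not code from the deck or from Salesforce: a minimal delegated authentication endpoint that parses the SOAP Authenticate message Salesforce posts (username, password, source IP) and answers with an AuthenticateResult. The element names and the namespace urn:authentication.soap.sforce.com are taken from the author's recollection of the public AuthenticationService WSDL and should be checked against the WSDL downloaded from your org; the user store, salt and sample requests are constructed. It also shows the deck's later best-practice trick of pointing delegated auth at a verifier that always returns false to block direct logins once SAML is live.

```python
"""Added example: a Salesforce-style delegated authentication SOAP endpoint."""
import hashlib
import hmac
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

NS = "urn:authentication.soap.sforce.com"            # assumed from the Salesforce WSDL
SOAP_ENV = "http://schemas.xmlsoap.org/soap/envelope/"

# Constructed credential store: username -> (salt, PBKDF2 hash).  A delegated-auth
# service must never keep plaintext passwords; in reality this would be an AD/LDAP bind.
def _hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

_SALT = b"constructed-static-salt"                    # per-user random salt in production
USERS = {"alice@example.com": (_SALT, _hash("correct horse", _SALT))}

def verify_against_directory(username, password, source_ip):
    """Stand-in for the customer's real credential check."""
    rec = USERS.get(username)
    if rec is None:
        return False
    salt, expected = rec
    return hmac.compare_digest(_hash(password, salt), expected)   # constant-time compare

def deny_all(username, password, source_ip):
    """Best-practice variant: once SAML is enabled, make every direct login fail."""
    return False

def parse_authenticate_request(soap_xml):
    """Pull username/password/sourceIp out of the SOAP body; raise on anything else."""
    root = ET.fromstring(soap_xml)                    # production: use defusedxml
    body = root.find(f"{{{SOAP_ENV}}}Body")
    req = body.find(f"{{{NS}}}Authenticate") if body is not None else None
    if req is None:
        raise ValueError("not an Authenticate request")
    def field(name):
        el = req.find(f"{{{NS}}}{name}")
        return (el.text or "") if el is not None else ""
    return field("username"), field("password"), field("sourceIp")

def build_response(authenticated):
    return (
        f'<soapenv:Envelope xmlns:soapenv="{SOAP_ENV}"><soapenv:Body>'
        f'<AuthenticateResult xmlns="{NS}">'
        f'<Authenticated>{"true" if authenticated else "false"}</Authenticated>'
        '</AuthenticateResult></soapenv:Body></soapenv:Envelope>'
    )

def handle(soap_xml, verifier=verify_against_directory):
    """One request/response cycle.  Any malformed input is answered with false."""
    try:
        user, pw, ip = parse_authenticate_request(soap_xml)
    except (ET.ParseError, ValueError):
        return build_response(False)
    return build_response(bool(verifier(user, pw, ip)))

def sample_request(username, password):
    """Constructed request in the shape Salesforce sends to the customer endpoint."""
    return (
        f'<soapenv:Envelope xmlns:soapenv="{SOAP_ENV}"><soapenv:Body>'
        f'<Authenticate xmlns="{NS}"><username>{escape(username)}</username>'
        f'<password>{escape(password)}</password><sourceIp>203.0.113.5</sourceIp>'
        '</Authenticate></soapenv:Body></soapenv:Envelope>'
    )

def is_authenticated(response_xml):
    """Read the boolean back out of a response, the way Salesforce would."""
    root = ET.fromstring(response_xml)
    el = root.find(f".//{{{NS}}}Authenticated")
    return el is not None and el.text == "true"

if __name__ == "__main__":
    print(is_authenticated(handle(sample_request("alice@example.com", "correct horse"))))
```

Because Salesforce forwards the user's password to this service, it must only be reachable over TLS from Salesforce's IP ranges, and the verifier should never distinguish "unknown user" from "wrong password" in its reply.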

What is OAuth?
- An open protocol to allow secure API access in a simple, standard method from desktop/web applications
- Standards track in the IETF
- Integrates with the previous authentication mechanisms

Flow:
1. App redirects the user to Salesforce.
2. Salesforce authenticates the user.
3. Salesforce redirects the user back to the app with a code.
4. App sends the code to Salesforce.
5. Salesforce issues a session.
6. App accesses the API.
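The app's side of that redirect dance, as an added example that is not code from the deck or from Salesforce. The endpoint paths /services/oauth2/authorize and /services/oauth2/token are Salesforce's documented ones; the client id, secret, redirect URI, code and the in-memory token server that stands in for Salesforce are constructed so the flow runs offline. The two checks worth noticing are the random state tied to the browser session (rejecting codes injected via CSRF) and the single-use code.

```python
"""Added example: OAuth 2.0 authorization-code flow from the connected app's side."""
import json
import secrets
from urllib.parse import urlencode, urlparse, parse_qs

LOGIN_HOST = "https://login.salesforce.com"
CLIENT_ID = "constructed-consumer-key"                 # connected app consumer key (constructed)
CLIENT_SECRET = "constructed-consumer-secret"
REDIRECT_URI = "https://app.example.com/oauth/callback"  # constructed

def start_authorization(session):
    """Step 1: build the URL the app redirects the user to.  The random state is
    stored in the user's session so the callback can be tied back to this browser."""
    session["oauth_state"] = secrets.token_urlsafe(32)
    params = {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "state": session["oauth_state"],
    }
    return f"{LOGIN_HOST}/services/oauth2/authorize?{urlencode(params)}"

def handle_callback(callback_url, session):
    """Step 3: Salesforce sends the user back with ?code=...&state=...
    Hand back the code only when the state matches the one we issued (single use)."""
    qs = parse_qs(urlparse(callback_url).query)
    expected = session.pop("oauth_state", None)
    if expected is None or qs.get("state", [None])[0] != expected:
        raise PermissionError("state mismatch: callback not tied to this session")
    if "error" in qs:
        raise PermissionError(f"authorization refused: {qs['error'][0]}")
    return qs["code"][0]

def exchange_code(code, post):
    """Steps 4-5: swap the code for a session over a server-to-server POST.
    'post(url, form) -> json text' is injected so the example runs offline."""
    form = {
        "grant_type": "authorization_code",
        "code": code,
        "client_id": CLIENT_ID,
        "client_secret": CLIENT_SECRET,
        "redirect_uri": REDIRECT_URI,
    }
    token = json.loads(post(f"{LOGIN_HOST}/services/oauth2/token", form))
    if "access_token" not in token or "instance_url" not in token:
        raise RuntimeError(f"token endpoint error: {token}")
    return token

# Constructed stand-in for Salesforce's token endpoint: codes it issued, used once.
ISSUED_CODES = {}

def fake_token_server(url, form):
    ok = (url.endswith("/services/oauth2/token")
          and form.get("grant_type") == "authorization_code"
          and form.get("client_secret") == CLIENT_SECRET
          and form.get("redirect_uri") == REDIRECT_URI
          and ISSUED_CODES.pop(form.get("code"), None) is not None)   # single use
    if not ok:
        return json.dumps({"error": "invalid_grant"})
    return json.dumps({"access_token": "constructed-session-token",
                       "instance_url": "https://acme.my.salesforce.com",
                       "token_type": "Bearer"})

def run_flow():
    """Drive all the steps once and return the token the app ends up holding."""
    ISSUED_CODES["constructed-code-1"] = "alice"          # what step 2 would have minted
    session = {}
    start_authorization(session)
    callback = f"{REDIRECT_URI}?code=constructed-code-1&state={session['oauth_state']}"
    code = handle_callback(callback, session)
    return exchange_code(code, fake_token_server)

if __name__ == "__main__":
    print(run_flow())
```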

When do I use what?

- UserId / Password: when you just want the basics.
- SAML: Single Sign-On for the web and applications. SAML provides the best commercial support and re-use across other cloud services.
- OAuth: building an API client or connected application (including mobile).
- Delegated Auth: SF Mobile CRM and older API clients with your own credentials.

* Not mutually exclusive: you can mix and match.

Customer Poll / Question: If you want to use your Active Directory credentials to use Salesforce for Outlook, which mechanism would you use?
- Username / Password
- SAML
- OAuth
- Delegated Authentication

SSO in Action

How about using a corporate identity for employees?

Identity Provider (IdP), hosted by the customer, to Service Provider (SP), the Salesforce org:
1. IdP generates a SAML token and sends the response to Salesforce.
2. Salesforce validates the SAML and generates a session.

My Domain: a sub-domain used to access a specific Salesforce organization. Example: https://acme-developer.my.salesforce.com

Provisioning users: so, how do we get the users into Salesforce?
- Manually. But that doesn't cut it for large organizations.
- API. But that takes code and maintenance.
- Just-In-Time Provisioning (SAML JIT): the user record is created or updated from the attributes carried in the SAML assertion when the user first logs in.

What about multiple Salesforce orgs?
One Identity Provider (IdP) can serve several Service Providers (SPs), i.e. several Salesforce orgs.

...and an org can even be an IdP: one Salesforce org acts as Identity Provider (IdP) for other Service Providers (SPs).

How about bookmarks?
SP-initiated SAML: the user starts at the Salesforce URL rather than at the IdP.
1. User requests a resource; the Service Provider (SP) redirects to the Identity Provider (IdP).
2. SP sends a SAML request.
3. IdP authenticates the user and sends a SAML response.
4. SP validates the SAML and generates a session.

How about employees using mobile?
1. User posts credentials.
2. User gets a session.

Salesforce as an IdP for a third-party SP: the Salesforce org acts as the Identity Provider (IdP) for external Service Providers (SPs).

What about Single Sign-On for partners?
Identity Provider (IdP) to Partner Portal (the SP): same as IdP-initiated SAML, but with 2 additional attributes.
Send these in the attribute statement: organization_id & portal_id
1. Generate SAML and send to Salesforce.
2. Validate SAML and generate session.

What about the consumers? Social Sign-On
- Log in using social credentials
- Facebook and Janrain Authentication Providers
- Link accounts
- Dynamic provisioning

How about using social credentials for Salesforce access?
1. Authenticate with the social provider and link accounts.
2. Allow Salesforce access.

SSO Best Practices

Best Practices: develop troubleshooting practices for SSO failures. SSO is in the critical path: no login means no access for users.

SSO SAML Issues Troubleshooting Process

1. A SAML SSO issue is reported.
2. Gather information: the user Id, the error message, and the SAML type (IdP-initiated or SP-initiated SSO).
3. Is there a login error message in the user's Login History?
4. Is it a SAML-settings related issue? Error messages like:
   - Failed: Issuer Mismatched
   - Failed: Audience Mismatched
   - Failed: Recipient Mismatched
   - Failed: Certificate Mismatched
   YES: make the appropriate changes to the SAML settings and verify that this resolves the issue.
5. Is the SAML token valid? A SAML token can be validated using the SAML Token Debugger tool that is accessible on the SAML Settings screen.
6. Is the user's profile configured with the proper Federation Id?
   NO: make the appropriate changes to the user profile and verify that this resolves the issue.
7. Still unresolved: talk to the Citi STS team and get their help in resolving the issue; if necessary, open a support ticket with SFDC.

Additional notes:
- For certificate-related issues, verify the certificate that is uploaded under SAML settings.
- A replay-related issue is temporary and happens if multiple SAML requests for the same user are made.
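The checks behind those error messages, run over a constructed SAML 2.0 response, as an added example that is not code from the deck or from Salesforce. It performs the SP-side issuer, certificate, audience and recipient comparisons in that order, applies the validity window with a tolerance for IdP clock skew, rejects a replayed assertion ID, and finally extracts the attribute statement (here the partner-portal organization_id and portal_id). It deliberately does not verify the XML signature; a real SP must verify ds:Signature with an XML-DSig library before trusting any of these fields. The entity IDs, login URL, certificate bytes, skew tolerance and timestamps are all assumptions for the example.

```python
"""Added example: SP-side validation of a SAML 2.0 Response with the deck's error messages."""
import base64
import hashlib
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
DS = "http://www.w3.org/2000/09/xmldsig#"

# Constructed stand-in for the IdP signing certificate uploaded under SAML settings.
FAKE_CERT_DER = b"constructed-not-a-real-certificate"
FAKE_CERT_B64 = base64.b64encode(FAKE_CERT_DER).decode()

SP_CONFIG = {                                                        # all values assumed
    "issuer": "https://idp.example.com/saml",                        # IdP entity id
    "audience": "https://saml.salesforce.com",                       # SP entity id
    "recipient": "https://acme.my.salesforce.com?so=00Dxx0000000001",  # login URL
    "cert_sha1": hashlib.sha1(FAKE_CERT_DER).hexdigest(),
    "skew": timedelta(seconds=180),                                  # tolerated clock drift
}
SEEN_ASSERTION_IDS = set()   # replay cache; production: shared store with expiry

def _ts(s):
    return datetime.fromisoformat(s.replace("Z", "+00:00"))

def fail(msg):
    return {"ok": False, "error": msg}

def validate_response(xml, cfg=SP_CONFIG, now=None, seen=SEEN_ASSERTION_IDS):
    """Run the checks in the order the troubleshooting messages suggest.
    Signature verification is assumed to have already passed (not shown)."""
    now = _ts(now) if isinstance(now, str) else (now or datetime.now(timezone.utc))
    root = ET.fromstring(xml)                         # production: use defusedxml
    assertion = root.find(f"{{{SAML}}}Assertion")
    if root.tag != f"{{{SAMLP}}}Response" or assertion is None:
        return fail("Failed: Not a SAML 2.0 Response with an Assertion")

    def text(path):
        el = assertion.find(path)
        return (el.text or "").strip() if el is not None else ""

    if text(f"{{{SAML}}}Issuer") != cfg["issuer"]:
        return fail("Failed: Issuer Mismatched")
    cert_b64 = text(f"{{{DS}}}Signature/{{{DS}}}KeyInfo/{{{DS}}}X509Data/{{{DS}}}X509Certificate")
    der = base64.b64decode("".join(cert_b64.split())) if cert_b64 else b""
    if hashlib.sha1(der).hexdigest() != cfg["cert_sha1"]:         # cert in KeyInfo vs uploaded
        return fail("Failed: Certificate Mismatched")
    if text(f"{{{SAML}}}Conditions/{{{SAML}}}AudienceRestriction/{{{SAML}}}Audience") != cfg["audience"]:
        return fail("Failed: Audience Mismatched")
    scd = assertion.find(f"{{{SAML}}}Subject/{{{SAML}}}SubjectConfirmation/{{{SAML}}}SubjectConfirmationData")
    if scd is None or scd.get("Recipient") != cfg["recipient"]:
        return fail("Failed: Recipient Mismatched")
    cond = assertion.find(f"{{{SAML}}}Conditions")                   # exists: audience matched
    nb, na = cond.get("NotBefore"), cond.get("NotOnOrAfter")
    if nb and now + cfg["skew"] < _ts(nb):                          # IdP clock ahead of ours
        return fail("Failed: Assertion not yet valid (check IdP clock skew)")
    if na and now - cfg["skew"] >= _ts(na):                         # IdP clock behind ours
        return fail("Failed: Assertion expired (check IdP clock skew)")
    aid = assertion.get("ID", "")
    if aid in seen:                                                 # same assertion twice
        return fail("Failed: Replay Detected")
    seen.add(aid)
    attrs = {a.get("Name"): [v.text or "" for v in a.findall(f"{{{SAML}}}AttributeValue")]
             for a in assertion.findall(f"{{{SAML}}}AttributeStatement/{{{SAML}}}Attribute")}
    return {"ok": True, "name_id": text(f"{{{SAML}}}Subject/{{{SAML}}}NameID"), "attributes": attrs}

def sample_response(issuer=SP_CONFIG["issuer"], audience=SP_CONFIG["audience"],
                    recipient=SP_CONFIG["recipient"], cert_b64=FAKE_CERT_B64,
                    assertion_id="_a1", not_before="2012-09-20T16:58:00Z",
                    not_on_or_after="2012-09-20T17:03:00Z"):
    """Constructed, unsigned IdP-initiated response in the shape Salesforce receives."""
    return f"""<samlp:Response xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" xmlns:ds="{DS}"
  ID="_r1" Version="2.0" IssueInstant="{not_before}">
  <saml:Assertion ID="{assertion_id}" Version="2.0" IssueInstant="{not_before}">
    <saml:Issuer>{issuer}</saml:Issuer>
    <ds:Signature><ds:KeyInfo><ds:X509Data><ds:X509Certificate>{cert_b64}</ds:X509Certificate></ds:X509Data></ds:KeyInfo></ds:Signature>
    <saml:Subject>
      <saml:NameID>alice.fed.id</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData Recipient="{recipient}" NotOnOrAfter="{not_on_or_after}"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions NotBefore="{not_before}" NotOnOrAfter="{not_on_or_after}">
      <saml:AudienceRestriction><saml:Audience>{audience}</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="organization_id"><saml:AttributeValue>00Dxx0000000001</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="portal_id"><saml:AttributeValue>060xx0000000001</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""

if __name__ == "__main__":
    print(validate_response(sample_response(), now="2012-09-20T17:00:00Z", seen=set()))
```

The NameID returned here is what the SP maps to a user: with the deck's "use a Federation Id as the subject" advice, that value is looked up against the Federation Id on the user record rather than against the Salesforce username.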

SAML Best Practices: Prevent Failures
- Make sure the IdP server runs in a highly available environment.
- Be proactive about certificate expirations (both the Salesforce and the client certificates).
- Check for any time skew that may lead to inconsistent timeout / session-creation issues.
- Implement custom logout and error pages to present custom messages instead of the defaults.
- TEST, TEST and TEST.

SAML Best Practices: Reliable & Scalable
- Use a Federation Id instead of the Salesforce username as the subject Id: identity is based on the login, and no mapping is required to know the Salesforce username.
- The login POST is org-specific, hence no time is needed by Salesforce to resolve the org instance.
- Disable users from logging directly into Salesforce once SAML is enabled, either by:
  - enabling Delegated Authentication and implementing a service that always returns false, or
  - using the My Domain feature, redirecting users who attempt to log in directly, and disabling the flag that allows users to log into salesforce.com directly.
- Administrators should be excluded from SSO, so that an IdP outage does not lock everyone out of the org.

Where do we go from here?
Learn more on Developer Force:
- http://wiki.developerforce.com/index.php/Single_Sign-On_for_Desktop_and_Mobile_Applications_using_SAML_and_OAuth
- http://wiki.developerforce.com/index.php/CRC:SSO
Attend these sessions:
- Hands-on Training: Enable Single Sign-on with SAML. Thursday, September 20th, 3:00 PM - 4:00 PM
- Authentication with OAuth and Connected Apps. Thursday, September 20th, 10:30 AM - 11:30 AM

Venkat Gattamaneni, @venkilive, https://www.linkedin.com/in/venkatgattamaneni