...
Salesforce Identity - where Salesforce acts as an iDP
iDP - Identity Provider - the server providing the authentication
SP - Service Provider - the service you are logging into
IAM - Identity and Access Management
SAML - Security Assertion Markup Language
SSO Flows
SP initiated
IDP initiated
JIT Provisioning - Just In Time - users are created in Salesforce from iDP
2FA / MFA - Multi Factor Authentication
AD/LDAP - Active Directory / LDAP
OpenID
SIEM
SCIM
SAML
“XML-based standard for exchanging authentication and authorization data between security domains, that is between an identity provider (a producer of assertions) and a service provider (a consumer of assertions).”
You log into somewhere, you are granted access and get a session token. SAML passes that session token to another app to log you in there.
3 Roles
User
Identity Provider
Service Provider
SAML Assertion
The iDP asserting that the user is legitimate. It contains
The iDP Digital Certificate
The Name of the iDP (Issuer)
The Name of the Service Provider (EntityID)
The User ID (Subject)
User ID can be a Salesforce UserName or fully qualified AD Name eg NORTHWINDTRADERS\JMiners
With JIT Provisioning the SAML Assertion needs to provide
Email
Last Name
Profile Name (or ID)
User Name
Optionally any other attributes from the AD such as Department, First Name, Manager etc
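As an added example (my own, not code from these notes or from Salesforce), here is a small Python check of the assertion fields listed above: that the Issuer is the iDP you expect, the Audience is your SP EntityID, a Subject (user ID) is present, the validity window holds, and, for JIT, that the User.* attributes are there. The sample assertion, entity IDs, user and ProfileId are constructed; the User.* attribute names follow the User.<Field> convention Salesforce uses for JIT and the exact set is an assumption. Signature verification against the iDP certificate is not done here.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
# User.* attributes JIT provisioning needs (assumed set, from the list in the notes)
JIT_REQUIRED = {"User.Email", "User.LastName", "User.ProfileId", "User.Username"}

# Constructed sample (made-up values); User.Username is deliberately absent so JIT has something to flag
SAMPLE = b"""<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" Version="2.0">
 <saml:Issuer>https://idp.example.com/metadata</saml:Issuer>
 <saml:Subject><saml:NameID>NORTHWINDTRADERS\\JMiners</saml:NameID></saml:Subject>
 <saml:Conditions NotBefore="2024-01-01T09:59:00Z" NotOnOrAfter="2024-01-01T10:05:00Z">
  <saml:AudienceRestriction><saml:Audience>https://saml.salesforce.com</saml:Audience></saml:AudienceRestriction>
 </saml:Conditions>
 <saml:AttributeStatement>
  <saml:Attribute Name="User.Email"><saml:AttributeValue>jminers@example.com</saml:AttributeValue></saml:Attribute>
  <saml:Attribute Name="User.LastName"><saml:AttributeValue>Miners</saml:AttributeValue></saml:Attribute>
  <saml:Attribute Name="User.ProfileId"><saml:AttributeValue>00e_PLACEHOLDER</saml:AttributeValue></saml:Attribute>
 </saml:AttributeStatement>
</saml:Assertion>"""

def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def parse_assertion(xml_bytes):
    # Pull out the fields the notes list: Issuer, Audience (SP EntityID), Subject, attributes
    root = ET.fromstring(xml_bytes)
    cond = root.find("saml:Conditions", NS)
    attrs = {a.get("Name"): a.findtext("saml:AttributeValue", namespaces=NS) for a in root.findall(".//saml:Attribute", NS)}
    return {"issuer": (root.findtext("saml:Issuer", namespaces=NS) or "").strip(),
            "audience": root.findtext(".//saml:Audience", namespaces=NS),
            "name_id": root.findtext("saml:Subject/saml:NameID", namespaces=NS),
            "not_before": cond.get("NotBefore") if cond is not None else None,
            "not_on_or_after": cond.get("NotOnOrAfter") if cond is not None else None,
            "attributes": attrs}

def check_assertion(a, expected_issuer, sp_entity_id, now, jit=False):
    """Return a list of problems (empty = acceptable). The XML signature must already have
    been verified against the iDP certificate (e.g. with xmlsec); that is not done here."""
    checks = [
        (a["issuer"] != expected_issuer, "issuer mismatch: " + str(a["issuer"])),
        (a["audience"] != sp_entity_id, "audience is not this SP's EntityID"),
        (not a["name_id"], "no Subject NameID (user id)"),
        (bool(a["not_before"]) and now < _ts(a["not_before"]), "assertion not yet valid"),
        (bool(a["not_on_or_after"]) and now >= _ts(a["not_on_or_after"]), "assertion expired"),
    ]
    problems = [msg for bad, msg in checks if bad]
    if jit:  # JIT needs Email, Last Name, Profile and User Name in the assertion
        problems += ["JIT attribute missing: " + n for n in sorted(JIT_REQUIRED - set(a["attributes"]))]
    return problems
```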
Salesforce Identity
Where Salesforce acts as the iDP
Application Launcher
Restricted/granted application access
Can automate provisioning using standard Salesforce features like code and flow
Can report using standard Salesforce reports
Can purchase Salesforce Identity licences only for those users that don’t use full Salesforce.
Pre-built integration to use Active Directory as credential store
SSO via
SAML
OpenID
Can use Social Logins (eg Google, Facebook)
SAML allows users to be automatically created in Salesforce when added to your AD
Can deep link into Salesforce from other services. This is then a seamless experience for users.
Identity Connect
The app that syncs Salesforce users with Microsoft AD. It’s a one way sync from AD to Salesforce.
SSO Apps
These are the main apps used for SSO.
...
This is more pricey than LastPass
But has a really nice travel solution so you are not taking passwords across borders when devices can be seized
As a password manager, for me logging into multiple Salesforce orgs, it works better for me than LastPass, but I don’t know what it’s like as an SSO tool
Can integrate with your AD/LDAP service, plus can integrate with Okta.
Probably better suited to highly technical companies
Techniques
...
Flows
iDP Initiated SAML Flow
User signs into iDP
SAML Assertion passed to Salesforce
Salesforce logs in and issues a Session ID
User is logged in.
SP Initiated SAML Flow
Usually used for Deep Links into Salesforce
Is needed for Salesforce Mobile
Steps
User clicks on a Salesforce link
If necessary they are taken to the iDP for login
iDP sends SAML assertion back to Salesforce
Salesforce issues a Session ID
User is directed to the page.
Delegated Authentication Flow
Requires a WSDL
You need to contact Salesforce to have it turned on
Steps
User logs into Salesforce
If Delegated Authentication is enabled for the user, request details from Delegated Authentication Server (User Credentials are encrypted and passed to the DAS
DAS sends true or false back to Salesforce
DAS passes credentials to Authentication Provider for verification
Requires a proxy server to be created
I don’t understand this. Is it old? Not used anymore? It seems to be. I probably only need to ever know about this for the exam, and know enough to know to not use it.
Social Sign On
Usually used for communities to allow people to log on with their Google or Facebook credentials
Social Sign On is widely accepted by users and often demanded by them. I know I use it all the time.
You can set up to log into your Salesforce org via Facebook Social Sign On but oh dear, why would you?
Steps
User tries to log into Salesforce
They choose the social sign on provider and log into that provider (or they may be logged in already)
If the service has not been linked before, the third party service asks you to authorise Salesforce to use the social sign on credentials
Some Apex code in Salesforce uses information from the authentication provider (eg Google) to create or update the user record, and creates or updates the contact record if the login is for a community.
The user is logged in.
Best Practices
Don’t set up SSO for System Administrators because if your SSO goes down you won’t be able to log in. But still set up MFA for Admins.