...

  • Salesforce Identity - where Salesforce acts as an iDP

  • iDP - Identity Provider - the server providing the authentication

  • SP - Service Provider - the service you are logging into

  • IAM - Identity and Access Management

  • SAML - Security Assertion Markup Language

  • SSO Flows

  • SP initiated

  • IDP initiated

  • JIT Provisioning - Just In Time - users are created in Salesforce from iDP

  • 2FA / MFA - Multi Factor Authentication

  • AD/LDAP - Active Directory

  • OpenID

  • SIEM

  • SCIM

SAML

  • “XML-based standard for exchanging authentication and authorization data between security domains, that is between an identity provider (a producer of assertions) and a service provider (a consumer of assertions).”

  • You log into somewhere, you are granted access and get a session token. SAML passes that session token to another app to log you in there.

  • 3 Roles

    • User

    • Identity Provider

    • Service Provider

SAML Assertion

  • The iDP asserting that the user is legitimate. It contains

    • The iDP Digital Certificate

    • The Name of the iDP (Issuer)

    • The Name of the Service Provider (EntityID)

    • The User ID (Subject)

      • User ID can be a Salesforce UserName or fully qualified AD Name eg NORTHWINDTRADERS\JMiners

    • With JIT Provisioning the SAML Assertion needs to provide

      • Email

      • Last Name

      • Profile Name (or ID)

      • User Name

      • Optionally any other attributes from the AD such as Department, First Name, Manager etc
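
The assertion contents and the JIT requirements above, worked as an added example (this is not code from the original notes or from Salesforce): a Service Provider side parser that pulls out the Issuer, the Subject, the Audience (the SP EntityID) and the attribute statement, checks the fields a consumer must check before trusting an assertion, and then applies the JIT rule that Email, Last Name, Profile and User Name must be present. The `User.*` attribute names are the ones Salesforce documents for JIT provisioning; the hosts, IDs, user values and the unsigned sample assertion are constructed, and signature verification is left out because it needs an XML-DSig library.

```python
"""Added example, not from the original notes: structural checks a Service
Provider (standing in for Salesforce) applies to an inbound SAML 2.0 assertion,
plus the Just-In-Time provisioning attribute check.  Signature verification is
out of scope here; the assertion, hosts and user values below are constructed."""
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Attribute names Salesforce documents for JIT; these four are the mandatory ones
# the notes list (Email, Last Name, Profile, User Name).
JIT_REQUIRED = ("User.Email", "User.LastName", "User.ProfileId", "User.Username")

# Constructed, unsigned sample assertion (placeholder ID, hosts and user).
SAMPLE_ASSERTION = """\
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
                ID="_id-constructed-1" Version="2.0" IssueInstant="2024-01-01T12:00:00Z">
  <saml:Issuer>https://idp.example.com/saml</saml:Issuer>
  <saml:Subject>
    <saml:NameID>NORTHWINDTRADERS\\JMiners</saml:NameID>
  </saml:Subject>
  <saml:Conditions NotBefore="2024-01-01T11:58:00Z" NotOnOrAfter="2024-01-01T12:05:00Z">
    <saml:AudienceRestriction>
      <saml:Audience>https://saml.salesforce.com</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AttributeStatement>
    <saml:Attribute Name="User.Email"><saml:AttributeValue>jminers@northwindtraders.example</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="User.LastName"><saml:AttributeValue>Miners</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="User.ProfileId"><saml:AttributeValue>Standard User</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="User.Username"><saml:AttributeValue>jminers@northwindtraders.example</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="User.Department"><saml:AttributeValue>Sales</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>
"""


def utc(stamp: str) -> datetime:
    """Parse a SAML UTC timestamp such as 2024-01-01T12:00:00Z."""
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def parse_assertion(xml_text: str) -> dict:
    """Extract the fields the notes list.  xml.etree does not fetch external
    entities, but untrusted SAML should still go through a hardened parser."""
    root = ET.fromstring(xml_text)
    cond = root.find("saml:Conditions", SAML_NS)
    attrs = {}
    for attr in root.findall("saml:AttributeStatement/saml:Attribute", SAML_NS):
        value = attr.find("saml:AttributeValue", SAML_NS)
        attrs[attr.get("Name")] = value.text if value is not None else None
    return {
        "id": root.get("ID"),
        "issuer": root.findtext("saml:Issuer", namespaces=SAML_NS),
        "subject": root.findtext("saml:Subject/saml:NameID", namespaces=SAML_NS),
        "audience": cond.findtext("saml:AudienceRestriction/saml:Audience", namespaces=SAML_NS),
        "not_before": utc(cond.get("NotBefore")),
        "not_on_or_after": utc(cond.get("NotOnOrAfter")),
        "attributes": attrs,
    }


def validate_assertion(a: dict, expected_issuer: str, expected_audience: str,
                       now: datetime, skew: timedelta = timedelta(0)) -> list:
    """Return the reasons to reject the assertion; an empty list means accept.
    `skew` is the clock tolerance a deployment is willing to allow."""
    errors = []
    if a["issuer"] != expected_issuer:
        errors.append(f"issuer mismatch: {a['issuer']}")
    if a["audience"] != expected_audience:          # was this assertion minted for us?
        errors.append(f"audience mismatch: {a['audience']}")
    if now + skew < a["not_before"]:
        errors.append("assertion not yet valid")
    if now - skew >= a["not_on_or_after"]:
        errors.append("assertion expired")
    if not a["subject"]:
        errors.append("missing subject")
    return errors


def jit_profile(attributes: dict) -> dict:
    """Map SAML attributes onto user fields; refuse JIT if a mandatory one is absent."""
    missing = [name for name in JIT_REQUIRED if not attributes.get(name)]
    if missing:
        raise ValueError(f"JIT provisioning needs attributes: {missing}")
    # Drop the "User." prefix; optional AD attributes such as Department ride along.
    return {name.split(".", 1)[1]: value for name, value in attributes.items()}


if __name__ == "__main__":
    assertion = parse_assertion(SAMPLE_ASSERTION)
    problems = validate_assertion(assertion, "https://idp.example.com/saml",
                                  "https://saml.salesforce.com", now=utc("2024-01-01T12:01:00Z"))
    print("reject:", problems) if problems else print("accept:", jit_profile(assertion["attributes"]))
```

The audience check is the one most often skipped in home-grown consumers: without it an assertion issued for some other Service Provider by the same iDP would be accepted here. The `now` parameter is passed in rather than read from the clock so the validity window can be tested deterministically.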

Salesforce Identity

Where Salesforce acts as the iDP

  • Application Launcher

  • Restricted/granted application access

  • Can automate provisioning using standard Salesforce features like code and flow

  • Can report using standard Salesforce reports

  • Can purchase Salesforce Identity licences only for those users that don’t use full Salesforce.

  • Pre-built integration to use Active Directory as credential store

  • SSO via

    • SAML

    • OpenID

  • Can use Social Logins (eg Google, Facebook)

  • SAML allows users to be automatically created in Salesforce when added to your AD

  • Can deep link into Salesforce from other services. This is then a seamless experience for users.

Identity Connect

The app that syncs Salesforce users with Microsoft AD. It’s a one way sync from AD to Salesforce.

SSO Apps

These apps can be used for SSO; they are the main ones in use.

...

  • https://1password.com/enterprise-password-manager/

  • This is more pricey than LastPass

  • But has a really nice travel solution so you are not taking passwords across borders when devices can be seized

  • As a password manager, for me logging into multiple Salesforce orgs, it works better for me than LastPass, but I don’t know what it’s like as an SSO tool

  • Can integrate with your AD/LDAP service, plus can integrate with Okta.

  • Probably better suited to highly technical companies

Techniques

...

Flows

iDP Initiated SAML Flow

  • User signs into iDP

  • SAML Assertion passed to Salesforce

  • Salesforce logs in and issues a Session ID

  • User is logged in.

SP Initiated SAML Flow

  • Usually used for Deep Links into Salesforce

  • Is needed for Salesforce Mobile

  • Steps

    • User clicks on a Salesforce link

    • If necessary they are taken to the iDP for login

    • iDP sends SAML assertion back to Salesforce

    • Salesforce issues a Session ID

    • User is directed to the page.
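
The two flows above, as an added toy simulation that is not code from the original notes or from Salesforce: a Service Provider standing in for Salesforce, an iDP standing in for whatever the org federates with, and the two sequences wired together. It shows the one thing that separates the flows from the SP's point of view: in the SP initiated flow the response answers a request the SP remembers (the `InResponseTo` field), so a replayed response fails and the deep link the user clicked can be carried across the round trip in `RelayState`, while an iDP initiated response is unsolicited and the SP can only land the user on a default page or refuse it. Hostnames, request IDs, the message fields and the session format are constructed, and nothing is signed; a real SP verifies the iDP's signature before any of these checks.

```python
"""Added example, not from the original notes: a toy simulation of the iDP
initiated and SP initiated SAML flows.  Hosts, IDs and message fields are
constructed; signatures are omitted and must be verified in a real SP."""
import secrets
from typing import Optional
from urllib.parse import urlparse


class IdentityProvider:
    def __init__(self, entity_id: str):
        self.entity_id = entity_id

    def respond(self, username: str, in_response_to: Optional[str] = None) -> dict:
        """Issue the (toy) SAML response after the user has signed into the iDP.
        InResponseTo is set only when answering an SP AuthnRequest."""
        return {"Issuer": self.entity_id, "Subject": username, "InResponseTo": in_response_to}


class ServiceProvider:
    def __init__(self, entity_id: str, idp_entity_id: str, allow_idp_initiated: bool = True):
        self.entity_id = entity_id
        self.idp_entity_id = idp_entity_id
        self.allow_idp_initiated = allow_idp_initiated
        self.pending = {}   # AuthnRequest ID -> deep link the user asked for
        self.sessions = {}  # session ID -> subject

    @staticmethod
    def safe_landing(deep_link: str) -> str:
        """Relay only same-site paths; an absolute URL in RelayState is an open redirect."""
        if deep_link.startswith("/") and not urlparse(deep_link).netloc:
            return deep_link
        return "/home"

    def start_login(self, deep_link: str) -> dict:
        """SP initiated: the user clicked a Salesforce link, so build the AuthnRequest."""
        request_id = "_" + secrets.token_hex(8)
        landing = self.safe_landing(deep_link)
        self.pending[request_id] = landing
        return {"ID": request_id, "Issuer": self.entity_id, "RelayState": landing}

    def consume_response(self, response: dict, relay_state: Optional[str] = None) -> tuple:
        """Both flows: check the response, issue a session ID, choose the landing page."""
        if response["Issuer"] != self.idp_entity_id:
            raise PermissionError("response from an unexpected issuer")
        request_id = response.get("InResponseTo")
        if request_id is None:
            # iDP initiated: nothing to match against, so the SP may choose to refuse.
            if not self.allow_idp_initiated:
                raise PermissionError("unsolicited response refused")
            landing = "/home"
        else:
            landing = self.pending.pop(request_id, None)  # one-shot: a replayed response fails
            if landing is None:
                raise PermissionError("response does not answer an outstanding request")
            if relay_state != landing:
                raise PermissionError("RelayState does not match the original request")
        session_id = secrets.token_urlsafe(16)
        self.sessions[session_id] = response["Subject"]
        return session_id, landing


def idp_initiated(idp: IdentityProvider, sp: ServiceProvider, username: str) -> tuple:
    """User signs into the iDP, picks the app; the assertion arrives unsolicited."""
    return sp.consume_response(idp.respond(username))


def sp_initiated(idp: IdentityProvider, sp: ServiceProvider, username: str, deep_link: str) -> tuple:
    """User clicks a deep link; SP sends them to the iDP; the response comes back bound to the request."""
    request = sp.start_login(deep_link)
    response = idp.respond(username, in_response_to=request["ID"])
    return sp.consume_response(response, relay_state=request["RelayState"])


if __name__ == "__main__":
    idp = IdentityProvider("https://idp.example.com/saml")
    sp = ServiceProvider("https://saml.salesforce.com", idp.entity_id)
    print("iDP initiated ->", idp_initiated(idp, sp, "jminers"))
    print("SP initiated  ->", sp_initiated(idp, sp, "jminers", "/lightning/r/Account/RECORDID/view"))
```

`safe_landing` is why the deep link is normalised before it goes into `RelayState`: the value comes back from the browser, so an SP that redirects to it unchecked can be steered to any host. `allow_idp_initiated=False` is the strict setting; an SP that only accepts responses it asked for gets replay detection for free from the `pending` table.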

Delegated Authentication Flow

  • Requires a WSDL

  • You need to contact Salesforce to have it turned on

  • Steps

    • User logs into Salesforce

    • If Delegated Authentication is enabled for the user, request details from the Delegated Authentication Server (user credentials are encrypted and passed to the DAS)

    • DAS sends true or false back to Salesforce

    • DAS passes credentials to Authentication Provider for verification

  • Requires a proxy server to be created

I don’t understand this. Is it old? Not used anymore? It seems to be. I probably only need to ever know about this for the exam, and know enough to know to not use it.

Social Sign On

  • Usually used for communities to allow people to log on with their Google or Facebook credentials

  • Social Sign On is widely accepted by users and often demanded by them. I know I use it all the time.

  • You can set up to log into your Salesforce org via Facebook Social Sign On but oh dear, why would you?

  • Steps

    • User tries to log into Salesforce

    • They choose the social sign on provider and log into that provider (or they may be logged in already)

    • If the service has not been linked before, the third party service asks you to authorise Salesforce to use the social sign on credentials

    • Some Apex code in Salesforce uses information from the authentication provider (eg Google) to create or update the user record, and creates or updates the contact record if the login is for a community.

    • The user is logged in.

Best Practices

  • Don’t set up SSO for System Administrators, because if your SSO goes down you won’t be able to log in. But still set up MFA for Admins.