Allows users to enter their password once, into an identity provider… and then use that athentication for other apps that are connected to that iDP.
Means that you only store user authentication details in one location, and it is easier for the users to only remember one username and password, and the user management (eg adding and removing users, or restricting or increasing access) can be done in one location.
Users generally like it because it’s much easier for them.
When we talk about SSO there is two forms of SSO,
Inbound - Salesforce as a Service Provider (eg Salesforce is the service that Okta can log into)
Outbound - Salesforce as an Identity Provider iDP - Salesforce Identity (eg use your Salesforce credentials to log into Workday). This is Salesforce Identity.
Note that Salesforce can be both a Service Provider and Identity Provider simultaneously.
Why SSO
You start with a Password Manager, then you do shared password folders, then it becomes a bit cumbersome to maintain who has access to which apps. Then you have to provision multiple people on multiple apps. Each time you get a new app you need to set it up for all users. Each time you get a new user you need to set them up on all apps. And when they leave you need to lock them down really quickly. And what if you forget one.
If you have more than a team of 3 or rely on more than 3 critical business apps, then I think it is worth looking at SSO. I am one person and have many critical business apps and even I hate the burden of keeping all the passwords and user access working.
If any of this starts to become a struggle, get an SSO. Don’t wait until it’s too late.
Note that Salesforce can be your SSO, however, I still think it is good to get a third party SSO so you don’t have all your eggs in one basket.
Terms
Salesforce Identity - where Salesforce acts as an iDP
iDP - Identity Provider - the server providing the authentication
SP - Service Provider - the service you are logging into
IAM - Identity and Access Management
SAML - Security Assertion Markup Language
SSO Flows
SP initiated
IDP initiated
2FA / MFA - Multi Factor Authentication
AD/LDAP - Active Directlry
OpenID
SIEM
SCIM
SAML
“XML-based standard for exchanging authentication and authorization data between security domains, that is between an identity provider (a producer of assertions) and a service provider (a consumer of assertions).”
You log into somewhere, you are granted access and get a session token. SAML passes that session token to another app to log you in there.
3 Roles
User
Identity Provider
Service Provider
Salesforce Identity
Where Salesforce acts as the iDP
Application Launcher
Restricted/granted application access
Can automate provisioning using standard Salesforce features like code and flow
Can report using standard Salesforce reports
Can purchase Salesforce Identity licences only for those users that don’t use full Salesforce.
Pre-built integration to use Active Directory as credential store
SSO via
SAML
OpenID
Can use Social Logins (eg Google, Facebook)
SAML allows users to be automatically created in Salesforce when added to your AD
Can deep link into Salesforce from other services. This is then a seamless experience for users.
SSO Apps
These apps can be used for SSO, they are the main apps used.
General Features
2FA/MFA
Salesforce is a supported app out of the box
They are reasonably priced
Syncs to your AD/LDAP service
Logging
Users don’t know their passwords to specific apps so that in itself is good security.
Okta
Not just SSO but a full security suite
Allows 2FA
Can build your own integration to apps not supported out of the box, but there are over 6500 integrations included
Can be used for API athentication
Salesforce is a standard app to connect to
Users can add any site they visit, to their Okta sign in, if it is an Okta enabled site. (If it’s configured this way, I log into an Okta iDP for a client but it’s a heavily regulated industry so they only allow specific apps). So sort of like their own Password Manager.
Syncs to your AD/LDAP server, even On Premise (why do you have an On Premise AD, there should be no reason for On Premise anything for small business).
Logging can be integrated with third party SIEM logging
Can do biometric login
Starting at US $2/u/m
Get Okta if you are in a regulated industry, or have a larger workforce, or anything more than just a few uers logging into a few web apps.
OneLogin
On the face of it very similar to Okta
LastPass
A password manager that can grow to be an SSO and MFA option
Can have shared password folders.
Good for small and growing busineses who have Microsoft Office 365 as their user management
1Password
This is more pricey than LastPass
But has a really nice travel solution so you are not taking passwords across borders when devices can be seized
As a password manager, for me logging into multiple Salesforce orgs, it works better for me than LastPass, but I don’t know what it’s like as an SSO tool
Can integrate with your AD/LDAP service, plus can integrate with Okta.
Probably better suited to highly technical companies
Techqniques
SP Initiated SSO