Identity and Access Management – Accepting Third-Party Identity in Salesforce

Define the Salesforce Authentication Provider in Your Org


1. From Setup, enter Auth Providers in the Quick Find box, then select Auth Providers | New

2. Provider Type – Salesforce

3. Enter Name

4. Enter the URL Suffix

5. Paste the consumer key

6. Paste the consumer secret

7. Optional Fields

  • Authorize Endpoint URL
  • Token Endpoint URL
  • Default Scopes
  • Include identity organization’s organization ID for third-party account linkage
  • Custom Error URL
  • Custom Logout URL

8. Select an existing Apex class as the Registration Handler, or select Automatically create a registration handler template

9. Execute Registration As – select the user that runs the Apex handler class

10. To use a portal with your provider, select the portal from the Portal dropdown list

11. Select an Icon URL

12. Select Save

13. Return to the connected app definition

Test-Only Initialization URL

Salesforce admins use this URL to ensure that the third-party provider is set up correctly. The admin opens this URL in a browser, signs in to the third party, and is redirected back to Salesforce with a map of attributes.

Single Sign-On Initialization URL

Use this URL to perform SSO into Salesforce from a third party using its third-party credentials. The user opens this URL in a browser and logs in to the third party. The third party either creates a user or updates an existing user. Then the third party signs the user into Salesforce as that user.

Existing User Linking URL

Use this URL to link existing Salesforce users to a third-party account. The user opens this URL in a browser, signs in to the third party, signs in to Salesforce, and approves the link.

OAuth-Only Initialization URL

Use this URL to obtain OAuth access tokens for a third party. Users must authenticate with Salesforce for the third-party service to get a token. This flow doesn’t provide for future SSO functionality.

Callback URL

Use the callback URL for the endpoint that the authentication provider calls back to for configuration. The authentication provider must redirect to the callback URL with information for each client configuration URL.

Test the SSO Connection

Open the Test-Only Initialization URL on the Auth Provider detail page. 

Add the Authentication Provider to Your Login Page

Configure your login page to show the authentication provider as the login option.

Social Sign-On with OpenID Connect

What is OpenID Connect

An identity protocol built on OAuth 2.0 that verifies a user’s identity using authentication performed by another server.

Capabilities

  • Provide users with a single sign-on form
  • Allow users to log in to Salesforce using other credentials
    • Internal Users
    • Community Users
  • Use a variety of providers to authenticate users
    • Google
    • Microsoft
    • PayPal
    • Ping Identity

How do I set this up? (Google Example)

  • Register as an OAuth client with Google
  • Configure the “Auth Provider” in Salesforce
  • Define the logic for user management
  • Use Auth Provider in My Domain/Community

How do I manage identities between systems?

  • Define the logic to be executed when a user logs in
    • Create Apex registration handler
    • Use profile information from provider
  • Unrecognized OpenID Connect Profile
    • Match to an existing Salesforce user
    • Create new user
  • Previously logged in profile
    • Update Information
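The registration-handler logic described above, written out as an added example (not code from the original notes or from Salesforce): it implements Auth.RegistrationHandler for an OpenID Connect Auth Provider such as the Google example, matches an unrecognized profile to an existing user only on a provider-verified email, creates a new user otherwise, and refreshes only display data on later logins. The profile name, the username suffix, and the presence of an email_verified key in attributeMap are assumptions.

```apex
// Added example, not from the original notes: Auth.RegistrationHandler for
// an OpenID Connect Auth Provider (e.g. Google). Names below are assumptions.
global class OidcRegistrationHandler implements Auth.RegistrationHandler {
    private static final String PROFILE_NAME = 'Social Login User'; // assumed
    private static final String USERNAME_SUFFIX = '@example.invalid'; // placeholder
    // First login for this provider identifier: return an existing User to
    // link to it, or an unsaved User that Salesforce will insert.
    global User createUser(Id portalId, Auth.UserData data) {
        // Link by email only when the provider asserts it as verified; an
        // unverified email claim is not a safe match key.
        if (isEmailVerified(data)) {
            List<User> existing = [SELECT Id FROM User
                WHERE Email = :data.email AND IsActive = true LIMIT 2];
            if (existing.size() == 1) {
                return existing[0];
            }
        }
        Profile p = [SELECT Id FROM Profile WHERE Name = :PROFILE_NAME LIMIT 1];
        User u = new User();
        u.Username = data.identifier + USERNAME_SUFFIX;
        u.Email = data.email;
        u.FirstName = data.firstName;
        u.LastName = String.isBlank(data.lastName) ? 'User' : data.lastName;
        u.Alias = data.identifier.left(8);
        u.ProfileId = p.Id;                 // least-privilege profile
        u.LanguageLocaleKey = UserInfo.getLocale();
        u.LocaleSidKey = UserInfo.getLocale();
        u.EmailEncodingKey = 'UTF-8';
        u.TimeZoneSidKey = UserInfo.getTimeZone().getID();
        return u;
    }

    // Every later login: refresh display data only. Profile, role and
    // permission sets are never driven by provider claims.
    global void updateUser(Id userId, Id portalId, Auth.UserData data) {
        User u = new User(Id = userId);
        u.FirstName = data.firstName;
        u.LastName = String.isBlank(data.lastName) ? 'User' : data.lastName;
        if (isEmailVerified(data)) {
            u.Email = data.email;
        }
        update u;
    }

    // Google's userinfo includes an email_verified claim; it is assumed
    // here to be present in attributeMap under that key.
    private static Boolean isEmailVerified(Auth.UserData data) {
        return data.attributeMap != null && !String.isBlank(data.email)
            && 'true'.equalsIgnoreCase(data.attributeMap.get('email_verified'));
    }
}
```

Select this class in step 8 of the Auth Provider definition and set Execute Registration As (step 9) to a user whose own permissions bound what the handler can create.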

Fun Facts

  • OpenID Connect is built on OAuth 2.0
  • OpenID Connect Identity + OAuth 2.0 Authorisation = API Access
  • Authorisation can be used to access Resources
  • Define using Scope as per OAuth 2.0
  • Use APIs from the Identity Provider

Identity 101: Design Patterns for Access Management

Hub-Spoke Pattern

An identity provider (IdP) is a system component that provides an end user or internet-connected device with a single set of login credentials that ensures the entity is who or what it says it is across multiple platforms, applications and networks.

Managing Multiple Login Options to a Single Service

  • Identity provider to provision access to various services
  • Provide easy access, but the IdP chosen at sign-up is quickly forgotten
  • Initial sign up is fluid

Use Case: Gencom Petro Inc

Provides management solutions for the drilling industry. Contractors (transient workers) access the Gencom solution running in each customer org. Contractors use a single set of credentials to access the solution at a drilling site or customer. Physical security will control access to the solution console at each customer site.

Platform Feature IdP SP
Insert Federation ID into User Record X
Connected Apps X
SAML/Single Sign-On X
Self-Sign Certification (From IdP) X
Just-In Time Provisioning (JIT Handler) X

Single Sign-On Discovery

  • IdP per partner
  • IdP per division or region
  • IdP per sister company
  • IdP for mobile clients
  • IdP for desktop browsers

Single Sign-On FAQs

  • What are the ways to implement SSO?
    • Identity Provider
    • Service Provider
    • Both
  • Where can I view SSO errors?
    • Login History report
  • Does SSO work outside my corporate firewall?
    • Yes. Users can use their network passwords, and you can restrict access to require that they be on your network.
  • Can I validate an SAML response?
    • Yes, from SAML Validation on the Single Sign-On Settings page
  • Can I configure a start page and logout page that are specific to my company?
    • Yes
  • Can I test my SSO configuration before implementing it?
    • Yes. Sandboxes have SAML disabled by default; turn it on in Single Sign-On Settings > SAML Enabled
  • Can I prevent users from logging into Salesforce with their username and password?
    • Yes – you can require users to log in with SSO
  • Can I enable SSO for Salesforce Admins?
    • Yes – but it is recommended to allow some or all admins to log in with MFA in case of an outage
  • Can I use Salesforce MFA for SSO?
    • Yes 
  • Can I use my third-party identity provider’s MFA for SSO?
    • Yes, you can use a third-party identity provider’s MFA

Delegated Administration

Configure SSO to Salesforce Using Microsoft AD FS as the Identity Provider

  1. Install Software
    1. Install Windows Server 2008 R2
    2. Create a friendly DNS and point to AD FS 2.0 server
    3. Download and install AD FS 2.0
    4. In IIS manager create SSL certificate
    5. Run the AD FS Server configuration wizard
    6. If an error results, manually create a Kerberos SPN
  2. Configure Salesforce
    1. Configure SAML 2.0
      1. Name
      2. SAML Version
      3. Issuer
      4. Identity Provider Certificate
      5. Request Signing Certificate
      6. Request Signature Method
      7. SAML Identity Type
      8. SAML Identity Location
      9. Service Provider Initiated Request Binding
      10. Identity Provider Login URL
      11. Custom Logout URL
      12. Entity ID
    2. AD FS 2.0 Configuration
      1. Select Data Source
      2. Specify Display Name
      3. Choose Issuance Authorization Rules
      4. Open Edit Claim Rules Dialog
      5. Claim Rule Name
      6. LDAP Attribute
      7. Outgoing Claim Type
    3. SP-Initiated Login
    4. Testing