SSO Case Study Suchin Rengan Principal Technical Architect Salesforce.com.



The Scenario

Outlook

Browser

Mobile


Key Considerations

Must be Seamless

No impact on the intended functionality

Focus on usability

Comply with security standards – user credentials cannot be stored in any application

Reusability wherever possible

Allow for Scalability


SSO Mechanisms

DA
– SF legacy way to accomplish SSO
– Customers have to build a Web Service that will authenticate requests delegated by SF
– User Profiles need to be enabled for SSO
– Delegated Authentication configuration points to the Delegated Authentication Web Service hosted by the customer

SAML
– SAML is a technology that enables SSO between two disparate systems (Web and Desktop)
– SF supports SAML 1.1 and SAML 2.0
  • Supported since Summer ’08
– Supports browser POST profiles
– Cannot be used to accomplish SSO for desktop/Outlook/mobile clients (DA/OAuth2 is a better alternative)

OAuth
– Open standard for authorization (OAuth!)
– Stops the password anti-pattern
– Explicit grant of permission by the user
  • The valet key concept
– Credential is per service provider
  • Revocable without changing the password
– Browser-based authentication for rich clients
  • Makes it possible to participate in SSO


The Browser Scenario

Participants: Browser, Identity Provider (Corporate Portal)

1. User Request
2. Validate and Generate SAML Token
3. Post SAML
4. User Session


The Outlook Scenario

Participants: Outlook, Identity Provider, Intermediary Service, DA Service

Flows shown in the diagram:
– User Credentials (context based)
– SAML Token
– SAML Token (Login API)
– DA Redirect
– True/False
– User Session


The Mobile Scenario

Participants: Mobile, NT Authentication Services, DA Service

Flows shown in the diagram:
– NT Login
– Credentials
– DA Redirect
– True/False
– User Session
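The DA service that the Outlook and Mobile flows both redirect to, as an added example that is not part of the deck or of Salesforce's own code. It assumes the DA SOAP request carries username, password and sourceIp elements (the namespace and the signed "tok:" token are constructed stand-ins; the token plays the role of the SAML token the intermediary service obtains), and it checks NT-style credentials through a callback so that the service itself never stores a credential.

```python
# Added example (not Salesforce's code): a minimal Delegated Authentication (DA) service.
# Assumed request shape: SOAP body with <username>, <password>, <sourceIp>. The token
# format below is a constructed stand-in for the SAML token the intermediary obtains.
import base64, hashlib, hmac, time, xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

TOKEN_KEY = b"constructed-shared-secret"  # shared with the intermediary service (constructed)
TOKEN_TTL = 300                            # seconds a token stays valid
_used_tokens = set()                       # replay guard: a token is honoured once

def issue_token(username, now=None):
    """Intermediary side: mint the context-based credential that goes in the password field."""
    body = f"{username}|{int(now or time.time()) + TOKEN_TTL}".encode()
    sig = hmac.new(TOKEN_KEY, body, hashlib.sha256).digest()
    return "tok:" + base64.urlsafe_b64encode(body + sig).decode()

def build_request(username, password, source_ip):
    """Constructed DA request; the namespace is an assumption."""
    return ('<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" '
            'xmlns:urn="urn:authentication.soap.sforce.com"><soapenv:Body><urn:Authenticate>'
            f'<urn:username>{escape(username)}</urn:username><urn:password>{escape(password)}'
            f'</urn:password><urn:sourceIp>{escape(source_ip)}</urn:sourceIp>'
            '</urn:Authenticate></soapenv:Body></soapenv:Envelope>')

def _check_token(username, token, now):
    """Verify signature, subject, expiry and single use without raising on bad input."""
    try:
        raw = base64.urlsafe_b64decode(token[4:])
        body, sig = raw[:-32], raw[-32:]
        subject, exp = body.decode().split("|")
        exp = int(exp)
    except (ValueError, UnicodeDecodeError):
        return False
    expected = hmac.new(TOKEN_KEY, body, hashlib.sha256).digest()
    ok = (hmac.compare_digest(sig, expected) and subject == username
          and now < exp and token not in _used_tokens)
    if ok:
        _used_tokens.add(token)
    return ok

def handle_authenticate(soap_xml, directory_check, now=None):
    """DA service: return True/False only; the credential is never stored or logged."""
    now = now or time.time()
    root = ET.fromstring(soap_xml)
    username = root.findtext(".//{*}username") or ""
    secret = root.findtext(".//{*}password") or ""
    if not username or not secret:
        return False
    if secret.startswith("tok:"):                   # Outlook path: intermediary token
        return _check_token(username, secret, now)
    return bool(directory_check(username, secret))  # Mobile path: NT credential check
```

In the real deployment the token-path decision should additionally be bound to the intermediary's sourceIp and the token's audience; the replay set above would live in a shared store rather than process memory.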


Summary

In production for 2 years

Supports 20K users