Describe the components of an identity management solution where Salesforce is accepting identity from a third party

My Domain

  • My Domain is sort of like creating your own empire within the Salesforce universe. It’s a Salesforce Identity feature that lets you personalize your Salesforce org by creating a subdomain (empire) within the Salesforce domain (universe).
  • Salesforce requires you to have a My Domain subdomain in place to:
    • Work in multiple Salesforce orgs in the same browser
    • Set up single sign-on (SSO) with external identity vendors
    • Set up authentication providers, such as Google and Facebook, so that your users can log in to your Salesforce org with their social account credentials
    • Use Lightning components in Lightning component tabs, Lightning pages, the Lightning App Builder, or standalone apps

Single Sign-On

  • SSO has lots of advantages.
    • You spend less time managing passwords.
    • Your employees save time when they don’t have to manually log in to Salesforce. Did you know that users take 5–20 seconds to log in to an online application? Those seconds add up.
    • More people use Salesforce. Users can send out links to Salesforce records and reports, and their recipients can open them in a single click.
    • You can manage access to sensitive information from one place.
  • Salesforce supports the following ways to use SSO:
    • Federated Authentication
    • Delegated Authentication
    • Authentication Providers

SAML

  • Salesforce Identity uses the XML-based Security Assertion Markup Language (SAML) protocol for single sign-on into Salesforce from a corporate portal or identity provider.
  • With SAML, you can transfer user information between services, such as from Salesforce to Microsoft 365.
  • The identity provider sends SAML assertions to Salesforce using the SAML Web Browser SSO profile with the HTTP POST binding.
  • Salesforce sends SAML responses to the identity provider login URL specified under Setup.
  • Salesforce receives the assertion, verifies it against the Salesforce configuration, and, if the assertion is valid, allows SSO.

Federation Id

  • When setting up SSO, you use a unique attribute to identify each user. This attribute is the link that associates the Salesforce user with the external identity provider. You can use a username, user ID, or a Federation ID. We’re going to use a Federation ID.
  • A Federation ID must be unique for each user in an org. That’s why the username is handy. But if the user belongs to multiple orgs, use the same Federation ID for the user in each org.
  • Setup → Users → Select any user and click Edit next to the user record.

SSO settings in Salesforce (Service Provider).

  • On the Salesforce side, we configure SAML settings. SAML is the protocol that Salesforce Identity uses to implement SSO.
  • Get the certificate from the identity provider. Example below:
    • In a new browser window, go to http://axiomsso.herokuapp.com.
    • Click SAML Identity Provider & Tester.
    • Click Download the Identity Provider Certificate
  • Open Single Sign-On Settings and click Edit → Select SAML Enabled
  • In SAML Single Sign-On Settings, click New and enter the following values:
    • Name: Any user-defined name, for example Axiom Test App
    • Issuer: The identity provider URL, for example http://axiomsso.herokuapp.com
    • Identity Provider Certificate: Choose and upload the file downloaded in the earlier step
    • SAML Identity Type: Best to select Assertion contains the Federation ID from the User object
    • Service Provider Initiated Request Binding: Select HTTP Redirect
    • Entity ID: Enter the My Domain name, including https

Salesforce settings in the SSO provider (Identity Provider).

  • Teach the identity provider about the service provider.
  • The following information needs to flow back to the identity provider (using Axiom as an example):
    • SAML Version: 2.0
    • Username or Federation ID: the user's username or Federation ID
    • Issuer:
    • Recipient URL: Comes from the Salesforce SAML Single Sign-On Settings page, under Salesforce Login URL
    • Entity ID: From the Salesforce Single Sign-On Settings page

Make sure it all works.

  • Click Login at the identity provider end, and if everything is set up properly you are redirected to Salesforce.
  • For example,
    • In the Axiom settings, click Request SAML Response
    • Axiom generates a SAML assertion in XML.
    • Click Login, and you are redirected to Salesforce if everything is set up properly
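To make the configuration steps above concrete, here is an added example (not Salesforce's or Axiom's code) of the service-provider-side checks that map the Salesforce SSO settings (Issuer, Entity ID, Salesforce Login URL, SAML Identity Type) onto the fields of an incoming SAML response. The response, My Domain URL, `so=` value and Federation ID are all constructed; signature verification against the uploaded identity provider certificate is assumed to happen before these checks and is not implemented here.

```python
"""Added example (not Salesforce's code): service-provider checks that mirror the
SAML Single Sign-On Settings above. All sample values are constructed."""
from datetime import datetime, timezone
import xml.etree.ElementTree as ET  # in production: defusedxml plus XML-DSig verification

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

def _ts(s):  # SAML timestamps are UTC ISO-8601 with a trailing Z
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def validate_response(xml_text, settings, now):
    """Return (username or None, list of failed checks). Verifying the IdP signature
    with the uploaded certificate must happen before these checks; omitted here."""
    a = ET.fromstring(xml_text).find("saml:Assertion", NS)
    conds = a.find("saml:Conditions", NS)
    scd = a.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    audiences = [x.text for x in conds.findall("saml:AudienceRestriction/saml:Audience", NS)]
    checks = {  # key = the Salesforce setting the assertion field is compared with
        "Issuer": a.findtext("saml:Issuer", namespaces=NS) == settings["issuer"],
        "Entity ID (Audience)": settings["entity_id"] in audiences,
        "Salesforce Login URL (Recipient)": scd.get("Recipient") == settings["login_url"],
        "validity window": _ts(conds.get("NotBefore")) <= now < _ts(conds.get("NotOnOrAfter")),
    }
    failed = [name for name, ok in checks.items() if not ok]
    if failed:
        return None, failed
    # SAML Identity Type: "Assertion contains the Federation ID from the User object"
    fed_id = a.findtext("saml:Subject/saml:NameID", namespaces=NS)
    user = settings["users_by_federation_id"].get(fed_id)
    return user, [] if user else [f"no user with Federation ID {fed_id!r}"]

# Constructed sample response (not from a real IdP); the Signature element is omitted.
SAMPLE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
 xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0">
 <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-01-01T12:00:00Z">
  <saml:Issuer>http://axiomsso.herokuapp.com</saml:Issuer>
  <saml:Subject><saml:NameID>jdoe-fed-id</saml:NameID>
   <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
    <saml:SubjectConfirmationData NotOnOrAfter="2024-01-01T12:05:00Z"
     Recipient="https://example-empire.my.salesforce.com?so=00Dxx0000000001"/>
   </saml:SubjectConfirmation></saml:Subject>
  <saml:Conditions NotBefore="2024-01-01T11:59:00Z" NotOnOrAfter="2024-01-01T12:05:00Z">
   <saml:AudienceRestriction><saml:Audience>https://example-empire.my.salesforce.com</saml:Audience>
   </saml:AudienceRestriction></saml:Conditions></saml:Assertion></samlp:Response>"""
SETTINGS = {"issuer": "http://axiomsso.herokuapp.com",
            "entity_id": "https://example-empire.my.salesforce.com",
            "login_url": "https://example-empire.my.salesforce.com?so=00Dxx0000000001",
            "users_by_federation_id": {"jdoe-fed-id": "jdoe@example.com"}}
NOW = datetime(2024, 1, 1, 12, 1, tzinfo=timezone.utc)  # inside the validity window
```

Calling `validate_response(SAMPLE, SETTINGS, NOW)` returns the matched username; changing any one setting (for example the Entity ID) names exactly the check that no longer agrees with the assertion, which is the same mismatch you would be chasing when the Axiom login does not redirect.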

SOCIAL SIGN-ON

To enable customers to log in to Salesforce with their social credentials, we configure an authentication (auth) provider for the social account. Here's what customers experience:
  • A customer encounters a Salesforce login page with options to log in via Google, Facebook, Twitter, as well as username and password. (1)
  • The customer chooses to log in via Facebook credentials. (2)
  • Salesforce redirects the customer to Facebook. (3)
  • The customer logs in to Facebook. (4)
  • Facebook logs in the customer to Salesforce automatically because Salesforce trusts Facebook’s verification. (5)

AUTHENTICATION PROVIDER

An authentication provider lets users log in to your Salesforce org using their login credentials from an external identity provider, such as Facebook, Google, LinkedIn, and Twitter. Salesforce provides default authentication providers for which Salesforce manages the required configuration values. Salesforce provides authentication providers for apps that support the OpenID Connect protocol, such as Google, Facebook, Twitter, and LinkedIn.
