Salesforce Identity Workshop
How to use the Salesforce Identity Platform: A Deep Dive
Dave Carroll, Developer Evangelist (@dcarroll)
Pat Patterson, Developer Evangelist (@metadaddy)
Safe harborSafe harbor statement under the Private Securities Litigation Reform Act of 1995: This presentation may contain forward-looking statements that involve risks, uncertainties, and assumptions. If any such uncertainties materialize or if any of the assumptions proves incorrect, the results of salesforce.com, inc. could differ materially from the results expressed or implied by the forward-looking statements we make. All statements other than statements of historical fact could be deemed forward-looking, including any projections of product or service availability, subscriber growth, earnings, revenues, or other financial items and any statements regarding strategies or plans of management for future operations, statements of belief, any statements concerning new, planned, or upgraded services or technology developments and customer contracts or use of our services. The risks and uncertainties referred to above include – but are not limited to – risks associated with developing and delivering new functionality for our service, new products and services, our new business model, our past operating losses, possible fluctuations in our operating results and rate of growth, interruptions or delays in our Web hosting, breach of our security measures, the outcome of intellectual property and other litigation, risks associated with possible mergers and acquisitions, the immature market in which we operate, our relatively limited operating history, our ability to expand, retain, and motivate our employees and manage our growth, new releases of our service and successful customer deployment, our limited history reselling non-salesforce.com products, and utilization and selling to larger enterprise customers. Further information on potential factors that could affect the financial results of salesforce.com, inc. is included in our annual report on Form 10-Q for the most recent fiscal quarter ended July 31, 2012. 
These documents and others containing important disclosures are available on the SEC Filings section of the Investor Information section of our Web site. Any unreleased services or features referenced in this or other presentations, press releases or public statements are not currently available and may not be delivered on time or at all. Customers who purchase our services should make the purchase decisions based upon features that are currently available. Salesforce.com, inc. assumes no obligation and does not intend to update these forward-looking statements.
What if there was a single place to login to all your enterprise apps?
What if there was a single place to manage your cloud and mobile apps?
Introducing Salesforce Identity: Cloud Identity and Access Management
Simple: Login once to all your cloud and mobile apps with Single Sign-On.
Social: Deep social and data integration, fully customizable and built on open standards.
Trusted: Centralized access management and provisioning, delivered through the simplicity, transparency, and trust of the Salesforce Platform.
Diagram labels: social, automate, administrate, trust
• enterprise directory integration
• single sign-on and user management
• secure single sign-on and social apps
• centralized access management, provisioning and reporting
• transparent, scalable, certified
ISO 27001, SOC 1, 2, 3 (SAS70 Type II), GSA Moderate Level Authority, EU Safe Harbor Certified, JIPDC (Japan Privacy Seal), TÜV (Germany Privacy Mark), SysTrust, TRUSTe, PCI
60 Billion Transactions / Quarter
26 Billion API calls / Quarter
7 Billion Logins / Year
100,000+ Customers
Simple: Single Sign-On and Social Apps
Single Sign-On to all your Apps
• Improve utilization and adoption
• Login once with a single, secure cloud Identity
• Access any standards-based application
• Integrated Application Switcher provides quick access
Mobile
• Login once, access anywhere
• Single Sign-On for Mobile Apps
• Secure access without VPN
Social Apps with Deep Integration
• Push to your users with a common feed
• Apps integrate directly into feed
• Deep data integration provides highly differentiated apps
Secure: Centralized Access Management
Centralized Control over User Access
• Common Authorization for all your apps
• Force.com, Heroku, Mobile, and Third-Party
• Single place to enable/disable apps
• Rapidly trial, develop and deploy
• One-click Enablement
Mobile Ready
• Dedicated Mobile Policies
• Enterprise Federation for Mobile Apps
• Salesforce, IT or ISV developed
• Pre-integrated Mobile SDKs
Standard: Broad Open Standard Support
Single Sign-On
• SAML 2.0 Identity Provider
• SAML 1.1 / 2.0 Service Provider
• OpenID Connect
API Access
• OAuth 2
• OAuth 2 SAML Bearer Tokens
• OAuth 2 JWT Bearer Tokens
Cloud Directory & Provisioning
• SCIM
• SAML Provisioning
Extensible: A Full Identity-Enabled Platform
Enterprise Class Workflow
• Graphical Drag and Drop processes
• Declarative
• Fully pluggable
Broad Declarative Options
• Extensible Fields
• Declarative validation rules
• Drag and Drop layouts
Run Code
• Full programming language
• Batch Apex
• Apex Callouts
• User Triggers
• Apex Crypto
API Enabled
• Automate from off platform
Integrated: Enterprise Integration
Enterprise Class Integration
• Leverage your existing authentication systems
• Single Sign-On for Web, Mobile and API
• Best practice experience from 13,000 Tenants
Broad Provisioning Support
• Manual
• SOAP / REST
• Batch
• SAML Just-In-Time
• SCIM provisioning
Active Directory
SAML & SCIM
Transparent: Centralized Reporting
Centralized Reporting
• Transparency into access and utilization
Customizable
• Drag and drop reporting engine
Analytics and Dashboards
• Leverage Salesforce Analytics to develop your own reports and dashboards
Brandable: Run your own Identity Services
Fully brandable for Customers & Partners
• Run your own IDP
• Build federated Support offerings
• Build your customer Social Profile
• Cloud-enable your products
Social
• Pre-integrated with Facebook and other Consumer providers
Salesforce Platform: Cloud-based, multi-tenant, enterprise-class PaaS
1,000,000 Salesforce Platform Developers
9 Billion API calls last month
Mobile, Social, Identity, Data, Marketplace
The Salesforce Platform
Security: Identity, data security and user services
User Profiles
Groups, Queues and Hierarchies
Permission Sets
SSO, SAML, OAuth 2.0
Connected Apps
Key Concepts for Data Security
http://developer.force.com/join
Identity Provisioning
Browser
REST API
• POST/GET/PATCH/DELETE on the User endpoint: https://instance.salesforce.com/services/data/v27.0/sobjects/User
{
  "Username": "[email protected]",
  "Alias": "davec",
  "Email": "[email protected]",
  "EmailEncodingKey": "UTF-8",
  "FirstName": "Dave",
  "LanguageLocaleKey": "en_US",
  "LastName": "Carroll",
  "LocaleSidKey": "en_US",
  "ProfileId": "00eE0000000Lst0IAC",
  "TimeZoneSidKey": "America/Los_Angeles"
}
• http://bit.ly/user-json
SOAP API
• Pass users to create(), retrieve(), update(), delete()
// For example, in Java (classes generated from the enterprise WSDL)...
User[] users = new User[2];
users[0] = new User();            // each slot must hold an object before its fields are set
users[0].setUsername("[email protected]");
users[0].setAlias("davec");
// populate other fields
users[1] = new User();
users[1].setUsername("[email protected]");
users[1].setAlias("patp");
// populate other fields
SaveResult[] results = connection.create(users);
SCIM
• Standardized REST API: https://identity.my.salesforce.com/services/data/v26.0/scim/v1/Users
{
  "userName": "[email protected]",
  "name": { "familyName": "User", "givenName": "Demo" },
  "emails": [ { "primary": true, "value": "[email protected]" } ],
  "groups": [ { "value": "00eE0000000FK6tIAG", "display": "Full Time Employees" } ],
  "schemas": [ "urn:scim:schemas:core:1.0", "urn:scim:schemas:extension:enterprise:1.0" ]
}
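The REST and SCIM slides above each show one payload. As an added example (not code from the deck or from Salesforce), the block below builds both payload shapes from one source record and, more usefully, computes a dry-run provisioning plan: which users get a POST to sobjects/User, which get a PATCH, and which are deactivated because they vanished from the source directory. The endpoint URLs and ProfileId are the deck's; the users, record Ids and org defaults are constructed, and the HTTP transport is injectable so the demo runs offline.

```python
"""Added example, not code from the deck: build the User payloads for the two provisioning
endpoints shown on the slides and compute a dry-run provisioning plan.

Assumptions: the endpoint URLs are the ones on the slides, the bearer token comes from an
OAuth flow, and the users, record Ids and defaults below are constructed for the demo."""
import json
import urllib.request
from typing import Callable, Dict, List, Optional, Tuple

REST_USER_URL = "https://instance.salesforce.com/services/data/v27.0/sobjects/User"
SCIM_USERS_URL = "https://identity.my.salesforce.com/services/data/v26.0/scim/v1/Users"

# Fields the User object requires on create; the deck's sample JSON carries all of them.
REST_REQUIRED = ("Username", "Alias", "Email", "EmailEncodingKey", "LastName",
                 "LanguageLocaleKey", "LocaleSidKey", "ProfileId", "TimeZoneSidKey")

# Org-wide defaults applied when the source directory does not supply them (constructed).
DEFAULTS = {"EmailEncodingKey": "UTF-8", "LanguageLocaleKey": "en_US",
            "LocaleSidKey": "en_US", "TimeZoneSidKey": "America/Los_Angeles"}

Op = Tuple[str, str, dict]  # (HTTP method, URL, JSON body)


def rest_user_payload(fields: Dict[str, str]) -> Dict[str, str]:
    """POST body for sobjects/User; refuses to build one the API would reject."""
    body = {**DEFAULTS, **fields}
    missing = [f for f in REST_REQUIRED if not body.get(f)]
    if missing:
        raise ValueError("User payload missing required fields: " + ", ".join(missing))
    return body


def scim_user_payload(fields: Dict[str, str], groups: List[Tuple[str, str]] = ()) -> dict:
    """The same identity in the SCIM 1.0 shape the deck shows (core + enterprise schemas)."""
    return {
        "userName": fields["Username"],
        "name": {"familyName": fields["LastName"], "givenName": fields.get("FirstName", "")},
        "emails": [{"primary": True, "value": fields["Email"]}],
        "groups": [{"value": group_id, "display": name} for group_id, name in groups],
        "schemas": ["urn:scim:schemas:core:1.0", "urn:scim:schemas:extension:enterprise:1.0"],
    }


def plan_provisioning(desired: Dict[str, Dict[str, str]],
                      existing: Dict[str, Dict[str, str]]) -> List[Op]:
    """Diff the source of truth (Username -> attributes) against the org's current User
    records (Username -> record incl. Id and IsActive). Users that left the source are
    deactivated, the single-place de-provisioning the deck describes, never left active."""
    ops: List[Op] = []
    for username, attrs in desired.items():
        if username not in existing:
            ops.append(("POST", REST_USER_URL, rest_user_payload({"Username": username, **attrs})))
            continue
        current = existing[username]
        changed = {k: v for k, v in attrs.items() if current.get(k) != v}
        if not current.get("IsActive", True):
            changed["IsActive"] = True  # returning user: reactivation is an explicit, visible op
        if changed:
            ops.append(("PATCH", f"{REST_USER_URL}/{current['Id']}", changed))
    for username, current in existing.items():
        if username not in desired and current.get("IsActive", True):
            ops.append(("PATCH", f"{REST_USER_URL}/{current['Id']}", {"IsActive": False}))
    return ops


def apply_plan(ops: List[Op], access_token: str,
               send: Optional[Callable[[str, str, bytes, dict], int]] = None) -> List[int]:
    """Execute a plan. `send(method, url, body, headers)` returns the HTTP status; the
    default uses urllib, tests inject a fake so nothing leaves the machine."""
    def default_send(method: str, url: str, body: bytes, headers: dict) -> int:
        req = urllib.request.Request(url, data=body, method=method, headers=headers)
        with urllib.request.urlopen(req) as resp:
            return resp.status
    send = send or default_send
    headers = {"Authorization": f"Bearer {access_token}", "Content-Type": "application/json"}
    return [send(method, url, json.dumps(body).encode(), headers) for method, url, body in ops]


# Constructed sample data: an HR feed (desired) and what the org currently holds (existing).
DESIRED = {
    "dave@example.com": {"Alias": "davec", "Email": "dave@example.com", "FirstName": "Dave",
                         "LastName": "Carroll", "ProfileId": "00eE0000000Lst0IAC"},
    "pat@example.com": {"Alias": "patp", "Email": "pat@example.com", "FirstName": "Pat",
                        "LastName": "Patterson", "ProfileId": "00eE0000000Lst0IAC"},
}
EXISTING = {
    "pat@example.com": {"Id": "005000000000001AAA", "IsActive": True, "Alias": "pat",
                        "Email": "pat@example.com", "FirstName": "Pat", "LastName": "Patterson",
                        "ProfileId": "00eE0000000Lst0IAC"},
    "old@example.com": {"Id": "005000000000002AAA", "IsActive": True, "Alias": "old",
                        "LastName": "Leaver"},
}

if __name__ == "__main__":
    for method, url, body in plan_provisioning(DESIRED, EXISTING):
        print(method, url, json.dumps(body))
```

Running the block prints three operations: a POST creating Dave with the org defaults filled in, a PATCH correcting Pat's alias, and a PATCH setting IsActive to false for the user who is no longer in the feed. Reviewing that plan before calling apply_plan is the point of the dry run: deactivations are visible as explicit operations rather than a side effect of a sync.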
‘Just in time’ (JIT) provisioning
• SAML 2.0, Auth Providers
• Identity Provider must supply a set of mandatory attributes in the SAML Assertion
  • ProfileId
  • UserName
  • LastName
• Many other optional attributes
  • FirstName, Phone, Manager etc
Single Sign-On: SAML
SAML 2.0
• Single sign-on across domains/enterprises
• OASIS standard (March 2005)
• Widely supported
  • Google Apps since October 2006
  • salesforce.com since Winter ’09 (October 2008)
  • Active Directory Federation Services (AD FS) since version 2.0 (May 2010)
SAML 2.0 Roles
SAML 2.0 Protocol
Participants: Browser, Identity Provider (idp.ex.com), Service Provider (sp.ex.net)
1. Browser → Service Provider: GET /something
2. Service Provider → Browser: HTTP/1.1 302 Found
   Location: http://idp.ex.com/saml?SAMLRequest=hf7893b…&RelayState=HKFDhh383
3. Browser → Identity Provider: GET http://idp.ex.com/saml?SAMLRequest=hf7893b…&RelayState=HKFDhh383
4. Identity Provider authenticates the user
5. Identity Provider → Browser: 200 OK, SAML Assertion in HTML FORM
6. Browser → Service Provider: POST /acs, SAML Assertion
7. Service Provider → Browser: HTTP/1.1 302 Found
   Location: http://sp.ex.net/something
   Set-Cookie: token=value; Domain=.ex.net
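Steps 2 and 3 of the flow carry the AuthnRequest in the query string using the SAML 2.0 HTTP-Redirect binding. As an added example (not code from the deck), the block below shows the Service Provider building that redirect: the request is DEFLATE-compressed, base64-encoded and URL-encoded into the SAMLRequest parameter, the RelayState is an opaque, unguessable handle rather than a return URL, and the SP records the request ID so it can later match the assertion's InResponseTo. The Identity Provider side decodes it with the inverse steps. Hostnames are the deck's placeholders; IDs are generated.

```python
"""Added example, not code from the deck: the SP side of the redirect in steps 2/3 of the
flow above. Encodes an AuthnRequest per the SAML 2.0 HTTP-Redirect binding (DEFLATE,
base64, URL-encode), pairs it with a RelayState the SP can verify later, and decodes it
the way the IdP does. Hostnames are the deck's placeholders; IDs are generated."""
import base64
import secrets
import zlib
from datetime import datetime, timezone
from typing import Dict, Optional, Tuple
from urllib.parse import parse_qs, urlencode, urlsplit

IDP_SSO_URL = "http://idp.ex.com/saml"
SP_ENTITY_ID = "http://sp.ex.net"
SP_ACS_URL = "http://sp.ex.net/acs"

# Pending requests the SP remembers: RelayState -> AuthnRequest ID (in memory for the demo;
# a real SP keys this by session). Needed later to check InResponseTo on the assertion.
PENDING: Dict[str, str] = {}


def build_authn_request(request_id: str, issue_instant: str) -> str:
    return (
        '<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
        'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" '
        f'ID="{request_id}" Version="2.0" IssueInstant="{issue_instant}" '
        f'Destination="{IDP_SSO_URL}" AssertionConsumerServiceURL="{SP_ACS_URL}" '
        'ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST">'
        f"<saml:Issuer>{SP_ENTITY_ID}</saml:Issuer>"
        "</samlp:AuthnRequest>"
    )


def deflate_encode(xml: str) -> str:
    """Redirect binding encoding: raw DEFLATE (no zlib header, wbits=-15) then base64."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)
    return base64.b64encode(comp.compress(xml.encode()) + comp.flush()).decode()


def inflate_decode(value: str) -> str:
    return zlib.decompress(base64.b64decode(value), -15).decode()


def redirect_location(request_id: Optional[str] = None, relay_state: Optional[str] = None,
                      issue_instant: Optional[str] = None) -> Tuple[str, str, str]:
    """Return (Location header value, request ID, RelayState) for the SP's 302."""
    request_id = request_id or "_" + secrets.token_hex(16)   # XML IDs must not start with a digit
    relay_state = relay_state or secrets.token_urlsafe(16)   # opaque handle, never a raw return URL
    issue_instant = issue_instant or datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    xml = build_authn_request(request_id, issue_instant)
    PENDING[relay_state] = request_id
    query = urlencode({"SAMLRequest": deflate_encode(xml), "RelayState": relay_state})
    return f"{IDP_SSO_URL}?{query}", request_id, relay_state


def parse_redirect(location: str) -> Tuple[str, str]:
    """IdP side: recover the AuthnRequest XML and RelayState from the redirect URL."""
    params = parse_qs(urlsplit(location).query, strict_parsing=True)
    return inflate_decode(params["SAMLRequest"][0]), params["RelayState"][0]


def consume_relay_state(relay_state: str) -> Optional[str]:
    """SP side, when the POST to /acs arrives: one-shot lookup of the request ID."""
    return PENDING.pop(relay_state, None)


if __name__ == "__main__":
    location, rid, rs = redirect_location()
    print("302 Location:", location)
    print("IdP sees:", parse_redirect(location)[0])
    print("SP matches RelayState", rs, "to request", consume_relay_state(rs))
```

Keeping RelayState as a server-side handle (looked up once, then discarded) is what lets the SP send the user on to the originally requested page without accepting an attacker-supplied URL, and the stored request ID is what the InResponseTo check on the returned assertion is compared against.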
SAML 2.0 Assertion
<Assertion>
  <Issuer/>
  <Signature/>
  <Subject/>
  <Conditions/>
  <AttributeStatement/>
  <AuthnStatement/>
</Assertion>
Single Sign-On Between Salesforce Orgs
bit.ly/multi-org-sso
Social Sign-On: Authentication Providers
Authentication Providers
• Three pre-built connectors
• Sign-on from social providers
  • Facebook, Janrain (Twitter, LinkedIn etc), other Salesforce orgs
• Automatically create and update users and contacts
OAuth 2.0
OAuth 2.0
• oauth.net/2
• Authorization for RESTful APIs
• Evolution of Google AuthSub, Yahoo BBAuth, AOL OpenAuth etc
• Standardized as RFC 6749/6750
• bit.ly/oauth2-force
OAuth Roles
Authenticate
OAuth 2.0 Protocol – Implicit Flow
Participants: Browser, Client App, Authorization Server (login.salesforce.com), Resource Server (na1.salesforce.com)
1. Client App → Browser: open https://login.salesforce.com/services/oauth2/authorize?response_type=token&client_id=XYZ…&redirect_uri=myapp://oauth
2. Browser → Authorization Server: GET /services/oauth2/authorize?response_type=token&client_id=XYZ…&redirect_uri=myapp://oauth
3. Authorization Server authenticates the user
4. Authorization Server → Browser: 302 Found
   Location: myapp://oauth#access_token=…&refresh_token=…&instance_url=…&id=…&signature=…&issued_at=…
5. Browser → Client App: GET /oauth#access_token=…&…
6. Client App → Resource Server: GET /services/data/v25.0/…
   Authorization: Bearer 00D5…
7. Resource Server → Client App: 200 OK, Data
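In the implicit flow the token response arrives in the URL fragment, so the client app has to parse it itself before it can make the resource request. As an added example (not code from the deck or from Salesforce), the block below parses the fragment, rejects callbacks that did not arrive on the registered redirect URI, surfaces an error response instead of silently missing the token, and checks the signature field. Salesforce documents that field as the base64 HMAC-SHA256 of id concatenated with issued_at, keyed with the consumer secret; treat that recipe as an assumption to confirm against current documentation, and note it is only checkable where the client can hold the secret. The secret, tokens and identity URL are constructed.

```python
"""Added example, not code from the deck: what the Client App does with step 5 of the
implicit flow above. Parses the token response out of the URL fragment and checks the
`signature` field, which Salesforce documents as base64(HMAC-SHA256(consumer secret,
id + issued_at)); treat that recipe as an assumption to confirm against current docs.
The consumer secret, tokens and identity URL below are constructed."""
import base64
import hashlib
import hmac
from typing import Dict, Tuple
from urllib.parse import parse_qs, urlencode, urlsplit

CLIENT_SECRET = "constructed-consumer-secret"      # only meaningful where the client can hold it
REDIRECT_SCHEME, REDIRECT_HOST = "myapp", "oauth"  # the deck's redirect_uri myapp://oauth


def parse_callback(url: str) -> Dict[str, str]:
    """Pull the token response out of the fragment; anything not on our redirect_uri is refused."""
    parts = urlsplit(url)
    if (parts.scheme, parts.netloc) != (REDIRECT_SCHEME, REDIRECT_HOST):
        raise ValueError("callback did not arrive on the registered redirect_uri")
    params = {k: v[0] for k, v in parse_qs(parts.fragment, strict_parsing=True).items()}
    if "access_token" not in params:
        raise ValueError("authorization failed: " + params.get("error", "no access_token"))
    return params


def expected_signature(secret: str, identity_url: str, issued_at: str) -> str:
    mac = hmac.new(secret.encode(), (identity_url + issued_at).encode(), hashlib.sha256).digest()
    return base64.b64encode(mac).decode()


def verify_signature(params: Dict[str, str], secret: str) -> bool:
    """Constant-time check that id/issued_at were not altered after the server sent them."""
    try:
        expected = expected_signature(secret, params["id"], params["issued_at"])
        return hmac.compare_digest(expected, params["signature"])
    except KeyError:
        return False


def api_request_parts(params: Dict[str, str], path: str) -> Tuple[str, Dict[str, str]]:
    """Where to send the deck's step 6 request and with which header (Bearer scheme)."""
    url = params["instance_url"].rstrip("/") + path
    return url, {"Authorization": "Bearer " + params["access_token"]}


def sample_callback(secret: str = CLIENT_SECRET) -> str:
    """Constructed callback URL shaped like the deck's step 4 Location header."""
    identity = "https://login.salesforce.com/id/00Dx00000000001EAA/005x0000000001EAA"
    issued_at = "1301336605000"
    return "myapp://oauth#" + urlencode({
        "access_token": "00D5constructedtoken", "refresh_token": "5Aepconstructedrefresh",
        "instance_url": "https://na1.salesforce.com", "id": identity,
        "signature": expected_signature(secret, identity, issued_at), "issued_at": issued_at,
    })


if __name__ == "__main__":
    response = parse_callback(sample_callback())
    print("signature valid:", verify_signature(response, CLIENT_SECRET))
    print(api_request_parts(response, "/services/data/v25.0/sobjects/User"))
```

The same parsing applies to an error callback (error=access_denied), which is why the code checks for access_token rather than assuming success; the tokens themselves should go straight into protected storage on the device and never into logs or crash reports.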
OAuth 2.0 Protocol – Authorization Code Flow
Participants: Browser, Client App (app.cl.com), Authorization Server (login.salesforce.com), Resource Server
1. Browser → Client App: GET /something
2. Client App → Browser: 302 Found
   Location: https://login.salesforce.com/?response_type=code&client_id=…&redirect_uri=…
3. Browser → Authorization Server: GET /?response_type=…
4. Authorization Server authenticates the user
5. Authorization Server → Browser: 302 Found
   Location: https://app.cl.com?code=…
6. Browser → Client App: GET https://app.cl.com?code=…
7. Client App → Authorization Server: POST /token
   code=…&grant_type=authorization_code&client_id=…&client_secret=…&redirect_uri=…
8. Authorization Server → Client App: 200 OK
   { "access_token": "00D5…" }
9. Client App → Resource Server: GET /data
   Authorization: OAuth 00D5…
10. Resource Server → Client App: 200 OK, Data
11. Client App → Browser: 200 OK, Some Content
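The code flow keeps the client secret on the server side: the browser only ever carries the short-lived code. As an added example (not code from the deck or from Salesforce), the block below is a small confidential-client implementation of the flow above, adding the state parameter the slide omits. The authorize URL carries a random state, the callback is rejected if its state is unknown or already used (which blocks login-CSRF and replayed callbacks before any code is exchanged), and the code is then exchanged at the token endpoint over the back channel. Endpoint URLs are the deck's central authorization server; client credentials, the app.cl.com redirect URI and the fake token endpoint are constructed so the demo runs offline.

```python
"""Added example, not code from the deck: a confidential Client App walking the
authorization code flow above, with the `state` parameter the slide omits. Endpoint
URLs are the central authorization server from the deck; client credentials, the
redirect URI (app.cl.com) and the fake token response are constructed. The POST is
injectable so the demo runs offline."""
import json
import secrets
import urllib.request
from typing import Callable, Dict, Optional
from urllib.parse import parse_qs, urlencode, urlsplit

AUTHORIZE_URL = "https://login.salesforce.com/services/oauth2/authorize"
TOKEN_URL = "https://login.salesforce.com/services/oauth2/token"


def _default_post(url: str, form: bytes) -> dict:
    req = urllib.request.Request(url, data=form,
                                 headers={"Content-Type": "application/x-www-form-urlencoded"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


class OAuthCodeClient:
    def __init__(self, client_id: str, client_secret: str, redirect_uri: str,
                 post: Optional[Callable[[str, bytes], dict]] = None):
        self.client_id, self.client_secret, self.redirect_uri = client_id, client_secret, redirect_uri
        self._post = post or _default_post
        self._pending_states = set()   # per user session in a real app

    def authorization_url(self) -> str:
        """Step 2: where to send the browser. `state` ties the callback to this login attempt."""
        state = secrets.token_urlsafe(24)
        self._pending_states.add(state)
        return AUTHORIZE_URL + "?" + urlencode({
            "response_type": "code", "client_id": self.client_id,
            "redirect_uri": self.redirect_uri, "state": state})

    def handle_callback(self, callback_url: str) -> dict:
        """Step 6: the browser brings back ?code=…&state=…; unknown or reused state is rejected
        before the code is ever exchanged."""
        query = parse_qs(urlsplit(callback_url).query)
        state = query.get("state", [None])[0]
        if state not in self._pending_states:
            raise PermissionError("unknown or reused state")
        self._pending_states.discard(state)
        if "error" in query:
            raise PermissionError("authorization failed: " + query["error"][0])
        return self.exchange_code(query["code"][0])

    def exchange_code(self, code: str) -> dict:
        """Step 7: back-channel POST to /token; the secret never touches the browser."""
        form = urlencode({
            "grant_type": "authorization_code", "code": code, "client_id": self.client_id,
            "client_secret": self.client_secret, "redirect_uri": self.redirect_uri}).encode()
        tokens = self._post(TOKEN_URL, form)
        if "access_token" not in tokens:
            raise PermissionError("token endpoint returned " + tokens.get("error", "no access_token"))
        return tokens

    @staticmethod
    def api_headers(tokens: dict) -> Dict[str, str]:
        """Step 9 header, using the Bearer scheme alongside the slide's `OAuth` scheme."""
        return {"Authorization": "Bearer " + tokens["access_token"]}


def fake_token_endpoint(url: str, form: bytes) -> dict:
    """Constructed stand-in for login.salesforce.com/services/oauth2/token."""
    fields = parse_qs(form.decode())
    if url != TOKEN_URL or fields["grant_type"] != ["authorization_code"]:
        raise ValueError("unexpected token request")
    if fields["code"] != ["constructed-code"]:
        return {"error": "invalid_grant"}
    return {"access_token": "00D5constructedtoken", "instance_url": "https://na1.salesforce.com"}


if __name__ == "__main__":
    client = OAuthCodeClient("constructed-id", "constructed-secret",
                             "https://app.cl.com/callback", post=fake_token_endpoint)
    url = client.authorization_url()
    state = url.rsplit("state=", 1)[1]
    print(client.handle_callback(f"https://app.cl.com/callback?code=constructed-code&state={state}"))
```

Because state is discarded on first use, a second delivery of the same callback (a replayed link, or a user pressing back) fails closed; the redirect_uri sent to the token endpoint must match the one used on the authorize request, which is why both come from the same client object.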
Enabling org-level policy with OAuth 2.0
• Central Authorization Server
  • https://login.salesforce.com/services/oauth2/
• Alternative URLs bind to org
  • My Domain
    • https://gluecon.my.salesforce.com/services/oauth2/
  • Force.com Site
    • https://gluecon.secure.force.com/services/oauth2/
  • Community
    • https://gluecon.force.com/attendees/services/oauth2/
Server to Server Authorization
• SAML 2.0 Bearer Assertion
  • Exchange SAML Assertion for OAuth token
  • http://tools.ietf.org/html/draft-ietf-oauth-saml2-bearer
• JSON Web Token (JWT)
  • Assert identity via signed JSON object
  • http://tools.ietf.org/html/draft-ietf-oauth-json-web-token
  • https://developers.google.com/accounts/docs/OAuth2ServiceAccount
Summer ’13
SAML
• Multiple Identity Providers
  • Support single sign-on for internal + external users
• Single Sign-On Configurable via API
  • Packaging, automation
Salesforce Communities
• Public or private, branded spaces for your employees, customers, and partners
• Subset of features and data from internal Salesforce org
  • Membership, branding, login options, etc are configurable
• Advanced customization via code
• Replaces Partner Portal & Customer Portal
Winter ’14
Winter ’14 and Beyond
• Native two-factor authentication
  • Standards-based – OATH
• Identity Bridge
  • Easy integration with Active Directory
  • SSO and Provisioning
• SCIM
  • Currently in pilot
User Management and Provisioning
Automated User Management
• Manage your Users in one place
• Automate provisioning processes across clouds
Secure De-provisioning
• Single place to de-activate users
• Quickly and automatically shut them off everywhere
Pre-Integrated
• Identity Connectors to popular platforms
• Standard SCIM Connector
Fully Extensible
• Graphical Workflow Engine
• Plugin code directly to the Cloud
• Flexible workflow rules, triggers, fields, validation, etc
Backup – A Deeper Dive into a SAML Assertion
SAML 2.0 Assertion - Issuer
<Assertion ID="_20f7…" IssueInstant="2011-03-28T18:23:25.539Z" Version="2.0">
  <Issuer>http://adfs-dc.my.example.com/adfs/services/trust</Issuer>
  <Signature/>
  <Subject/>
  <Conditions/>
  <AttributeStatement/>
  <AuthnStatement/>
</Assertion>
SAML 2.0 Assertion - Signature
<Assertion>
  <Issuer/>
  <Signature>
    <SignedInfo>
      <CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
      <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
      <Reference URI="#_20f7fb27-6bb1-4801-aaab-25b4ff862d2f">
        <Transforms>
          <Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
          <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
        </Transforms>
        <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
        <DigestValue>UrcVwqLcdqMvtJUkxiIw9CBN1h8=</DigestValue>
      </Reference>
    </SignedInfo>
    <SignatureValue>ITY8KT…</SignatureValue>
    <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
      <X509Data>
        <X509Certificate>MIIC6D…</X509Certificate>
      </X509Data>
    </KeyInfo>
  </Signature>
  <Subject/>
  <Conditions/>
  <AttributeStatement/>
  <AuthnStatement/>
</Assertion>
SAML 2.0 Assertion - Subject
<Assertion>
  <Issuer/>
  <Signature/>
  <Subject>
    <NameID>[email protected]</NameID>
    <SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
      <SubjectConfirmationData InResponseTo="_2Qwip…" NotOnOrAfter="2011-03-28T18:28:25.539Z" Recipient="https://login.sf.com/?saml=…"/>
    </SubjectConfirmation>
  </Subject>
  <Conditions/>
  <AttributeStatement/>
  <AuthnStatement/>
</Assertion>
SAML 2.0 Assertion - Conditions
<Assertion>
  <Issuer/>
  <Signature/>
  <Subject/>
  <Conditions NotBefore="2011-03-28T18:23:25.537Z" NotOnOrAfter="2011-03-28T19:23:25.537Z">
    <AudienceRestriction>
      <Audience>https://superpat.my.salesforce.com</Audience>
    </AudienceRestriction>
  </Conditions>
  <AttributeStatement/>
  <AuthnStatement/>
</Assertion>
SAML 2.0 Assertion – AttributeStatement
<Assertion>
  <Issuer/>
  <Signature/>
  <Subject/>
  <Conditions/>
  <AttributeStatement>
    <Attribute Name="User.Email">
      <AttributeValue>[email protected]</AttributeValue>
    </Attribute>
    <!-- Also need LastName, ProfileId, UserName for JIT Provisioning -->
  </AttributeStatement>
  <AuthnStatement/>
</Assertion>
SAML 2.0 Assertion - AuthnStatement
<Assertion>
  <Issuer/>
  <Signature/>
  <Subject/>
  <Conditions/>
  <AttributeStatement/>
  <AuthnStatement AuthnInstant="2011-03-28T18:23:25.501Z">
    <AuthnContext>
      <AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</AuthnContextClassRef>
    </AuthnContext>
  </AuthnStatement>
</Assertion>
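The elements dissected above are exactly the ones a Service Provider has to check before trusting the assertion, and the AttributeStatement is where the JIT provisioning attributes from the earlier slide (ProfileId, UserName, LastName mandatory) arrive. As an added example (not code from the deck or Salesforce's own validation logic), the block below runs those checks: Issuer against the configured IdP, Conditions NotBefore/NotOnOrAfter with a small clock-skew allowance, AudienceRestriction against this SP, the bearer SubjectConfirmationData's Recipient, NotOnOrAfter and InResponseTo against outstanding AuthnRequest IDs, and presence of the mandatory JIT attributes. It collects every problem rather than stopping at the first, so a rejected login is fully explained in the SP's log. Issuer, audience, timestamps, assertion ID and ProfileId come from the slides; NameID, InResponseTo, Recipient and the other attribute values are constructed. XML-signature verification over the Assertion element must run before any of this and is out of scope for the block.

```python
"""Added example, not code from the deck: the checks a Service Provider makes on the
assertion dissected above before it trusts the identity, plus extraction of the JIT
provisioning attributes (ProfileId, UserName, LastName mandatory). Issuer, audience,
timestamps and ProfileId come from the slides; NameID, InResponseTo, Recipient and
the other attribute values are constructed. XML-signature verification must run
first (e.g. with an xmlsec binding) and is out of scope here."""
import xml.etree.ElementTree as ET   # use defusedxml.ElementTree for untrusted input
from datetime import datetime, timedelta, timezone
from typing import Dict, Iterable, List

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
BEARER = "urn:oasis:names:tc:SAML:2.0:cm:bearer"
JIT_REQUIRED = ("ProfileId", "UserName", "LastName")   # mandatory for JIT provisioning per the deck


def parse_time(value: str) -> datetime:
    for fmt in ("%Y-%m-%dT%H:%M:%S.%fZ", "%Y-%m-%dT%H:%M:%SZ"):
        try:
            return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            continue
    raise ValueError("bad SAML timestamp: " + value)


def validate_assertion(xml: str, expected_issuer: str, expected_audience: str,
                       expected_recipient: str, pending_request_ids: Iterable[str],
                       now_iso: str, skew: timedelta = timedelta(minutes=3)) -> dict:
    """Return {"ok", "problems", "name_id", "attributes"}; never stop at the first problem
    so the SP log shows everything that was wrong with a rejected assertion."""
    now = parse_time(now_iso)
    root = ET.fromstring(xml)
    problems: List[str] = []

    issuer = (root.findtext("saml:Issuer", default="", namespaces=NS) or "").strip()
    if issuer != expected_issuer:
        problems.append(f"unexpected Issuer {issuer!r}")

    cond = root.find("saml:Conditions", NS)
    if cond is None:
        problems.append("no Conditions element")
    else:
        if now + skew < parse_time(cond.get("NotBefore")):
            problems.append("assertion not yet valid")
        if now - skew >= parse_time(cond.get("NotOnOrAfter")):
            problems.append("assertion expired")
        audiences = [a.text.strip() for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
        if expected_audience not in audiences:
            problems.append(f"Audience {audiences} does not include this SP")

    scd = root.find(f"saml:Subject/saml:SubjectConfirmation[@Method='{BEARER}']/saml:SubjectConfirmationData", NS)
    if scd is None:
        problems.append("no bearer SubjectConfirmationData")
    else:
        if scd.get("Recipient") != expected_recipient:
            problems.append("Recipient is not our ACS URL")
        if now - skew >= parse_time(scd.get("NotOnOrAfter")):
            problems.append("SubjectConfirmation expired")
        if scd.get("InResponseTo") not in set(pending_request_ids):
            problems.append("InResponseTo does not match an outstanding AuthnRequest")

    attributes: Dict[str, List[str]] = {}
    for attr in root.findall("saml:AttributeStatement/saml:Attribute", NS):
        attributes[attr.get("Name")] = [(v.text or "").strip() for v in attr.findall("saml:AttributeValue", NS)]
    for name in JIT_REQUIRED:
        if not attributes.get(name):
            problems.append(f"JIT attribute {name} missing")

    name_id = (root.findtext("saml:Subject/saml:NameID", default="", namespaces=NS) or "").strip()
    return {"ok": not problems, "problems": problems, "name_id": name_id, "attributes": attributes}


# Constructed assertion built from the values on the slides above (signature omitted).
SAMPLE_ASSERTION = """<Assertion xmlns="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_20f7fb27-6bb1-4801-aaab-25b4ff862d2f" IssueInstant="2011-03-28T18:23:25.539Z" Version="2.0">
  <Issuer>http://adfs-dc.my.example.com/adfs/services/trust</Issuer>
  <Subject>
    <NameID>pat@example.com</NameID>
    <SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
      <SubjectConfirmationData InResponseTo="_req-constructed-1" NotOnOrAfter="2011-03-28T18:28:25.539Z"
          Recipient="https://superpat.my.salesforce.com/?saml=constructed"/>
    </SubjectConfirmation>
  </Subject>
  <Conditions NotBefore="2011-03-28T18:23:25.537Z" NotOnOrAfter="2011-03-28T19:23:25.537Z">
    <AudienceRestriction><Audience>https://superpat.my.salesforce.com</Audience></AudienceRestriction>
  </Conditions>
  <AttributeStatement>
    <Attribute Name="User.Email"><AttributeValue>pat@example.com</AttributeValue></Attribute>
    <Attribute Name="UserName"><AttributeValue>pat@example.com</AttributeValue></Attribute>
    <Attribute Name="LastName"><AttributeValue>Patterson</AttributeValue></Attribute>
    <Attribute Name="ProfileId"><AttributeValue>00eE0000000Lst0IAC</AttributeValue></Attribute>
  </AttributeStatement>
  <AuthnStatement AuthnInstant="2011-03-28T18:23:25.501Z">
    <AuthnContext><AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</AuthnContextClassRef></AuthnContext>
  </AuthnStatement>
</Assertion>"""

EXPECTED = dict(expected_issuer="http://adfs-dc.my.example.com/adfs/services/trust",
                expected_audience="https://superpat.my.salesforce.com",
                expected_recipient="https://superpat.my.salesforce.com/?saml=constructed")

if __name__ == "__main__":
    print(validate_assertion(SAMPLE_ASSERTION, now_iso="2011-03-28T18:25:00Z",
                             pending_request_ids={"_req-constructed-1"}, **EXPECTED))
```

Note the two different lifetimes in the sample: the Conditions window is an hour, but the bearer SubjectConfirmationData expires after five minutes, so a replayed POST a little later fails on SubjectConfirmation even though the assertion as a whole is still "valid"; the InResponseTo check against the SP's own outstanding request IDs catches replays within that window.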