Single Sign on (SSO)

Authentication is login; authorization is which objects, fields and records a user can access.

SSO: establish identity once and then log in to multiple apps using that same identity.

If the identity provider gives the green signal, the service provider gives the requested resources to the user.

Types of SSO:

1] Delegated Authentication: captures the credentials and sends them to an external web service for authentication.

2] Federated Authentication (SAML, Security Assertion Markup Language)

Identity Provider (IdP): the system that issues the SAML assertion carrying the user's identity. The assertion is passed over to the Service Provider.

Service Provider (SP): uses the user identity information in the SAML assertion to authenticate the user and allow access to the requested resource.

Flows are classified based on who initiates them (IdP initiated or SP initiated).

IdP Initiated Flow:

Copy the Salesforce identity URL from the IdP (the SAML Metadata Discovery Endpoint) into a Remote Site Setting on the SP.

On the SP side, create the SSO setting either from the metadata URL copied above, or by downloading the metadata from the IdP and uploading it on the SP.

A connected app is created in the IdP org to connect the SP org/community.

Entity ID is the SSO entity ID of the SP org.

ACS URL is the SSO login URL of the SP org/community (the one you want to connect with the IdP Salesforce org).

1] User enters credentials, which are validated by the IdP.

2] User clicks a link to access Salesforce.

3] A SAML assertion is sent to Salesforce with the Federation ID or Salesforce username.
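The checks a service provider runs on that assertion before it maps the NameID to a Federation ID, as an added example (not Salesforce code): the issuer must be the configured IdP, the audience must be this SP's entity ID, the recipient must be this SP's ACS URL, the validity window must cover "now", and the NameID must match a user's Federation ID. The assertion, the entity IDs, the ACS URL and the user table are constructed placeholders. Signature verification is not shown; Salesforce verifies the assertion signature against the IdP certificate held in the SSO setting.

```python
"""Service-provider-side checks on an inbound SAML 2.0 assertion.

Added example, not Salesforce's implementation. Entity IDs, ACS URL,
assertion and user table are constructed placeholders. Signature
verification is deliberately not part of this example.
"""
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Placeholder values that the SSO setting on the SP org would hold.
SP_ENTITY_ID = "https://sp-org.example.my.salesforce.com"
SP_ACS_URL = "https://sp-org.example.my.salesforce.com/saml/acs"
IDP_ENTITY_ID = "https://idp-org.example.my.salesforce.com"

# Constructed user table: Federation ID -> Salesforce username on the SP org.
FEDERATION_IDS = {"jane.doe@example.com": "jane.doe@sp-org.example"}

# Constructed assertion, shaped like what an IdP posts to the ACS URL.
ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_a1" Version="2.0" IssueInstant="2024-01-15T10:00:00Z">
  <saml:Issuer>https://idp-org.example.my.salesforce.com</saml:Issuer>
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">jane.doe@example.com</saml:NameID>
    <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
      <saml:SubjectConfirmationData NotOnOrAfter="2024-01-15T10:05:00Z"
          Recipient="https://sp-org.example.my.salesforce.com/saml/acs"/>
    </saml:SubjectConfirmation>
  </saml:Subject>
  <saml:Conditions NotBefore="2024-01-15T09:59:00Z" NotOnOrAfter="2024-01-15T10:05:00Z">
    <saml:AudienceRestriction>
      <saml:Audience>https://sp-org.example.my.salesforce.com</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
</saml:Assertion>"""


def _ts(value):
    """Parse a SAML UTC timestamp such as 2024-01-15T10:05:00Z."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def check_assertion(xml_text, now, sp_entity_id=SP_ENTITY_ID, acs_url=SP_ACS_URL,
                    idp_entity_id=IDP_ENTITY_ID, federation_ids=FEDERATION_IDS):
    """Return (username, []) when every check passes, else (None, [reasons])."""
    root = ET.fromstring(xml_text)
    problems = []

    # 1. Issuer must be the IdP configured in the SSO setting.
    issuer = root.findtext("saml:Issuer", default="", namespaces=NS).strip()
    if issuer != idp_entity_id:
        problems.append(f"issuer {issuer!r} is not the configured IdP")

    # 2. Validity window and audience (the SP's own entity ID).
    cond = root.find("saml:Conditions", NS)
    if cond is None:
        problems.append("assertion has no Conditions")
    else:
        not_before, not_on_or_after = cond.get("NotBefore"), cond.get("NotOnOrAfter")
        if not_before and now < _ts(not_before):
            problems.append("assertion not yet valid")
        if not_on_or_after and now >= _ts(not_on_or_after):
            problems.append("assertion expired")
        audiences = [(a.text or "").strip()
                     for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
        if sp_entity_id not in audiences:
            problems.append(f"audience {audiences} does not include this SP's entity ID")

    # 3. Bearer confirmation must name this SP's ACS URL and still be fresh.
    scd = root.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd is None or scd.get("Recipient") != acs_url:
        problems.append("Recipient is not this SP's ACS URL")
    elif scd.get("NotOnOrAfter") and now >= _ts(scd.get("NotOnOrAfter")):
        problems.append("subject confirmation expired")

    # 4. NameID must map to a user's Federation ID on the SP org.
    name_id = root.findtext("saml:Subject/saml:NameID", default="", namespaces=NS).strip()
    if not name_id:
        problems.append("assertion has no NameID")
    elif name_id not in federation_ids:
        problems.append(f"no user with Federation ID {name_id!r}")

    if problems:
        return None, problems
    return federation_ids[name_id], []


if __name__ == "__main__":
    user, why = check_assertion(ASSERTION, _ts("2024-01-15T10:01:00Z"))
    print("accepted as", user) if user else print("rejected:", why)
```

Each reason is collected rather than returned on the first failure so that a misconfiguration (wrong Entity ID on one side, a missing Federation ID on the user) shows up in one pass when testing the flow.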

SP Initiated Flow

  1. User enters the custom domain URL.
  2. Salesforce forwards a SAML request to the identity provider.
  3. User enters credentials, which are validated by the identity provider.
  4. A SAML assertion is returned to Salesforce with the Federation ID or Salesforce username.
  5. Salesforce generates a session.
  6. This is the recommended Salesforce best practice.

SSO between one SF org and another SF org

IdP SF org:

1] Enable My Domain

2] Quick Find → Identity Provider → Enable IdP → Create a self-signed or CA-signed certificate → Create an identity provider using the certificate → Download the metadata, or note down the discovery endpoint, to create the SSO setting on the SP.

3] Create a connected app for the SP; this handles the external app connecting to this SF org. → Enable SAML → Entity ID is the entity ID from the SSO configuration on the SP. ACS URL is the login URL of the SP org or community that you want to connect to the IdP org once SSO is set up on the SP → Subject Type: select Federation ID → Name ID Format = SAML 2.0 → Copy the landing page of the SP org where you want to land into Start URL → Click Manage and copy the IdP-initiated login URL → Give profile access to this connected app.

SP SF org:

1] Single Sign-On Settings → Enable SAML → Create a new SSO setting

2] Create the SSO setting either from the metadata downloaded from the IdP (import it) or from the IdP's discovery endpoint (use the metadata URL on the SP; add this discovery URL to Remote Site Settings first) → SAML Identity Type: select Federation ID → Copy the IdP-initiated login URL from the connected app and paste it into "Identity Provider Login URL".

3] Copy the endpoint from the SSO setting (SP org or community) that you want to connect to the IdP into the ACS URL of the connected app on the IdP org.

4] Setup → My Domain → Authentication Configuration → Authentication Service → select the option created by the SSO setting.

Verify that the Federation ID is set up for the user in both orgs and that it is the same value in each.
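The IdP and SP steps above hand values back and forth that both come from SAML metadata: the IdP's issuer, login URL and signing certificate go into the SP's SSO setting, and the SP's entity ID and ACS URL go into the connected app on the IdP org. The following added example (not Salesforce code) pulls those values out of both metadata documents and flags the pairing problems that usually surface only as a failed login. Both metadata documents, the hostnames and the certificate body are constructed placeholders.

```python
"""Extract the SSO-setting and connected-app values from SAML 2.0 metadata.

Added example, not Salesforce code. Both documents are constructed
samples; hostnames and the certificate body are placeholders.
"""
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed: shaped like what an IdP org's discovery endpoint returns.
IDP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://idp-org.example.my.salesforce.com">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>MIIC...PLACEHOLDER...</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://idp-org.example.my.salesforce.com/idp/endpoint/HttpPost"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp-org.example.my.salesforce.com/idp/endpoint/HttpRedirect"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

# Constructed: shaped like the metadata an SP org exports from its SSO setting.
SP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://sp-org.example.my.salesforce.com">
  <md:SPSSODescriptor WantAssertionsSigned="true"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://sp-org.example.my.salesforce.com/saml/acs" index="1"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""


def _entity_id(root):
    eid = root.get("entityID")
    if not eid:
        raise ValueError("metadata has no entityID")
    return eid


def _formats(desc):
    return [(n.text or "").strip() for n in desc.findall("md:NameIDFormat", NS)]


def parse_idp_metadata(xml_text):
    """Issuer, login URL, signing certificate(s) and NameID formats of an IdP."""
    root = ET.fromstring(xml_text)
    desc = root.find("md:IDPSSODescriptor", NS)
    if desc is None:
        raise ValueError("not IdP metadata: no IDPSSODescriptor")
    certs = []
    for kd in desc.findall("md:KeyDescriptor", NS):
        if kd.get("use") in (None, "signing"):      # no 'use' means signing and encryption
            for c in kd.findall("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS):
                certs.append("".join((c.text or "").split()))   # drop PEM line wrapping
    endpoints = {s.get("Binding"): s.get("Location")
                 for s in desc.findall("md:SingleSignOnService", NS)}
    return {"entity_id": _entity_id(root),
            "login_url": endpoints.get(POST) or next(iter(endpoints.values()), None),
            "signing_certs": certs,
            "name_id_formats": _formats(desc)}


def parse_sp_metadata(xml_text):
    """Entity ID, HTTP-POST ACS URL and NameID formats of an SP."""
    root = ET.fromstring(xml_text)
    desc = root.find("md:SPSSODescriptor", NS)
    if desc is None:
        raise ValueError("not SP metadata: no SPSSODescriptor")
    acs = {s.get("Binding"): s.get("Location")
           for s in desc.findall("md:AssertionConsumerService", NS)}
    return {"entity_id": _entity_id(root),
            "acs_url": acs.get(POST),
            "wants_signed_assertions": desc.get("WantAssertionsSigned", "false").lower() == "true",
            "name_id_formats": _formats(desc)}


def sp_sso_setting(idp):
    """Values the SP org's SSO setting takes from the IdP metadata."""
    return {"Issuer": idp["entity_id"],
            "Identity Provider Login URL": idp["login_url"],
            "Identity Provider Certificate": idp["signing_certs"][0] if idp["signing_certs"] else None}


def idp_connected_app(sp):
    """Values the connected app on the IdP org takes from the SP metadata."""
    return {"Entity Id": sp["entity_id"], "ACS URL": sp["acs_url"]}


def pairing_problems(idp, sp):
    """Configuration mismatches that would make the SAML flow fail."""
    problems = []
    if not idp["signing_certs"]:
        problems.append("IdP metadata has no signing certificate; assertions cannot be verified")
    if not idp["login_url"]:
        problems.append("IdP metadata has no SingleSignOnService endpoint")
    if not sp["acs_url"]:
        problems.append("SP metadata has no HTTP-POST AssertionConsumerService")
    for label, url in (("IdP login URL", idp["login_url"]), ("SP ACS URL", sp["acs_url"])):
        if url and not url.startswith("https://"):
            problems.append(f"{label} is not https")
    if not set(idp["name_id_formats"]) & set(sp["name_id_formats"]):
        problems.append("no NameID format common to IdP and SP")
    return problems


if __name__ == "__main__":
    idp, sp = parse_idp_metadata(IDP_METADATA), parse_sp_metadata(SP_METADATA)
    print("SP SSO setting:", sp_sso_setting(idp))
    print("IdP connected app:", idp_connected_app(sp))
    print("problems:", pairing_problems(idp, sp) or "none")
```

Pointing `parse_idp_metadata` at the document fetched from the discovery endpoint and `parse_sp_metadata` at the SP's downloaded metadata gives the exact strings to paste on each side, which removes the copy-and-paste mismatches between Entity ID and ACS URL that the steps above depend on.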

Test the IdP initiated flow:

1] Log in to the IdP SF org → go to the App Launcher → you will see the connected app you created → clicking the app should take you directly to the landing page of the SP SF org.

Test the SP initiated flow:

1] Log in to the SP SF org.

2] Select the option to log in using the IdP.

3] It will redirect to the IdP SF org and then back to the SP SF org.

Set up SSO between SF and AD

1] Ask the client to provide the certificate from AD and the metadata from the "Endpoint".

2] Set up My Domain on the SF org. Authentication Configuration → Authentication Services (select the AD server).

3] Set up SSO. Enable SAML. Use the certificate provided by the customer. Entity ID = the My Domain URL of the box.

4] The Identity Provider Login URL is where users are redirected when they attempt to log in. Ask the client for it.

5] Download the metadata after the SSO configuration is done and share it with the customer.

6] In AD, create a relying party trust and import the file from step 5.

7] Set the Federation ID to the email address.

8] In AD, make sure that SHA-1 is selected.

 

=== If a self-signed certificate is generated in SF ===

Create a self-signed certificate.

Create an identity provider and use the certificate created above.

Configure SSO and use the certificate created above.

Set the Entity ID to the URL of the box.

Ask the customer for the following:

    Issuer, Identity Provider Login URL

Download the metadata and the certificate created from the identity provider and send them to the client for configuration on their side.

=== If a certificate is requested by AD ===

Configure SSO in SF.

Ask the client for the following:

Issuer Name: the federation endpoint, which is a unique domain for the IdP (from the client).

Identity Provider Authentication Certificate: downloaded from the identity provider admin console (from the client).

Request Signing Certificate: select the certificate you uploaded earlier from the dropdown.

Set the Entity ID to the URL of the box.

SAML Identity Type: Federation ID.

Identity Provider Login URL: ask the client.

After SSO is configured, download the metadata and share it with the customer to add the trust in AD.

Share the login URL with the customer as the new URL for logging in to SF using SSO.

===================================================

OpenID Connect and SSO

SAML is based on XML. OpenID Connect is based on JSON.

Set up My Domain.

Configure an Auth Provider → select OpenID Connect → point it to the OpenID Connect server.

Enter the client ID, secret and URLs provided by the customer.

The User object needs a field for account linking.

Link a custom registration handler class.

In My Domain → Authentication Configuration, select the auth provider you configured. For a community, select the configured auth provider in the Login and Registration section.

For Social Sign-On:

Set up My Domain.

1] Auth Provider → select Google. Set the client ID and secret.

Set a Google Plus user ID field on the User object for account linking.

Update the user record with the Google Plus user ID.

Share the Single Sign-On Initialization URL with the customer to integrate.

Copy the callback URL into the redirect URI of the Google app.

2] My Domain → Authentication Configuration, select the auth provider you configured. For a community, do the same on the Registration and Login page.
