Authentication is the login (proving who the user is); authorization is which
objects, fields and records that user can access.
SSO: establish identity once and then log in to multiple
apps using the same identity.
If the identity provider gives the green signal, the service
provider gives the user the requested resources.
1] Delegated Authentication: captures the credentials and sends them to an
external web service for authentication.
2] Federated Authentication (SAML, Security Assertion
Markup Language)
Identity Provider: the system that provides the SAML assertion
carrying the user's identity; the assertion is passed over to the Service Provider.
Service Provider: uses the user identity information from the SAML
assertion to authenticate the user and allow access to the requested resource.
Flows are classified based on who initiates the flow.
Copy the Salesforce identity URL from the IdP (SAML Metadata
Discovery Endpoint) into Remote Site Settings on the SP.
On the SP side, create the SSO setting either from the metadata URL
copied above OR by downloading the metadata from the IdP and uploading it on the SP.
A connected app is created in the IdP org to connect the SP org/community.
Entity ID is the SSO entity ID of the SP org.
ACS URL is the SSO login URL of the SP org/community (the one you
want to connect with the IdP SF org).
2] User clicks a link to access SF.
3] A SAML assertion is sent to SF with the Federation ID or SF
username.
- User enters the custom domain URL.
- Salesforce forwards a SAML request to the identity provider.
- User enters credentials, which are validated by the identity provider.
- A SAML assertion is returned to Salesforce with the Federation ID or Salesforce username.
- Salesforce generates a session.
- This is the Salesforce recommended best practice.
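Added example, not part of the original notes: the checks an SP performs on the assertion returned in the last steps above, after a SAML library has already verified the XML signature. It checks the status, the Issuer against the configured IdP, the Audience against the SP entity ID, the bearer Recipient against the ACS URL, the validity window, and finally looks the NameID up as a Federation ID (what the "SAML Identity Type = Federation ID" setting on the SP means). The Response, SP settings and user table are constructed placeholders.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"

# What the SP's Single Sign-On Setting holds (constructed values).
SP_CONFIG = {
    "issuer": "https://idp-org.example.my.salesforce.com",          # IdP entity ID
    "entity_id": "https://sp-org.example.my.salesforce.com",        # SP entity ID
    "acs_url": "https://sp-org.example.my.salesforce.com/saml/acs",  # placeholder ACS URL
}
# Federation ID -> Salesforce username, standing in for the SP org's user table.
USERS_BY_FEDERATION_ID = {"jdoe@example.com": "jdoe@sp-org.example"}


class SamlError(Exception):
    pass


def make_response(name_id="jdoe@example.com", issuer=SP_CONFIG["issuer"],
                  audience=SP_CONFIG["entity_id"], recipient=SP_CONFIG["acs_url"],
                  not_on_or_after="2024-01-01T12:05:00Z"):
    """Constructed SAML Response; the ds:Signature is omitted on purpose (see lead-in)."""
    return f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
  ID="_r1" Version="2.0" IssueInstant="2024-01-01T12:00:00Z" Destination="{SP_CONFIG['acs_url']}">
  <saml:Issuer>{issuer}</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="{SUCCESS}"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-01-01T12:00:00Z">
    <saml:Issuer>{issuer}</saml:Issuer>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">{name_id}</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData Recipient="{recipient}" NotOnOrAfter="{not_on_or_after}"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions NotBefore="2024-01-01T11:59:00Z" NotOnOrAfter="{not_on_or_after}">
      <saml:AudienceRestriction><saml:Audience>{audience}</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""


def _ts(value):
    """Parse a SAML UTC timestamp, with or without fractional seconds."""
    value = value.rstrip("Z")
    fmt = "%Y-%m-%dT%H:%M:%S.%f" if "." in value else "%Y-%m-%dT%H:%M:%S"
    return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)


def validate_assertion(xml_text, config, users, now, skew=timedelta(seconds=60)):
    """Return the SP username for a SAML Response, or raise SamlError.
    Assumes the XML signature was already verified by a SAML library."""
    root = ET.fromstring(xml_text)
    status = root.find("samlp:Status/samlp:StatusCode", NS)
    if status is None or status.get("Value") != SUCCESS:
        raise SamlError("status is not Success")
    destination = root.get("Destination")
    if destination is not None and destination != config["acs_url"]:
        raise SamlError("Destination is not our ACS URL")

    assertions = root.findall("saml:Assertion", NS)
    if len(assertions) != 1:
        raise SamlError("expected exactly one Assertion")
    a = assertions[0]

    if a.findtext("saml:Issuer", default="", namespaces=NS).strip() != config["issuer"]:
        raise SamlError("Issuer does not match the configured IdP")

    cond = a.find("saml:Conditions", NS)
    if cond is None or cond.get("NotOnOrAfter") is None:
        raise SamlError("Conditions with NotOnOrAfter are required")
    not_before = cond.get("NotBefore")
    if not_before and now + skew < _ts(not_before):
        raise SamlError("assertion not yet valid")
    if now - skew >= _ts(cond.get("NotOnOrAfter")):
        raise SamlError("assertion expired")
    audiences = [x.text.strip() for x in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if config["entity_id"] not in audiences:
        raise SamlError("assertion not intended for this SP (Audience)")

    scd = a.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd is None or scd.get("Recipient") != config["acs_url"]:
        raise SamlError("bearer confirmation Recipient is not our ACS URL")
    if scd.get("NotOnOrAfter") and now - skew >= _ts(scd.get("NotOnOrAfter")):
        raise SamlError("bearer confirmation expired")

    # SAML Identity Type = Federation ID: the NameID is matched to the user's Federation ID.
    name_id = a.findtext("saml:Subject/saml:NameID", default="", namespaces=NS).strip()
    username = users.get(name_id)
    if username is None:
        raise SamlError("no user with Federation ID %r" % name_id)
    return username


if __name__ == "__main__":
    now = datetime(2024, 1, 1, 12, 0, 30, tzinfo=timezone.utc)
    print(validate_assertion(make_response(), SP_CONFIG, USERS_BY_FEDERATION_ID, now))
```

Each rejection reason is distinct so that a failed login can be traced to the mismatched setting (wrong Entity ID, wrong ACS URL, Federation ID not set on the user), which is where most SF-to-SF SSO setups go wrong.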
SSO between SF org and SF org
IdP SF org:
1] Enable My Domain.
2] Quick Find ->
Identity Provider ->
Enable IdP ->
Create a self-signed or CA-signed certificate ->
Create an identity provider using the certificate ->
Download the metadata or note down the discovery endpoint to create SSO on the SP.
3] Create a connected app for the SP; it handles the external
app connecting to this SF org. ->
Enable SAML ->
Entity ID is the entity ID from the SSO configuration on the SP. ACS is the login URL of the SP
org or community which you want to connect to the IdP org after SSO is set up on the SP ->
Subject Type: select Federation ID ->
Name ID Format = SAML 2.0 ->
Copy the landing page of the SP org where you want to land into Start URL ->
Click Manage and copy the IdP-initiated login URL ->
Give profile access to this connected app.
SP SF org:
1] Single Sign-On Settings ->
Enable SAML ->
Create a new SSO setting.
2] Create the SSO setting either from the metadata downloaded from the IdP (import it)
or from the IdP's discovery endpoint (using the metadata URL on the SP; in that case
add the discovery URL to Remote Site Settings). ->
SAML Identity Type: select Federation ID ->
Copy the IdP-initiated login URL from the connected app and paste it into "Identity Provider
Login URL".
3] Copy the endpoint from the SSO setting (SP org or community) which you
want to connect to the IdP into the ACS of the connected app on the IdP org.
4] Setup ->
My Domain ->
Authentication Configuration ->
Authentication Service ->
Select the option created by the SSO setting.
Verify that the Federation ID is set up for the user in both orgs
and that it is the same.
1] Log in to the IdP SF org ->
Go to App Launcher ->
You will see the connected app created ->
On clicking the app it should take you directly to the landing page of the SP SF org.
1] Log in to the SP SF org.
2] Select the option to log in using the IdP.
3] It will redirect to the IdP SF org and then back to the SP SF
org.
Setup SSO between SF and AD
1] Ask the client to provide the certificate from AD and the metadata
from the "Endpoint".
2] Set up My Domain on the SF org. Authentication
Configuration, Authentication Services (select the AD server).
3] Set up SSO. Enable SAML. Use the certificate provided
by the customer. Entity ID = My Domain URL of the box.
4] Identity Provider Login URL is the place where users
are redirected when they attempt to log in. Ask the client for this.
5] Download the metadata after the SSO configuration is done and
share it with the customer.
6] In AD, under Relying Party Trust, import the file from step 5.
7] Set the Federation ID as the email.
8] In AD, make sure that SHA-1 is selected.
=== If a self-signed certificate is generated in SF ===========
Create a self-signed certificate.
Create an identity provider and use the certificate created
above.
Configure SSO and use the certificate created above.
Set Entity ID to the URL of the box.
Ask the customer for the following:
Issuer,
Identity Provider Login URL.
Download the metadata and the certificate created from the identity
provider and send them to the client for configuration on their side.
=== If certificate is requested by AD ==============
Configure SSO in SF.
Ask the client for the following:
Issuer Name (federation endpoint, which is the unique domain
for the IdP): from the client.
Identity Provider Authentication Certificate (to be
downloaded from the identity provider admin console): from the client.
Request Signing Certificate: select your earlier
uploaded certificate from the dropdown.
Set Entity ID to the URL of the box.
SAML Identity Type: Federation ID.
Identity Provider Login URL: ask the client.
After SSO is configured, download the metadata and share it with the
customer to add the trust in AD.
Share the Login URL with the customer as the new URL to log in to SF
using SSO.
===================================================
OpenID Connect and SSO
SAML is based on XML; OpenID Connect is based on JSON.
Set up My Domain.
Configure Auth. Provider ->
Select OpenID Connect ->
Point it to the OpenID Connect server.
Put in the client ID, secret and URL provided by the customer.
The User object needs a field for account linking.
Link a custom registration handler class.
In My Domain, Authentication Configuration, select the auth
provider configured. For a community, select the auth provider configured in the
Login and Registration section.
For social sign-on:
Set up My Domain.
1] Auth. Provider ->
Select Google. Set the client ID and secret.
Set the Google Plus user ID field on User for account
linking.
Update the user record with the Google Plus user ID.
Share the Single Sign-On Initialization URL with customers to
integrate.
Copy the callback URL into the redirect URI in the Google app.
2] My Domain ->
Authentication Configuration, select the auth provider configured. For a community,
the Login and Registration page.
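Added Python example (not code from these notes or from Salesforce) of the logic a registration handler for the OpenID Connect and Google auth providers above carries: validate the id_token claims after its signature has been checked against the provider's JWKS (that verification is assumed done by a JWT library and is not shown), then link on the provider's stable subject stored in a linking field on User (the field name used here is hypothetical), fall back to a verified email only to link an existing unlinked user, and otherwise create a user. Provider values and user records are constructed placeholders; the function mirrors the updateUser / createUser split of the handler interface rather than reproducing it.

```python
from datetime import datetime, timezone

# Auth. Provider settings as entered in Setup (constructed placeholder values).
PROVIDER = {"issuer": "https://oidc.customer.example", "client_id": "sf-client-id-placeholder"}

# Stand-in for User records. "oidc_subject" plays the role of the custom account-linking
# field on User (hypothetical field name); it stores "issuer|sub", never the email.
CONSTRUCTED_USERS = [
    {"username": "jdoe@sp-org.example", "email": "jdoe@example.com", "oidc_subject": None},
]


class LinkError(Exception):
    pass


def validate_id_token_claims(claims, provider, now, expected_nonce, skew=60):
    """Checks applied to the id_token payload once its signature is verified.
    Returns the subject identifier on success."""
    ts = now.timestamp()
    if claims.get("iss") != provider["issuer"]:
        raise LinkError("iss does not match the configured provider")
    aud = claims.get("aud")
    aud = aud if isinstance(aud, list) else [aud]
    if provider["client_id"] not in aud:
        raise LinkError("token was not issued for our client_id")
    if len(aud) > 1 and claims.get("azp") != provider["client_id"]:
        raise LinkError("multi-audience token without matching azp")
    if not isinstance(claims.get("exp"), int) or claims["exp"] <= ts - skew:
        raise LinkError("token expired or exp missing")
    if not isinstance(claims.get("iat"), int) or claims["iat"] > ts + skew:
        raise LinkError("iat missing or in the future")
    if claims.get("nonce") != expected_nonce:
        raise LinkError("nonce mismatch (replayed or mixed-up flow)")
    sub = claims.get("sub")
    if not sub:
        raise LinkError("sub missing")
    return sub


def find_user(users, **match):
    """Return the first user whose fields equal all the given values, else None."""
    for user in users:
        if all(user.get(k) == v for k, v in match.items()):
            return user
    return None


def register_or_link(users, claims, provider, now, expected_nonce):
    """Return (username, action) where action is 'existing', 'linked' or 'created'.
    'existing' is the updateUser path; 'linked' and 'created' are the createUser path."""
    sub = validate_id_token_claims(claims, provider, now, expected_nonce)
    key = f"{provider['issuer']}|{sub}"          # link on (issuer, sub), never on email alone
    user = find_user(users, oidc_subject=key)
    if user is not None:
        return user["username"], "existing"

    # Only a provider-verified email may attach the subject to a pre-existing account,
    # and only if that account is not already linked to another subject.
    email = claims.get("email")
    if email and claims.get("email_verified") is True:
        user = find_user(users, email=email.lower())
        if user is not None:
            if user["oidc_subject"] is not None:
                raise LinkError("email belongs to a user linked to another subject")
            user["oidc_subject"] = key
            return user["username"], "linked"

    new_user = {"username": f"{sub}@oidc.sp-org.example", "email": email, "oidc_subject": key}
    users.append(new_user)
    return new_user["username"], "created"


if __name__ == "__main__":
    now = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)
    claims = {"iss": PROVIDER["issuer"], "aud": PROVIDER["client_id"], "sub": "sub-1",
              "exp": int(now.timestamp()) + 300, "iat": int(now.timestamp()), "nonce": "n1",
              "email": "jdoe@example.com", "email_verified": True}
    print(register_or_link([dict(u) for u in CONSTRUCTED_USERS], claims, PROVIDER, now, "n1"))
```

The linking field is keyed on issuer plus subject because an email can change or be reassigned at the provider while the subject stays fixed; an unverified email is deliberately not enough to take over an existing account.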