@TrainingCert

Enable Single Sign-On

with SAML and
Salesforce Identity
Chris Barry
Master Technical Instructor

Lydia Mann
Curriculum Developer
Safe Harbor Statement
This presentation may contain forward-looking statements that involve
risks, uncertainties, and assumptions. If any such risks or
uncertainties materialize or if any of the assumptions prove incorrect,
the results of salesforce.com, inc. could differ materially from the
results expressed or implied by the forward-looking statements we
make. All statements other than statements of historical fact could be
deemed forward-looking statements, including: any projections of
product or service availability, customer growth, earnings, revenues,
or other financial items; any statements regarding strategies or plans
of management for future operations; any statements concerning new,
planned, or upgraded services or developments; statements about
current or future economic conditions; and any statements of belief.
The risks and uncertainties referred to above include - but are not
limited to - risks associated with possible fluctuations in our financial
and operating results; our rate of growth; interruptions or delays in our
service or our Web hosting; breaches of our security measures; the
financial impact of any previous and future acquisitions; the nature of
our business model; our ability to continue to release, and gain
customer acceptance of, new and improved versions of our service;
successful customer deployment and utilization of our existing and
future services; competition; the emerging markets in which we
operate; our ability to hire, retain and motivate employees and
manage our growth; changes in our customer base; technological
developments; regulatory developments; litigation related to
intellectual property and other matters; and general developments in
the economy, financial markets, and credit markets.
Further information on these and other factors that could affect our
financial results is included in the reports on Forms 10-K, 10-Q and 8-
K and in other filings we make with the Securities and Exchange
Commission from time to time. These documents and others
containing important disclosures are available on the SEC Filings
section of the Investor Information section of our Web site.
Salesforce.com, inc. assumes no obligation and does not intend to
update these forward-looking statements, except as required by law.
Any unreleased services or features referenced in press releases,
presentations or public statements are not currently available and may
not be delivered on time or at all. Customers who purchase
salesforce.com applications should make their purchase decisions
based upon features that are currently available.
Training Org Login
Org will be active for 30 days post Dreamforce

username password
Username: df13samlA+###@gmail.com
Password: Dreamforce2013

For ###: use the 3-digit number on

the corner of your computer.
010
Example:
 Your computer number = 010
Your username = df13samlA+010@gmail.com

Lab Files: download from Chatter in your org

Agenda

 Single Sign-On with SAML and Salesforce Identity

 Configuring Salesforce as a Service Provider
 Exercise 1: Enabling Salesforce to be a Service Provider
 Exercise 2: Single Sign-On to Salesforce
 Setting Up Salesforce Identity to Access External Services
 Exercise 3: IdP-initiated Single Sign-On to Adobe EchoSign
 Exercise 4: SP-Initiated Single Sign-On/Off with Adobe EchoSign
 Exercise 5: Enable OAuth for Authentication
Q&A
What is Single Sign-On?

 Single password used across multiple systems

 Ability to log in once, then access many systems
 One secure store of credentials to administrate
SAML

 Security Assertion Markup Language: specification for federated authentication

 Identity Provider (IdP): the authentication server
 Service Provider: an accessible business application

Identity Provider (IdP)

Service Provider
Service Provider
HR E-Signature

Service Provider Service Provider

CRM ERP
Broad SAML Support

 Salesforce can be the SAML  Salesforce can be a SAML

Identity Provider, accessing Service Provider, accessed from
other applications. another authentication server.
Salesforce Identity

A suite of centrally managed, standards-based,

authentication and authorization services.
 Salesforce as SAML IdP
 Salesforce as SAML SP
 OAuth Connected Apps
 Canvas Connected Apps
 Single Sign-on for Portals and Communities
– Facebook
– Janrain
– Salesforce
 And more…
Salesforce Identity: Key Identity Provider Features

 Application Launcher
 Restricted/granted application access
 Branded Login Pages
 Multi-org Environment Hub
 Integration with native platform capabilities:
– Visual Workflow
– Workflow Rules
– Apex Triggers
– Reports
 Standalone Salesforce Identity licenses
 Pre-built integration to use Active Directory as credential store
 And much more…
Salesforce Identity as a
SAML Service Provider
SAML is Based on Trust

Identity Provider (IdP) Service Provider

I trust you.

I trust you. Therefore,

I can trust you.

Enabling SAML is about establishing the trust relationship

between the Service Provider and the Identity Provider.
How does Salesforce Trust the Identity Provider?

 During configuration, the IdP shares its public key certificate with Salesforce.

Identity Provider (IdP) Service Provider

 During runtime, Salesforce uses the certificate to validate that the digital
signature originated from the IdP.
Exercise 1: Enabling Salesforce to be a Service Provider

Hands-on
Exercise
Identity Provider (IdP) Service Provider

1. Download the certificate 2. Upload the certificate and

configure Salesforce

Important Note: *NEVER* use the Mock IdP (Axiom) we

will in this exercise in a real production environment!
What is an Assertion in SAML?

A directive from the IdP, attesting that the user is legitimate.

 The Identity Provider's digital signature.
 Issuer: The name of the Identity Provider. Identity Provider (IdP) Service Provider
 Entity Id: The name of the Service Provider.
 The Subject: The user Id.
– Salesforce.com username
• For example: cbarry@salesforce.com
OR
– An enterprise-wide user name, called a Federation Id
• For example: SALESFORCE\cbarry
What Does a SAML Assertion Look Like?

Digital Signature (collapsed)

The Issuer

The User Id

The Entity Id
Identity Provider-Initiated SAML Flow

Service Provider
Identity Provider (IdP)
3
2 User submits
Page returned SAML
contains form assertion to
with SAML login URL.
assertion.

1
User signs
in to IdP. 4
Salesforce
redirects to
start URL with
Session ID.
My Domain

 A custom domain for an org

– For example: https://universalcontainers.my.salesforce.com/
 Enables the capability to redirect users to an IdP upon login or logout
Service Provider-Initiated SAML Flow

Service Provider
Identity Provider (IdP)
1
User requests page
at a custom domain
for Salesforce.

3 2
If necessary, User
user signs in redirected
to IdP. 5
to IdP. Salesforce
redirects to
requested page
4 with Session ID.
IdP redirects user
to Salesforce with
SAML assertion.
Exercise 2: Single Sign-On to Salesforce

Hands-on
Exercise

Identity Provider (IdP) Service Provider

1. Configure the IdP to mimic SP-initiated sign-on.

Salesforce Identity as a
SAML Identity Provider
Salesforce as an IdP

 Use Salesforce as your IdP for single sign-on.

Service Provider

Identity Provider (IdP)

Service Provider E-Signature
HR

Service Provider Service Provider

T&E
Connected Apps

 External applications that interact with Salesforce.

– Web.
– Mobile.
– Desktop.
 Utilized in many ways.
– For single sign-on to external applications using Salesforce Identity.
– For external applications to access Salesforce APIs using OAuth.
– For external iFrame-hosted applications integrated with Salesforce Canvas.
 User access controlled by Profiles or Permission Sets.
Adobe EchoSign

 Enable recipients to e-sign contracts, anywhere, anytime, on any device.

 Give signers a simple, intuitive way to sign; get a rapid response.
 Easily send, track, and manage contracts.
 Automate e-signature processes within Salesforce.
Identity Provider-Initiated SAML Flow with Salesforce Identity

Identity Provider (IdP) Service Provider

2
User submits
SAML assertion
to Assertion
1 Consumer
The App Launcher 3
Service URL. SP redirects to
contains a form with
start URL with
SAML assertion.
new session.
Exercise 3: Sign-on to EchoSign from Salesforce Identity

Hands-on
Exercise
From Salesforce:
Identity Provider (IdP) • Certificate Service Provider
• Entity Id (Issuer)
• Login URL

From EchoSign:
• Assertion Consumer Service URL
• Entity Id

1. Setup a custom domain and download 2. Configure Service Provider settings.

certificate.
3. Define EchoSign as a Connected App.
SP-Initiated Single Sign-On with Salesforce Identity

Identity Provider (IdP) Service Provider

2
3 User redirected to
If necessary, custom Salesforce
user signs in sign-on URL.
1
to Salesforce.
User requests
custom
4 EchoSign URL.
Salesforce redirects to
Assertion Consumer
Service URL with
SAML Assertion.
Service Provider-initiated Single Sign-Off

Identity Provider (IdP) Service Provider

2
EchoSign POSTs
sign-off directive to
custom Salesforce
sign-off URL.
1
3 User signs off
User redirected to of EchoSign.
custom Salesforce
sign-on URL.
Exercise 4: SP-initiated Single Sign-On/Off with EchoSign

In addition to IdP-initiated setup… Hands-on

Exercise

Identity Provider (IdP) Service Provider

From Salesforce:
• Sign-off URL

1. Configure EchoSign for Single Sign-off.

2. Setup bookmark for EchoSign SP-
initiated single sign-on
Salesforce Identity and
OAuth
SAML vs. OAuth

SAML OAuth
Identity Provider Service Provider Service Consumer

Trust Trust

ERP

 SAML facilitates a single  OAuth facilitates secure

secure enterprise-wide cross-application access,
credential. bound to a specific user.
OAuth 2.0

 Secure cross-application access

– Avoids stored passwords
– User-specific Service Consumers

– Revocable
Web
Web Server Flow Applications
Service Provider

Desktop
Applications

User-Agent Flow

Mobile
Applications
Key OAuth Terms

 Service Provider: the database being accessed by an external application.

 Service Consumer: the application requesting access, on behalf of a user.

 Consumer Key: a unique identifier for a remote application.

 Consumer Secret: a protected and trusted passkey for a remote application.

 Authorization Token: an expirable, revocable key, similar in use to a session id.

 Refresh Token: a key used to request a new Authorization Token upon expiration.
 Authorization Code: a very short-lived unauthenticated key used to identify an
authenticated user and application requesting access.
Salesforce Identity and
OAuth User-Agent Flow
User-Agent Flow Example: Salesforce Mobile SDK for Android

2
If tokens don't exist,
begin the OAuth flow
3 to obtain tokens.
After successful Android Device
token grant, begin
business logic. Main Client
Activity Manager

1
Check local data
store for existing
OAuth tokens. Offline
Data Store
OAuth 2.0 for Mobile Applications: User-Agent Flow

1
Developer configures a
Connected App for the
mobile application.

2
A Consumer Key
is generated.
User-Agent Flow Example: Salesforce Mobile SDK for Android
2
1 A browser is launched to the
User launches the app Salesforce Login page with the
from the mobile device. Consumer Key passed as an
HTTP query string parameter.
https://login.salesforce.com
?client_id=3MV…

Apply to
a Job

Browser
User-Agent Flow Example: Salesforce Mobile SDK for Android
User-Agent Flow Example: Salesforce Mobile SDK for Android
2
1 A browser is launched to the
User launches the app Salesforce Login page with the
from the mobile device. Consumer Key passed as an
HTTP query string parameter.
https://login.salesforce.com
?client_id=3MV…

3
The user signs in to
Apply to Salesforce, then grants
a Job
access for this app.

Browser
User-Agent Flow Example: Salesforce Mobile SDK for Android
User-Agent Flow Example: Salesforce Mobile SDK for Android
2
1 A browser is launched to the
User launches the app Salesforce Login page with the
from the mobile device. Consumer Key passed as an
HTTP query string parameter.
https://login.salesforce.com
?client_id=3MV…

3
The user signs in to
Apply to Salesforce, then grants
a Job
access for this app.
df://jobapp
#access_token=…
&refresh_token=…
Browser 4
Salesforce redirects the browser
to the Callback URL with the
Access and Refresh Tokens.
User-Agent Flow Example: Salesforce Mobile SDK for Android
User-Agent Flow Example: Salesforce Mobile SDK for Android
2
1 A browser is launched to the
User launches the app Salesforce Login page with the
from the mobile device. Consumer Key passed as an
HTTP query string parameter.
https://login.salesforce.com
?client_id=3MV…

3
The user signs in to
Apply to Salesforce, then grants
a Job
access for this app.
df://jobapp
#access_token=…
&refresh_token=…
Browser 4
Salesforce redirects the browser
to the Callback URL with the
Access and Refresh Tokens.

5
The mobile app is listening for the redirect to the
callback URL; it captures and stores the tokens.
User-Agent Flow Example: Salesforce Mobile SDK for Android

On the User's record:

6
The user has now granted
revocable access to the
mobile app.
Exercise 5: Enable OAuth for Authentication

1. Define the connected app in the Salesforce Hands-on

Exercise
org.
2. Update the bootconfig.xml with the
generated OAuth keys.
3. Test authentication with the virtual device.
 Salesforce Identity and
OAuth Refresh Token Flow
Refresh Token Flow Example: Salesforce
Mobile SDK for Android 2
1 A browser is launched to the
User launches the app Salesforce Login page with the
from the mobile device. Consumer Key passed as an
HTTP query string parameter.
https://login.salesforce.com
?client_id=3MV…

3
The user signs in to
Apply to Salesforce, then grants
a Job
access for this app.
df://jobapp
#access_token=…
&refresh_token=…
Browser 4
Salesforce redirects the browser
to the Callback URL with the
Access and Refresh Tokens.

5
The mobile app is listening for the redirect to the callback
URL; it captures and stores the tokens.
Refresh Token Flow Example:
Salesforce Mobile SDK for Android

1
Eventually the access
Android Device token expires; Salesforce
returns an error.
Main Client
Activity Manager Old Access Token
HTTP 401
Refresh Token
New Access Token

3
The Mobile SDK 2
Offline The Mobile SDK uses the
stores the new Data Store refresh token to request a
Access Token for
new access token.
later use.
Salesforce Identity and
OAuth Web Server Flow
Web Server Flow Example: Order Management Application

Service Consumer Service Provider

OM

https://login.salesforce.com
?client_id=3MV…

1
User requests
integration, SC
redirects to SP with
Consumer Key.
Web Server Flow Example: Order Management Application

Service Consumer Service Provider

OM
3
Salesforce redirects
to web app with
https://fake.om.com/ 2
?code=aPrxsmIEeqM9 Authorization Code.
User logs into
Salesforce,
1 approves app.
User requests
integration, SC
redirects to SP with
Consumer Key.
Web Server Flow Example: Order Management Application
4
SC makes web service callout to Salesforce
Service Consumer with Authorization Code and Client Secret, Service Provider
receives back Access and Refresh Tokens.

POST /services/oauth2/token HTTP/1.1

Host: login.salesforce.com
code=aPrxsmIEeqM9&
OM client_secret=1955279925675241571...

3
Salesforce redirects
to web app with
Authorization Code. 2
User logs into
Salesforce,
1 approves app.
User requests
integration, SC
redirects to SP with
Consumer Key.
Web Server Flow Example: Order Management Application
4
SC makes web service callout to Salesforce
Service Consumer with Authorization Code and Client Secret, Service Provider
receives back Access and Refresh Tokens.

{..."access_token":"00Dx0000000BV7z!AR8...",
"refresh_token":"5Aep8614iLM.Dq661ePD...",...}

OM
3
Salesforce redirects
to web app with
Authorization Code. 2
User logs into
Salesforce,
1 approves app.
User requests
integration, SC
redirects to SP with
Consumer Key.
Key Takeaways

Already have an Identity and Access Looking to leverage your investment in

Manager? the Salesforce.com platform and
 Enable Salesforce as a Service implement Single Sign-On?
Provider.  Implement Salesforce Identity in your
organization.

 Build secure apps with OAuth!

Make it happen… http://www.salesforce.com/platform/identity/

Session Salesforce
Survey Success
Community
Ready for more
hands-on training? Join the
Follow up with an Talk with our Training community to
instructor-led course, Account Executives collaborate with
Don’t we suggest: for your 10% OFF customers,
forget... training voucher! employees, and
Tell us what
Integrating with peers.
you think with Force.com
Simply log in to
the session Salesforce,
survey
click Help &
Training,
then click
Collaboration.