Salesforce Identity Workshop


DESCRIPTION

A Deep Dive into Salesforce Identity - first presented at Gluecon 2013


How to use the Salesforce Identity Platform: A Deep Dive

@dcarroll

Dave Carroll, Developer Evangelist

@metadaddy

Pat Patterson, Developer Evangelist

Safe harbor

Safe harbor statement under the Private Securities Litigation Reform Act of 1995: This presentation may contain forward-looking statements that involve risks, uncertainties, and assumptions. If any such uncertainties materialize or if any of the assumptions proves incorrect, the results of salesforce.com, inc. could differ materially from the results expressed or implied by the forward-looking statements we make. All statements other than statements of historical fact could be deemed forward-looking, including any projections of product or service availability, subscriber growth, earnings, revenues, or other financial items and any statements regarding strategies or plans of management for future operations, statements of belief, any statements concerning new, planned, or upgraded services or technology developments and customer contracts or use of our services. The risks and uncertainties referred to above include – but are not limited to – risks associated with developing and delivering new functionality for our service, new products and services, our new business model, our past operating losses, possible fluctuations in our operating results and rate of growth, interruptions or delays in our Web hosting, breach of our security measures, the outcome of intellectual property and other litigation, risks associated with possible mergers and acquisitions, the immature market in which we operate, our relatively limited operating history, our ability to expand, retain, and motivate our employees and manage our growth, new releases of our service and successful customer deployment, our limited history reselling non-salesforce.com products, and utilization and selling to larger enterprise customers. Further information on potential factors that could affect the financial results of salesforce.com, inc. is included in our annual report on Form 10-Q for the most recent fiscal quarter ended July 31, 2012.
These documents and others containing important disclosures are available on the SEC Filings section of the Investor Information section of our Web site. Any unreleased services or features referenced in this or other presentations, press releases or public statements are not currently available and may not be delivered on time or at all. Customers who purchase our services should make the purchase decisions based upon features that are currently available. Salesforce.com, inc. assumes no obligation and does not intend to update these forward-looking statements.

What if there was a single place to login to all your enterprise apps?

What if there was a single place to manage your cloud and mobile apps?

Introducing Salesforce Identity: Cloud Identity and Access Management

Simple: Login once to all your cloud and mobile apps with Single Sign-On.

Social: Deep social and data integration, fully customizable and built on open standards.

Trusted: Centralized access management and provisioning, delivered through the simplicity, transparency, and trust of the Salesforce Platform.

Diagram labels: social; automate / administrate; trust; enterprise directory integration; single sign-on and user management; secure single sign-on and social apps; centralized access management, provisioning and reporting; transparent, scalable, certified.

ISO 27001, SOC 1, 2, 3 (SAS70 Type II), GSA Moderate Level Authority, EU Safe Harbor Certified, JIPDC (Japan Privacy Seal), TÜV (Germany Privacy Mark), SysTrust, TRUSTe, PCI

60 Billion Transactions / Quarter

26 Billion API calls / Quarter

7 Billion Logins / Year

100,000+ Customers

Simple: Single Sign-On and Social Apps

Single Sign-On to all your Apps
• Improve utilization and adoption
• Login once with a single, secure cloud Identity
• Access any standards based application
• Integrated Application Switcher provides quick access

Mobile
• Login once, access anywhere
• Single Sign-On for Mobile Apps
• Secure access without VPN

Social Apps with Deep Integration
• Push to your users with a common feed
• Apps integrate directly into feed
• Deep data integration provides highly differentiated apps

Secure: Centralized Access Management

Centralized Control over User Access
• Common Authorization for all your apps
• Force.com, Heroku, Mobile, and Third-Party
• Single place to enable/disable apps
• Rapidly trial, develop and deploy
• One-click Enablement

Mobile Ready
• Dedicated Mobile Policies
• Enterprise Federation for Mobile Apps
• Salesforce, IT or ISV developed
• Pre-integrated Mobile SDKs

Standard: Broad Open Standard Support

Single Sign-On
• SAML 2.0 Identity Provider
• SAML 1.1 / 2.0 Service Provider
• OpenID Connect

API Access
• OAuth 2
• OAuth 2 SAML Bearer Tokens
• OAuth 2 JWT Bearer Tokens

Cloud Directory & Provisioning
• SCIM
• SAML Provisioning

Extensible: A Full Identity-Enabled Platform

Enterprise Class Workflow
• Graphical Drag and Drop processes
• Declarative
• Fully pluggable

Broad Declarative Options
• Extensible Fields
• Declarative validation rules
• Drag and Drop layouts

Run Code
• Full programming language
• Batch Apex
• Apex Callouts
• User Triggers
• Apex Crypto

API Enabled
• Automate from off platform

Integrated: Enterprise Integration

Enterprise Class Integration
• Leverage your existing authentication systems
• Single Sign-On for Web, Mobile and API
• Best practice experience from 13,000 Tenants

Broad Provisioning Support
• Manual
• SOAP / REST
• Batch
• SAML Just-In-Time
• SCIM provisioning

Diagram labels: Active Directory; SAML & SCIM

Transparent: Centralized Reporting

Centralized Reporting
• Transparency into access and utilization

Customizable
• Drag and drop reporting engine

Analytics and Dashboards
• Leverage Salesforce Analytics to develop your own reports and dashboards

Brandable: Run your own Identity Services

Fully brand-able for Customers & Partners
• Run your own IDP
• Build federated Support offerings
• Build your customer Social Profile
• Cloud-enable your products

Social
• Pre-integrated with Facebook and other Consumer providers

Salesforce Platform: Cloud-based, multi-tenant, enterprise class PaaS

1,000,000 Salesforce Platform Developers

9 Billion API calls last month

Mobile, Social, Identity, Data, Marketplace

The Salesforce Platform

Security: Identity, data security and user services

User Profiles

Groups, Queues and Hierarchies

Permission Sets

SSO, SAML, OAuth 2.0

Connected Apps

Key Concepts for Data Security

http://developer.force.com/join

Identity Provisioning

Browser

REST API

• POST/GET/PATCH/DELETE on User endpoint: https://instance.salesforce.com/services/data/v27.0/sobjects/User

{
  "Username" : "dave@devorg.pat",
  "Alias" : "davec",
  "Email" : "dcarroll@salesforce.com",
  "EmailEncodingKey" : "UTF-8",
  "FirstName" : "Dave",
  "LanguageLocaleKey" : "en_US",
  "LastName" : "Carroll",
  "LocaleSidKey" : "en_US",
  "ProfileId" : "00eE0000000Lst0IAC",
  "TimeZoneSidKey" : "America/Los_Angeles"
}

• http://bit.ly/user-json

Workbench

workbench.developerforce.com

SOAP API

• Pass users to create(), retrieve(), update(), delete()

// For example, in Java...
User[] users = new User[2];

users[0] = new User();                 // array slots start out null; construct each user
users[0].Username = "dave@devorg.pat";
users[0].Alias = "davec";
// populate other fields

users[1] = new User();
users[1].Username = "pat@devorg.pat";
users[1].Alias = "patp";
// populate other fields

SaveResult[] results = connection.create(users);

SCIM

• Standardized REST API: https://identity.my.salesforce.com/services/data/v26.0/scim/v1/Users

{
  "userName": "demo@identitydemo.org",
  "name": { "familyName": "User", "givenName": "Demo" },
  "emails": [{ "primary": true, "value": "cmortimore@salesforce.com" }],
  "groups": [{ "value": "00eE0000000FK6tIAG", "display": "Full Time Employees" }],
  "schemas": [ "urn:scim:schemas:core:1.0", "urn:scim:schemas:extension:enterprise:1.0" ]
}

‘Just in time’ (JIT) provisioning

• SAML 2.0, Auth Providers
• Identity Provider must supply a set of mandatory attributes in the SAML Assertion: ProfileId, UserName, LastName, Email
• Many other optional attributes: FirstName, Phone, Manager etc

Single Sign-On: SAML

SAML 2.0

• Single sign-on across domains/enterprises

• OASIS standard (March 2005)

• Widely supported
• Google Apps since October 2006
• salesforce.com since Winter ’09 (October 2008)
• Active Directory Federation Services (AD FS) since version 2.0 (May 2010)

SAML 2.0 Roles

SAML 2.0 Protocol

Participants: Browser, Identity Provider, Service Provider

• Browser → Service Provider: GET /something
• Service Provider → Browser: HTTP/1.1 302 Found, Location: http://idp.ex.com/saml?SAMLrequest=hf7893b…&RelayState=HKFDhh383
• Browser → Identity Provider: GET http://idp.ex.com/saml?SAMLrequest=hf7893b…&RelayState=HKFDhh383
• Identity Provider: Authenticate the user
• Identity Provider → Browser: 200 OK, SAML Assertion in HTML FORM
• Browser → Service Provider: POST /acs, SAML Assertion
• Service Provider → Browser: HTTP/1.1 302 Found, Location: http://sp.ex.net/something, Set-Cookie: token=value; Domain=.ex.net
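How the redirect in the second and third steps is actually built, as an added example that is not part of the original deck: the service provider's AuthnRequest is raw-DEFLATEd and base64-encoded into the SAMLRequest query parameter (the diagram's "SAMLrequest"), and the identity provider decodes it on arrival. The entity IDs, URLs, RelayState value and the REGISTERED_SPS registry are constructed assumptions for the example; the IdP-side check that the requested AssertionConsumerServiceURL matches the SP's registered metadata is the detail a deployment should not skip, because the request itself is unsigned here.

```python
"""
Added example (not from the slides): SP-initiated SAML 2.0 HTTP-Redirect binding.
Entity IDs, URLs, RelayState and the registry are constructed sample values.
"""
import base64
import uuid
import zlib
from datetime import datetime, timezone
from urllib.parse import parse_qs, urlencode, urlparse
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed IdP-side registry of SPs and their assertion consumer URLs (hypothetical)
REGISTERED_SPS = {"https://sp.ex.net": {"https://sp.ex.net/acs"}}


def build_authn_request(sp_entity_id, acs_url, idp_sso_url, request_id=None, issue_instant=None):
    """Return (ID, XML). The SP keeps the ID so it can match the assertion's InResponseTo later."""
    request_id = request_id or "_" + uuid.uuid4().hex
    issue_instant = issue_instant or datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    xml = (
        f'<samlp:AuthnRequest xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" '
        f'ID="{request_id}" Version="2.0" IssueInstant="{issue_instant}" '
        f'Destination="{idp_sso_url}" AssertionConsumerServiceURL="{acs_url}" '
        f'ProtocolBinding="{HTTP_POST}">'
        f"<saml:Issuer>{sp_entity_id}</saml:Issuer>"
        "</samlp:AuthnRequest>"
    )
    return request_id, xml


def encode_redirect(xml_text):
    """HTTP-Redirect binding encoding: raw DEFLATE (no zlib header), then base64."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)
    return base64.b64encode(comp.compress(xml_text.encode()) + comp.flush()).decode()


def decode_redirect(param):
    """Inverse of encode_redirect, as the IdP applies it to the SAMLRequest value."""
    return zlib.decompress(base64.b64decode(param), -15).decode()


def sp_redirect_url(idp_sso_url, xml_text, relay_state):
    """The SP's 302 Location. RelayState is opaque to the IdP and is echoed back with the assertion."""
    return idp_sso_url + "?" + urlencode({"SAMLRequest": encode_redirect(xml_text), "RelayState": relay_state})


def idp_parse_request(url):
    """What the IdP recovers from the browser's GET: who asked, where they want the assertion, and RelayState."""
    q = parse_qs(urlparse(url).query)
    root = ET.fromstring(decode_redirect(q["SAMLRequest"][0]))
    if root.tag != f"{{{SAMLP}}}AuthnRequest":
        raise ValueError("not an AuthnRequest")
    return {
        "id": root.get("ID"),
        "issuer": (root.findtext(f"{{{SAML}}}Issuer") or "").strip(),
        "acs_url": root.get("AssertionConsumerServiceURL"),
        "relay_state": q.get("RelayState", [None])[0],
    }


def acs_is_registered(parsed, registry=REGISTERED_SPS):
    """Post the assertion only to a consumer URL registered for that issuer, never to whatever the request names."""
    return parsed["acs_url"] in registry.get(parsed["issuer"], set())


if __name__ == "__main__":
    rid, req = build_authn_request("https://sp.ex.net", "https://sp.ex.net/acs", "http://idp.ex.com/saml")
    url = sp_redirect_url("http://idp.ex.com/saml", req, "HKFDhh383")
    info = idp_parse_request(url)
    print(url[:80] + "...")
    print(info, "registered:", acs_is_registered(info))
```

Two details worth keeping in mind when reading the diagram against this code: the SAML bindings specification caps RelayState at 80 bytes and treats it as opaque, so the SP should store its real return URL server-side and put only a reference in RelayState; and because the AuthnRequest is not signed in this binding, the IdP's registry lookup in acs_is_registered is what keeps an assertion from being posted to a consumer URL the SP never registered.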

SAML 2.0 Assertion

<Assertion>
  <Issuer/>
  <Signature/>
  <Subject/>
  <Conditions/>
  <AttributeStatement/>
  <AuthnStatement/>
</Assertion>

Single Sign-On Between Salesforce Orgs

bit.ly/multi-org-sso

Social Sign-On: Authentication Providers

Authentication Providers

• Three pre-built connectors

• Sign-on from social providers: Facebook, Janrain (Twitter, LinkedIn etc), other Salesforce orgs

• Automatically create and update users and contacts

OAuth 2.0

OAuth 2.0

• oauth.net/2

• Authorization for RESTful APIs

• Evolution of Google AuthSub, Yahoo BBAuth, AOL OpenAuth etc

• Standardized as RFC 6749/6750

• bit.ly/oauth2-force

OAuth Roles

OAuth 2.0 Protocol – Implicit Flow

Participants: Browser, Client App, Authorization Server (login.salesforce.com), Resource Server (na1.salesforce.com)

• Client App → Browser: open https://login.salesforce.com/services/oauth2/authorize?response_type=token&client_id=XYZ…&redirect_uri=myapp://oauth
• Browser → Authorization Server: GET /services/oauth2/authorize?response_type=token&client_id=XYZ…&redirect_uri=myapp://oauth
• Authorization Server: Authenticate the user
• Authorization Server → Browser: 302 Found, Location: myapp://oauth#access_token=…&refresh_token=…&instance_url=…&id=…&signature=…&issued_at=…
• Browser → Client App: GET /oauth#access_token=…&…
• Client App → Resource Server: GET /services/data/v25.0/…, Authorization: Bearer 00D5…
• Resource Server → Client App: 200 OK, Data

OAuth 2.0 Protocol – Authorization Code Flow

Participants: Browser, Authorization Server (login.salesforce.com), Client App, Resource Server

• Browser → Client App: GET /something
• Client App → Browser: 302 Found, Location: https://login.salesforce.com/?response_type=code&client_id=…&redirect_uri=…
• Browser → Authorization Server: GET /?response_type=...
• Authorization Server: Authenticate the user
• Authorization Server → Browser: 302 Found, Location: https://app.cl.com?code=…
• Browser → Client App: GET /app.cl.com?code=…
• Client App → Authorization Server: POST /token, code=…&grant_type=authorization_code&client_id=…&client_secret=…&redirect_uri=…
• Authorization Server → Client App: 200 OK, { "access_token": "00D5…" }
• Client App → Resource Server: GET /data, Authorization: OAuth 00D5…
• Resource Server → Client App: 200 OK, Data
• Client App → Browser: 200 OK, Some Content
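The authorization code flow above, modelled end to end as an added example that is not code from the deck or from Salesforce: an authorization server that issues a one-time code bound to the client and its registered redirect_uri and only redeems it from the client that holds the secret, a resource server that checks the bearer token, and the client side of the exchange including the state parameter from RFC 6749 (which the slides do not show). Client ids, secrets, users and URLs are constructed sample values.

```python
"""
Added example (not from the slides): both sides of the OAuth 2.0 authorization
code flow with the checks RFC 6749 places on the authorization server.
Client registrations, users and token shapes are constructed sample values.
"""
import hmac
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed client registration (hypothetical values)
CLIENTS = {"XYZ": {"secret": "client-secret-XYZ",
                   "redirect_uris": {"https://app.cl.com/callback"}}}
CODE_TTL = 600  # seconds; RFC 6749 recommends a short lifetime for codes


class AuthorizationServer:
    """The login.salesforce.com role in the diagram."""

    def __init__(self):
        self._codes = {}   # code -> the grant it stands for
        self._tokens = {}  # access token -> user

    def authorize(self, request_url, authenticated_user):
        """GET /?response_type=code... after the user has logged in. Returns the 302
        Location carrying the code, or None when the request must not be redirected
        at all (unknown client or unregistered redirect_uri)."""
        q = {k: v[0] for k, v in parse_qs(urlparse(request_url).query).items()}
        client = CLIENTS.get(q.get("client_id"))
        redirect_uri = q.get("redirect_uri")
        # Exact match against registration: a code must never be sent to an unregistered URI
        if client is None or redirect_uri not in client["redirect_uris"]:
            return None
        if q.get("response_type") != "code":
            return redirect_uri + "?" + urlencode({"error": "unsupported_response_type"})
        code = secrets.token_urlsafe(32)
        self._codes[code] = {"client_id": q["client_id"], "redirect_uri": redirect_uri,
                             "user": authenticated_user, "exp": time.time() + CODE_TTL}
        params = {"code": code}
        if "state" in q:  # echo the client's CSRF binding value unchanged
            params["state"] = q["state"]
        return redirect_uri + "?" + urlencode(params)

    def token(self, form):
        """POST /token from the client's back end (not the browser). Returns the JSON body."""
        client = CLIENTS.get(form.get("client_id"))
        if client is None or not hmac.compare_digest(client["secret"], form.get("client_secret", "")):
            return {"error": "invalid_client"}
        if form.get("grant_type") != "authorization_code":
            return {"error": "unsupported_grant_type"}
        grant = self._codes.pop(form.get("code"), None)  # pop: a code is single use
        if grant is None or grant["exp"] < time.time():
            return {"error": "invalid_grant"}
        # The code must be redeemed by the client it was issued to, with the same redirect_uri
        if grant["client_id"] != form["client_id"] or grant["redirect_uri"] != form.get("redirect_uri"):
            return {"error": "invalid_grant"}
        access_token = "00D5" + secrets.token_urlsafe(24)  # constructed token shape
        self._tokens[access_token] = grant["user"]
        return {"access_token": access_token, "token_type": "Bearer"}

    def user_for_token(self, token):
        return self._tokens.get(token)


class ResourceServer:
    """The API host: accepts a bearer token and answers with that user's data."""

    def __init__(self, auth_server):
        self._as = auth_server

    def get_data(self, authorization_header):
        scheme, _, token = authorization_header.partition(" ")
        user = self._as.user_for_token(token) if scheme in ("Bearer", "OAuth") else None
        if user is None:
            return 401, None
        return 200, {"owner": user, "records": []}


def run_flow(auth_server, resource_server, client_id="XYZ", user="pat@example.com"):
    """Drive the client side of the diagram; returns (status, data, token_response)."""
    client = CLIENTS[client_id]
    redirect_uri = next(iter(client["redirect_uris"]))
    state = secrets.token_urlsafe(16)  # kept in the browser session before redirecting
    authz_url = "https://login.salesforce.com/services/oauth2/authorize?" + urlencode(
        {"response_type": "code", "client_id": client_id, "redirect_uri": redirect_uri, "state": state})
    location = auth_server.authorize(authz_url, user)  # the user authenticates at the AS
    callback = {k: v[0] for k, v in parse_qs(urlparse(location).query).items()}
    if not hmac.compare_digest(callback.get("state", ""), state):
        return 400, None, {"error": "state mismatch"}  # not the answer to a request we started
    token_response = auth_server.token({"grant_type": "authorization_code", "code": callback["code"],
                                        "client_id": client_id, "client_secret": client["secret"],
                                        "redirect_uri": redirect_uri})
    if "access_token" not in token_response:
        return 400, None, token_response
    status, data = resource_server.get_data("Bearer " + token_response["access_token"])
    return status, data, token_response
```

The contrast with the implicit flow on the previous slide is visible in token(): there the access token rides in the fragment of the redirect with no client secret involved, whereas here the code that passes through the browser is worthless without the back-channel exchange, is consumed on first use, and is tied to the redirect_uri the client registered.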

Enabling org-level policy with OAuth 2.0

• Central Authorization Server: https://login.salesforce.com/services/oauth2/
• Alternative URLs bind to org:
• My Domain: https://gluecon.my.salesforce.com/services/oauth2/
• Force.com Site: https://gluecon.secure.force.com/services/oauth2/
• Community: https://gluecon.force.com/attendees/services/oauth2/

Server to Server Authorization

• SAML 2.0 Bearer Assertion: Exchange SAML Assertion for OAuth token
• http://tools.ietf.org/html/draft-ietf-oauth-saml2-bearer
• JSON Web Token (JWT): Assert identity via signed JSON object
• http://tools.ietf.org/html/draft-ietf-oauth-json-web-token
• https://developers.google.com/accounts/docs/OAuth2ServiceAccount

Summer ’13

SAML

• Multiple Identity Providers: Support single sign-on for internal + external users
• Single Sign-On Configurable via API: Packaging, automation

Salesforce Communities

• Public or private, branded spaces for your employees, customers, and partners

• Subset of features and data from internal Salesforce org: Membership, branding, login options, etc are configurable

• Advanced customization via code

• Replaces Partner Portal & Customer Portal

Winter ’14

Winter ’14 and Beyond

• Native two-factor authentication: Standards-based – OATH
• Identity Bridge: Easy integration with Active Directory
• SSO and Provisioning
• SCIM: Currently in pilot

User Management and Provisioning

Automated User Management
• Manage your Users in one place
• Automate provisioning processes across clouds

Secure De-provisioning
• Single place to de-activate users
• Quickly and automatically shut them off everywhere

Pre-Integrated
• Identity Connectors to popular platforms
• Standard SCIM Connector

Fully Extensible
• Graphical Workflow Engine
• Plugin code directly to the Cloud
• Flexible workflow rules, triggers, fields, validation, etc


Backup – A Deeper Dive into a SAML Assertion

SAML 2.0 Assertion - Issuer

<Assertion ID="_20f7…" IssueInstant="2011-03-28T18:23:25.539Z" Version="2.0">
  <Issuer>http://adfs-dc.my.example.com/adfs/services/trust</Issuer>
  <Signature/>
  <Subject/>
  <Conditions/>
  <AttributeStatement/>
  <AuthnStatement/>
</Assertion>

SAML 2.0 Assertion - Signature

<Assertion>
  <Issuer/>
  <Signature>
    <SignedInfo>
      <CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
      <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
      <Reference URI="#_20f7fb27-6bb1-4801-aaab-25b4ff862d2f">
        <Transforms>
          <Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
          <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
        </Transforms>
        <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
        <DigestValue>UrcVwqLcdqMvtJUkxiIw9CBN1h8=</DigestValue>
      </Reference>
    </SignedInfo>
    <SignatureValue>ITY8KT…</SignatureValue>
    <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
      <X509Data>
        <X509Certificate>MIIC6D…</X509Certificate>
      </X509Data>
    </KeyInfo>
  </Signature>
  <Subject/>
  <Conditions/>
  <AttributeStatement/>
  <AuthnStatement/>
</Assertion>

SAML 2.0 Assertion - Subject

<Assertion>
  <Issuer/>
  <Signature/>
  <Subject>
    <NameID>pat@example.com</NameID>
    <SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
      <SubjectConfirmationData InResponseTo="_2Qwip…" NotOnOrAfter="2011-03-28T18:28:25.539Z" Recipient="https://login.sf.com/?saml=…" />
    </SubjectConfirmation>
  </Subject>
  <Conditions/>
  <AttributeStatement/>
  <AuthnStatement/>
</Assertion>

SAML 2.0 Assertion - Conditions

<Assertion>
  <Issuer/>
  <Signature/>
  <Subject/>
  <Conditions NotBefore="2011-03-28T18:23:25.537Z" NotOnOrAfter="2011-03-28T19:23:25.537Z">
    <AudienceRestriction>
      <Audience>https://superpat.my.salesforce.com</Audience>
    </AudienceRestriction>
  </Conditions>
  <AttributeStatement/>
  <AuthnStatement/>
</Assertion>

SAML 2.0 Assertion – AttributeStatement

<Assertion>
  <Issuer/>
  <Signature/>
  <Subject/>
  <Conditions/>
  <AttributeStatement>
    <Attribute Name="User.Email">
      <AttributeValue>pat@example.com</AttributeValue>
    </Attribute>
    <!-- Also need LastName, ProfileId, UserName for JIT Provisioning -->
  </AttributeStatement>
  <AuthnStatement/>
</Assertion>

SAML 2.0 Assertion - AuthnStatement

<Assertion>
  <Issuer/>
  <Signature/>
  <Subject/>
  <Conditions/>
  <AttributeStatement/>
  <AuthnStatement AuthnInstant="2011-03-28T18:23:25.501Z">
    <AuthnContext>
      <AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</AuthnContextClassRef>
    </AuthnContext>
  </AuthnStatement>
</Assertion>
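The elements walked through in this backup section, together with the mandatory attributes listed under ‘Just in time’ (JIT) provisioning, are what a service provider has to check before it logs the user in. The following is an added example, not code from the deck or from Salesforce: the sample assertion is assembled from the fragments on these slides (the User.Username, User.LastName and User.ProfileId attribute names follow the User.Email form the slide shows and are assumptions, as are the LastName and truncated ID values), and XML signature verification is left to an XML-DSig library, so the function only records whether the caller has done it.

```python
"""
Added example (not from the slides): service-provider-side checks on a SAML 2.0
bearer assertion: issuer, subject confirmation, conditions, AuthnStatement and
the attributes JIT provisioning needs. Signature verification is NOT done here.
"""
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
DSIG = "http://www.w3.org/2000/09/xmldsig#"
BEARER = "urn:oasis:names:tc:SAML:2.0:cm:bearer"
# Attribute names assumed in the User.<Field> form the slide uses for User.Email
JIT_REQUIRED = ("User.Username", "User.LastName", "User.Email", "User.ProfileId")

# Constructed from the slide fragments; signature value and ID values are placeholders
SAMPLE_ASSERTION = f"""<Assertion xmlns="{SAML}" ID="_20f7" IssueInstant="2011-03-28T18:23:25.539Z" Version="2.0">
  <Issuer>http://adfs-dc.my.example.com/adfs/services/trust</Issuer>
  <Signature xmlns="{DSIG}"><SignatureValue>ITY8KT...</SignatureValue></Signature>
  <Subject>
    <NameID>pat@example.com</NameID>
    <SubjectConfirmation Method="{BEARER}">
      <SubjectConfirmationData InResponseTo="_2Qwip" NotOnOrAfter="2011-03-28T18:28:25.539Z" Recipient="https://login.sf.com/?saml=x"/>
    </SubjectConfirmation>
  </Subject>
  <Conditions NotBefore="2011-03-28T18:23:25.537Z" NotOnOrAfter="2011-03-28T19:23:25.537Z">
    <AudienceRestriction><Audience>https://superpat.my.salesforce.com</Audience></AudienceRestriction>
  </Conditions>
  <AttributeStatement>
    <Attribute Name="User.Email"><AttributeValue>pat@example.com</AttributeValue></Attribute>
    <Attribute Name="User.Username"><AttributeValue>pat@example.com</AttributeValue></Attribute>
    <Attribute Name="User.LastName"><AttributeValue>Patterson</AttributeValue></Attribute>
    <Attribute Name="User.ProfileId"><AttributeValue>00eE0000000Lst0IAC</AttributeValue></Attribute>
  </AttributeStatement>
  <AuthnStatement AuthnInstant="2011-03-28T18:23:25.501Z">
    <AuthnContext><AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</AuthnContextClassRef></AuthnContext>
  </AuthnStatement>
</Assertion>"""


def parse_saml_time(value):
    """SAML timestamps are UTC ('Z'), with or without fractional seconds."""
    fmt = "%Y-%m-%dT%H:%M:%S.%fZ" if "." in value else "%Y-%m-%dT%H:%M:%SZ"
    return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)


def validate_assertion(xml_text, *, trusted_issuer, audience, recipient, in_response_to, now, signature_verified=False):
    """Return the reasons to reject; an empty list means the assertion may be accepted.
    `now` is an aware UTC datetime; `signature_verified` is the caller's XML-DSig result."""
    ns = {"s": SAML, "ds": DSIG}
    a = ET.fromstring(xml_text)
    problems = []
    if a.tag != f"{{{SAML}}}Assertion" or a.get("Version") != "2.0":
        problems.append("not a SAML 2.0 Assertion")
    if a.find("ds:Signature", ns) is None or not signature_verified:
        problems.append("signature not verified")
    if a.findtext("s:Issuer", default="", namespaces=ns).strip() != trusted_issuer:
        problems.append("untrusted issuer")
    scd = None
    for sc in a.findall("s:Subject/s:SubjectConfirmation", ns):
        if sc.get("Method") == BEARER:
            scd = sc.find("s:SubjectConfirmationData", ns)
    if scd is None:
        problems.append("no bearer SubjectConfirmation")
    else:
        if scd.get("Recipient") != recipient:
            problems.append("recipient mismatch")
        if scd.get("InResponseTo") != in_response_to:  # must match the AuthnRequest ID the SP issued
            problems.append("InResponseTo mismatch")
        if scd.get("NotOnOrAfter") is None or now >= parse_saml_time(scd.get("NotOnOrAfter")):
            problems.append("subject confirmation expired")
    cond = a.find("s:Conditions", ns)
    if cond is None:
        problems.append("no Conditions")
    else:
        if cond.get("NotBefore") and now < parse_saml_time(cond.get("NotBefore")):
            problems.append("not yet valid")
        if cond.get("NotOnOrAfter") is None or now >= parse_saml_time(cond.get("NotOnOrAfter")):
            problems.append("expired")
        audiences = [e.text.strip() for e in cond.findall("s:AudienceRestriction/s:Audience", ns) if e.text]
        if audience not in audiences:
            problems.append("audience mismatch")
    if a.find("s:AuthnStatement", ns) is None:
        problems.append("no AuthnStatement")
    return problems


def saml_attributes(xml_text):
    """Map attribute Name -> list of values from the AttributeStatement."""
    ns = {"s": SAML}
    out = {}
    for attr in ET.fromstring(xml_text).findall("s:AttributeStatement/s:Attribute", ns):
        out[attr.get("Name")] = [v.text.strip() for v in attr.findall("s:AttributeValue", ns) if v.text]
    return out


def missing_jit_attributes(xml_text):
    """Names from JIT_REQUIRED that the assertion does not carry a value for."""
    attrs = saml_attributes(xml_text)
    return [name for name in JIT_REQUIRED if not attrs.get(name)]
```

The order of checks mirrors the slides: Issuer first, then the bearer SubjectConfirmation (Recipient, InResponseTo and its own short NotOnOrAfter window), then Conditions (the longer validity window and the AudienceRestriction naming this org), then the AuthnStatement. The comparisons use the clock as given in now, so a deployment that tolerates IdP clock skew should widen the windows explicitly rather than skip the time checks.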
